disable injecting unnecessary variables allowing access to k8s API

jsonnet/kube-prometheus/components/alertmanager.libsonnet

@@ -121,6 +121,7 @@ function(params) {
     apiVersion: 'v1',
     kind: 'ServiceAccount',
     metadata: am._metadata,
+    automountServiceAccountToken: false,
   },
 
   service: {

jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet

@@ -115,6 +115,7 @@ function(params) {
     apiVersion: 'v1',
     kind: 'ServiceAccount',
     metadata: bb._metadata,
+    automountServiceAccountToken: false,
   },
 
   clusterRole: {
@@ -238,6 +239,7 @@ function(params) {
           spec: {
             containers: [blackboxExporter, reloader, kubeRbacProxy],
             nodeSelector: { 'kubernetes.io/os': 'linux' },
+            automountServiceAccountToken: true,
             serviceAccountName: 'blackbox-exporter',
             volumes: [{
               name: 'config',

jsonnet/kube-prometheus/components/grafana.libsonnet

@@ -88,10 +88,12 @@ function(params)
     // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
     // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.
     // 'capabilities: { drop: ['ALL'] }' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/130 gets merged.
+    // FIXME(paulfantom): `automountServiceAccountToken` can be removed after porting to brancz/kuberentes-grafana
     deployment+: {
       spec+: {
         template+: {
           spec+: {
+            automountServiceAccountToken: false,
             containers: std.map(function(c) c {
               securityContext+: {
                 allowPrivilegeEscalation: false,

jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet

@@ -129,6 +129,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
           },
         },
         spec+: {
+          automountServiceAccountToken: true,
           containers: std.map(function(c) c {
             ports:: null,
             livenessProbe:: null,

jsonnet/kube-prometheus/components/node-exporter.libsonnet

@@ -114,6 +114,7 @@ function(params) {
     apiVersion: 'v1',
     kind: 'ServiceAccount',
     metadata: ne._metadata,
+    automountServiceAccountToken: false,
   },
 
   service: {
@@ -240,6 +241,7 @@ function(params) {
               { name: 'sys', hostPath: { path: '/sys' } },
               { name: 'root', hostPath: { path: '/' } },
             ],
+            automountServiceAccountToken: true,
             serviceAccountName: ne._config.name,
             securityContext: {
               runAsUser: 65534,

jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet

@@ -253,6 +253,7 @@ function(params) {
           spec: {
             containers: [c],
             serviceAccountName: $.serviceAccount.metadata.name,
+            automountServiceAccountToken: true,
             nodeSelector: { 'kubernetes.io/os': 'linux' },
             volumes: [
               { name: 'tmpfs', emptyDir: {} },
@@ -268,6 +269,7 @@ function(params) {
     apiVersion: 'v1',
     kind: 'ServiceAccount',
     metadata: pa._metadata,
+    automountServiceAccountToken: false,
   },
 
   clusterRole: {

jsonnet/kube-prometheus/components/prometheus-operator.libsonnet

@@ -131,6 +131,7 @@ function(params)
       spec+: {
         template+: {
           spec+: {
+            automountServiceAccountToken: true,
             containers: std.map(function(c) c {
               securityContext+: {
                 capabilities: { drop: ['ALL'] },

jsonnet/kube-prometheus/components/prometheus.libsonnet

@@ -98,6 +98,7 @@ function(params) {
     apiVersion: 'v1',
     kind: 'ServiceAccount',
     metadata: p._metadata,
+    automountServiceAccountToken: false,
   },
 
   service: {