Add option in Kube runner TOML to disable automount of the account token
Hi, we see that our Kubernetes Gitlab runners have automatically mounted the following files:
/var/run/secrets/kubernetes.io/serviceaccount
This comes from the Admission Controller that is enabled for RBAC.
By default, the pod will mount the default service account or the service account it is linked to, so that the software can use the same permissions as the pod has been linked to.
In our case, the service account is used for the gitlab-runner pod to start a job runner, and so this account has the permission to start/stop pods.
Is there any way to limit its permissions as much as possible? We do not want jobs to have any permissions by default on the kube cluster.
This service account allows any job, even in merge requests, to access the Kubernetes cluster with the same privileges as the runner has. Can't this be considered a potential security risk?
I recommend setting the automountServiceAccountToken option in the gitlab runner pod to avoid this behavior by default, or better, exposing it in the TOML configuration.
Thanks
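The precedence rule behind the automount behaviour described in this issue, as an added Python example that is not code from the issue author or from GitLab Runner: the pod's own `automountServiceAccountToken` wins when set, otherwise the ServiceAccount's setting applies, and when neither is set the token is mounted. The manifests below are constructed samples used to audit which pods would receive a token.

```python
"""Audit constructed Kubernetes objects for service account token automount.

Rule implemented: pod spec.automountServiceAccountToken takes precedence; if
unset, the ServiceAccount's automountServiceAccountToken applies; if both are
unset, the token is mounted at /var/run/secrets/kubernetes.io/serviceaccount.
"""
from typing import Any, Dict, List

# Constructed sample objects shaped like Kubernetes API objects (not real cluster data).
SERVICE_ACCOUNTS: List[Dict[str, Any]] = [
    {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "gitlab"}},
    {"kind": "ServiceAccount", "metadata": {"name": "gitlab-runner", "namespace": "gitlab"},
     "automountServiceAccountToken": False},
]
PODS: List[Dict[str, Any]] = [
    # Job pod on the default SA with nothing overridden: token is mounted.
    {"kind": "Pod", "metadata": {"name": "runner-job-1", "namespace": "gitlab"},
     "spec": {"serviceAccountName": "default"}},
    # Job pod opting out at the pod level.
    {"kind": "Pod", "metadata": {"name": "runner-job-2", "namespace": "gitlab"},
     "spec": {"serviceAccountName": "default", "automountServiceAccountToken": False}},
    # SA disables automount, but the pod overrides it back on: token is mounted.
    {"kind": "Pod", "metadata": {"name": "runner-job-3", "namespace": "gitlab"},
     "spec": {"serviceAccountName": "gitlab-runner", "automountServiceAccountToken": True}},
    # Pod inheriting the SA-level opt-out.
    {"kind": "Pod", "metadata": {"name": "runner-manager", "namespace": "gitlab"},
     "spec": {"serviceAccountName": "gitlab-runner"}},
]


def token_is_mounted(pod: Dict[str, Any], service_accounts: List[Dict[str, Any]]) -> bool:
    """Return True if Kubernetes would add a service account token volume to the pod."""
    spec = pod.get("spec", {})
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:  # pod-level field takes precedence over the SA
        return bool(pod_setting)
    sa_name = spec.get("serviceAccountName", "default")
    namespace = pod["metadata"].get("namespace", "default")
    for sa in service_accounts:
        if sa["metadata"]["name"] == sa_name and sa["metadata"].get("namespace", "default") == namespace:
            sa_setting = sa.get("automountServiceAccountToken")
            return True if sa_setting is None else bool(sa_setting)
    return True  # unknown SA: assume the Kubernetes default, which is to mount


def audit(pods: List[Dict[str, Any]], service_accounts: List[Dict[str, Any]]) -> List[str]:
    """Names of pods that would have the token mounted (the finding to review)."""
    return [p["metadata"]["name"] for p in pods if token_is_mounted(p, service_accounts)]


if __name__ == "__main__":
    for name in audit(PODS, SERVICE_ACCOUNTS):
        print(f"{name}: service account token would be mounted")
```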