rancher-charts/charts/rancher-cis-benchmark/2.0.2/templates/patch_default_serviceaccount.yaml

---
apiVersion: batch/v1
kind: Job
metadata:
  name: patch-sa
  annotations:
    "helm.sh/hook": post-install, post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
spec:
  template:
    spec:
      serviceAccountName: cis-operator-serviceaccount
      restartPolicy: Never
      containers:
      - name: sa
        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
        command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
        args: ["-n", {{ template "cis.namespace" . }}]
  backoffLimit: 1