
feat(kubernetes): configure sandbox service account token automount#1875

Closed
RohanAdwankar wants to merge 0 commit into NVIDIA:main from RohanAdwankar:main

@RohanAdwankar

Member

Summary

Adds an explicit opt-in for Kubernetes sandbox pods to automount their service account token. The default remains hardened (false), but operators can enable it when sandbox-local tools such as kubectl need Kubernetes API access under least-privilege RBAC.

Related Issue

Resolves #1874

Changes

  • Added automount_service_account_token to the Kubernetes driver config, defaulting to false.
  • Added CLI/env support via --automount-service-account-token and OPENSHELL_K8S_AUTOMOUNT_SERVICE_ACCOUNT_TOKEN.
  • Updated sandbox pod rendering to use the configured value instead of hardcoding automountServiceAccountToken: false.
  • Exposed the setting in the Helm chart as server.sandboxAutomountServiceAccountToken.
  • Added Kubernetes driver tests for default-off and explicit opt-in behavior.
  • Updated Kubernetes driver README, Helm README, and reference docs.

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)
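
An added example, not part of this pull request or the project's code: a Python audit over data shaped like `kubectl get pods,serviceaccounts -o json` that resolves whether each pod actually gets a token mounted. It assumes standard Kubernetes precedence (pod spec, then service account, then the default of true); the object names and the `sandboxes` namespace are constructed.

```python
def _obj(kind, name, automount=None, **spec):
    """Build a constructed Pod or ServiceAccount in the namespace "sandboxes"."""
    obj = {"kind": kind, "metadata": {"name": name, "namespace": "sandboxes"}}
    # Pods carry the field under .spec; ServiceAccounts carry it at top level.
    body = obj.setdefault("spec", spec) if kind == "Pod" else obj
    if automount is not None:
        body["automountServiceAccountToken"] = automount
    return obj

# Constructed sample; for real input use json.load() on the kubectl output.
SAMPLE = {"kind": "List", "items": [
    _obj("ServiceAccount", "sandbox-sa"),
    _obj("ServiceAccount", "locked-sa", automount=False),
    _obj("Pod", "sandbox-default", automount=False, serviceAccountName="sandbox-sa"),
    _obj("Pod", "sandbox-optin", automount=True, serviceAccountName="sandbox-sa"),
    _obj("Pod", "sandbox-unset", serviceAccountName="sandbox-sa"),
    _obj("Pod", "sandbox-sa-off", serviceAccountName="locked-sa"),
]}

def effective_automount(pod, service_accounts):
    """Return (mounted, source): whether a token is mounted and which setting decided it."""
    spec = pod.get("spec", {})
    if spec.get("automountServiceAccountToken") is not None:
        return bool(spec["automountServiceAccountToken"]), "pod spec"
    key = (pod["metadata"].get("namespace", "default"),
           spec.get("serviceAccountName", "default"))
    sa = service_accounts.get(key, {})
    if sa.get("automountServiceAccountToken") is not None:
        return bool(sa["automountServiceAccountToken"]), "service account"
    return True, "Kubernetes default"  # an unset field means the token IS mounted

def audit(manifest):
    """List (namespace/name, source) for every pod that ends up with a token."""
    items = manifest.get("items", [manifest])
    sas = {(i["metadata"].get("namespace", "default"), i["metadata"]["name"]): i
           for i in items if i.get("kind") == "ServiceAccount"}
    findings = []
    for pod in (i for i in items if i.get("kind") == "Pod"):
        mounted, source = effective_automount(pod, sas)
        if mounted:
            meta = pod["metadata"]
            findings.append((f'{meta.get("namespace", "default")}/{meta["name"]}', source))
    return findings

if __name__ == "__main__":
    for name, source in audit(SAMPLE):
        print(f"{name}: token mounted (decided by {source})")
```

Pods flagged with source "Kubernetes default" are the ones to look at first: nobody opted in, yet the token is present because the field was left unset.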

@RohanAdwankar RohanAdwankar requested review from a team, derekwaynecarr and mrunalp as code owners June 11, 2026 18:54
@copy-pr-bot

copy-pr-bot Bot commented Jun 11, 2026


This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@github-actions

github-actions Bot commented Jun 11, 2026


All contributors have signed the DCO ✍️ ✅
Posted by the DCO Assistant Lite bot.

@RohanAdwankar

Member Author

Am talking with John on Slack, no rush to review, just wanted to put a draft of what I wanted to do

@RohanAdwankar

Member Author

I have read the DCO document and I hereby sign the DCO.

@RohanAdwankar RohanAdwankar marked this pull request as draft June 11, 2026 19:00
@RohanAdwankar

Member Author

recheck

@RohanAdwankar RohanAdwankar marked this pull request as ready for review June 11, 2026 23:22
@RohanAdwankar RohanAdwankar marked this pull request as draft June 25, 2026 20:35
@RohanAdwankar

RohanAdwankar commented Jun 25, 2026

Member Author

Oops didn't realize the merge will request a review, I have one change to make before review, I can ping when ready

@copy-pr-bot

copy-pr-bot Bot commented Jun 26, 2026


Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

Development

Successfully merging this pull request may close these issues.

Support opt-in Kubernetes service account token automount for sandbox pods
