feat(kubernetes): configure sandbox service account token automount #1875

Open
RohanAdwankar wants to merge 1 commit into NVIDIA:main from RohanAdwankar:main

@RohanAdwankar

Member

Summary

Adds an explicit opt-in for Kubernetes sandbox pods to automount their service account token. The default remains hardened (false), but operators can enable it when sandbox-local tools such as kubectl need Kubernetes API access under least-privilege RBAC.

Related Issue

Resolves #1874

Changes

  • Added automount_service_account_token to the Kubernetes driver config, defaulting to false.
  • Added CLI/env support via --automount-service-account-token and OPENSHELL_K8S_AUTOMOUNT_SERVICE_ACCOUNT_TOKEN.
  • Updated sandbox pod rendering to use the configured value instead of hardcoding automountServiceAccountToken: false.
  • Exposed the setting in the Helm chart as server.sandboxAutomountServiceAccountToken.
  • Added Kubernetes driver tests for default-off and explicit opt-in behavior.
  • Updated Kubernetes driver README, Helm README, and reference docs.

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

Signed-off-by: Rohan Adwankar <39285979+RohanAdwankar@users.noreply.github.com>
@RohanAdwankar RohanAdwankar requested review from a team, derekwaynecarr and mrunalp as code owners June 11, 2026 18:54
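
Added example (not code from this pull request or its project): once the pod-level `automountServiceAccountToken` value is configurable, an operator may want to confirm which pods actually receive a token. The sketch below applies the Kubernetes precedence (pod spec, then ServiceAccount, then mount by default) to constructed manifests; all pod, namespace and service account names are assumptions.

```python
"""Audit which pods will actually receive a service account token.

Kubernetes resolves the setting in this order: the pod's
spec.automountServiceAccountToken wins if set, otherwise the ServiceAccount's
automountServiceAccountToken applies, otherwise the token is mounted.
"""


def effective_automount(pod, service_accounts):
    """Return (mounted, reason) for one pod manifest given as a dict."""
    spec = pod.get("spec", {})
    if spec.get("automountServiceAccountToken") is not None:
        return spec["automountServiceAccountToken"], "pod spec"
    ns = pod["metadata"].get("namespace", "default")
    sa = service_accounts.get((ns, spec.get("serviceAccountName", "default")), {})
    if sa.get("automountServiceAccountToken") is not None:
        return sa["automountServiceAccountToken"], "service account"
    return True, "cluster default"


def audit(pods, service_accounts, opted_in):
    """List (namespace, name, reason) for pods that mount a token
    without appearing in the operator's explicit opt-in set."""
    findings = []
    for pod in pods:
        meta = pod["metadata"]
        key = (meta.get("namespace", "default"), meta["name"])
        mounted, reason = effective_automount(pod, service_accounts)
        if mounted and key not in opted_in:
            findings.append((key[0], key[1], reason))
    return findings


def _pod(name, sa, automount=None):
    """Build a constructed sample pod manifest (hypothetical names)."""
    spec = {"serviceAccountName": sa}
    if automount is not None:
        spec["automountServiceAccountToken"] = automount
    return {"metadata": {"name": name, "namespace": "sandboxes"}, "spec": spec}


# Constructed sample data, not taken from any real cluster.
SERVICE_ACCOUNTS = {("sandboxes", "sandbox-sa"): {"automountServiceAccountToken": False},
                    ("sandboxes", "legacy-sa"): {}}
PODS = [_pod("sbx-hardened", "sandbox-sa", False),  # default-off rendering
        _pod("sbx-kubectl", "sandbox-sa", True),    # explicit opt-in
        _pod("sbx-unset", "legacy-sa"),             # nothing set: token mounted
        _pod("sbx-sa-off", "sandbox-sa")]           # ServiceAccount disables it
OPTED_IN = {("sandboxes", "sbx-kubectl")}

if __name__ == "__main__":
    for ns, name, reason in audit(PODS, SERVICE_ACCOUNTS, OPTED_IN):
        print(f"{ns}/{name}: token mounted via {reason}, not in opt-in list")
```
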
@copy-pr-bot

copy-pr-bot Bot commented Jun 11, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@github-actions

Thank you for your submission! We ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by adding a comment below using this text:


I have read the DCO document and I hereby sign the DCO.


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.

@RohanAdwankar

Member Author

Am talking with John on Slack, no rush to review, just wanted to put a draft of what I wanted to do

@RohanAdwankar

Member Author

I have read the DCO document and I hereby sign the DCO.

@RohanAdwankar RohanAdwankar marked this pull request as draft June 11, 2026 19:00
@RohanAdwankar

Member Author

recheck

@RohanAdwankar RohanAdwankar marked this pull request as ready for review June 11, 2026 23:22
Development

Successfully merging this pull request may close these issues.

Support opt-in Kubernetes service account token automount for sandbox pods
