The solution involves three steps. First, a new ServiceAccount named frontend-sa is created in the qa namespace. The manifest explicitly sets automountServiceAccountToken: false to comply with the stated security policy. Second, the Pod manifest is modified using sed to replace the incorrect ServiceAccount name with the newly created frontend-sa. The Pod is then created from this corrected manifest. Finally, the old, unused ServiceAccount (assumed to be named frontend) is deleted from the qa namespace to complete the cleanup task. This sequence correctly addresses all requirements of the problem.

1. Kubernetes Documentation

"Configure Service Accounts for Pods": This document explains how to disable the automatic mounting of API credentials for a ServiceAccount by setting automountServiceAccountToken: false in its manifest. This directly supports the first step of the solution. (See section: "Opt out of automounting API credentials for a ServiceAccount").

2. Kubernetes API Reference

v1.ServiceAccount: The official API documentation for the ServiceAccount resource confirms that automountServiceAccountToken is a boolean field that controls whether an API token is automatically mounted for pods using the service account.

3. Kubernetes API Reference

v1.PodSpec: The PodSpec API reference details the serviceAccountName field

which is used to specify the name of the ServiceAccount a pod should use. This justifies the modification of the pod manifest in the second step.

4. Kubernetes Documentation

kubectl Commands: The official kubectl command reference provides the syntax and usage for kubectl apply to create resources from a manifest and kubectl delete serviceaccount to remove them

as used in the solution.