Audit policy metadata-only rule should include `serviceaccounts/token` resource

[liggitt]

The following files reference a metadata-only audit policy in order to prevent logging request/response contents for sensitive resources:

• https://github.com/dev-sec/cis-kubernetes-benchmark/blob/master/controls/3_2_control_plane_logging.rb

A recent bugfix resolves logging of subresource requests which would previously fail with an error. The serviceaccounts/token subresource responds to TokenRequest API calls with a newly minted service account token.

The serviceaccounts/token resource should also be included in the metadata-only audit policy if credentials are not intended to appear in the audit log.