refined-kilobyte-28429

12/31/2022, 5:32 AM
I have an issue getting the CIS benchmark to pass, specifically "5.1.5 Ensure that default service accounts are not actively used. (Automated)". Running the profile rke2-cis-1.6-profile-hardened on a v1.24.9+rke2r1 cluster. The query below does not return any results, so it should be fine, but the test keeps failing.
kubectl get serviceaccounts --all-namespaces -o json | jq -r '.items[] | select(.metadata.name=="default") | select((.automountServiceAccountToken == null) or (.automountServiceAccountToken == true))' | jq .metadata.namespace
Any ideas?