Workload cannot access the service account token on Juju 3.5.0

One way to deploy the charm was to add a name to group 170 and use that group in the pebble layer for the service, which needed access to the service account token. However, it doesn't seem to be the proper way to fix this.

Do you have any recommendations on how to handle this situation? Thanks in advance.

Harry said he found this in the upstream source:
```
  case source.ServiceAccountToken != nil:
   tp := source.ServiceAccountToken

   // When FsGroup is set, we depend on SetVolumeOwnership to
   // change from 0600 to 0640.
   mode := *s.source.DefaultMode
   if mounterArgs.FsUser != nil || mounterArgs.FsGroup != nil {
    mode = 0600
   }
```

I identified three issues yesterday:
1. The charm I was looking at, kubeflow-dashboard was very confusing because the charm did not specify to run the application as the _daemon_ user. But it was running via `npm run` which in older versions used to fork/exec as the user of the root directory of the node module, so a lot of time was spent discovering this issue there.
2. fsGroup security context affects the default mode of a mounted service account, this is bespoke logic not documented in k8s, and only affects service account mounts. Very opinionated.
3. If all the containers in a pod use the same explicit user in their securityContext (either at the pod level securityContext or the container level securityContext), then the service account mounts the files only readable by the user (no r-flag for group or other).

The fix is to maintain the previous behaviour of not specifying the runAsUser/fsGroup for the pod/containers.

https://github.com/juju/juju/pull/17415

Thanks, Harry! I tested the fix by using 3.5.1 from the candidate risk, and it's working fine.