In our case it's 'default'.
gitlab
This also solves the async nature of the automatic creation of default service tokens for service accounts. It also makes explicit which service account token we always use. create cluster role binding only if the provider has legacy_abac disabled.
Correspondingly, use the token of the gitlab service account, vs the default service account token which will have no privs.
