Update content/en/docs/concepts/storage/projected-volumes.md

verb · Tim Bannister · web-flow · commit 2512f5d7f1a9 · 2022-08-26T20:13:01.000+02:00
Co-authored-by: Tim Bannister &lt;tim@scalefactory.com&gt;
diff --git a/content/en/docs/concepts/storage/projected-volumes.md b/content/en/docs/concepts/storage/projected-volumes.md
@@ -87,10 +87,13 @@ then the kubelet  ensures that the contents of the `serviceAccountToken` volume
 and that every file has its permission mode set to `0600`.
 
 {{< note >}}
-If you add any {{< glossary_tooltip text="ephemeral containers" term_id="ephemeral-container" >}} to
-a Pod, those won't have been present when the pod started running on that node.
-Adding an ephemeral container to a pod does **not** change any volume permissions
-that were set when the pod was created.
+{{< glossary_tooltip text="Ephemeral containers" term_id="ephemeral-container" >}}
+added to a Pod after it is created do *not* change volume permissions that were
+set when the pod was created.
+
+If a Pod's `serviceAccountToken` volume permissions were set to `0600` because
+all other containers in the Pod have the same `runAsUser`, ephemeral
+containers must use the same `runAsUser` to be able to read the token.
 {{< /note >}}
 
 #### Windows
