diff --git a/lib/resourcemerge/core.go b/lib/resourcemerge/core.go
index 822038e5c..99f5a3216 100644
--- a/lib/resourcemerge/core.go
+++ b/lib/resourcemerge/core.go
@@ -45,6 +45,7 @@ func ensurePodSpec(modified *bool, existing *corev1.PodSpec, required corev1.Pod
 		}
 	}
 
+	setBoolPtr(modified, &existing.AutomountServiceAccountToken, required.AutomountServiceAccountToken)
 	setStringIfSet(modified, &existing.ServiceAccountName, required.ServiceAccountName)
 	setBool(modified, &existing.HostNetwork, required.HostNetwork)
 	setBoolPtr(modified, &existing.HostUsers, required.HostUsers)
diff --git a/lib/resourcemerge/core_test.go b/lib/resourcemerge/core_test.go
index 1ec88c09e..ef9989f3f 100644
--- a/lib/resourcemerge/core_test.go
+++ b/lib/resourcemerge/core_test.go
@@ -56,6 +56,56 @@ func TestEnsurePodSpec(t *testing.T) {
 				HostUsers: boolPtr(false),
 			},
 		},
+		{
+			name:     "automountServiceAccountToken is set",
+			existing: corev1.PodSpec{},
+			input: corev1.PodSpec{
+				AutomountServiceAccountToken: boolPtr(false),
+			},
+
+			expectedModified: true,
+			expected: corev1.PodSpec{
+				AutomountServiceAccountToken: boolPtr(false),
+			},
+		},
+		{
+			name: "automountServiceAccountToken is unset",
+			existing: corev1.PodSpec{
+				AutomountServiceAccountToken: boolPtr(false),
+			},
+			input: corev1.PodSpec{},
+
+			expectedModified: true,
+			expected:         corev1.PodSpec{},
+		},
+		{
+			name: "automountServiceAccountToken is changed",
+			existing: corev1.PodSpec{
+				AutomountServiceAccountToken: boolPtr(true),
+			},
+			input: corev1.PodSpec{
+				AutomountServiceAccountToken: boolPtr(false),
+			},
+
+			expectedModified: true,
+			expected: corev1.PodSpec{
+				AutomountServiceAccountToken: boolPtr(false),
+			},
+		},
+		{
+			name: "automountServiceAccountToken is unchanged",
+			existing: corev1.PodSpec{
+				AutomountServiceAccountToken: boolPtr(false),
+			},
+			input: corev1.PodSpec{
+				AutomountServiceAccountToken: boolPtr(false),
+			},
+
+			expectedModified: false,
+			expected: corev1.PodSpec{
+				AutomountServiceAccountToken: boolPtr(false),
+			},
+		},
 		{
 			name: "PodSecurityContext empty",
 			existing: corev1.PodSpec{