diff --git a/install/0000_00_cluster-version-operator_03_deployment.yaml b/install/0000_00_cluster-version-operator_03_deployment.yaml
index ff85c55f9..a89cc927f 100644
--- a/install/0000_00_cluster-version-operator_03_deployment.yaml
+++ b/install/0000_00_cluster-version-operator_03_deployment.yaml
@@ -22,7 +22,7 @@ spec:
       labels:
         k8s-app: cluster-version-operator
     spec:
-      automountServiceAccountToken: false
+      automountServiceAccountToken: false  # removed in the next version.
       containers:
       - name: cluster-version-operator
         image: '{{.ReleaseImage}}'
diff --git a/lib/resourcemerge/core.go b/lib/resourcemerge/core.go
index c18a948f0..cf63223f7 100644
--- a/lib/resourcemerge/core.go
+++ b/lib/resourcemerge/core.go
@@ -45,6 +45,7 @@ func ensurePodSpec(modified *bool, existing *corev1.PodSpec, required corev1.Pod
 		}
 	}
 
+	setBoolPtr(modified, &existing.AutomountServiceAccountToken, required.AutomountServiceAccountToken)
 	setStringIfSet(modified, &existing.ServiceAccountName, required.ServiceAccountName)
 	setBool(modified, &existing.HostNetwork, required.HostNetwork)
 	mergeMap(modified, &existing.NodeSelector, required.NodeSelector)
diff --git a/lib/resourcemerge/core_test.go b/lib/resourcemerge/core_test.go
index 74ea9a5c9..9af841c16 100644
--- a/lib/resourcemerge/core_test.go
+++ b/lib/resourcemerge/core_test.go
@@ -45,6 +45,37 @@ func TestEnsurePodSpec(t *testing.T) {
 				Containers: []corev1.Container{
 					{Name: "test"}}},
 		},
+		{
+			name: "AutomountServiceAccountToken none",
+			existing: corev1.PodSpec{
+				AutomountServiceAccountToken: boolPtr(false)},
+			input: corev1.PodSpec{},
+
+			expectedModified: true,
+			expected:         corev1.PodSpec{},
+		},
+		{
+			name: "AutomountServiceAccountToken changed",
+			existing: corev1.PodSpec{
+				AutomountServiceAccountToken: boolPtr(true)},
+			input: corev1.PodSpec{
+				AutomountServiceAccountToken: boolPtr(false)},
+
+			expectedModified: true,
+			expected: corev1.PodSpec{
+				AutomountServiceAccountToken: boolPtr(false)},
+		},
+		{
+			name: "AutomountServiceAccountToken no changes",
+			existing: corev1.PodSpec{
+				AutomountServiceAccountToken: boolPtr(false)},
+			input: corev1.PodSpec{
+				AutomountServiceAccountToken: boolPtr(false)},
+
+			expectedModified: false,
+			expected: corev1.PodSpec{
+				AutomountServiceAccountToken: boolPtr(false)},
+		},
 		{
 			name: "PodSecurityContext empty",
 			existing: corev1.PodSpec{
diff --git a/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml b/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
index b3f0c40d1..5892691c7 100644
--- a/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
+++ b/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
@@ -22,7 +22,7 @@ spec:
       labels:
         k8s-app: cluster-version-operator
     spec:
-      automountServiceAccountToken: false
+      automountServiceAccountToken: false  # removed in the next version.
       containers:
       - name: cluster-version-operator
         image: 'quay.io/cvo/release:latest'