# rke2
Hi, we are seeing a strange issue on one of the RKE2 clusters where the service account is not being mounted inside a few pods. The error is "open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory". When I check the pod spec, I don't see a "projected" volume mount such as this:
```yaml
volumes:
  - name: kube-api-access-nv5hz
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
```
The problem is only happening on some pods and across many nodes. Even on a node where such problematic pods are present, there are other pods which don't see this error. My initial thought was that "ServiceAccount" is not included in the kube-apiserver command flag "--enable-admission-plugins" in some apiserver instances, but I confirmed that all apiserver instances have only this:
```
--enable-admission-plugins=NodeRestriction
```
So I am guessing that on RKE2, ServiceAccount (and other plugins) are automatically included. Has anyone seen a similar error? Thanks in advance.
For future reference, the issue turned out to be due to the presence of "automountServiceAccountToken: false" in the service account spec.
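
An added example, not part of the original thread: a small audit that takes output shaped like `kubectl get pods,serviceaccounts -A -o json` and lists the pods that will not receive a token volume, and whether the pod spec or the service account is the cause. The sample data, names and the `pods_without_token` helper are constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get pods,serviceaccounts -A -o json`
# (namespaces and names are made up for illustration).
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ServiceAccount", "metadata": {"namespace": "apps", "name": "default"}},
 {"kind": "ServiceAccount", "metadata": {"namespace": "apps", "name": "locked"},
  "automountServiceAccountToken": false},
 {"kind": "Pod", "metadata": {"namespace": "apps", "name": "web"},
  "spec": {"serviceAccountName": "default"}},
 {"kind": "Pod", "metadata": {"namespace": "apps", "name": "worker"},
  "spec": {"serviceAccountName": "locked"}},
 {"kind": "Pod", "metadata": {"namespace": "apps", "name": "operator"},
  "spec": {"serviceAccountName": "locked", "automountServiceAccountToken": true}},
 {"kind": "Pod", "metadata": {"namespace": "apps", "name": "batch"},
  "spec": {"serviceAccountName": "default", "automountServiceAccountToken": false}}
]}
""")


def pods_without_token(listing):
    """Return {(namespace, pod): reason} for pods that get no token volume."""
    items = listing.get("items", [])
    # ServiceAccount-level setting keyed by (namespace, name); None when unset.
    sa_setting = {
        (i["metadata"]["namespace"], i["metadata"]["name"]):
            i.get("automountServiceAccountToken")
        for i in items if i.get("kind") == "ServiceAccount"
    }
    findings = {}
    for pod in (i for i in items if i.get("kind") == "Pod"):
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        spec = pod.get("spec", {})
        sa = spec.get("serviceAccountName") or "default"
        pod_flag = spec.get("automountServiceAccountToken")
        # The pod-level field wins when set; otherwise the ServiceAccount's
        # value applies; if neither is set, the token is mounted.
        if pod_flag is False:
            findings[(ns, name)] = "pod spec sets automountServiceAccountToken: false"
        elif pod_flag is None and sa_setting.get((ns, sa)) is False:
            findings[(ns, name)] = f"service account '{sa}' sets automountServiceAccountToken: false"
    return findings


if __name__ == "__main__":
    for (ns, name), reason in sorted(pods_without_token(SAMPLE).items()):
        print(f"{ns}/{name}: {reason}")
```

Disabling automount on a service account is a common hardening setting, so a workload that needs API access has to opt back in at the pod level, as the constructed `operator` pod does.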