cert-manager automounts service account tokens
All containers will get the service account token automounted in the current setup, regardless of whether they need it, which goes against the principle of least privilege.
Should follow the best practices outlined in cert-manager's docs: https://cert-manager.io/docs/installation/best-practice/#restrict-auto-mount-of-service-account-tokens
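
An added example (not part of the original issue and not cert-manager's own code): a small audit of which containers in a pod spec end up with a service account token. It applies the Kubernetes rule that the pod-level `automountServiceAccountToken` overrides the ServiceAccount's and that automount is on when both are unset. The pod specs, the `sidecar` container and the function names are constructed for illustration.

```python
"""Audit which containers receive a service account token (constructed sample data)."""

def automount_enabled(pod_spec, service_account):
    # Pod-level setting wins; otherwise the ServiceAccount's; Kubernetes defaults to True.
    for obj in (pod_spec, service_account or {}):
        if obj.get("automountServiceAccountToken") is not None:
            return obj["automountServiceAccountToken"]
    return True

def token_volumes(pod_spec):
    # Names of projected volumes that carry an explicitly requested token.
    return {
        v["name"] for v in pod_spec.get("volumes", [])
        if any("serviceAccountToken" in s for s in v.get("projected", {}).get("sources", []))
    }

def containers_with_token(pod_spec, service_account):
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    if automount_enabled(pod_spec, service_account):
        return sorted(c["name"] for c in containers)  # every container gets it
    explicit = token_volumes(pod_spec)
    return sorted(
        c["name"] for c in containers
        if any(m["name"] in explicit for m in c.get("volumeMounts", []))
    )

# Constructed pod specs, not taken from the issue or from cert-manager's chart.
DEFAULT_SA = {}  # automountServiceAccountToken unset
HARDENED_SA = {"automountServiceAccountToken": False}

CURRENT = {"containers": [{"name": "cert-manager-controller"}, {"name": "sidecar"}]}
HARDENED = {
    "automountServiceAccountToken": False,
    "volumes": [{"name": "serviceaccount-token", "projected": {"sources": [
        {"serviceAccountToken": {"path": "token", "expirationSeconds": 3607}}]}}],
    "containers": [
        {"name": "cert-manager-controller", "volumeMounts": [
            {"name": "serviceaccount-token", "readOnly": True,
             "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"}]},
        {"name": "sidecar"},
    ],
}

if __name__ == "__main__":
    print("current :", containers_with_token(CURRENT, DEFAULT_SA))
    print("hardened:", containers_with_token(HARDENED, HARDENED_SA))
```

The same functions can be run over pod specs loaded from `kubectl get ... -o json` output to list workloads that still rely on automount.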