• Kubernetes v1.35: A Better Way to Pass Service Account Tokens to CSI Drivers. If you maintain a CSI driver that uses service account tokens, Kubernetes v1.35 brings a refinement you’ll want to know about.
• Since the introduction of the TokenRequests feature, service account tokens requested by CSI drivers have been passed to them through the volume_context field.
• While this has worked, it’s not the ideal place for sensitive information, and we’ve seen instances where tokens were accidentally logged in CSI drivers.
• Kubernetes v1.35 introduces a beta solution to address this: CSI Driver Opt-in for Service Account Tokens via Secrets Field.
• This allows CSI drivers to receive service account tokens through the secrets field in NodePublishVolumeRequest, which is the appropriate place for sensitive data in the CSI specification.
• Understanding the existing approach: when CSI drivers use the TokenRequests feature, they can request service account tokens for workload identity by configuring the TokenRequests field in the CSIDriver spec.

Article Summaries:

  • Kubernetes v1.35 introduces a beta opt-in feature that lets CSI drivers receive service-account tokens through the secrets field of NodePublishVolumeRequest instead of the volume_context map. The change addresses security concerns where tokens were inadvertently logged, as seen in CVE-2023-2878 and CVE-2024-3744. Drivers can enable the new behavior by setting serviceAccountTokenInSecrets: true in their CSIDriver spec; otherwise the default remains false, preserving existing functionality. The CSIServiceAccountTokenSecrets feature gate is enabled by default on kubelet and apiserver, allowing a smooth transition without breaking current drivers.
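The driver-side handling the summaries describe, as an added example (not code from the Kubernetes blog or from any CSI driver): read the token map from the secrets field when the cluster has opted in, fall back to volume_context otherwise, and never log the raw volume_context. The key name csi.storage.k8s.io/serviceAccount.tokens and the per-audience JSON layout are not on the page; they are assumed from kubelet's current behaviour, and the sample token is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Key under which kubelet stores the JSON-encoded token map. The page does not name it;
// this is the key kubelet's CSI plugin uses, assumed here to be the same for both paths.
const saTokensKey = "csi.storage.k8s.io/serviceAccount.tokens"

// saToken is one per-audience entry (kubelet serialises a TokenRequestStatus).
type saToken struct {
	Token               string `json:"token"`
	ExpirationTimestamp string `json:"expirationTimestamp"`
}

// serviceAccountTokens prefers the secrets map (serviceAccountTokenInSecrets: true) and falls
// back to volume_context for clusters that have not opted in; the source name is returned too.
func serviceAccountTokens(secrets, volumeContext map[string]string) (map[string]saToken, string, error) {
	raw, src := secrets[saTokensKey], "secrets"
	if raw == "" {
		raw, src = volumeContext[saTokensKey], "volume_context"
	}
	if raw == "" {
		return nil, "", fmt.Errorf("no %s entry in secrets or volume_context", saTokensKey)
	}
	tokens := map[string]saToken{}
	if err := json.Unmarshal([]byte(raw), &tokens); err != nil {
		return nil, "", fmt.Errorf("decode %s: %w", saTokensKey, err)
	}
	return tokens, src, nil
}

// loggableVolumeContext returns a copy of volume_context that is safe to log: the token
// entry is replaced by a marker, so dumping the map can no longer leak a token.
func loggableVolumeContext(volumeContext map[string]string) map[string]string {
	out := make(map[string]string, len(volumeContext))
	for k, v := range volumeContext {
		if k == saTokensKey {
			v = "<redacted>"
		}
		out[k] = v
	}
	return out
}
func main() { // constructed sample: an opted-in cluster, so the token arrives in secrets
	tokens, src, err := serviceAccountTokens(map[string]string{saTokensKey: `{"vault":{"token":"eyJ-sample","expirationTimestamp":"2026-01-01T00:00:00Z"}}`}, nil)
	fmt.Println(len(tokens), src, err, loggableVolumeContext(map[string]string{saTokensKey: "x"}))
}
```

Checking the returned source name on an opted-in cluster is a cheap way to confirm the CSIDriver change took effect before removing the volume_context fallback.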
