Kubernetes v1.35: A Better Way... Note

Kubernetes v1.35: A Better Way to Pass Service Account Tokens to CSI Drivers

Kubernetes v1.35 introduces a beta feature, CSI Driver Opt-in for Service Account Tokens via Secrets Field. Previously, service account tokens for CSI drivers were passed through the volume_context field, which is not ideal for sensitive data and has led to tokens being accidentally logged. This new feature allows CSI drivers to receive these tokens via the secrets field in NodePublishVolumeRequest, the designated place for sensitive information in the CSI specification. Existing CSI drivers will continue to receive tokens via volume_context by default, as the new serviceAccountTokenInSecrets field in the CSIDriver spec defaults to false.To adopt this feature, CSI driver authors should first implement fallback logic in their driver code. This logic checks both the secrets field and volume_context for tokens, ensuring compatibility with both older and newer Kubernetes versions. After deploying this updated driver, the cluster must be upgraded to Kubernetes v1.35 or later, including both kube-apiserver and kubelet. Once the cluster and driver are upgraded, the CSIDriver manifest can be updated to set serviceAccountTokenInSecrets: true.It is crucial to follow a specific rollout sequence to avoid breaking existing volumes. The driver update with fallback logic must be deployed and fully rolled out before updating the CSIDriver object to enable the new behavior. This opt-in mechanism eliminates the risk of accidental token logging, uses the correct CSI specification field for sensitive data, and is managed by the protosanitizer tool without needing driver-specific workarounds. CSI driver authors are encouraged to adopt this feature and provide feedback.