Kubernetes v1.35: A Better Way to Pass Service Account Tokens to CSI Drivers
If you maintain a CSI driver that uses service account tokens, Kubernetes v1.35 brings a refinement you'll want to know about. Since the introduction of the TokenRequests feature, service account tokens requested by CSI drivers have been passed to them through the volume_context field. While this has worked, it's not the ideal place for sensitive information, and we've seen instances where tokens were accidentally logged in CSI drivers.

Kubernetes v1.35 introduces a beta solution to address this: CSI Driver Opt-in for Service Account Tokens via Secrets Field. This allows CSI drivers to receive service account tokens through the secrets field in NodePublishVolumeRequest, which is the appropriate place for sensitive data in the CSI specification.

Understanding the existing approach

When CSI drivers use the TokenRequests feature, they can request service account tokens for workload identity by configuring the TokenRequests field in the CSIDriver spec. These tokens are passed to driver
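
An added Go example (not from the Kubernetes post or any driver's code) of the driver-side handling this change implies: read the token from secrets first, fall back to volume_context, and redact the token key before logging the context. It assumes plain maps standing in for the Secrets and VolumeContext fields of NodePublishVolumeRequest, the kubelet key csi.storage.k8s.io/serviceAccount.tokens with its JSON audience map, and hypothetical helper names.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Key kubelet uses for TokenRequests tokens; the value is JSON: audience -> audienceToken.
const tokenKey = "csi.storage.k8s.io/serviceAccount.tokens"

type audienceToken struct {
	Token               string `json:"token"`
	ExpirationTimestamp string `json:"expirationTimestamp"`
}

// tokensFromRequest prefers the secrets field and falls back to volume_context.
// Assumption: the two maps stand in for the request's Secrets and VolumeContext.
func tokensFromRequest(secrets, volumeContext map[string]string) (map[string]audienceToken, string, error) {
	raw, source := secrets[tokenKey], "secrets"
	if raw == "" {
		raw, source = volumeContext[tokenKey], "volume_context"
	}
	if raw == "" {
		return nil, "", errors.New("service account tokens not found in request")
	}
	tokens := map[string]audienceToken{}
	if err := json.Unmarshal([]byte(raw), &tokens); err != nil {
		return nil, "", errors.New("malformed service account token payload") // payload kept out of the error
	}
	return tokens, source, nil
}

// redactedContext returns a copy of volume_context that is safe to log.
func redactedContext(volumeContext map[string]string) map[string]string {
	out := make(map[string]string, len(volumeContext))
	for k, v := range volumeContext {
		if k == tokenKey {
			v = "[REDACTED]"
		}
		out[k] = v
	}
	return out
}

func main() {
	// Constructed sample: a driver that has not opted in yet; the token is a placeholder.
	ctx := map[string]string{tokenKey: `{"vault.example":{"token":"PLACEHOLDER","expirationTimestamp":"2030-01-01T00:00:00Z"}}`}
	_, src, err := tokensFromRequest(nil, ctx)
	fmt.Println(src, err, redactedContext(ctx))
}
```
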
Continue reading on Kubernetes Blog


