Kubernetes v1.35: Streamlining Service Account Token Handling for CSI Drivers
Kubernetes v1.35 introduces a beta feature that changes the way CSI drivers receive service account tokens. This is crucial for ensuring that sensitive information is handled securely and efficiently. The TokenRequests feature allows CSI drivers to request tokens for workload identity, which is vital for maintaining security in your Kubernetes environment.
The mechanism is straightforward. By default, service account tokens are placed in the VolumeContext with the key csi.storage.k8s.io/serviceAccount.tokens. However, with the new serviceAccountTokenInSecrets field in the CSIDriver spec, you can opt to have these tokens delivered via the Secrets field instead. When this field is set to true, the driver will first check the Secrets field for tokens before falling back to the VolumeContext. This change not only enhances security but also aligns better with Kubernetes' overall approach to managing sensitive data.
In production, this means you should evaluate your current CSI driver configurations. Opting into this new behavior can help you manage service account tokens more securely. However, be cautious: the documentation warns against using example configurations directly in your clusters. Always tailor configurations to your specific needs and security requirements.
Key takeaways
- →Use the `serviceAccountTokenInSecrets` field to enhance security by opting for token delivery via Secrets.
- →Understand that tokens are placed in VolumeContext by default unless you opt-in to the new behavior.
- →Check the Secrets field first for tokens when implementing the new mechanism in your CSI driver.
Why it matters
This change reduces the risk of exposing sensitive tokens and aligns with best practices for managing secrets in Kubernetes, ultimately leading to a more secure production environment.
Code examples
1const serviceAccountTokenKey = "csi.storage.k8s.io/serviceAccount.tokens"
2func getServiceAccountTokens(req *csi.NodePublishVolumeRequest) (string, error) {
3 // Check secrets field first (new behavior when driver opts in)
4 if tokens, ok := req.Secrets[serviceAccountTokenKey]; ok {
5 return tokens, nil
6 }
7 // Fall back to volume context (existing behavior)
8 if tokens, ok := req.VolumeContext[serviceAccountTokenKey]; ok {
9 return tokens, nil
10 }
11 return "", fmt.Errorf("service account tokens not found")
12}When NOT to use this
The official docs don't call out specific anti-patterns here. Use your judgment based on your scale and requirements.
Want the complete reference?
Read official docsBuilding a Memcached Operator with Go: A Practical Guide
Operators are a powerful way to extend Kubernetes, and building one with Go can streamline your application management. This guide walks you through creating a Memcached operator, focusing on the Custom Resource Definition (CRD) and the controller's role in reconciliation.
Mastering Admission Control in Kubernetes: What You Need to Know
Admission control is a critical gatekeeper in Kubernetes, ensuring that only valid requests reach your cluster. Understanding the difference between mutating and validating admission controllers can save you from costly misconfigurations.
CustomResourceDefinitions: Extending Kubernetes for Your Needs
Unlock the power of Kubernetes by extending its API with CustomResourceDefinitions (CRDs). Learn how to create custom resources that fit your application’s specific requirements, including namespaced and cluster-scoped options.
Get the daily digest
One email. 5 articles. Every morning.
No spam. Unsubscribe anytime.