Endigest AI Core Summary
Kubernetes v1.35 introduces a beta opt-in mechanism for CSI drivers to receive service account tokens via the secrets field instead of volume_context, improving security.
• Previous behavior passed tokens through volume_context using the key csi.storage.k8s.io/serviceAccount.tokens; volume_context is not designed for sensitive data
• The protosanitizer tool does not treat volume_context as sensitive, leading to accidental token logging (CVE-2023-2878, CVE-2024-3744)
• The new CSIDriver spec field serviceAccountTokenInSecrets: true routes tokens to the NodePublishVolumeRequest secrets field instead
• The CSIServiceAccountTokenSecrets feature gate is enabled by default, but the serviceAccountTokenInSecrets field defaults to false, ensuring no breaking changes for existing drivers
• Rollout requires adding fallback logic to the driver first, completing the cluster upgrade, then updating the CSIDriver manifest to opt in
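The fallback logic from the first rollout step could look like the following added example, which is not code from the original article or from the Kubernetes project. The publishRequest struct is a hypothetical stand-in for the two NodePublishVolumeRequest fields involved, and the JSON payload shape (audience mapped to token and expirationTimestamp) and sample values are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Key named on this page: used in volume_context (old) and, after opt-in, in secrets.
const tokenKey = "csi.storage.k8s.io/serviceAccount.tokens"

// publishRequest is a hypothetical stand-in for the NodePublishVolumeRequest fields used here.
type publishRequest struct {
	Secrets       map[string]string
	VolumeContext map[string]string
}

// audienceToken is one entry of the assumed JSON payload (audience -> token).
type audienceToken struct {
	Token               string `json:"token"`
	ExpirationTimestamp string `json:"expirationTimestamp"`
}

// tokensFromRequest prefers secrets, then falls back to volume_context (pre-opt-in path).
func tokensFromRequest(req publishRequest) (map[string]audienceToken, string, error) {
	raw, source := req.Secrets[tokenKey], "secrets"
	if raw == "" {
		raw, source = req.VolumeContext[tokenKey], "volume_context"
	}
	if raw == "" {
		return nil, "", fmt.Errorf("service account tokens not found in request")
	}
	var tokens map[string]audienceToken
	if err := json.Unmarshal([]byte(raw), &tokens); err != nil {
		// Return a fixed message: the raw payload is the credential itself.
		return nil, source, fmt.Errorf("malformed service account token payload")
	}
	return tokens, source, nil
}

func main() {
	// Constructed sample payload; the audience and token value are made up.
	sample := `{"vault.example":{"token":"constructed-token","expirationTimestamp":"2030-01-01T00:00:00Z"}}`
	old := publishRequest{VolumeContext: map[string]string{tokenKey: sample}}
	optedIn := publishRequest{Secrets: map[string]string{tokenKey: sample}}
	for _, r := range []publishRequest{old, optedIn} {
		t, src, err := tokensFromRequest(r)
		fmt.Println(src, len(t), err) // logs the source and count, never the token
	}
}
```

Because the lookup checks secrets first, the same driver build keeps working whether or not the CSIDriver manifest has been switched to serviceAccountTokenInSecrets: true.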
This summary was automatically generated by AI based on the original article and may not be fully accurate.