From 75128a8d3dad8438ed337ece243e563f1365963b Mon Sep 17 00:00:00 2001
From: Anish Ramasekar
Date: Mon, 13 Oct 2025 14:16:44 -0500
Subject: [PATCH] Add CSI driver opt-in for service account tokens via secrets field

Signed-off-by: Anish Ramasekar
Kubernetes-commit: 30a6d4b389a6c6b10c5bd136216b47e55da3f18a
---
 applyconfigurations/internal/internal.go | 6 ++++
 .../storage/v1/csidriverspec.go | 28 +++++++++++++++++++
 .../storage/v1beta1/csidriverspec.go | 28 +++++++++++++++++++
 3 files changed, 62 insertions(+)

diff --git a/applyconfigurations/internal/internal.go b/applyconfigurations/internal/internal.go
index ed8b7a18e..9d16b9c33 100644
--- a/applyconfigurations/internal/internal.go
+++ b/applyconfigurations/internal/internal.go
@@ -15024,6 +15024,9 @@ var schemaYAML = typed.YAMLObject(`types:
 - name: seLinuxMount
 type:
 scalar: boolean
+ - name: serviceAccountTokenInSecrets
+ type:
+ scalar: boolean
 - name: storageCapacity
 type:
 scalar: boolean
@@ -15430,6 +15433,9 @@ var schemaYAML = typed.YAMLObject(`types:
 - name: seLinuxMount
 type:
 scalar: boolean
+ - name: serviceAccountTokenInSecrets
+ type:
+ scalar: boolean
 - name: storageCapacity
 type:
 scalar: boolean
diff --git a/applyconfigurations/storage/v1/csidriverspec.go b/applyconfigurations/storage/v1/csidriverspec.go
index b365949a7..653329ece 100644
--- a/applyconfigurations/storage/v1/csidriverspec.go
+++ b/applyconfigurations/storage/v1/csidriverspec.go
@@ -158,6 +158,26 @@ type CSIDriverSpecApplyConfiguration struct {
 //
 // This field is mutable.
 NodeAllocatableUpdatePeriodSeconds *int64 `json:"nodeAllocatableUpdatePeriodSeconds,omitempty"`
+ // serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that
+ // service account tokens should be passed via the Secrets field in NodePublishVolumeRequest
+ // instead of the VolumeContext field. The CSI specification provides a dedicated Secrets
+ // field for sensitive information like tokens, which is the appropriate mechanism for
+ // handling credentials. This addresses security concerns where sensitive tokens were being
+ // logged as part of volume context.
+ //
+ // When "true", kubelet will pass the tokens only in the Secrets field with the key
+ // "csi.storage.k8s.io/serviceAccount.tokens". The CSI driver must be updated to read
+ // tokens from the Secrets field instead of VolumeContext.
+ //
+ // When "false" or not set, kubelet will pass the tokens in VolumeContext with the key
+ // "csi.storage.k8s.io/serviceAccount.tokens" (existing behavior). This maintains backward
+ // compatibility with existing CSI drivers.
+ //
+ // This field can only be set when TokenRequests is configured. The API server will reject
+ // CSIDriver specs that set this field without TokenRequests.
+ //
+ // Default behavior if unset is to pass tokens in the VolumeContext field.
+ ServiceAccountTokenInSecrets *bool `json:"serviceAccountTokenInSecrets,omitempty"`
 }
 
 // CSIDriverSpecApplyConfiguration constructs a declarative configuration of the CSIDriverSpec type for use with
@@ -244,3 +264,11 @@ func (b *CSIDriverSpecApplyConfiguration) WithNodeAllocatableUpdatePeriodSeconds
 b.NodeAllocatableUpdatePeriodSeconds = &value
 return b
 }
+
+// WithServiceAccountTokenInSecrets sets the ServiceAccountTokenInSecrets field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ServiceAccountTokenInSecrets field is set to the value of the last call.
+func (b *CSIDriverSpecApplyConfiguration) WithServiceAccountTokenInSecrets(value bool) *CSIDriverSpecApplyConfiguration {
+ b.ServiceAccountTokenInSecrets = &value
+ return b
+}
diff --git a/applyconfigurations/storage/v1beta1/csidriverspec.go b/applyconfigurations/storage/v1beta1/csidriverspec.go
index 69c994ace..323065d2a 100644
--- a/applyconfigurations/storage/v1beta1/csidriverspec.go
+++ b/applyconfigurations/storage/v1beta1/csidriverspec.go
@@ -158,6 +158,26 @@ type CSIDriverSpecApplyConfiguration struct {
 //
 // This field is mutable.
 NodeAllocatableUpdatePeriodSeconds *int64 `json:"nodeAllocatableUpdatePeriodSeconds,omitempty"`
+ // serviceAccountTokenInSecrets is an opt-in for CSI drivers to indicate that
+ // service account tokens should be passed via the Secrets field in NodePublishVolumeRequest
+ // instead of the VolumeContext field. The CSI specification provides a dedicated Secrets
+ // field for sensitive information like tokens, which is the appropriate mechanism for
+ // handling credentials. This addresses security concerns where sensitive tokens were being
+ // logged as part of volume context.
+ //
+ // When "true", kubelet will pass the tokens only in the Secrets field with the key
+ // "csi.storage.k8s.io/serviceAccount.tokens". The CSI driver must be updated to read
+ // tokens from the Secrets field instead of VolumeContext.
+ //
+ // When "false" or not set, kubelet will pass the tokens in VolumeContext with the key
+ // "csi.storage.k8s.io/serviceAccount.tokens" (existing behavior). This maintains backward
+ // compatibility with existing CSI drivers.
+ //
+ // This field can only be set when TokenRequests is configured. The API server will reject
+ // CSIDriver specs that set this field without TokenRequests.
+ //
+ // Default behavior if unset is to pass tokens in the VolumeContext field.
+ ServiceAccountTokenInSecrets *bool `json:"serviceAccountTokenInSecrets,omitempty"`
 }
 
 // CSIDriverSpecApplyConfiguration constructs a declarative configuration of the CSIDriverSpec type for use with
@@ -244,3 +264,11 @@ func (b *CSIDriverSpecApplyConfiguration) WithNodeAllocatableUpdatePeriodSeconds
 b.NodeAllocatableUpdatePeriodSeconds = &value
 return b
 }
+
+// WithServiceAccountTokenInSecrets sets the ServiceAccountTokenInSecrets field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ServiceAccountTokenInSecrets field is set to the value of the last call.
+func (b *CSIDriverSpecApplyConfiguration) WithServiceAccountTokenInSecrets(value bool) *CSIDriverSpecApplyConfiguration {
+ b.ServiceAccountTokenInSecrets = &value
+ return b
+}