diff --git a/pkg/kubelet/token/token_manager.go b/pkg/kubelet/token/token_manager.go
index 72c067f74ac..49f58fae564 100644
--- a/pkg/kubelet/token/token_manager.go
+++ b/pkg/kubelet/token/token_manager.go
@@ -168,7 +168,9 @@ func (m *Manager) expired(t *authenticationv1.TokenRequest) bool {
 // ttl, or if the token is older than 24 hours.
 func (m *Manager) requiresRefresh(tr *authenticationv1.TokenRequest) bool {
 	if tr.Spec.ExpirationSeconds == nil {
-		klog.Errorf("expiration seconds was nil for tr: %#v", tr)
+		cpy := tr.DeepCopy()
+		cpy.Status.Token = ""
+		klog.Errorf("expiration seconds was nil for tr: %#v", cpy)
 		return false
 	}
 	now := m.clock.Now()
diff --git a/pkg/kubelet/token/token_manager_test.go b/pkg/kubelet/token/token_manager_test.go
index 3bf7724cd9a..a92ed4412c9 100644
--- a/pkg/kubelet/token/token_manager_test.go
+++ b/pkg/kubelet/token/token_manager_test.go
@@ -130,6 +130,7 @@ func TestRequiresRefresh(t *testing.T) {
 	cases := []struct {
 		now, exp      time.Time
 		expectRefresh bool
+		requestTweaks func(*authenticationv1.TokenRequest)
 	}{
 		{
 			now:           start.Add(10 * time.Minute),
@@ -151,6 +152,15 @@ func TestRequiresRefresh(t *testing.T) {
 			exp:           start.Add(60 * time.Minute),
 			expectRefresh: true,
 		},
+		{
+			// expiry will be overwritten by the tweak below.
+			now:           start.Add(0 * time.Minute),
+			exp:           start.Add(60 * time.Minute),
+			expectRefresh: false,
+			requestTweaks: func(tr *authenticationv1.TokenRequest) {
+				tr.Spec.ExpirationSeconds = nil
+			},
+		},
 	}
 
 	for i, c := range cases {
@@ -165,6 +175,11 @@ func TestRequiresRefresh(t *testing.T) {
 					ExpirationTimestamp: metav1.Time{Time: c.exp},
 				},
 			}
+
+			if c.requestTweaks != nil {
+				c.requestTweaks(tr)
+			}
+
 			mgr := NewManager(nil)
 			mgr.clock = clock