Saved February 14, 2026
Do you care about this?
Kubernetes v1.35 introduces a beta feature that lets a CSI driver opt in to receiving service account tokens in the secrets field of the CSI request, the field the CSI specification reserves for sensitive data, instead of in the volume context. The goal is to stop tokens from leaking into driver logs and to make token handling consistent across drivers. CSI driver authors are encouraged to adopt it, keeping backward compatibility in mind.
If you do, here's more
Kubernetes v1.35 changes how CSI drivers receive service account tokens. Until now, kubelet passed the tokens requested through a CSIDriver's tokenRequests in the volume_context of the NodePublishVolume call. The CSI specification does not treat volume_context as sensitive, so a driver that logs the request for debugging logs the token along with it. That is exactly what went wrong in CVE-2023-2878 and CVE-2024-3744, where drivers wrote service account tokens to their logs. The new mechanism lets a driver opt in to receiving the tokens in the secrets field of NodePublishVolumeRequest, which the specification designates for sensitive data and which drivers are expected never to log.
The change is opt-in. A driver declares it through a new CSIDriver spec field, serviceAccountTokenInSecrets. It defaults to false, so kubelet keeps passing tokens in the volume_context and existing drivers are unaffected. When it is set to true, kubelet places the tokens in the secrets field and no longer puts them in the volume_context, so a driver that still reads only the volume context will find no token there. Supporting both paths keeps existing drivers working while new and updated implementations move to the secrets field.
To adopt the feature, CSI driver authors are advised to implement fallback logic that looks for the token in the secrets field first and in the volume context second, so one driver binary works with both old and new kubelets. The recommended rollout order is: upgrade kube-apiserver and kubelet, deploy the driver version that contains the fallback logic, and only then set serviceAccountTokenInSecrets: true in the CSIDriver manifest. The order matters because the manifest change moves the token out of the volume_context at once; if it lands while driver pods that read only the volume context are still running, those pods see no token and volume mounts fail. Adopting the feature not only removes the logging risk but also brings token handling in line with how the CSI specification expects sensitive data to be passed.
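The driver-side part of the two preceding paragraphs, the fallback order and a log-safe view of the volume context, as an added example in Go; this is not code from the Kubernetes project or from any CSI driver. It takes plain maps so it runs without the CSI proto package; in a driver you would pass req.GetSecrets() and req.GetVolumeContext() from the NodePublishVolumeRequest. The map key and the JSON shape of its value are the ones kubelet uses for the volume_context today; that the secrets path reuses the same key is an assumption to confirm against your kubelet, and the audience name, sample token and expiry are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TokenKey is the map key kubelet uses for service account tokens in the
// volume_context of NodePublishVolume (CSIDriver.spec.tokenRequests). This
// example assumes the v1.35 secrets path reuses the same key; verify that
// against the kubelet you target before shipping a driver.
const TokenKey = "csi.storage.k8s.io/serviceAccount.tokens"

// tokenEntry mirrors the per-audience value kubelet serialises under TokenKey:
// {"<audience>": {"token": "<jwt>", "expirationTimestamp": "<RFC3339>"}}
type tokenEntry struct {
	Token               string    `json:"token"`
	ExpirationTimestamp time.Time `json:"expirationTimestamp"`
}

// TokenSource reports which request field supplied the token; exposing it as
// a metric shows whether the rollout has reached the secrets path yet.
type TokenSource string

const (
	SourceSecrets       TokenSource = "secrets"
	SourceVolumeContext TokenSource = "volume_context"
)

// ErrNoToken means neither field carried a token (no tokenRequests on the
// CSIDriver, or a kubelet older than the driver expects).
var ErrNoToken = errors.New("no service account token in secrets or volume_context")

// ExtractServiceAccountToken is the recommended fallback order: secrets first,
// volume_context second. If secrets carries the key it is authoritative: with
// serviceAccountTokenInSecrets=true kubelet omits the token from the volume
// context, so a missing audience there is an error, not a reason to fall back.
func ExtractServiceAccountToken(secrets, volumeContext map[string]string, audience string) (string, TokenSource, error) {
	if raw, ok := secrets[TokenKey]; ok {
		tok, err := parseToken(raw, audience)
		if err != nil {
			return "", "", fmt.Errorf("secrets: %w", err)
		}
		return tok, SourceSecrets, nil
	}
	if raw, ok := volumeContext[TokenKey]; ok {
		tok, err := parseToken(raw, audience)
		if err != nil {
			return "", "", fmt.Errorf("volume_context: %w", err)
		}
		return tok, SourceVolumeContext, nil
	}
	return "", "", ErrNoToken
}

// parseToken decodes the audience map and rejects an already expired token so
// the failure surfaces at mount time rather than as a 401 from the backend.
func parseToken(raw, audience string) (string, error) {
	var byAudience map[string]tokenEntry
	if err := json.Unmarshal([]byte(raw), &byAudience); err != nil {
		return "", fmt.Errorf("token value is not the expected JSON: %w", err)
	}
	entry, ok := byAudience[audience]
	if !ok || entry.Token == "" {
		return "", fmt.Errorf("no token for audience %q", audience)
	}
	if !entry.ExpirationTimestamp.IsZero() && time.Now().After(entry.ExpirationTimestamp) {
		return "", fmt.Errorf("token for audience %q expired at %s", audience, entry.ExpirationTimestamp.Format(time.RFC3339))
	}
	return entry.Token, nil
}

// RedactVolumeContext returns a copy of the volume context that is safe to log
// while the driver still accepts tokens from it. Logging the raw map is the
// mistake behind the CVEs above; the secrets map should never be logged at all.
func RedactVolumeContext(volumeContext map[string]string) map[string]string {
	out := make(map[string]string, len(volumeContext))
	for k, v := range volumeContext {
		if k == TokenKey {
			out[k] = "<redacted>"
			continue
		}
		out[k] = v
	}
	return out
}

func main() {
	// Constructed sample: one token for audience "vault" with a far-future expiry.
	raw := `{"vault":{"token":"header.payload.signature","expirationTimestamp":"2099-01-01T00:00:00Z"}}`
	cases := []struct {
		name         string
		secrets, ctx map[string]string
	}{
		{"secrets path (field true)", map[string]string{TokenKey: raw}, map[string]string{"mountPath": "/data"}},
		{"volume_context fallback", map[string]string{}, map[string]string{TokenKey: raw, "mountPath": "/data"}},
		{"no token anywhere", map[string]string{}, map[string]string{}},
	}
	for _, c := range cases {
		tok, src, err := ExtractServiceAccountToken(c.secrets, c.ctx, "vault")
		fmt.Printf("%-28s source=%-14s tokenLen=%d err=%v ctx=%v\n", c.name, src, len(tok), err, RedactVolumeContext(c.ctx))
	}
}
```

A driver that records TokenSource per mount can tell from its own metrics when the last node has moved to the secrets path, which is the point at which the volume_context branch can be removed in a later release.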