Saved February 14, 2026
Do you care about this?
Kubernetes v1.35 introduces an opt-in feature that lets CSI drivers receive service account tokens through the dedicated secrets field instead of the volume context. The change improves security by preventing accidental logging of sensitive tokens and standardizing how they are handled. Drivers can opt in at their own pace, so backward compatibility is preserved.
If you do, here's more
Kubernetes v1.35 improves how service account tokens are passed to Container Storage Interface (CSI) drivers, addressing security concerns. Previously, tokens were sent through the volume_context field, which was not suitable for sensitive data. This method led to incidents where tokens were inadvertently logged, such as in CVE-2023-2878 and CVE-2024-3744. The update introduces an opt-in feature allowing drivers to receive tokens via the secrets field in NodePublishVolumeRequest, a more secure option.
The new approach requires drivers to implement a fallback mechanism: read the token from the secrets field when it is present, and otherwise from the volume_context field. This keeps existing drivers working while they transition to the updated method. Opting in means setting the serviceAccountTokenInSecrets field to true in the CSIDriver spec; it defaults to false, which preserves the current behavior until explicitly changed. The rollout sequence emphasizes careful timing, so that updating the driver and updating the CSIDriver object do not interfere with ongoing operations.
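The driver-side fallback described above, as an added example in Go (not code from the Kubernetes blog post or from any CSI driver). It assumes the opt-in path places the token map in the secrets field under the same csi.storage.k8s.io/serviceAccount.tokens key that kubelet already uses in volume_context, and it reports which source supplied the tokens so that a driver can log the source and audiences instead of the token values.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ServiceAccountTokensKey is the volume_context key kubelet uses for the
// per-audience token map; this example assumes the opt-in secrets path
// uses the same key.
const ServiceAccountTokensKey = "csi.storage.k8s.io/serviceAccount.tokens"

// TokenInfo mirrors the per-audience JSON object kubelet emits.
type TokenInfo struct {
	Token               string `json:"token"`
	ExpirationTimestamp string `json:"expirationTimestamp"`
}

// ExtractServiceAccountTokens prefers the secrets field (new, opt-in path)
// and falls back to volume_context (legacy path), so a single driver build
// works whether or not serviceAccountTokenInSecrets is set on the CSIDriver.
// The returned source name is safe to log; the token values are not.
func ExtractServiceAccountTokens(secrets, volumeContext map[string]string) (map[string]TokenInfo, string, error) {
	raw, source := secrets[ServiceAccountTokensKey], "secrets"
	if raw == "" {
		raw, source = volumeContext[ServiceAccountTokensKey], "volume_context"
	}
	if raw == "" {
		return nil, "", errors.New("no service account tokens in secrets or volume_context")
	}
	tokens := map[string]TokenInfo{}
	if err := json.Unmarshal([]byte(raw), &tokens); err != nil {
		return nil, "", fmt.Errorf("parsing service account tokens from %s: %w", source, err)
	}
	return tokens, source, nil
}

func main() {
	// Constructed sample request fields; the token value is fake.
	secrets := map[string]string{
		ServiceAccountTokensKey: `{"vault":{"token":"fake-token","expirationTimestamp":"2026-01-01T00:00:00Z"}}`,
	}
	volumeContext := map[string]string{"csi.storage.k8s.io/pod.name": "demo-pod"}
	tokens, source, err := ExtractServiceAccountTokens(secrets, volumeContext)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for audience := range tokens { // log audiences and source only, never the token
		fmt.Printf("got token for audience %q from %s\n", audience, source)
	}
}
```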
Adopting this feature enhances security by reducing the risk of logging sensitive tokens and aligns with the CSI specification's intent for handling sensitive data. The protosanitizer tool will now properly manage the secrets field, eliminating the need for driver-specific workarounds. Kubernetes SIG Storage encourages CSI driver authors to implement this feature and share their experiences to improve the migration process.