Kubernetes 1.20: Pod Impersonation and Short-lived Volumes in CSI Drivers

Friday, December 18, 2020

Author: Shihang Zhang (Google)

Typically when a

Currently there are two suboptimal approaches to achieve this, either by granting CSI drivers the permission to use TokenRequest API or by reading tokens directly from the host filesystem.

Both of them exhibit the following drawbacks:

Violating the principle of least privilege
Every CSI driver needs to re-implement the logic of getting the pod’s service account token

The second approach is more problematic due to:

The audience of the token defaults to the kube-apiserver

The token is not guaranteed to be available (e.g. AutomountServiceAccountToken=false)

The approach does not work for CSI drivers that run as a different (non-root) user from the pods. See

The token might be legacy Kubernetes service account token which doesn’t expire if BoundServiceAccountTokenVolume=false

Kubernetes 1.20 introduces an alpha feature, CSIServiceAccountToken, to improve the security posture. The new feature allows CSI drivers to receive pods' .

This feature also provides a knob to re-publish volumes so that short-lived volumes can be refreshed.

Pod Impersonation

Using GCP APIs

Using NodePublishVolume RPC calls when the feature CSIServiceAccountToken is enabled. For example: accessing .

To keep short-lived volumes such as certificates effective, CSI drivers can specify RequiresRepublish=true in theirCSIDriver object to have the kubelet periodically call NodePublishVolume on mounted volumes. These republishes allow CSI drivers to ensure that the volume content is up-to-date.

Next steps

This feature is alpha and projected to move to beta in 1.21. See more in the following KEP and CSI documentation:

Your feedback is always welcome!

SIG-Auth

SIG-Storage .

←Previous

Kubernetes Blog

Kubernetes 1.20: Pod Impersonation and Short-lived Volumes in CSI Drivers

Pod Impersonation

Using GCP APIs

Using Vault

Short-lived Volumes

Next steps