Scenario #306
Storage
Kubernetes v1.25, Vault CSI Provider

CSI Volume Plugin Crash Loops Due to Secret Rotation

The volume plugin entered a crash loop after the secret provider’s token was rotated unexpectedly.

What Happened

A service account used by the Vault CSI plugin had its token rotated mid-operation. The plugin couldn’t fetch new credentials and crashed.

Diagnosis Steps
  1. CrashLoopBackOff on csi-vault-provider pods.
  2. Logs showed "401 Unauthorized" from Vault.
  3. Verified service account token changed recently.
Root Cause

The plugin had no logic to handle a token change or to re-authenticate.

Fix/Workaround
• Restarted the CSI plugin pods.
• Upgraded plugin to a version with token refresh logic.
Lessons Learned

CSI providers must gracefully handle credential rotations.

How to Avoid
  1. Use projected service account tokens with auto-refresh.
  2. Monitor plugin health on secret rotations.
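
An added example (not code from the Vault CSI provider or from this page) of the re-authentication behaviour the root cause says was missing: the client re-reads the service account token file and logs in again when Vault answers 401, instead of failing on a cached credential. `RotationAwareClient`, `Unauthorized`, the `login`/`read` callables and `FakeVault` are hypothetical names, and `FakeVault` is a constructed in-memory stand-in for Vault.

```python
class Unauthorized(Exception):
    """Stands in for a "401 Unauthorized" reply from Vault (hypothetical name)."""


class RotationAwareClient:
    """Caches the Vault token, never the service account JWT.

    login(jwt) -> vault_token and read(vault_token, path) -> value are
    hypothetical seams for the real Vault auth and read calls.
    """

    def __init__(self, jwt_path, login, read):
        self.jwt_path = jwt_path  # projected token file, rewritten by the kubelet
        self._login, self._read = login, read
        self._vault_token = None

    def _reauth(self):
        # Re-read from disk every time so a rotated token is picked up.
        with open(self.jwt_path) as f:
            self._vault_token = self._login(f.read().strip())

    def get_secret(self, path):
        for _ in range(2):  # one retry after re-authenticating
            if self._vault_token is None:
                self._reauth()
            try:
                return self._read(self._vault_token, path)
            except Unauthorized:
                self._vault_token = None  # stale: log in again from the file
        raise Unauthorized(path)


class FakeVault:
    """Constructed in-memory stand-in: accepts only the JWT in valid_jwt."""

    def __init__(self, valid_jwt):
        self.valid_jwt = valid_jwt
        self.logins = 0

    def login(self, jwt):
        if jwt != self.valid_jwt:
            raise Unauthorized("login")
        self.logins += 1
        return "vault-token-for-" + jwt

    def read(self, vault_token, path):
        if vault_token != "vault-token-for-" + self.valid_jwt:
            raise Unauthorized(path)
        return "value-of-" + path
```

A failed login is raised to the caller rather than retried, so a token file that was never refreshed surfaces as an error the plugin can report instead of a retry loop.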