secrets store csi driver should NOT have serviceaccounts/token create permission when tokenRequests feature is enabled. #1976
Description
What steps did you take and what happened:
When the CSI driver's tokenRequests feature is enabled, you should not grant serviceaccounts/token creation permissions to the secrets-store-csi-driver. This is because the feature delegates token provisioning to the kubelet, which was the primary motivation behind the CSI Service Account Token enhancement.
What did you expect to happen:
No serviceaccounts/token create permission is granted so this binding should be removed and the README file needs to be updated.
Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]
Which provider are you using:
[e.g. Azure Key Vault, HashiCorp Vault, etc. Have you checked out the provider's repo for more help?]
This is a bug in secrets store csi driver. Not tied to specific provider.
Environment:
- Secrets Store CSI Driver version: (use the image tag):
- Kubernetes version: (use kubectl version):
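
One way to check a role for the permission this issue describes, as an added example that is not part of the original issue or the project's code: it scans the JSON form of a ClusterRole for any rule that allows create on serviceaccounts/token, including the wildcard forms RBAC accepts. The role name and rules in the sample are constructed placeholders, not the driver's real manifest.

```python
import json

# Constructed sample: the shape of `kubectl get clusterrole <name> -o json`.
# The role name and rules are placeholders, not the driver's real manifest.
SAMPLE_CLUSTERROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-csi-driver-role"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["serviceaccounts/token"], "verbs": ["create"]}
  ]
}
""")


def rule_grants_token_create(rule):
    """Return True if one RBAC PolicyRule allows create on serviceaccounts/token."""
    groups = rule.get("apiGroups") or []
    verbs = rule.get("verbs") or []
    resources = rule.get("resources") or []
    # serviceaccounts live in the core API group, written as "".
    if "" not in groups and "*" not in groups:
        return False
    if "create" not in verbs and "*" not in verbs:
        return False
    # RBAC matches "*", the exact "resource/subresource", or "*/subresource".
    wanted = {"*", "serviceaccounts/token", "*/token"}
    return any(r in wanted for r in resources)


def find_token_create_rules(role):
    """Return (rule_index, resourceNames) for every rule granting the permission."""
    findings = []
    for i, rule in enumerate(role.get("rules") or []):
        if rule_grants_token_create(rule):
            # A non-empty resourceNames list narrows the grant to those service accounts.
            findings.append((i, rule.get("resourceNames") or []))
    return findings


if __name__ == "__main__":
    for idx, names in find_token_create_rules(SAMPLE_CLUSTERROLE):
        scope = ", ".join(names) if names else "all service accounts"
        print(f"rule {idx}: create on serviceaccounts/token ({scope})")
```

An empty result for the role bound to the driver's service account means the role does not grant the permission; Role objects use the same rule shape and can be checked the same way.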