Kubelet Credential Provider Configuration Details

# Plugins may use this field to extract additional information required to fetch credentials. # The keys defined in this list must be unique and not overlap with the keys defined in the # requiredServiceAccountAnnotationKeys list. # +optional optionalServiceAccountAnnotationKeys: - "example.com/optional-annotation-key-1" - "example.com/optional-annotation-key-2" ``` The `providers` field is a list of enabled plugins used by the kubelet. Each entry has a few required fields: * `name`: the name of the plugin which MUST match the name of the executable binary that exists in the directory passed into `--image-credential-provider-bin-dir`. * `matchImages`: a list of strings used to match against images in order to determine if this provider should be invoked. More on this below. * `defaultCacheDuration`: the default duration the kubelet will cache credentials in-memory if a cache duration was not specified by the plugin. * `apiVersion`: the API version that the kubelet and the exec plugin will use when communicating. Each credential provider can also be given optional args and environment variables as well. Consult the plugin implementors to determine what set of arguments and environment variables are required for a given plugin. If you are using the KubeletServiceAccountTokenForCredentialProviders feature gate and configuring the plugin to use the service account token by setting the tokenAttributes field, the following fields are required: * `serviceAccountTokenAudience`: the intended audience for the projected service account token. This cannot be the empty string. * `requireServiceAccount`: whether the plugin requires the pod to have a service account. * If set to `true`, kubelet will only invoke the plugin if the pod has a service account. * If set to `false`, kubelet will invoke the plugin even if the pod does not have a service account and will not include a token in the `CredentialProviderRequest`. This is useful for plugins that are used to pull images for pods without service accounts (e.g., static pods). #### Configure image matching The `matchImages` field for each credential provider is used by the kubelet to determine whether a plugin should be invoked for a given image that a Pod is using. Each entry in `matchImages` is an image pattern which can optionally contain a port and a path. Globs can be used in the domain, but not in the port or the path. Globs are supported as subdomains like `*.k8s.io` or `k8s.*.io`, and top-level domains such as `k8s.*`. Matching partial subdomains like `app*.k8s.io` is also supported. Each glob can only match a single subdomain segment, so `*.io` does NOT match `*.k8s.io`. A match exists between an image name and a `matchImage` entry when all of the below are true: * Both contain the same number of domain parts and each part matches. * The URL path of match image must be a prefix of the target image URL path. * If the matchImages contains a port, then the port must match in the image as well. Some example values of `matchImages` patterns are: * `123456789.dkr.ecr.us-east-1.amazonaws.com` * `*.azurecr.io` * `gcr.io` * `*.*.registry.io` * `foo.registry.io:8080/path` ## {{% heading "whatsnext" %}} * Read the details about `CredentialProviderConfig` in the [kubelet configuration API (v1) reference](/docs/reference/config-api/kubelet-config.v1/). * Read the [kubelet credential provider API reference (v1)](/docs/reference/config-api/kubelet-credentialprovider.v1/).

This section elaborates on configuring kubelet credential providers, covering optional arguments, environment variables, and the KubeletServiceAccountTokenForCredentialProviders feature. It details the required fields when using service account tokens, such as `serviceAccountTokenAudience` and `requireServiceAccount`. The section also explains how to configure image matching using the `matchImages` field, outlining the rules for determining if a plugin should be invoked for a given image. It concludes with references to the kubelet configuration and credential provider APIs.