Kubelet Credential Provider

Detailed steps to set up the out-of-tree Kubelet Credential Provider.

Note: The Kubelet credential provider feature is still in alpha and shouldn’t be used in production environments. Please use --azure-container-registry-config=/etc/kubernetes/cloud-config/azure.json if you need to pull images from ACR in production.

As part of Out-of-Tree Credential Providers, the kubelet's built-in image pulling from ACR (which could be enabled by setting kubelet --azure-container-registry-config=<config-file>) would be moved to the out-of-tree credential plugin acr-credential-provider. Please refer to the original KEP for details.

In order to switch the kubelet credential provider to out-of-tree, you’ll have to:

  • Remove --azure-container-registry-config from kubelet configuration options.
  • Add --feature-gates=KubeletCredentialProviders=true to kubelet configuration options.
  • Create the directory /var/lib/kubelet/credential-provider, download the ‘acr-credential-provider’ binary to this directory and add --image-credential-provider-bin-dir=/var/lib/kubelet/credential-provider to kubelet configuration options.
  • Create the following credential-provider-config.yaml file and add --image-credential-provider-config=/var/lib/kubelet/credential-provider-config.yaml to kubelet configuration options.
# cat /var/lib/kubelet/credential-provider-config.yaml
kind: CredentialProviderConfig
apiVersion: kubelet.config.k8s.io/v1
providers:
- name: acr-credential-provider
  apiVersion: credentialprovider.kubelet.k8s.io/v1
  defaultCacheDuration: 10m
  matchImages:
  - "*.azurecr.io"
  - "*.azurecr.cn"
  - "*.azurecr.de"
  - "*.azurecr.us"
  args:
  - /etc/kubernetes/azure.json
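
A preflight check for the four steps above, as an added example that is not part of the original documentation or the project's own tooling. The function names flag_value and check_credential_provider are hypothetical, and the script assumes kubelet options are written in --flag=value form.

```shell
#!/bin/sh
# Added example (not from the original page): preflight check for the four steps.

# Print the value of "--flag=value" from a kubelet argument string (empty if absent).
flag_value() {  # $1 = flag name, $2 = kubelet arguments
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s|^$1=||p" | head -n 1
}

# Return 0 if the arguments and the files on disk match the steps, 1 otherwise.
check_credential_provider() {
    args=$1
    rc=0
    # Step 1: the in-tree ACR flag must be removed.
    case " $args" in
        *" --azure-container-registry-config"*)
            echo "FAIL: --azure-container-registry-config is still set"; rc=1 ;;
    esac
    # Step 2: the feature gate must be enabled.
    case "$(flag_value --feature-gates "$args")" in
        *KubeletCredentialProviders=true*) ;;
        *) echo "FAIL: KubeletCredentialProviders=true not in --feature-gates"; rc=1 ;;
    esac
    # Step 3: the plugin must be an executable file in the bin dir. The kubelet
    # executes it, so flag a copy that group or others can overwrite.
    plugin="$(flag_value --image-credential-provider-bin-dir "$args")/acr-credential-provider"
    if [ ! -f "$plugin" ] || [ ! -x "$plugin" ]; then
        echo "FAIL: $plugin is missing or not executable"; rc=1
    elif [ -n "$(find "$plugin" \( -perm -0020 -o -perm -0002 \))" ]; then
        echo "FAIL: $plugin is group- or world-writable"; rc=1
    fi
    # Step 4: the config must exist and name the provider after the binary.
    config=$(flag_value --image-credential-provider-config "$args")
    if [ -z "$config" ] || [ ! -f "$config" ]; then
        echo "FAIL: --image-credential-provider-config is unset or file missing"; rc=1
    elif ! grep -Eq '^[[:space:]]*- name: acr-credential-provider[[:space:]]*$' "$config"; then
        echo "FAIL: $config has no provider named acr-credential-provider"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: credential provider setup is consistent"; fi
    return "$rc"
}

# Stand-alone use: pass the kubelet arguments to the script.
if [ "$#" -gt 0 ]; then check_credential_provider "$*"; fi
```

Run it on the node with the kubelet's configured options as arguments; every FAIL line names the step that still needs attention.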

Last modified June 16, 2023: init documentation branch (6258fe0f8)