Kubelet Credential Provider
Detailed steps to setup out-of-tree Kubelet Credential Provider.
Note: The Kubelet credential provider feature is still in alpha and shouldn’t be used in production environments. Please use
--azure-container-registry-config=/etc/kubernetes/cloud-config/azure.jsonif you need pulling images from ACR in production.
As part of Out-of-Tree Credential Providers, the kubelet builtin image pulling from ACR (which could be enabled by setting kubelet --azure-container-registry-config=<config-file>) would be moved out-of-tree credential plugin acr-credential-provider. Please refer the original KEP for details.
In order to switch the kubelet credential provider to out-of-tree, you’ll have to
- Remove
--azure-container-registry-configfrom kubelet configuration options. - Add
--feature-gates=KubeletCredentialProviders=trueto kubelet configuration options. - Create directory
/var/lib/kubelet/credential-provider, download ‘acr-credential-provider’ binary to this directory and add--image-credential-provider-bin-dir=/var/lib/kubelet/credential-providerto kubelet configuration options. - Create the following credential-provider-config.yaml file and add
--image-credential-provider-config=/var/lib/kubelet/credential-provider-config.yamlto kubelet configuration options.
# cat /var/lib/kubelet/credential-provider-config.yaml
kind: CredentialProviderConfig
apiVersion: kubelet.config.k8s.io/v1alpha1
providers:
- name: acr-credential-provider
apiVersion: credentialprovider.kubelet.k8s.io/v1alpha1
defaultCacheDuration: 10m
matchImages:
- "*.azurecr.io"
- "*.azurecr.cn"
- "*.azurecr.de"
- "*.azurecr.us"
- "*.azurecr.*" # Only required for custom Azure cloud.
args:
- /etc/kubernetes/cloud-config/azure.json
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.
Last modified
June 21, 2022
: chore(docs): Fix a link to KEP (2f66a6d6a)