Kubernetes v1.33: From Secrets... Note

Kubernetes v1.33: From Secrets to Service Accounts: Kubernetes Image Pulls Evolved

Kubernetes has been evolving to reduce its reliance on long-lived credentials stored in the API, with a notable example being the transition of Kubernetes Service Account tokens from static to ephemeral tokens with OpenID Connect-compliant semantics. However, a major gap remains in image pull authentication, where Kubernetes clusters currently rely on long-lived image pull secrets or node-level kubelet credential providers. This presents security and operational challenges, as image pull secrets are difficult to rotate and compromise can lead to unauthorized image access. To address this, Kubernetes is introducing Service Account Token Integration for Kubelet Credential Providers, which allows credential providers to use pod-specific service account tokens to obtain registry credentials. This enhancement eliminates the need for long-lived image pull secrets and provides workload-specific authentication, ephemeral credentials, and seamless integration with existing Kubernetes authentication mechanisms. The new approach enables kubelet credential providers to use workload identity when fetching image registry credentials, providing benefits such as security, granular access control, and operational simplicity. The feature is currently available in alpha and is expected to ship in beta for Kubernetes v1.34, with further development focusing on implementing caching mechanisms and improving flexibility for credential providers. Users can try out the feature by enabling the ServiceAccountTokenForKubeletCredentialProviders feature gate and modifying their credential provider to use service account tokens for authentication. The Kubernetes community welcomes feedback and encourages users to get involved in the development of this feature through the SIG Auth channel on Kubernetes Slack.