From k8s 1.33 (Behind a FG), the kubelet can be configured to send a service account token bound to the pod for which the image pull is being performed to the credential provider plugin.

Using service account token credentials can enable the following use-cases:

• Avoid needing a kubelet/node-based identity to pull images from a registry.
• Allow workloads to pull images based on their own runtime identity without long-lived/persisted secrets.

The first of which the installer team expressed interest in doing when we originally shipped credential providers. 

(It may allow us to use a credentialsrequest rather than node based idenity for authentication).

More reading: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/#service-account-token-for-image-pulls

https://kubernetes.io/docs/reference/config-api/kubelet-credentialprovider.v1/

I think we need to understand if upstream supports this currently (e.g does. the gcp/aws/azure providers have an understanding of the new api) and come up with a plan for updating our implementation once the new features GA.

Definition of Done: A document that contains the research on what has to be done. And to explain whether this is required work, optional and the potential options we have here.