This project is currently in its beta phase, meaning it's still under active development. We strongly recommend thorough testing in non-production environments before deployment to any production system.
A Kubernetes kubelet credential provider for Amazon EKS and Azure AKS that enables seamless authentication with JFrog Artifactory for container image pulls, eliminating the need for manual image pull secret management.
Coming Soon: Google Cloud GKE support is currently in development.
The JFrog Kubelet Credential Provider leverages the native Kubernetes kubelet Credential Provider feature to dynamically retrieve credentials for pulling container images from JFrog Artifactory. This approach provides several key benefits:
- No Image Pull Secrets: Eliminates the need to create and manage Kubernetes secrets
- Enhanced Security: Credentials are retrieved dynamically rather than stored in etcd
- Simplified Operations: Reduces operational overhead for credential rotation and management
- Native Integration: Uses built-in Kubernetes capabilities for credential management
How an image pull works with the provider:
- A pod is created with an image stored in JFrog Artifactory
- Kubelet identifies that the image URL matches the pattern configured for the JFrog Kubelet Credential Provider
- Kubelet invokes the JFrog Kubelet Credential Provider binary
- The provider authenticates with the cloud provider (AWS IAM roles/OIDC or Azure managed identities) and exchanges credentials with Artifactory
- Valid registry credentials are returned to kubelet for the image pull
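The kubelet-to-provider exchange in the flow above, as an added Go example (not the JFrog provider's own code). The JSON field names follow the kubelet credential provider API (`credentialprovider.kubelet.k8s.io/v1`); `handle`, the `exchange` callback standing in for the cloud-identity-to-Artifactory token exchange, the host name and the credentials are hypothetical and constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Wire types from the kubelet credential provider API.
type Request struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Image      string `json:"image"`
}
type AuthConfig struct {
	Username string `json:"username"`
	Password string `json:"password"`
}
type Response struct {
	APIVersion    string                `json:"apiVersion"`
	Kind          string                `json:"kind"`
	CacheKeyType  string                `json:"cacheKeyType"`
	CacheDuration string                `json:"cacheDuration"`
	Auth          map[string]AuthConfig `json:"auth"`
}

// handle is the provider's side: request JSON from stdin in, response JSON for stdout out (exchange is hypothetical).
func handle(stdin []byte, exchange func(host string) (AuthConfig, error)) ([]byte, error) {
	var req Request
	if err := json.Unmarshal(stdin, &req); err != nil {
		return nil, fmt.Errorf("bad request: %w", err)
	}
	if req.Kind != "CredentialProviderRequest" || req.Image == "" {
		return nil, fmt.Errorf("unexpected kind %q or empty image", req.Kind)
	}
	host := strings.SplitN(req.Image, "/", 2)[0] // credentials are keyed to the registry host only
	cred, err := exchange(host)
	if err != nil {
		return nil, err // nothing on stdout: kubelet receives no credentials
	}
	return json.Marshal(Response{APIVersion: req.APIVersion, Kind: "CredentialProviderResponse",
		CacheKeyType: "Registry", CacheDuration: "5m0s", Auth: map[string]AuthConfig{host: cred}}) // short cache: kubelet asks again after expiry
}

func main() {
	in := []byte(`{"apiVersion":"credentialprovider.kubelet.k8s.io/v1","kind":"CredentialProviderRequest","image":"example.jfrog.io/docker-local/app:1.0"}`) // constructed request
	out, err := handle(in, func(string) (AuthConfig, error) { return AuthConfig{Username: "constructed-user", Password: "constructed-token"}, nil })
	fmt.Println(string(out), err)
}
```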
The easiest way to deploy the JFrog Kubelet Credential Provider is using our Terraform module:
cd terraform-module
# Copy and customize one of the example configurations
cp examples/terraform.assume_role.tfvars terraform.tfvars
# Edit terraform.tfvars for your environment
terraform init
terraform plan
terraform apply
The JFrog Kubelet Credential Provider supports three deployment methods:
- EKS Node Groups - Creates new node groups with the provider pre-installed
- DaemonSet - Installs the provider on existing EKS clusters
- Launch Template Generation - Generates AWS CLI commands for custom deployments
See the terraform-module directory for detailed deployment instructions and examples.
- AWS IAM Role Assumption: Uses EC2 instance IAM roles for authentication
- AWS Cognito OIDC: Uses OIDC tokens from AWS Cognito for authentication
Note: For AWS, you must select either IAM Role Assumption OR Cognito OIDC as your authentication method. They cannot be used simultaneously in the same deployment.
- Azure Managed Identity OIDC: Uses Azure managed identities with OIDC for authentication
- Amazon EKS cluster or Azure AKS cluster
- JFrog Artifactory instance
- Based on your chosen cloud provider and authentication method:
  - For AWS IAM Role Assumption: IAM role mapped to a JFrog Artifactory user
  - For AWS Cognito OIDC: OIDC provider and identity mappings
  - For Azure Managed Identity: Azure AD application for OIDC and kubelet Identity. For more information, see terraform-module
Plugin logs are available in your kubelet VM at:
tail -f /var/log/jfrog-credential-provider.log
For detailed debugging instructions, see the debug doc file.