stackrox · porridge · Jun 9, 2026 · Jun 9, 2026 · Jun 10, 2026 · Jun 10, 2026
diff --git a/README.md b/README.md
@@ -51,10 +51,12 @@ It also optionally collects each pull attempt's duration and result.
    - `--collect-metrics`: if the image pull metrics should be collected.
    - `--use-kubelet-image-credential-integration=MODE`: enables kubelet [credential provider](https://kubernetes.io/blog/2022/12/22/kubelet-credential-providers/) plugin integration.
      Plugin credentials fetched dynamically and tried for the images configured in the `CredentialProviderConfig` before pull secrets.
-     Currently only supports mode `GKE`, which uses `/etc/srv/kubernetes/cri_auth_config.yaml` and `/home/kubernetes/bin` mounted from the host.
-
      Note that in this case, the tool uses distro-based prefetcher images, to provide the dynamic
      linker and shared libraries that a credential plugin binary might need.
+     Currently supported modes are:
+       - `GKE`, which uses `/etc/srv/kubernetes/cri_auth_config.yaml` and `/home/kubernetes/bin` mounted from the host.
+       - `OCP-GCR`, `OCP-ECR`, `OCP-ACR`, for OCP on GCP, AWS, and Azure respectively.
+         These use the corresponding credential provider config from `/etc/kubernetes/credential-providers/` and binaries from `/usr/libexec/kubelet-image-credential-provider-plugins` mounted from the host.
 
    Example:
 

diff --git a/deploy/deployment.yaml.gotpl b/deploy/deployment.yaml.gotpl
@@ -129,6 +129,7 @@ metadata:
     ignore-check.kube-linter.io/privilege-escalation-container: "Needs access to CRI socket."
     ignore-check.kube-linter.io/privileged-container: "Needs access to CRI socket."
     ignore-check.kube-linter.io/run-as-non-root: "Needs access to CRI socket."
+    ignore-check.kube-linter.io/host-network: "Credential provider plugins may need host network access."
 spec:
   selector:
     matchLabels:
@@ -142,6 +143,9 @@ spec:
         openshift.io/required-scc: privileged
       {{ end }}
     spec:
+      {{ if .UseKubeletImageCredentialIntegration }}
+      hostNetwork: true
+      {{ end }}
       serviceAccountName: {{ .Name }}
       tolerations:
       # Broad toleration to match stackrox collector.
@@ -167,6 +171,18 @@ spec:
         - "--image-credential-provider-config=/tmp/credential-provider/cri_auth_config.yaml"
         - "--image-credential-provider-bin-dir=/tmp/credential-provider-bin"
         {{ end }}
+        {{ if eq .UseKubeletImageCredentialIntegration "OCP-GCR" }}
+        - "--image-credential-provider-config=/tmp/credential-provider/gcr-credential-provider.yaml"
+        - "--image-credential-provider-bin-dir=/tmp/credential-provider-bin"
+        {{ end }}
+        {{ if eq .UseKubeletImageCredentialIntegration "OCP-ECR" }}
+        - "--image-credential-provider-config=/tmp/credential-provider/ecr-credential-provider.yaml"
+        - "--image-credential-provider-bin-dir=/tmp/credential-provider-bin"
+        {{ end }}
+        {{ if eq .UseKubeletImageCredentialIntegration "OCP-ACR" }}
+        - "--image-credential-provider-config=/tmp/credential-provider/acr-credential-provider.yaml"
+        - "--image-credential-provider-bin-dir=/tmp/credential-provider-bin"
+        {{ end }}
         env:
         - name: NODE_NAME
           valueFrom:
@@ -193,7 +209,7 @@ spec:
           name: pull-secret
           readOnly: true
         {{ end }}
-        {{ if eq .UseKubeletImageCredentialIntegration "GKE" }}
+        {{ if or (eq .UseKubeletImageCredentialIntegration "GKE") (eq .UseKubeletImageCredentialIntegration "OCP-GCR") (eq .UseKubeletImageCredentialIntegration "OCP-ECR") (eq .UseKubeletImageCredentialIntegration "OCP-ACR")}}
         - mountPath: /tmp/credential-provider
           name: credential-provider-config
           readOnly: true
@@ -247,3 +263,13 @@ spec:
           path: /home/kubernetes/bin
           type: Directory
       {{ end }}
+      {{ if or (eq .UseKubeletImageCredentialIntegration "OCP-GCR") (eq .UseKubeletImageCredentialIntegration "OCP-ECR") (eq .UseKubeletImageCredentialIntegration "OCP-ACR") }}
+      - name: credential-provider-config
+        hostPath:
+          path: /etc/kubernetes/credential-providers
+          type: Directory
+      - name: credential-provider-bin
+        hostPath:
+          path: /usr/libexec/kubelet-image-credential-provider-plugins
+          type: Directory
+      {{ end }}
diff --git a/deploy/main.go b/deploy/main.go
@@ -50,7 +50,7 @@ func init() {
 	flag.TextVar(&k8sFlavor, "k8s-flavor", flavor(vanillaFlavor), fmt.Sprintf("Kubernetes flavor. Accepted values: %s", strings.Join(allFlavors, ",")))
 	flag.StringVar(&secret, "secret", "", "Kubernetes image pull Secret to use when pulling.")
 	flag.BoolVar(&collectMetrics, "collect-metrics", false, "Whether to collect and expose image pull metrics.")
-	flag.StringVar(&useKubeletImageCredentialIntegration, "use-kubelet-image-credential-integration", "", "Enable kubelet image credential provider plugin integration. Accepted values: GKE")
+	flag.StringVar(&useKubeletImageCredentialIntegration, "use-kubelet-image-credential-integration", "", "Enable kubelet image credential provider plugin integration. Accepted values: GKE, OCP-GCR, OCP-ECR, OCP-ACR.")
 }
 
 // processVersion processes the version string and returns the appropriate format.