bottlerocket
Kubelet Credential Provider Support
What I'd like: Allow credential-provider settings to be passed into a credential helper. In this case I would like to use IAM Roles Anywhere with ecr-credential-provider. For this particular case it would require an API setting:
settings.eks.ecr-credential-provider-iam-roles-anywhere
enabled = true
profile-arn = "..."
role-arn = "..."
trust-anchor-arn = "..."
These values would get piped down into a configuration file for kubelet credential provider.
If this setting is enabled the feature gate in #1702 could just be enabled for the kubelet, as those are needed for kubelet-credential-provider.
Thanks for bringing this up, we'll take a look at it.
Previous related discussion: #1702, #1227.
Status update on this work... I think I have most things in place with #2377, but having some trouble validating things.
I've verified with the team that it looks like all the right configuration is in place, but things are not working as expected. The current theory is there is some conflict between our use of the in-tree AWS cloud provider and this newer functionality that may actually need the out-of-tree cloud provider. Still working on trying to validate that assumption.
Since there is still a bit of work to do here, it doesn't look like this will make it into the 1.10.0 release. Retargeting this to 1.11.0 and will update as we find out more.
This support has merged, but I wanted to point out the final implementation is slightly different than what was originally requested in this issue. Please take a look at the current settings in the README file for settings.kubernetes.credential-providers.