Setup the cluster to use

export FEATURE_GATES=KubeletServiceAccountTokenForCredentialProviders=true
export KUBELET_FLAGS='--image-credential-provider-bin-dir=/path/to/provider/dir --image-credential-provider-config=/path/to/credential-provider-config.yml'

Start Kubernetes, and apply the demo files

kubectl apply -f required-rbac.yml example-secret.yml pod.yml

Verify that everything works by the logs:

cat logs

Thu Aug 28 02:40:49 PM CEST 2025: Request: {
  "kind": "CredentialProviderRequest",
  "apiVersion": "credentialprovider.kubelet.k8s.io/v1",
  "image": "docker.io/library/nginx",
  "serviceAccountToken": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFhSFBaWXYxaVBrM3Bad3VzTzE0eUx5VlpiS0NvY0szUFpyRmJpcTlJTzgifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjIl0sImV4cCI6MTc1NjM4ODQ0OSwiaWF0IjoxNzU2Mzg0ODQ5LCJpc3MiOiJodHRwczovL2t1YmVybmV0ZXMuZGVmYXVsdC5zdmMiLCJqdGkiOiJlYzRlMjhhMC1lMmE0LTRlMzctOTE4OC00MTdkZWY2MWMxOGMiLCJrdWJlcm5ldGVzLmlvIjp7Im5hbWVzcGFjZSI6ImRlZmF1bHQiLCJub2RlIjp7Im5hbWUiOiIxMjcuMC4wLjEiLCJ1aWQiOiJjNDEzZWQwZC1lMGI2LTRhMmQtODMxMy0xOTc0M2M3NzRiMTEifSwicG9kIjp7Im5hbWUiOiJ0ZXN0LXBvZCIsInVpZCI6ImFjMjU2NThkLTY3NzYtNDUyNC05ODE2LWRlNjk4Njk1ZGYxZSJ9LCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoiZGVmYXVsdCIsInVpZCI6IjY2ZGIzYTc5LTFkYTEtNDQ1Mi05ZDhjLWQ4NzNhYmUxMjY1ZCJ9fSwibmJmIjoxNzU2Mzg0ODQ5LCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWZhdWx0In0.LsYqWXd5opcbqc4nDWbuiEN24f1hNs8UpLRHTpGJg54Y9NM_LlMTXKt9-_EQbQ36lF6pNOt05sRBFXTmD7OV9sfqGH7cHbM0COGxx1z8KMoUWYtHo6UmrsOvaVQ0d-telMLAMW0JGKmzqAZZgbB9WK_4toVWGGTn91yYPcDJ5l7L6vUXuQkKFz50tRrXHABnFALnYuAWHtjd-Xg6r2dUEVyjmooFL5DFFmUmibY0REBhKaD6xvXOtmeJ1J-p1qbjWEuoBD9ZFzwLfnmb9qn2FG0ovgWvQb1BrU38IZ5oH0dxynIESEaln8K6aPjiRAnTvmHUqRC_0ydXq-5aYvoZew"
}
Thu Aug 28 02:40:49 PM CEST 2025: Using Service Account "default" from namespace "default"
Thu Aug 28 02:40:49 PM CEST 2025: Secret: {
  "kind": "Secret",
  "apiVersion": "v1",
  "metadata": {
    "name": "my-secret",
    "namespace": "default",
    "uid": "fffc1832-7cce-453d-92dd-cc9163407f98",
    "resourceVersion": "353",
    "creationTimestamp": "2025-08-28T12:40:32Z",
    "annotations": {
      "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"data\":{\"key\":\"c3VwZXJzZWNyZXQ=\"},\"kind\":\"Secret\",\"metadata\":{\"annotations\":{},\"name\":\"my-secret\",\"namespace\":\"default\"}}\n"
    },
    "managedFields": [
      {
        "manager": "kubectl-client-side-apply",
        "operation": "Update",
        "apiVersion": "v1",
        "time": "2025-08-28T12:40:32Z",
        "fieldsType": "FieldsV1",
        "fieldsV1": {
          "f:data": {
            ".": {},
            "f:key": {}
          },
          "f:metadata": {
            "f:annotations": {
              ".": {},
              "f:kubectl.kubernetes.io/last-applied-configuration": {}
            }
          },
          "f:type": {}
        }
      }
    ]
  },
  "data": {
    "key": "c3VwZXJzZWNyZXQ="
  },
  "type": "Opaque"
}
Thu Aug 28 02:40:49 PM CEST 2025: Response: {
  "kind": "CredentialProviderResponse",
  "apiVersion": "credentialprovider.kubelet.k8s.io/v1",
  "cacheKeyType": "Registry",
  "cacheDuration": "0h5m0s",
  "auth": {
    "docker.io/library/nginx": {
      "username": "",
      "password": ""
    }
  }
}