Pod Level Identity Support For JFrog Artifactory on GCP

[oumkale]

Pod Level Identity Support For JFrog Artifactory on GCP:

Traditionally, Kubernetes kubelet used a single "Node-level" identity to pull images. KEP-4412 enables a move to Pod-level identity, where the Kubelet uses a Pod's own ServiceAccount token to authorize image pulls.

For teams running JFrog Artifactory on Google Cloud (GCP), this configuration allows the JFrog Credential Provider to leverage GKE Workload Identity. The Kubelet generates a token for the Pod's identity, which the JFrog plugin then uses to authenticate with Artifactory, ensuring that image pull permissions are tied directly to the specific workload.

[ WORKLOAD POD ]
       | (Uses KSA)
       v
[   KUBELET    ] <--- Requests JWT for Audience: identityconfig.googleapis.com ---> [ K8s API SERVER ]
       |
       | (Executes Plugin with JWT)
       v
[ JFROG PLUGIN ] <--- Exchanges K8s JWT for Access Token ---------------> [ GCP STS / IAM ]
       |
       | (Requests Registry Credentials)
       v
[ ARTIFACTORY  ] <--- Validates Identity and provides Pull Token
       |
       | (Returns Credentials to Kubelet)
       v
[   KUBELET    ] <--- Performs Docker Pull -----------------------------> [ ARTIFACTORY ]