diff --git a/config/v1alpha1/register.go b/config/v1alpha1/register.go
index 4b30ea380b1..c9096249505 100644
--- a/config/v1alpha1/register.go
+++ b/config/v1alpha1/register.go
@@ -40,6 +40,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&ImagePolicyList{},
&ClusterImagePolicy{},
&ClusterImagePolicyList{},
+ &CRIOCredentialProviderConfig{},
+ &CRIOCredentialProviderConfigList{},
)
metav1.AddToGroupVersion(scheme, GroupVersion)
return nil
diff --git a/config/v1alpha1/tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml b/config/v1alpha1/tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml
new file mode 100644
index 00000000000..84e9433b473
--- /dev/null
+++ b/config/v1alpha1/tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml
@@ -0,0 +1,72 @@
+apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
+name: "CRIOCredentialProviderConfig"
+crdName: "criocredentialproviderconfigs.config.openshift.io"
+featureGates:
+ - CRIOCredentialProviderConfig
+tests:
+ onCreate:
+ - name: Should create a valid CRIOCredentialProviderConfig
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: CRIOCredentialProviderConfig
+ metadata:
+ name: cluster
+ spec:
+ matchImages:
+ - 123456789.dkr.ecr.us-east-1.amazonaws.com
+ - "*.azurecr.io"
+ - gcr.io
+ - "*.*.registry.io"
+ - registry.io:8080/path
+ expected: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: CRIOCredentialProviderConfig
+ metadata:
+ name: cluster
+ spec:
+ matchImages:
+ - 123456789.dkr.ecr.us-east-1.amazonaws.com
+ - "*.azurecr.io"
+ - gcr.io
+ - "*.*.registry.io"
+ - registry.io:8080/path
+ - name: Should reject matchImages with invalid characters
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: CRIOCredentialProviderConfig
+ metadata:
+ name: cluster
+ spec:
+ matchImages:
+ - "reg!stry.io"
+ expectedError: "spec.matchImages[0]: Invalid value: \"string\": invalid matchImages value, must be a valid fully qualified domain name with optional wildcard, port, and path"
+ - name: Should reject matchImages wildcard in the path
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: CRIOCredentialProviderConfig
+ metadata:
+ name: cluster
+ spec:
+ matchImages:
+ - "registry.io:8080/pa*th"
+ expectedError: "spec.matchImages[0]: Invalid value: \"string\": invalid matchImages value, must be a valid fully qualified domain name with optional wildcard, port, and path"
+ - name: Should reject wildcard for partial subdomains
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: CRIOCredentialProviderConfig
+ metadata:
+ name: cluster
+ spec:
+ matchImages:
+ - "example.app*.com"
+ expectedError: "spec.matchImages[0]: Invalid value: \"string\": invalid matchImages value, must be a valid fully qualified domain name with optional wildcard, port, and path"
+ - name: Should reject global wildcard '*'
+ initial: |
+ apiVersion: config.openshift.io/v1alpha1
+ kind: CRIOCredentialProviderConfig
+ metadata:
+ name: cluster
+ spec:
+ matchImages:
+ - "*"
+ expectedError: "spec.matchImages[0]: Invalid value: \"string\": global wildcard '*' is not allowed"
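Review bot: The negative cases stop at character and wildcard-placement checks, so the other constraints declared on the type are never exercised here: a duplicate entry (the list is `x-kubernetes-list-type: set`), an entry over `maxLength: 512`, a list over `maxItems: 50` or empty (`minItems: 1`), and a wildcard in the port (e.g. `registry.io:*`). Each of those is a one-case addition in the same shape as the existing `Should reject …` entries, with the `expectedError` taken from the apiserver message for that rule. It would also be worth pinning the accepted shape of a path containing a dot, e.g. `registry.io/org/repo.name`, since the current regex rejects it and a fixture makes that decision explicit rather than accidental.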
diff --git a/config/v1alpha1/types_crio_credential_provider_config.go b/config/v1alpha1/types_crio_credential_provider_config.go
new file mode 100644
index 00000000000..6abdb2123b4
--- /dev/null
+++ b/config/v1alpha1/types_crio_credential_provider_config.go
@@ -0,0 +1,179 @@
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is "cluster". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+// For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+// CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+// Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.
+//
+// The resource is a singleton named "cluster".
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=criocredentialproviderconfigs,scope=Cluster
+// +kubebuilder:subresource:status
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1929
+// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01
+// +openshift:enable:FeatureGate=CRIOCredentialProviderConfig
+// +openshift:compatibility-gen:level=4
+// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'cluster'",message="criocredentialproviderconfig is a singleton, .metadata.name must be 'cluster'"
+type CRIOCredentialProviderConfig struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // metadata is the standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ // +optional
+ metav1.ObjectMeta `json:"metadata"`
+
+ // spec defines the desired configuration of the CRI-O Credential Provider.
+ // This field is required and must be provided when creating the resource.
+ // +required
+ Spec CRIOCredentialProviderConfigSpec `json:"spec,omitzero"`
+
+ // status represents the current state of the CRIOCredentialProviderConfig.
+ // When omitted or nil, it indicates that the status has not yet been set by the controller.
+ // The controller will populate this field with validation conditions and operational state.
+ // +optional
+ Status *CRIOCredentialProviderConfigStatus `json:"status,omitempty"`
+}
+
+// CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.
+type CRIOCredentialProviderConfigSpec struct {
+ // matchImages is a required list of string patterns used to determine whether
+ // the CRI-O credential provider should be invoked for a given image. This list is
+ // passed to the kubelet CredentialProviderConfig, and if any pattern matches
+ // the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+ // that image or its mirrors.
+ //
+ // This field is required and must contain between 1 and 50 entries.
+ // The list is treated as a set, so duplicate entries are not allowed.
+ //
+ // For more details, see:
+ // - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+ // - https://github.com/cri-o/crio-credential-provider#architecture
+ //
+ // Each entry in matchImages is a pattern which can optionally contain a port and a path. Each entry no longer than 512 characters.
+ // Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+ // and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+ // A global wildcard '*' (matching any domain) is not allowed.
+ // Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path.
+ // For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not.
+ // Each wildcard matches only a single domain label,
+ // so '*.io' does **not** match '*.k8s.io'.
+ //
+ // A match exists between an image and a matchImage when all of the below are true:
+ // Both contain the same number of domain parts and each part matches.
+ // The URL path of an matchImages must be a prefix of the target image URL path.
+ // If the matchImages contains a port, then the port must match in the image as well.
+ //
+ // Example values of matchImages:
+ //
+ // - 123456789.dkr.ecr.us-east-1.amazonaws.com
+ //
+ // - *.azurecr.io
+ //
+ // - gcr.io
+ //
+ // - *.*.registry.io
+ //
+ // - registry.io:8080/path
+ //
+ // +kubebuilder:validation:MaxItems=50
+ // +kubebuilder:validation:MinItems=1
+ // +listType=set
+ // +required
+ MatchImages []MatchImage `json:"matchImages,omitempty"`
+}
+
+// MatchImage is a string pattern used to match container image registry addresses.
+// It must be a valid fully qualified domain name with optional wildcard, port, and path.
+// The maximum length is 512 characters.
+//
+// Wildcards ('*') are supported for full subdomain labels and top-level domains.
+// Each entry can optionally contain a port (e.g., :8080) and a path (e.g., /path).
+// Wildcards are not allowed in the port or path portions.
+//
+// Examples:
+// - "registry.io" - matches exactly registry.io
+// - "*.azurecr.io" - matches any single subdomain of azurecr.io
+// - "registry.io:8080/path" - matches with specific port and path prefix
+//
+// +kubebuilder:validation:MaxLength=512
+// +kubebuilder:validation:XValidation:rule="self != '*'",message="global wildcard '*' is not allowed"
+// +kubebuilder:validation:XValidation:rule=`self.matches('^((\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)(\\.(\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?))*)(:[0-9]+)?(/[-a-zA-Z0-9_/]*)?$')`,message="invalid matchImages value, must be a valid fully qualified domain name with optional wildcard, port, and path"
+type MatchImage string
+
+// +k8s:deepcopy-gen=true
+// CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig
+type CRIOCredentialProviderConfigStatus struct {
+ // conditions represent the latest available observations of the configuration state.
+ // When omitted or empty, it indicates that no conditions have been reported yet.
+ // The maximum number of conditions is 4.
+ // Conditions are stored as a map keyed by condition type, ensuring uniqueness.
+ //
+ // Expected condition types include:
+ // "Validated": indicates whether the matchImages configuration is valid
+ // +optional
+ // +kubebuilder:validation:MaxItems=4
+ // +listType=map
+ // +listMapKey=type
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources
+//
+// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+// +openshift:compatibility-gen:level=4
+type CRIOCredentialProviderConfigList struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // metadata is the standard list's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ metav1.ListMeta `json:"metadata"`
+
+ Items []CRIOCredentialProviderConfig `json:"items"`
+}
+
+const (
+ // ConditionTypeValidated is a condition type that indicates whether the CRIOCredentialProviderConfig
+ // matchImages configuration has been validated successfully.
+ // When True, all matchImage patterns are valid and have been applied.
+ // When False, the configuration contains errors (see Reason for details).
+ // Possible reasons for False status:
+ // - ValidationFailed: matchImages contains invalid patterns
+ // - ConfigurationPartiallyApplied: some matchImage entries were ignored due to conflicts
+ ConditionTypeValidated = "Validated"
+
+ // ReasonValidationFailed is a condition reason used with ConditionTypeValidated=False
+ // to indicate that the matchImages configuration contains one or more invalid registry patterns
+ // that do not conform to the required format (valid FQDN with optional wildcard, port, and path).
+ ReasonValidationFailed = "ValidationFailed"
+
+ // ReasonConfigurationPartiallyApplied is a condition reason used with ConditionTypeValidated=False
+ // to indicate that some matchImage entries were ignored due to conflicts or overlapping patterns.
+ // The condition message will contain details about which entries were ignored and why.
+ ReasonConfigurationPartiallyApplied = "ConfigurationPartiallyApplied"
+
+ // ConditionTypeMachineConfigRendered is a condition type that indicates whether
+ // the CRIOCredentialProviderConfig has been successfully rendered into a
+ // MachineConfig object.
+ // When True, the corresponding MachineConfig is present in the cluster.
+ // When False, rendering failed.
+ ConditionTypeMachineConfigRendered = "MachineConfigRendered"
+
+ // ReasonMachineConfigRenderingSucceeded is a condition reason used with ConditionTypeMachineConfigRendered=True
+ // to indicate that the MachineConfig was successfully created/updated in the API server.
+ ReasonMachineConfigRenderingSucceeded = "MachineConfigRenderingSucceeded"
+
+ // ReasonMachineConfigRenderingFailed is a condition reason used with ConditionTypeMachineConfigRendered=False
+ // to indicate that the MachineConfig creation/update failed.
+ // The condition message will contain details about the failure.
+ ReasonMachineConfigRenderingFailed = "MachineConfigRenderingFailed"
+)
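Review bot: The path group of the CEL regex on the `MatchImage` type, `(/[-a-zA-Z0-9_/]*)?`, does not admit `.`, so an entry such as `registry.io/org/repo.name` is rejected even though the field doc says the path is prefix-matched against the image path and OCI repository path components may contain period separators; if dotted repository names are meant to be matchable the class should be `(/[-a-zA-Z0-9_./]*)?` (this keeps `*` out of the path, which is what the test fixture asserts). The port group `(:[0-9]+)?` accepts any digit run, including values above 65535 and leading zeros, so a bounding check, e.g. a second XValidation that parses the port, would tighten it. Both rules are duplicated verbatim into the three generated manifests under `zz_generated.crd-manifests`, which would need regenerating with any change. Separately, `MatchImages` is tagged `+required` with `MinItems=1` but serialised with `omitempty`; that is harmless on the wire but reads inconsistently next to the `omitzero` used on `Spec`, and a short comment explaining the choice would help.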
diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_criocredentialproviderconfigs-CustomNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_criocredentialproviderconfigs-CustomNoUpgrade.crd.yaml
new file mode 100644
index 00000000000..ccb2c467406
--- /dev/null
+++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_criocredentialproviderconfigs-CustomNoUpgrade.crd.yaml
@@ -0,0 +1,209 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/1929
+ api.openshift.io/merged-by-featuregates: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/feature-set: CustomNoUpgrade
+ name: criocredentialproviderconfigs.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: CRIOCredentialProviderConfig
+ listKind: CRIOCredentialProviderConfigList
+ plural: criocredentialproviderconfigs
+ singular: criocredentialproviderconfig
+ scope: Cluster
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is "cluster". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+ For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+ CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+ Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.
+
+ The resource is a singleton named "cluster".
+
+ Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: |-
+ spec defines the desired configuration of the CRI-O Credential Provider.
+ This field is required and must be provided when creating the resource.
+ properties:
+ matchImages:
+ description: |-
+ matchImages is a required list of string patterns used to determine whether
+ the CRI-O credential provider should be invoked for a given image. This list is
+ passed to the kubelet CredentialProviderConfig, and if any pattern matches
+ the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+ that image or its mirrors.
+
+ This field is required and must contain between 1 and 50 entries.
+ The list is treated as a set, so duplicate entries are not allowed.
+
+ For more details, see:
+ - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+ - https://github.com/cri-o/crio-credential-provider#architecture
+
+ Each entry in matchImages is a pattern which can optionally contain a port and a path. Each entry no longer than 512 characters.
+ Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+ and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+ A global wildcard '*' (matching any domain) is not allowed.
+ Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path.
+ For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not.
+ Each wildcard matches only a single domain label,
+ so '*.io' does **not** match '*.k8s.io'.
+
+ A match exists between an image and a matchImage when all of the below are true:
+ Both contain the same number of domain parts and each part matches.
+ The URL path of an matchImages must be a prefix of the target image URL path.
+ If the matchImages contains a port, then the port must match in the image as well.
+
+ Example values of matchImages:
+
+ - 123456789.dkr.ecr.us-east-1.amazonaws.com
+
+ - *.azurecr.io
+
+ - gcr.io
+
+ - *.*.registry.io
+
+ - registry.io:8080/path
+ items:
+ description: |-
+ MatchImage is a string pattern used to match container image registry addresses.
+ It must be a valid fully qualified domain name with optional wildcard, port, and path.
+ The maximum length is 512 characters.
+
+ Wildcards ('*') are supported for full subdomain labels and top-level domains.
+ Each entry can optionally contain a port (e.g., :8080) and a path (e.g., /path).
+ Wildcards are not allowed in the port or path portions.
+
+ Examples:
+ - "registry.io" - matches exactly registry.io
+ - "*.azurecr.io" - matches any single subdomain of azurecr.io
+ - "registry.io:8080/path" - matches with specific port and path prefix
+ maxLength: 512
+ type: string
+ x-kubernetes-validations:
+ - message: global wildcard '*' is not allowed
+ rule: self != '*'
+ - message: invalid matchImages value, must be a valid fully qualified
+ domain name with optional wildcard, port, and path
+ rule: self.matches('^((\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)(\\.(\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?))*)(:[0-9]+)?(/[-a-zA-Z0-9_/]*)?$')
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ required:
+ - matchImages
+ type: object
+ status:
+ description: |-
+ status represents the current state of the CRIOCredentialProviderConfig.
+ When omitted or nil, it indicates that the status has not yet been set by the controller.
+ The controller will populate this field with validation conditions and operational state.
+ properties:
+ conditions:
+ description: |-
+ conditions represent the latest available observations of the configuration state.
+ When omitted or empty, it indicates that no conditions have been reported yet.
+ The maximum number of conditions is 4.
+ Conditions are stored as a map keyed by condition type, ensuring uniqueness.
+
+ Expected condition types include:
+ "Validated": indicates whether the matchImages configuration is valid
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 4
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ x-kubernetes-validations:
+ - message: criocredentialproviderconfig is a singleton, .metadata.name must
+ be 'cluster'
+ rule: self.metadata.name == 'cluster'
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_criocredentialproviderconfigs-DevPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_criocredentialproviderconfigs-DevPreviewNoUpgrade.crd.yaml
new file mode 100644
index 00000000000..d34578f8d27
--- /dev/null
+++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_criocredentialproviderconfigs-DevPreviewNoUpgrade.crd.yaml
@@ -0,0 +1,209 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/1929
+ api.openshift.io/merged-by-featuregates: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/feature-set: DevPreviewNoUpgrade
+ name: criocredentialproviderconfigs.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: CRIOCredentialProviderConfig
+ listKind: CRIOCredentialProviderConfigList
+ plural: criocredentialproviderconfigs
+ singular: criocredentialproviderconfig
+ scope: Cluster
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is "cluster". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+ For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+ CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+ Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.
+
+ The resource is a singleton named "cluster".
+
+ Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: |-
+ spec defines the desired configuration of the CRI-O Credential Provider.
+ This field is required and must be provided when creating the resource.
+ properties:
+ matchImages:
+ description: |-
+ matchImages is a required list of string patterns used to determine whether
+ the CRI-O credential provider should be invoked for a given image. This list is
+ passed to the kubelet CredentialProviderConfig, and if any pattern matches
+ the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+ that image or its mirrors.
+
+ This field is required and must contain between 1 and 50 entries.
+ The list is treated as a set, so duplicate entries are not allowed.
+
+ For more details, see:
+ - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+ - https://github.com/cri-o/crio-credential-provider#architecture
+
+ Each entry in matchImages is a pattern which can optionally contain a port and a path. Each entry no longer than 512 characters.
+ Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+ and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+ A global wildcard '*' (matching any domain) is not allowed.
+ Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path.
+ For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not.
+ Each wildcard matches only a single domain label,
+ so '*.io' does **not** match '*.k8s.io'.
+
+ A match exists between an image and a matchImage when all of the below are true:
+ Both contain the same number of domain parts and each part matches.
+ The URL path of an matchImages must be a prefix of the target image URL path.
+ If the matchImages contains a port, then the port must match in the image as well.
+
+ Example values of matchImages:
+
+ - 123456789.dkr.ecr.us-east-1.amazonaws.com
+
+ - *.azurecr.io
+
+ - gcr.io
+
+ - *.*.registry.io
+
+ - registry.io:8080/path
+ items:
+ description: |-
+ MatchImage is a string pattern used to match container image registry addresses.
+ It must be a valid fully qualified domain name with optional wildcard, port, and path.
+ The maximum length is 512 characters.
+
+ Wildcards ('*') are supported for full subdomain labels and top-level domains.
+ Each entry can optionally contain a port (e.g., :8080) and a path (e.g., /path).
+ Wildcards are not allowed in the port or path portions.
+
+ Examples:
+ - "registry.io" - matches exactly registry.io
+ - "*.azurecr.io" - matches any single subdomain of azurecr.io
+ - "registry.io:8080/path" - matches with specific port and path prefix
+ maxLength: 512
+ type: string
+ x-kubernetes-validations:
+ - message: global wildcard '*' is not allowed
+ rule: self != '*'
+ - message: invalid matchImages value, must be a valid fully qualified
+ domain name with optional wildcard, port, and path
+ rule: self.matches('^((\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)(\\.(\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?))*)(:[0-9]+)?(/[-a-zA-Z0-9_/]*)?$')
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ required:
+ - matchImages
+ type: object
+ status:
+ description: |-
+ status represents the current state of the CRIOCredentialProviderConfig.
+ When omitted or nil, it indicates that the status has not yet been set by the controller.
+ The controller will populate this field with validation conditions and operational state.
+ properties:
+ conditions:
+ description: |-
+ conditions represent the latest available observations of the configuration state.
+ When omitted or empty, it indicates that no conditions have been reported yet.
+ The maximum number of conditions is 4.
+ Conditions are stored as a map keyed by condition type, ensuring uniqueness.
+
+ Expected condition types include:
+ "Validated": indicates whether the matchImages configuration is valid
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 4
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ x-kubernetes-validations:
+ - message: criocredentialproviderconfig is a singleton, .metadata.name must
+ be 'cluster'
+ rule: self.metadata.name == 'cluster'
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_criocredentialproviderconfigs-TechPreviewNoUpgrade.crd.yaml b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_criocredentialproviderconfigs-TechPreviewNoUpgrade.crd.yaml
new file mode 100644
index 00000000000..c6c77bc3ebe
--- /dev/null
+++ b/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_criocredentialproviderconfigs-TechPreviewNoUpgrade.crd.yaml
@@ -0,0 +1,209 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/1929
+ api.openshift.io/merged-by-featuregates: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/feature-set: TechPreviewNoUpgrade
+ name: criocredentialproviderconfigs.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: CRIOCredentialProviderConfig
+ listKind: CRIOCredentialProviderConfigList
+ plural: criocredentialproviderconfigs
+ singular: criocredentialproviderconfig
+ scope: Cluster
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is "cluster". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+ For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+ CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+ Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.
+
+ The resource is a singleton named "cluster".
+
+ Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: |-
+ spec defines the desired configuration of the CRI-O Credential Provider.
+ This field is required and must be provided when creating the resource.
+ properties:
+ matchImages:
+ description: |-
+ matchImages is a required list of string patterns used to determine whether
+ the CRI-O credential provider should be invoked for a given image. This list is
+ passed to the kubelet CredentialProviderConfig, and if any pattern matches
+ the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+ that image or its mirrors.
+
+ This field is required and must contain between 1 and 50 entries.
+ The list is treated as a set, so duplicate entries are not allowed.
+
+ For more details, see:
+ - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+ - https://github.com/cri-o/crio-credential-provider#architecture
+
+ Each entry in matchImages is a pattern which can optionally contain a port and a path. Each entry no longer than 512 characters.
+ Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+ and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+ A global wildcard '*' (matching any domain) is not allowed.
+ Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path.
+ For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not.
+ Each wildcard matches only a single domain label,
+ so '*.io' does **not** match '*.k8s.io'.
+
+ A match exists between an image and a matchImage when all of the below are true:
+ Both contain the same number of domain parts and each part matches.
+ The URL path of an matchImages must be a prefix of the target image URL path.
+ If the matchImages contains a port, then the port must match in the image as well.
+
+ Example values of matchImages:
+
+ - 123456789.dkr.ecr.us-east-1.amazonaws.com
+
+ - *.azurecr.io
+
+ - gcr.io
+
+ - *.*.registry.io
+
+ - registry.io:8080/path
+ items:
+ description: |-
+ MatchImage is a string pattern used to match container image registry addresses.
+ It must be a valid fully qualified domain name with optional wildcard, port, and path.
+ The maximum length is 512 characters.
+
+ Wildcards ('*') are supported for full subdomain labels and top-level domains.
+ Each entry can optionally contain a port (e.g., :8080) and a path (e.g., /path).
+ Wildcards are not allowed in the port or path portions.
+
+ Examples:
+ - "registry.io" - matches exactly registry.io
+ - "*.azurecr.io" - matches any single subdomain of azurecr.io
+ - "registry.io:8080/path" - matches with specific port and path prefix
+ maxLength: 512
+ type: string
+ x-kubernetes-validations:
+ - message: global wildcard '*' is not allowed
+ rule: self != '*'
+ - message: invalid matchImages value, must be a valid fully qualified
+ domain name with optional wildcard, port, and path
+ rule: self.matches('^((\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)(\\.(\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?))*)(:[0-9]+)?(/[-a-zA-Z0-9_/]*)?$')
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ required:
+ - matchImages
+ type: object
+ status:
+ description: |-
+ status represents the current state of the CRIOCredentialProviderConfig.
+ When omitted or nil, it indicates that the status has not yet been set by the controller.
+ The controller will populate this field with validation conditions and operational state.
+ properties:
+ conditions:
+ description: |-
+ conditions represent the latest available observations of the configuration state.
+ When omitted or empty, it indicates that no conditions have been reported yet.
+ The maximum number of conditions is 4.
+ Conditions are stored as a map keyed by condition type, ensuring uniqueness.
+
+ Expected condition types include:
+ "Validated": indicates whether the matchImages configuration is valid
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 4
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ x-kubernetes-validations:
+ - message: criocredentialproviderconfig is a singleton, .metadata.name must
+ be 'cluster'
+ rule: self.metadata.name == 'cluster'
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/config/v1alpha1/zz_generated.deepcopy.go b/config/v1alpha1/zz_generated.deepcopy.go
index 6549f6cbe43..8fecc97f9fa 100644
--- a/config/v1alpha1/zz_generated.deepcopy.go
+++ b/config/v1alpha1/zz_generated.deepcopy.go
@@ -192,6 +192,115 @@ func (in *BackupStatus) DeepCopy() *BackupStatus {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfig) DeepCopyInto(out *CRIOCredentialProviderConfig) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+ if in.Status != nil {
+ in, out := &in.Status, &out.Status
+ *out = new(CRIOCredentialProviderConfigStatus)
+ (*in).DeepCopyInto(*out)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfig.
+func (in *CRIOCredentialProviderConfig) DeepCopy() *CRIOCredentialProviderConfig {
+ if in == nil {
+ return nil
+ }
+ out := new(CRIOCredentialProviderConfig)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CRIOCredentialProviderConfig) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfigList) DeepCopyInto(out *CRIOCredentialProviderConfigList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]CRIOCredentialProviderConfig, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigList.
+func (in *CRIOCredentialProviderConfigList) DeepCopy() *CRIOCredentialProviderConfigList {
+ if in == nil {
+ return nil
+ }
+ out := new(CRIOCredentialProviderConfigList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CRIOCredentialProviderConfigList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfigSpec) DeepCopyInto(out *CRIOCredentialProviderConfigSpec) {
+ *out = *in
+ if in.MatchImages != nil {
+ in, out := &in.MatchImages, &out.MatchImages
+ *out = make([]MatchImage, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigSpec.
+func (in *CRIOCredentialProviderConfigSpec) DeepCopy() *CRIOCredentialProviderConfigSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(CRIOCredentialProviderConfigSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CRIOCredentialProviderConfigStatus) DeepCopyInto(out *CRIOCredentialProviderConfigStatus) {
+ *out = *in
+ if in.Conditions != nil {
+ in, out := &in.Conditions, &out.Conditions
+ *out = make([]metav1.Condition, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CRIOCredentialProviderConfigStatus.
+func (in *CRIOCredentialProviderConfigStatus) DeepCopy() *CRIOCredentialProviderConfigStatus {
+ if in == nil {
+ return nil
+ }
+ out := new(CRIOCredentialProviderConfigStatus)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) {
*out = *in
diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
index 2f79f801dd4..42e96ed45fa 100644
--- a/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
+++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml
@@ -21,6 +21,29 @@ backups.config.openshift.io:
- AutomatedEtcdBackup
Version: v1alpha1
+criocredentialproviderconfigs.config.openshift.io:
+ Annotations: {}
+ ApprovedPRNumber: https://github.com/openshift/api/pull/1929
+ CRDName: criocredentialproviderconfigs.config.openshift.io
+ Capability: ""
+ Category: ""
+ FeatureGates:
+ - CRIOCredentialProviderConfig
+ FilenameOperatorName: config-operator
+ FilenameOperatorOrdering: "01"
+ FilenameRunLevel: "0000_10"
+ GroupName: config.openshift.io
+ HasStatus: true
+ KindName: CRIOCredentialProviderConfig
+ Labels: {}
+ PluralName: criocredentialproviderconfigs
+ PrinterColumns: []
+ Scope: Cluster
+ ShortNames: null
+ TopLevelFeatureGates:
+ - CRIOCredentialProviderConfig
+ Version: v1alpha1
+
clusterimagepolicies.config.openshift.io:
Annotations: {}
ApprovedPRNumber: https://github.com/openshift/api/pull/1457
diff --git a/config/v1alpha1/zz_generated.featuregated-crd-manifests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml b/config/v1alpha1/zz_generated.featuregated-crd-manifests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml
new file mode 100644
index 00000000000..9071e007bb3
--- /dev/null
+++ b/config/v1alpha1/zz_generated.featuregated-crd-manifests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml
@@ -0,0 +1,209 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/1929
+ api.openshift.io/filename-cvo-runlevel: "0000_10"
+ api.openshift.io/filename-operator: config-operator
+ api.openshift.io/filename-ordering: "01"
+ feature-gate.release.openshift.io/CRIOCredentialProviderConfig: "true"
+ name: criocredentialproviderconfigs.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: CRIOCredentialProviderConfig
+ listKind: CRIOCredentialProviderConfigList
+ plural: criocredentialproviderconfigs
+ singular: criocredentialproviderconfig
+ scope: Cluster
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is "cluster". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+ For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+ CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+ Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.
+
+ The resource is a singleton named "cluster".
+
+ Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: |-
+ spec defines the desired configuration of the CRI-O Credential Provider.
+ This field is required and must be provided when creating the resource.
+ properties:
+ matchImages:
+ description: |-
+ matchImages is a required list of string patterns used to determine whether
+ the CRI-O credential provider should be invoked for a given image. This list is
+ passed to the kubelet CredentialProviderConfig, and if any pattern matches
+ the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+ that image or its mirrors.
+
+ This field is required and must contain between 1 and 50 entries.
+ The list is treated as a set, so duplicate entries are not allowed.
+
+ For more details, see:
+ - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+ - https://github.com/cri-o/crio-credential-provider#architecture
+
+ Each entry in matchImages is a pattern which can optionally contain a port and a path. Each entry no longer than 512 characters.
+ Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+ and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+ A global wildcard '*' (matching any domain) is not allowed.
+ Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path.
+ For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not.
+ Each wildcard matches only a single domain label,
+ so '*.io' does **not** match '*.k8s.io'.
+
+ A match exists between an image and a matchImage when all of the below are true:
+ Both contain the same number of domain parts and each part matches.
+ The URL path of an matchImages must be a prefix of the target image URL path.
+ If the matchImages contains a port, then the port must match in the image as well.
+
+ Example values of matchImages:
+
+ - 123456789.dkr.ecr.us-east-1.amazonaws.com
+
+ - *.azurecr.io
+
+ - gcr.io
+
+ - *.*.registry.io
+
+ - registry.io:8080/path
+ items:
+ description: |-
+ MatchImage is a string pattern used to match container image registry addresses.
+ It must be a valid fully qualified domain name with optional wildcard, port, and path.
+ The maximum length is 512 characters.
+
+ Wildcards ('*') are supported for full subdomain labels and top-level domains.
+ Each entry can optionally contain a port (e.g., :8080) and a path (e.g., /path).
+ Wildcards are not allowed in the port or path portions.
+
+ Examples:
+ - "registry.io" - matches exactly registry.io
+ - "*.azurecr.io" - matches any single subdomain of azurecr.io
+ - "registry.io:8080/path" - matches with specific port and path prefix
+ maxLength: 512
+ type: string
+ x-kubernetes-validations:
+ - message: global wildcard '*' is not allowed
+ rule: self != '*'
+ - message: invalid matchImages value, must be a valid fully qualified
+ domain name with optional wildcard, port, and path
+ rule: self.matches('^((\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)(\\.(\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?))*)(:[0-9]+)?(/[-a-zA-Z0-9_/]*)?$')
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ required:
+ - matchImages
+ type: object
+ status:
+ description: |-
+ status represents the current state of the CRIOCredentialProviderConfig.
+ When omitted or nil, it indicates that the status has not yet been set by the controller.
+ The controller will populate this field with validation conditions and operational state.
+ properties:
+ conditions:
+ description: |-
+ conditions represent the latest available observations of the configuration state.
+ When omitted or empty, it indicates that no conditions have been reported yet.
+ The maximum number of conditions is 4.
+ Conditions are stored as a map keyed by condition type, ensuring uniqueness.
+
+ Expected condition types include:
+ "Validated": indicates whether the matchImages configuration is valid
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 4
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ x-kubernetes-validations:
+ - message: criocredentialproviderconfig is a singleton, .metadata.name must
+ be 'cluster'
+ rule: self.metadata.name == 'cluster'
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/config/v1alpha1/zz_generated.swagger_doc_generated.go b/config/v1alpha1/zz_generated.swagger_doc_generated.go
index 6ba6ad11f44..731f3357922 100644
--- a/config/v1alpha1/zz_generated.swagger_doc_generated.go
+++ b/config/v1alpha1/zz_generated.swagger_doc_generated.go
@@ -226,6 +226,44 @@ func (UserDefinedMonitoring) SwaggerDoc() map[string]string {
return map_UserDefinedMonitoring
}
+var map_CRIOCredentialProviderConfig = map[string]string{
+ "": "CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is \"cluster\". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources. For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in. CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation. Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.\n\nThe resource is a singleton named \"cluster\".\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+ "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+ "spec": "spec defines the desired configuration of the CRI-O Credential Provider. This field is required and must be provided when creating the resource.",
+ "status": "status represents the current state of the CRIOCredentialProviderConfig. When omitted or nil, it indicates that the status has not yet been set by the controller. The controller will populate this field with validation conditions and operational state.",
+}
+
+func (CRIOCredentialProviderConfig) SwaggerDoc() map[string]string {
+ return map_CRIOCredentialProviderConfig
+}
+
+var map_CRIOCredentialProviderConfigList = map[string]string{
+ "": "CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+ "metadata": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+}
+
+func (CRIOCredentialProviderConfigList) SwaggerDoc() map[string]string {
+ return map_CRIOCredentialProviderConfigList
+}
+
+var map_CRIOCredentialProviderConfigSpec = map[string]string{
+ "": "CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.",
+ "matchImages": "matchImages is a required list of string patterns used to determine whether the CRI-O credential provider should be invoked for a given image. This list is passed to the kubelet CredentialProviderConfig, and if any pattern matches the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling that image or its mirrors.\n\nThis field is required and must contain between 1 and 50 entries. The list is treated as a set, so duplicate entries are not allowed.\n\nFor more details, see: - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/ - https://github.com/cri-o/crio-credential-provider#architecture\n\nEach entry in matchImages is a pattern which can optionally contain a port and a path. Each entry no longer than 512 characters. Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io', and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net'). A global wildcard '*' (matching any domain) is not allowed. Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path. For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not. Each wildcard matches only a single domain label, so '*.io' does **not** match '*.k8s.io'.\n\nA match exists between an image and a matchImage when all of the below are true: Both contain the same number of domain parts and each part matches. The URL path of an matchImages must be a prefix of the target image URL path. If the matchImages contains a port, then the port must match in the image as well.\n\nExample values of matchImages:\n\n- 123456789.dkr.ecr.us-east-1.amazonaws.com\n\n- *.azurecr.io\n\n- gcr.io\n\n- *.*.registry.io\n\n- registry.io:8080/path",
+}
+
+func (CRIOCredentialProviderConfigSpec) SwaggerDoc() map[string]string {
+ return map_CRIOCredentialProviderConfigSpec
+}
+
+var map_CRIOCredentialProviderConfigStatus = map[string]string{
+ "": "CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig",
+ "conditions": "conditions represent the latest available observations of the configuration state. When omitted or empty, it indicates that no conditions have been reported yet. The maximum number of conditions is 4. Conditions are stored as a map keyed by condition type, ensuring uniqueness.\n\nExpected condition types include: \"Validated\": indicates whether the matchImages configuration is valid",
+}
+
+func (CRIOCredentialProviderConfigStatus) SwaggerDoc() map[string]string {
+ return map_CRIOCredentialProviderConfigStatus
+}
+
var map_FulcioCAWithRekor = map[string]string{
"": "FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.",
"fulcioCAData": "fulcioCAData contains inline base64-encoded data for the PEM format fulcio CA. fulcioCAData must be at most 8192 characters.",
diff --git a/features.md b/features.md
index 7b858756db3..c0b6f48c275 100644
--- a/features.md
+++ b/features.md
@@ -33,6 +33,7 @@
| BootcNodeManagement| | | Enabled | Enabled | Enabled | Enabled |
| CBORServingAndStorage| | | Enabled | Enabled | Enabled | Enabled |
| CRDCompatibilityRequirementOperator| | | Enabled | Enabled | Enabled | Enabled |
+| CRIOCredentialProviderConfig| | | Enabled | Enabled | Enabled | Enabled |
| ClientsPreferCBOR| | | Enabled | Enabled | Enabled | Enabled |
| ClusterAPIInstallIBMCloud| | | Enabled | Enabled | Enabled | Enabled |
| ClusterAPIMachineManagement| | | Enabled | Enabled | Enabled | Enabled |
diff --git a/features/features.go b/features/features.go
index 9705466b968..ceab32f338a 100644
--- a/features/features.go
+++ b/features/features.go
@@ -131,6 +131,14 @@ var (
enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
mustRegister()
+ FeatureGateCRIOCredentialProviderConfig = newFeatureGate("CRIOCredentialProviderConfig").
+ reportProblemsToJiraComponent("node").
+ contactPerson("QiWang").
+ productScope(ocpSpecific).
+ enhancementPR("https://github.com/openshift/enhancements/pull/1861").
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ mustRegister()
+
FeatureGateAlibabaPlatform = newFeatureGate("AlibabaPlatform").
reportProblemsToJiraComponent("cloud-provider").
contactPerson("jspeed").
diff --git a/hack/update-payload-crds.sh b/hack/update-payload-crds.sh
index 1c49d4d7bae..fd18b781d66 100755
--- a/hack/update-payload-crds.sh
+++ b/hack/update-payload-crds.sh
@@ -26,6 +26,7 @@ crd_globs="\
machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_osimagestreams-*.crd.yaml
operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations*.crd.yaml
config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitoring*.crd.yaml
+ config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_criocredentialproviderconfigs*.crd.yaml
operator/v1/zz_generated.crd-manifests/*_storage_01_storages*.crd.yaml
operator/v1/zz_generated.crd-manifests/*_csi-driver_01_clustercsidrivers*.crd.yaml
insights/v1alpha2/zz_generated.crd-manifests/0000_10_insights_01_datagathers*.crd.yaml
diff --git a/machine/v1beta1/types_awsprovider.go b/machine/v1beta1/types_awsprovider.go
index 0cc634a5fd2..4971990d5e9 100644
--- a/machine/v1beta1/types_awsprovider.go
+++ b/machine/v1beta1/types_awsprovider.go
@@ -425,7 +425,7 @@ type HostPlacement struct {
// When Affinity is set to AnyAvailable, and you stop and restart the instance, it can be restarted on any available host.
// +required
// +unionDiscriminator
- Affinity *HostAffinity `json:"affinity,omitempty"`
+ Affinity HostAffinity `json:"affinity,omitempty"`
// dedicatedHost specifies the exact host that an instance should be restarted on if stopped.
// dedicatedHost is required when 'affinity' is set to DedicatedHost, and forbidden otherwise.
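Review bot: Changing `Affinity` from `*HostAffinity` to `HostAffinity` on the new side of this hunk is a source-incompatible change for Go consumers of machine/v1beta1: any caller that assigns a pointer or nil-checks the field stops compiling, which deserves an explicit mention in the commit description. The field also keeps `omitempty` while carrying `+required` and `+unionDiscriminator`; if `HostAffinity` is a string-backed type (its definition is not visible here), a zero-valued discriminator is silently dropped from the serialized object instead of being rejected, so consider `Affinity HostAffinity \`json:"affinity"\`` without `omitempty`. The enclosing HostPlacement struct starts outside the hunk.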
diff --git a/machine/v1beta1/zz_generated.deepcopy.go b/machine/v1beta1/zz_generated.deepcopy.go
index 0150060f466..abe5c4c9745 100644
--- a/machine/v1beta1/zz_generated.deepcopy.go
+++ b/machine/v1beta1/zz_generated.deepcopy.go
@@ -932,11 +932,6 @@ func (in *GCPShieldedInstanceConfig) DeepCopy() *GCPShieldedInstanceConfig {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *HostPlacement) DeepCopyInto(out *HostPlacement) {
*out = *in
- if in.Affinity != nil {
- in, out := &in.Affinity, &out.Affinity
- *out = new(HostAffinity)
- **out = **in
- }
if in.DedicatedHost != nil {
in, out := &in.DedicatedHost, &out.DedicatedHost
*out = new(DedicatedHost)
diff --git a/machineconfiguration/v1alpha1/types_internalreleaseimage.go b/machineconfiguration/v1alpha1/types_internalreleaseimage.go
index cd888c96783..456329838eb 100644
--- a/machineconfiguration/v1alpha1/types_internalreleaseimage.go
+++ b/machineconfiguration/v1alpha1/types_internalreleaseimage.go
@@ -86,7 +86,7 @@ type InternalReleaseImageStatus struct {
// +listMapKey=name
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=32
- // +required
+ // +optional
Releases []InternalReleaseImageBundleStatus `json:"releases,omitempty"`
}
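Review bot: With `+optional` replacing `+required` while `MinItems=1` is retained two lines above, an omitted `releases` is now accepted but an explicitly empty `releases: []` is still rejected; that asymmetry is reasonable for a status field, but the field description (outside the hunk) should state it, e.g. `// releases is optional; when present it must contain between 1 and 32 entries.`. If the existing description still calls the field required, it should be reworded to match the marker so the generated CRD docs and the schema agree. The InternalReleaseImageStatus struct starts outside the hunk.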
diff --git a/machineconfiguration/v1alpha1/types_osimagestream.go b/machineconfiguration/v1alpha1/types_osimagestream.go
index cb6163ddb73..943af95a3df 100644
--- a/machineconfiguration/v1alpha1/types_osimagestream.go
+++ b/machineconfiguration/v1alpha1/types_osimagestream.go
@@ -51,11 +51,11 @@ type OSImageStreamStatus struct {
// availableStreams is required, must have at least one item, must not exceed
// 100 items, and must have unique entries keyed on the name field.
//
- // +required
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=100
// +listType=map
// +listMapKey=name
+ // +optional
AvailableStreams []OSImageStreamSet `json:"availableStreams,omitempty"`
// defaultStream is the name of the stream that should be used as the default
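Review bot: The description retained in this hunk still says "availableStreams is required, must have at least one item" while the marker below it is now `+optional`, so the godoc and the generated CRD description contradict the schema; reword the first sentence to `// availableStreams is optional; when present it must have at least one item, must not exceed` and keep the remainder. The second hunk in this file makes `defaultStream` optional as well, and its description should be checked for the same "required" wording. Since both fields can now be absent, the status-level CEL rule that defaultStream must reference a name in availableStreams (visible in the regenerated CRD manifests) needs to tolerate either field being unset; whether it already guards with `has(...)` is not visible in this diff. The OSImageStreamStatus struct starts outside the hunk.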
@@ -65,10 +65,10 @@ type OSImageStreamStatus struct {
// consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.'),
// and must reference the name of one of the streams in availableStreams.
//
- // +required
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=253
// +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
+ // +optional
DefaultStream string `json:"defaultStream,omitempty"`
}
diff --git a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_internalreleaseimages-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_internalreleaseimages-CustomNoUpgrade.crd.yaml
index c74586c5ca1..bc4830f0615 100644
--- a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_internalreleaseimages-CustomNoUpgrade.crd.yaml
+++ b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_internalreleaseimages-CustomNoUpgrade.crd.yaml
@@ -274,8 +274,6 @@ spec:
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
- required:
- - releases
type: object
required:
- metadata
diff --git a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_internalreleaseimages-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_internalreleaseimages-DevPreviewNoUpgrade.crd.yaml
index 69153b31c06..455e6114775 100644
--- a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_internalreleaseimages-DevPreviewNoUpgrade.crd.yaml
+++ b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_internalreleaseimages-DevPreviewNoUpgrade.crd.yaml
@@ -273,8 +273,6 @@ spec:
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
- required:
- - releases
type: object
required:
- metadata
diff --git a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_internalreleaseimages-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_internalreleaseimages-TechPreviewNoUpgrade.crd.yaml
index 6c01040a915..6b63a319182 100644
--- a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_internalreleaseimages-TechPreviewNoUpgrade.crd.yaml
+++ b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_internalreleaseimages-TechPreviewNoUpgrade.crd.yaml
@@ -273,8 +273,6 @@ spec:
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
- required:
- - releases
type: object
required:
- metadata
diff --git a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_osimagestreams-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_osimagestreams-CustomNoUpgrade.crd.yaml
index acaf0745872..d75b0e0011c 100644
--- a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_osimagestreams-CustomNoUpgrade.crd.yaml
+++ b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_osimagestreams-CustomNoUpgrade.crd.yaml
@@ -148,9 +148,6 @@ spec:
characters, '-' or '.', and must start and end with an alphanumeric
character.
rule: '!format.dns1123Subdomain().validate(self).hasValue()'
- required:
- - availableStreams
- - defaultStream
type: object
x-kubernetes-validations:
- message: defaultStream must reference a stream name from availableStreams
diff --git a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_osimagestreams-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_osimagestreams-DevPreviewNoUpgrade.crd.yaml
index 51fa1e09b0e..b3aa672dbcd 100644
--- a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_osimagestreams-DevPreviewNoUpgrade.crd.yaml
+++ b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_osimagestreams-DevPreviewNoUpgrade.crd.yaml
@@ -148,9 +148,6 @@ spec:
characters, '-' or '.', and must start and end with an alphanumeric
character.
rule: '!format.dns1123Subdomain().validate(self).hasValue()'
- required:
- - availableStreams
- - defaultStream
type: object
x-kubernetes-validations:
- message: defaultStream must reference a stream name from availableStreams
diff --git a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_osimagestreams-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_osimagestreams-TechPreviewNoUpgrade.crd.yaml
index 428efa66414..3644e39d396 100644
--- a/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_osimagestreams-TechPreviewNoUpgrade.crd.yaml
+++ b/machineconfiguration/v1alpha1/zz_generated.crd-manifests/0000_80_machine-config_01_osimagestreams-TechPreviewNoUpgrade.crd.yaml
@@ -148,9 +148,6 @@ spec:
characters, '-' or '.', and must start and end with an alphanumeric
character.
rule: '!format.dns1123Subdomain().validate(self).hasValue()'
- required:
- - availableStreams
- - defaultStream
type: object
x-kubernetes-validations:
- message: defaultStream must reference a stream name from availableStreams
diff --git a/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests/internalreleaseimages.machineconfiguration.openshift.io/NoRegistryClusterInstall.yaml b/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests/internalreleaseimages.machineconfiguration.openshift.io/NoRegistryClusterInstall.yaml
index 340564eb94d..3da9585aa5d 100644
--- a/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests/internalreleaseimages.machineconfiguration.openshift.io/NoRegistryClusterInstall.yaml
+++ b/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests/internalreleaseimages.machineconfiguration.openshift.io/NoRegistryClusterInstall.yaml
@@ -274,8 +274,6 @@ spec:
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
- required:
- - releases
type: object
required:
- metadata
diff --git a/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests/osimagestreams.machineconfiguration.openshift.io/OSStreams.yaml b/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests/osimagestreams.machineconfiguration.openshift.io/OSStreams.yaml
index b8a42fe76ef..20383595d85 100644
--- a/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests/osimagestreams.machineconfiguration.openshift.io/OSStreams.yaml
+++ b/machineconfiguration/v1alpha1/zz_generated.featuregated-crd-manifests/osimagestreams.machineconfiguration.openshift.io/OSStreams.yaml
@@ -148,9 +148,6 @@ spec:
characters, '-' or '.', and must start and end with an alphanumeric
character.
rule: '!format.dns1123Subdomain().validate(self).hasValue()'
- required:
- - availableStreams
- - defaultStream
type: object
x-kubernetes-validations:
- message: defaultStream must reference a stream name from availableStreams
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
index 776207869f0..747745ac176 100644
--- a/openapi/generated_openapi/zz_generated.openapi.go
+++ b/openapi/generated_openapi/zz_generated.openapi.go
@@ -428,6 +428,10 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
"github.com/openshift/api/config/v1alpha1.BackupList": schema_openshift_api_config_v1alpha1_BackupList(ref),
"github.com/openshift/api/config/v1alpha1.BackupSpec": schema_openshift_api_config_v1alpha1_BackupSpec(ref),
"github.com/openshift/api/config/v1alpha1.BackupStatus": schema_openshift_api_config_v1alpha1_BackupStatus(ref),
+ "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfig": schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfig(ref),
+ "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigList": schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigList(ref),
+ "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigSpec": schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigSpec(ref),
+ "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigStatus": schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigStatus(ref),
"github.com/openshift/api/config/v1alpha1.ClusterImagePolicy": schema_openshift_api_config_v1alpha1_ClusterImagePolicy(ref),
"github.com/openshift/api/config/v1alpha1.ClusterImagePolicyList": schema_openshift_api_config_v1alpha1_ClusterImagePolicyList(ref),
"github.com/openshift/api/config/v1alpha1.ClusterImagePolicySpec": schema_openshift_api_config_v1alpha1_ClusterImagePolicySpec(ref),
@@ -21528,6 +21532,177 @@ func schema_openshift_api_config_v1alpha1_BackupStatus(ref common.ReferenceCallb
}
}
+func schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfig(ref common.ReferenceCallback) common.OpenAPIDefinition {
+ return common.OpenAPIDefinition{
+ Schema: spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Description: "CRIOCredentialProviderConfig holds cluster-wide singleton resource configurations for CRI-O credential provider, the name of this instance is \"cluster\". CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources. For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in. CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation. Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.\n\nThe resource is a singleton named \"cluster\".\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+ Type: []string{"object"},
+ Properties: map[string]spec.Schema{
+ "kind": {
+ SchemaProps: spec.SchemaProps{
+ Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
+ "apiVersion": {
+ SchemaProps: spec.SchemaProps{
+ Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
+ "metadata": {
+ SchemaProps: spec.SchemaProps{
+ Description: "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+ Default: map[string]interface{}{},
+ Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+ },
+ },
+ "spec": {
+ SchemaProps: spec.SchemaProps{
+ Description: "spec defines the desired configuration of the CRI-O Credential Provider. This field is required and must be provided when creating the resource.",
+ Default: map[string]interface{}{},
+ Ref: ref("github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigSpec"),
+ },
+ },
+ "status": {
+ SchemaProps: spec.SchemaProps{
+ Description: "status represents the current state of the CRIOCredentialProviderConfig. When omitted or nil, it indicates that the status has not yet been set by the controller. The controller will populate this field with validation conditions and operational state.",
+ Ref: ref("github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigStatus"),
+ },
+ },
+ },
+ Required: []string{"spec"},
+ },
+ },
+ Dependencies: []string{
+ "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigSpec", "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfigStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+ }
+}
+
+func schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+ return common.OpenAPIDefinition{
+ Schema: spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Description: "CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+ Type: []string{"object"},
+ Properties: map[string]spec.Schema{
+ "kind": {
+ SchemaProps: spec.SchemaProps{
+ Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
+ "apiVersion": {
+ SchemaProps: spec.SchemaProps{
+ Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
+ "metadata": {
+ SchemaProps: spec.SchemaProps{
+ Description: "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+ Default: map[string]interface{}{},
+ Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+ },
+ },
+ "items": {
+ SchemaProps: spec.SchemaProps{
+ Type: []string{"array"},
+ Items: &spec.SchemaOrArray{
+ Schema: &spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Default: map[string]interface{}{},
+ Ref: ref("github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfig"),
+ },
+ },
+ },
+ },
+ },
+ },
+ Required: []string{"metadata", "items"},
+ },
+ },
+ Dependencies: []string{
+ "github.com/openshift/api/config/v1alpha1.CRIOCredentialProviderConfig", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+ }
+}
+
+func schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+ return common.OpenAPIDefinition{
+ Schema: spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Description: "CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.",
+ Type: []string{"object"},
+ Properties: map[string]spec.Schema{
+ "matchImages": {
+ VendorExtensible: spec.VendorExtensible{
+ Extensions: spec.Extensions{
+ "x-kubernetes-list-type": "set",
+ },
+ },
+ SchemaProps: spec.SchemaProps{
+ Description: "matchImages is a required list of string patterns used to determine whether the CRI-O credential provider should be invoked for a given image. This list is passed to the kubelet CredentialProviderConfig, and if any pattern matches the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling that image or its mirrors.\n\nThis field is required and must contain between 1 and 50 entries. The list is treated as a set, so duplicate entries are not allowed.\n\nFor more details, see: - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/ - https://github.com/cri-o/crio-credential-provider#architecture\n\nEach entry in matchImages is a pattern which can optionally contain a port and a path. Each entry no longer than 512 characters. Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io', and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net'). A global wildcard '*' (matching any domain) is not allowed. Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path. For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not. Each wildcard matches only a single domain label, so '*.io' does **not** match '*.k8s.io'.\n\nA match exists between an image and a matchImage when all of the below are true: Both contain the same number of domain parts and each part matches. The URL path of an matchImages must be a prefix of the target image URL path. If the matchImages contains a port, then the port must match in the image as well.\n\nExample values of matchImages:\n\n- 123456789.dkr.ecr.us-east-1.amazonaws.com\n\n- *.azurecr.io\n\n- gcr.io\n\n- *.*.registry.io\n\n- registry.io:8080/path",
+ Type: []string{"array"},
+ Items: &spec.SchemaOrArray{
+ Schema: &spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Default: "",
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
+ },
+ },
+ },
+ },
+ Required: []string{"matchImages"},
+ },
+ },
+ }
+}
+
+func schema_openshift_api_config_v1alpha1_CRIOCredentialProviderConfigStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+ return common.OpenAPIDefinition{
+ Schema: spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Description: "CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig",
+ Type: []string{"object"},
+ Properties: map[string]spec.Schema{
+ "conditions": {
+ VendorExtensible: spec.VendorExtensible{
+ Extensions: spec.Extensions{
+ "x-kubernetes-list-map-keys": []interface{}{
+ "type",
+ },
+ "x-kubernetes-list-type": "map",
+ },
+ },
+ SchemaProps: spec.SchemaProps{
+ Description: "conditions represent the latest available observations of the configuration state. When omitted or empty, it indicates that no conditions have been reported yet. The maximum number of conditions is 4. Conditions are stored as a map keyed by condition type, ensuring uniqueness.\n\nExpected condition types include: \"Validated\": indicates whether the matchImages configuration is valid",
+ Type: []string{"array"},
+ Items: &spec.SchemaOrArray{
+ Schema: &spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Default: map[string]interface{}{},
+ Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"),
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ Dependencies: []string{
+ "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"},
+ }
+}
+
func schema_openshift_api_config_v1alpha1_ClusterImagePolicy(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
@@ -42538,7 +42713,6 @@ func schema_openshift_api_machineconfiguration_v1alpha1_InternalReleaseImageStat
},
},
},
- Required: []string{"releases"},
},
},
Dependencies: []string{
@@ -43064,7 +43238,6 @@ func schema_openshift_api_machineconfiguration_v1alpha1_OSImageStreamStatus(ref
},
},
},
- Required: []string{"availableStreams", "defaultStream"},
},
},
Dependencies: []string{
diff --git a/openapi/openapi.json b/openapi/openapi.json
index e1ff54c9c11..0726e379379 100644
--- a/openapi/openapi.json
+++ b/openapi/openapi.json
@@ -11721,6 +11721,103 @@
"com.github.openshift.api.config.v1alpha1.BackupStatus": {
"type": "object"
},
+ "com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfig": {
+ "description": "CRIOCredentialProviderConfig holds cluster-wide configurations for CRI-O credential provider. CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources. For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in. CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+ "type": "object",
+ "required": [
+ "spec"
+ ],
+ "properties": {
+ "apiVersion": {
+ "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+ "type": "string"
+ },
+ "kind": {
+ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+ "type": "string"
+ },
+ "metadata": {
+ "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+ "default": {},
+ "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
+ },
+ "spec": {
+ "description": "spec defines the desired configuration of the CRIO Credential Provider.",
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigSpec"
+ },
+ "status": {
+ "description": "status represents the current state of the CRIOCredentialProviderConfig.",
+ "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigStatus"
+ }
+ }
+ },
+ "com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigList": {
+ "description": "CRIOCredentialProviderConfigList contains a list of CRIOCredentialProviderConfig resources\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
+ "type": "object",
+ "required": [
+ "metadata",
+ "items"
+ ],
+ "properties": {
+ "apiVersion": {
+ "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+ "type": "string"
+ },
+ "items": {
+ "type": "array",
+ "items": {
+ "default": {},
+ "$ref": "#/definitions/com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfig"
+ }
+ },
+ "kind": {
+ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+ "type": "string"
+ },
+ "metadata": {
+ "description": "metadata is the standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+ "default": {},
+ "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
+ }
+ }
+ },
+ "com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigSpec": {
+ "description": "CRIOCredentialProviderConfigSpec defines the desired configuration of the CRI-O Credential Provider.",
+ "type": "object",
+ "required": [
+ "matchImages"
+ ],
+ "properties": {
+ "matchImages": {
+ "description": "matchImages is a required list of string patterns used to determine whether the CRI-O credential provider should be invoked for a given image. This list is passed to the kubelet CredentialProviderConfig, and if any pattern matches the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling that image or its mirrors.\n\nFor more details, see: - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/ - https://github.com/cri-o/crio-credential-provider#architecture\n\nEach entry in matchImages is a pattern which can optionally contain a port and a path. Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io', and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net'). Wildcards are not allowed in the port or path, nor may they appear in the middle of a hostname label. For example, '*.example.com' is valid, but 'example*.*.com' is not. Each wildcard matches only a single domain label, so '*.io' does **not** match '*.k8s.io'.\n\nA match exists between an image and a matchImage when all of the below are true: - Both contain the same number of domain parts and each part matches. - The URL path of an matchImages must be a prefix of the target image URL path. - If the matchImages contains a port, then the port must match in the image as well.\n\nExample values of matchImages: - 123456789.dkr.ecr.us-east-1.amazonaws.com - *.azurecr.io - gcr.io - *.*.registry.io - registry.io:8080/path",
+ "type": "array",
+ "items": {
+ "type": "string",
+ "default": ""
+ },
+ "x-kubernetes-list-type": "set"
+ }
+ }
+ },
+ "com.github.openshift.api.config.v1alpha1.CRIOCredentialProviderConfigStatus": {
+ "description": "CRIOCredentialProviderConfigStatus defines the observed state of CRIOCredentialProviderConfig",
+ "type": "object",
+ "properties": {
+ "conditions": {
+ "description": "conditions represent the latest available observations of the configuration state",
+ "type": "array",
+ "items": {
+ "default": {},
+ "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"
+ },
+ "x-kubernetes-list-map-keys": [
+ "type"
+ ],
+ "x-kubernetes-list-type": "map"
+ }
+ }
+ },
"com.github.openshift.api.config.v1alpha1.ClusterImagePolicy": {
"description": "ClusterImagePolicy holds cluster-wide configuration for image signature verification\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.",
"type": "object",
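Review bot: The descriptions added to openapi.json in this hunk do not match the ones added to zz_generated.openapi.go in the same commit, which indicates one of the two generated artifacts is stale relative to the type definitions. The CRIOCredentialProviderConfig description here lacks the kubelet-restart note and the "singleton named cluster" sentence present in the Go schema, the spec description here reads "CRIO Credential Provider" where the Go schema reads "CRI-O Credential Provider", and the matchImages description here omits the 1–50 entry and 512-character limits that the Go schema documents. Regenerate openapi.json from the current types so the published schema advertises the same validation limits as the CRD.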
diff --git a/payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs-CustomNoUpgrade.crd.yaml
new file mode 100644
index 00000000000..8cf4a29d9c6
--- /dev/null
+++ b/payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs-CustomNoUpgrade.crd.yaml
@@ -0,0 +1,209 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/1929
+ api.openshift.io/merged-by-featuregates: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/feature-set: CustomNoUpgrade
+ name: criocredentialproviderconfigs.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: CRIOCredentialProviderConfig
+ listKind: CRIOCredentialProviderConfigList
+ plural: criocredentialproviderconfigs
+ singular: criocredentialproviderconfig
+ scope: Cluster
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ CRIOCredentialProviderConfig holds cluster-wide configurations for CRI-O credential provider. CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+ For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+ CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+ Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.
+
+ The resource is a singleton named "cluster".
+
+ Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: |-
+ spec defines the desired configuration of the CRI-O Credential Provider.
+ This field is required and must be provided when creating the resource.
+ properties:
+ matchImages:
+ description: |-
+ matchImages is a required list of string patterns used to determine whether
+ the CRI-O credential provider should be invoked for a given image. This list is
+ passed to the kubelet CredentialProviderConfig, and if any pattern matches
+ the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+ that image or its mirrors.
+
+ This field is required and must contain between 1 and 50 entries.
+ The list is treated as a set, so duplicate entries are not allowed.
+
+ For more details, see:
+ - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+ - https://github.com/cri-o/crio-credential-provider#architecture
+
+ Each entry in matchImages is a pattern which can optionally contain a port and a path. Each entry no longer than 512 characters.
+ Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+ and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+ A global wildcard '*' (matching any domain) is not allowed.
+ Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path.
+ For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not.
+ Each wildcard matches only a single domain label,
+ so '*.io' does **not** match '*.k8s.io'.
+
+ A match exists between an image and a matchImage when all of the below are true:
+ Both contain the same number of domain parts and each part matches.
+ The URL path of an matchImages must be a prefix of the target image URL path.
+ If the matchImages contains a port, then the port must match in the image as well.
+
+ Example values of matchImages:
+
+ - 123456789.dkr.ecr.us-east-1.amazonaws.com
+
+ - *.azurecr.io
+
+ - gcr.io
+
+ - *.*.registry.io
+
+ - registry.io:8080/path
+ items:
+ description: |-
+ MatchImage is a string pattern used to match container image registry addresses.
+ It must be a valid fully qualified domain name with optional wildcard, port, and path.
+ The maximum length is 512 characters.
+
+ Wildcards ('*') are supported for full subdomain labels and top-level domains.
+ Each entry can optionally contain a port (e.g., :8080) and a path (e.g., /path).
+ Wildcards are not allowed in the port or path portions.
+
+ Examples:
+ - "registry.io" - matches exactly registry.io
+ - "*.azurecr.io" - matches any single subdomain of azurecr.io
+ - "registry.io:8080/path" - matches with specific port and path prefix
+ maxLength: 512
+ type: string
+ x-kubernetes-validations:
+ - message: global wildcard '*' is not allowed
+ rule: self != '*'
+ - message: invalid matchImages value, must be a valid fully qualified
+ domain name with optional wildcard, port, and path
+ rule: self.matches('^((\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)(\\.(\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?))*)(:[0-9]+)?(/[-a-zA-Z0-9_/]*)?$')
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ required:
+ - matchImages
+ type: object
+ status:
+ description: |-
+ status represents the current state of the CRIOCredentialProviderConfig.
+ When omitted or nil, it indicates that the status has not yet been set by the controller.
+ The controller will populate this field with validation conditions and operational state.
+ properties:
+ conditions:
+ description: |-
+ conditions represent the latest available observations of the configuration state.
+ When omitted or empty, it indicates that no conditions have been reported yet.
+ The maximum number of conditions is 4.
+ Conditions are stored as a map keyed by condition type, ensuring uniqueness.
+
+ Expected condition types include:
+ "Validated": indicates whether the matchImages configuration is valid
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 4
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ x-kubernetes-validations:
+ - message: criocredentialproviderconfig is a singleton, .metadata.name must
+ be 'cluster'
+ rule: self.metadata.name == 'cluster'
+ served: true
+ storage: true
+ subresources:
+ status: {}
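Review bot: The global-wildcard guard `rule: self != '*'` on the matchImages items is bypassed by patterns whose hostname consists only of wildcard labels, because the regex in the second rule accepts `\*` for every label: `*.*` or `*.*.*` is admitted and would invoke the credential provider — which per the top-level description reads Secrets in the pod's namespace — for every image with that many hostname labels. A rule requiring at least one literal label closes this, e.g. `- message: matchImages must contain at least one non-wildcard hostname label` / `rule: '!self.matches(''^(\\*\\.)*\\*(:[0-9]+)?(/.*)?$'')'`. The regex's path class `[-a-zA-Z0-9_/]*` also rejects `.` inside repository paths (e.g. `registry.io/org/repo.v4`), which OCI reference grammar permits, so confirm that restriction is intended. This manifest is generated from the Go type's validation markers, so the fix belongs on the MatchImage `XValidation` marker in the Go source, which is outside this diff.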
diff --git a/payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs-DevPreviewNoUpgrade.crd.yaml
new file mode 100644
index 00000000000..778097ea178
--- /dev/null
+++ b/payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs-DevPreviewNoUpgrade.crd.yaml
@@ -0,0 +1,209 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/1929
+ api.openshift.io/merged-by-featuregates: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/feature-set: DevPreviewNoUpgrade
+ name: criocredentialproviderconfigs.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: CRIOCredentialProviderConfig
+ listKind: CRIOCredentialProviderConfigList
+ plural: criocredentialproviderconfigs
+ singular: criocredentialproviderconfig
+ scope: Cluster
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ CRIOCredentialProviderConfig holds cluster-wide configurations for CRI-O credential provider. CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+ For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+ CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+ Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.
+
+ The resource is a singleton named "cluster".
+
+ Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: |-
+ spec defines the desired configuration of the CRI-O Credential Provider.
+ This field is required and must be provided when creating the resource.
+ properties:
+ matchImages:
+ description: |-
+ matchImages is a required list of string patterns used to determine whether
+ the CRI-O credential provider should be invoked for a given image. This list is
+ passed to the kubelet CredentialProviderConfig, and if any pattern matches
+ the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+ that image or its mirrors.
+
+ This field is required and must contain between 1 and 50 entries.
+ The list is treated as a set, so duplicate entries are not allowed.
+
+ For more details, see:
+ - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+ - https://github.com/cri-o/crio-credential-provider#architecture
+
+ Each entry in matchImages is a pattern which can optionally contain a port and a path. Each entry no longer than 512 characters.
+ Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+ and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+ A global wildcard '*' (matching any domain) is not allowed.
+ Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path.
+ For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not.
+ Each wildcard matches only a single domain label,
+ so '*.io' does **not** match '*.k8s.io'.
+
+ A match exists between an image and a matchImage when all of the below are true:
+ Both contain the same number of domain parts and each part matches.
+ The URL path of an matchImages must be a prefix of the target image URL path.
+ If the matchImages contains a port, then the port must match in the image as well.
+
+ Example values of matchImages:
+
+ - 123456789.dkr.ecr.us-east-1.amazonaws.com
+
+ - *.azurecr.io
+
+ - gcr.io
+
+ - *.*.registry.io
+
+ - registry.io:8080/path
+ items:
+ description: |-
+ MatchImage is a string pattern used to match container image registry addresses.
+ It must be a valid fully qualified domain name with optional wildcard, port, and path.
+ The maximum length is 512 characters.
+
+ Wildcards ('*') are supported for full subdomain labels and top-level domains.
+ Each entry can optionally contain a port (e.g., :8080) and a path (e.g., /path).
+ Wildcards are not allowed in the port or path portions.
+
+ Examples:
+ - "registry.io" - matches exactly registry.io
+ - "*.azurecr.io" - matches any single subdomain of azurecr.io
+ - "registry.io:8080/path" - matches with specific port and path prefix
+ maxLength: 512
+ type: string
+ x-kubernetes-validations:
+ - message: global wildcard '*' is not allowed
+ rule: self != '*'
+ - message: invalid matchImages value, must be a valid fully qualified
+ domain name with optional wildcard, port, and path
+ rule: self.matches('^((\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)(\\.(\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?))*)(:[0-9]+)?(/[-a-zA-Z0-9_/]*)?$')
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ required:
+ - matchImages
+ type: object
+ status:
+ description: |-
+ status represents the current state of the CRIOCredentialProviderConfig.
+ When omitted or nil, it indicates that the status has not yet been set by the controller.
+ The controller will populate this field with validation conditions and operational state.
+ properties:
+ conditions:
+ description: |-
+ conditions represent the latest available observations of the configuration state.
+ When omitted or empty, it indicates that no conditions have been reported yet.
+ The maximum number of conditions is 4.
+ Conditions are stored as a map keyed by condition type, ensuring uniqueness.
+
+ Expected condition types include:
+ "Validated": indicates whether the matchImages configuration is valid
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 4
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ x-kubernetes-validations:
+ - message: criocredentialproviderconfig is a singleton, .metadata.name must
+ be 'cluster'
+ rule: self.metadata.name == 'cluster'
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs-TechPreviewNoUpgrade.crd.yaml
new file mode 100644
index 00000000000..07790299347
--- /dev/null
+++ b/payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs-TechPreviewNoUpgrade.crd.yaml
@@ -0,0 +1,209 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.openshift.io: https://github.com/openshift/api/pull/1929
+ api.openshift.io/merged-by-featuregates: "true"
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ release.openshift.io/feature-set: TechPreviewNoUpgrade
+ name: criocredentialproviderconfigs.config.openshift.io
+spec:
+ group: config.openshift.io
+ names:
+ kind: CRIOCredentialProviderConfig
+ listKind: CRIOCredentialProviderConfigList
+ plural: criocredentialproviderconfigs
+ singular: criocredentialproviderconfig
+ scope: Cluster
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ CRIOCredentialProviderConfig holds cluster-wide configurations for CRI-O credential provider. CRI-O credential provider is a binary shipped with CRI-O that provides a way to obtain container image pull credentials from external sources.
+ For example, it can be used to fetch mirror registry credentials from secrets resources in the cluster within the same namespace the pod will be running in.
+ CRIOCredentialProviderConfig configuration specifies the pod image sources registries that should trigger the CRI-O credential provider execution, which will resolve the CRI-O mirror configurations and obtain the necessary credentials for pod creation.
+ Note: Configuration changes will only take effect after the kubelet restarts, which is automatically managed by the cluster during rollout.
+
+ The resource is a singleton named "cluster".
+
+ Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: |-
+ spec defines the desired configuration of the CRI-O Credential Provider.
+ This field is required and must be provided when creating the resource.
+ properties:
+ matchImages:
+ description: |-
+ matchImages is a required list of string patterns used to determine whether
+ the CRI-O credential provider should be invoked for a given image. This list is
+ passed to the kubelet CredentialProviderConfig, and if any pattern matches
+ the requested image, CRI-O credential provider will be invoked to obtain credentials for pulling
+ that image or its mirrors.
+
+ This field is required and must contain between 1 and 50 entries.
+ The list is treated as a set, so duplicate entries are not allowed.
+
+ For more details, see:
+ - https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/
+ - https://github.com/cri-o/crio-credential-provider#architecture
+
+ Each entry in matchImages is a pattern which can optionally contain a port and a path. Each entry no longer than 512 characters.
+ Wildcards ('*') are supported for full subdomain labels, such as '*.k8s.io' or 'k8s.*.io',
+ and for top-level domains, such as 'k8s.*' (which matches 'k8s.io' or 'k8s.net').
+ A global wildcard '*' (matching any domain) is not allowed.
+ Wildcards may replace an entire hostname label (e.g., *.example.com), but they cannot appear within a label (e.g., f*oo.example.com) and are not allowed in the port or path.
+ For example, 'example.*.com' is valid, but 'exa*mple.*.com' is not.
+ Each wildcard matches only a single domain label,
+ so '*.io' does **not** match '*.k8s.io'.
+
+ A match exists between an image and a matchImage when all of the below are true:
+ Both contain the same number of domain parts and each part matches.
+ The URL path of an matchImages must be a prefix of the target image URL path.
+ If the matchImages contains a port, then the port must match in the image as well.
+
+ Example values of matchImages:
+
+ - 123456789.dkr.ecr.us-east-1.amazonaws.com
+
+ - *.azurecr.io
+
+ - gcr.io
+
+ - *.*.registry.io
+
+ - registry.io:8080/path
+ items:
+ description: |-
+ MatchImage is a string pattern used to match container image registry addresses.
+ It must be a valid fully qualified domain name with optional wildcard, port, and path.
+ The maximum length is 512 characters.
+
+ Wildcards ('*') are supported for full subdomain labels and top-level domains.
+ Each entry can optionally contain a port (e.g., :8080) and a path (e.g., /path).
+ Wildcards are not allowed in the port or path portions.
+
+ Examples:
+ - "registry.io" - matches exactly registry.io
+ - "*.azurecr.io" - matches any single subdomain of azurecr.io
+ - "registry.io:8080/path" - matches with specific port and path prefix
+ maxLength: 512
+ type: string
+ x-kubernetes-validations:
+ - message: global wildcard '*' is not allowed
+ rule: self != '*'
+ - message: invalid matchImages value, must be a valid fully qualified
+ domain name with optional wildcard, port, and path
+ rule: self.matches('^((\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)(\\.(\\*|[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?))*)(:[0-9]+)?(/[-a-zA-Z0-9_/]*)?$')
+ maxItems: 50
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ required:
+ - matchImages
+ type: object
+ status:
+ description: |-
+ status represents the current state of the CRIOCredentialProviderConfig.
+ When omitted or nil, it indicates that the status has not yet been set by the controller.
+ The controller will populate this field with validation conditions and operational state.
+ properties:
+ conditions:
+ description: |-
+ conditions represent the latest available observations of the configuration state.
+ When omitted or empty, it indicates that no conditions have been reported yet.
+ The maximum number of conditions is 4.
+ Conditions are stored as a map keyed by condition type, ensuring uniqueness.
+
+ Expected condition types include:
+ "Validated": indicates whether the matchImages configuration is valid
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 4
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ x-kubernetes-validations:
+ - message: criocredentialproviderconfig is a singleton, .metadata.name must
+ be 'cluster'
+ rule: self.metadata.name == 'cluster'
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/payload-manifests/crds/0000_80_machine-config_01_internalreleaseimages-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_internalreleaseimages-CustomNoUpgrade.crd.yaml
index c74586c5ca1..bc4830f0615 100644
--- a/payload-manifests/crds/0000_80_machine-config_01_internalreleaseimages-CustomNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_80_machine-config_01_internalreleaseimages-CustomNoUpgrade.crd.yaml
@@ -274,8 +274,6 @@ spec:
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
- required:
- - releases
type: object
required:
- metadata
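Review bot: Dropping `required: - releases` from this schema relaxes what the API server accepts for InternalReleaseImage objects and is unrelated to the CRIOCredentialProviderConfig addition the rest of the commit makes; the identical removal appears in the DevPreviewNoUpgrade and TechPreviewNoUpgrade manifests below. Since these manifests are generated, this most likely means the generator ran against a Go type whose `releases` field lost its required marker (or gained `omitempty`) in a separate or uncommitted change, so it is worth confirming the relaxation is intended rather than generator drift — an object with no `releases` would now validate. The enclosing schema object starts and ends outside the hunk.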
diff --git a/payload-manifests/crds/0000_80_machine-config_01_internalreleaseimages-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_internalreleaseimages-DevPreviewNoUpgrade.crd.yaml
index 69153b31c06..455e6114775 100644
--- a/payload-manifests/crds/0000_80_machine-config_01_internalreleaseimages-DevPreviewNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_80_machine-config_01_internalreleaseimages-DevPreviewNoUpgrade.crd.yaml
@@ -273,8 +273,6 @@ spec:
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
- required:
- - releases
type: object
required:
- metadata
diff --git a/payload-manifests/crds/0000_80_machine-config_01_internalreleaseimages-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_internalreleaseimages-TechPreviewNoUpgrade.crd.yaml
index 6c01040a915..6b63a319182 100644
--- a/payload-manifests/crds/0000_80_machine-config_01_internalreleaseimages-TechPreviewNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_80_machine-config_01_internalreleaseimages-TechPreviewNoUpgrade.crd.yaml
@@ -273,8 +273,6 @@ spec:
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
- required:
- - releases
type: object
required:
- metadata
diff --git a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml
index 8ad3c12bc1a..462e7bf9ec6 100644
--- a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml
+++ b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml
@@ -54,6 +54,9 @@
{
"name": "CRDCompatibilityRequirementOperator"
},
+ {
+ "name": "CRIOCredentialProviderConfig"
+ },
{
"name": "ClientsAllowCBOR"
},
diff --git a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml
index 6ef86f1aa10..813cd6ad0c8 100644
--- a/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml
@@ -115,6 +115,9 @@
{
"name": "CRDCompatibilityRequirementOperator"
},
+ {
+ "name": "CRIOCredentialProviderConfig"
+ },
{
"name": "ClientsPreferCBOR"
},
diff --git a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml
index e3c80881325..69df58de921 100644
--- a/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml
@@ -130,6 +130,9 @@
{
"name": "CRDCompatibilityRequirementOperator"
},
+ {
+ "name": "CRIOCredentialProviderConfig"
+ },
{
"name": "ClientsPreferCBOR"
},
diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml
index 06f46c99da6..7fd25b9c22f 100644
--- a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml
+++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml
@@ -54,6 +54,9 @@
{
"name": "CRDCompatibilityRequirementOperator"
},
+ {
+ "name": "CRIOCredentialProviderConfig"
+ },
{
"name": "ClientsAllowCBOR"
},
diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml
index c5e5e3d78b7..d696ed1256f 100644
--- a/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml
@@ -100,6 +100,9 @@
{
"name": "CRDCompatibilityRequirementOperator"
},
+ {
+ "name": "CRIOCredentialProviderConfig"
+ },
{
"name": "ClientsPreferCBOR"
},
diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml
index c598cbfa831..9e90963e5ff 100644
--- a/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml
@@ -115,6 +115,9 @@
{
"name": "CRDCompatibilityRequirementOperator"
},
+ {
+ "name": "CRIOCredentialProviderConfig"
+ },
{
"name": "ClientsPreferCBOR"
},