We use the jenkins cloudbees folder plugin to give a jenkins space per software team. They also store their own credentials in their folder scope.  With the kubernetes plugin we would like to give each software team their own configured cloud (locked to their folder)

With the Kubernetes plugin the cloud configuration is stored globally. This is fine, however the used credential ID must therefore also be in the global credential store. This means that scoped software teams could possibly read each other credential ID's which is not fine.

We tried changing the credential ID (programmatically) to a folder scoped credential, however this is not allowed as the routine assumes the credential is in the global credential store: https://github.com/jenkinsci/kubernetes-plugin/blob/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFactoryAdapter.java#L256

So it would be nice to store the cloud configuration without a credential (which is already possible), and then dynamically inject the credential on the spot using an extra property (in the declarative pipeline), something like this

pipeline {
  agent {
    kubernetes {
      cloud 'team-a-cloud'
      credentialId 'team-a-credential-id'
      yamlFile 'KubernetesPod.yaml'
    }
  }
  // ... stages, etc
} 

So when "credentialId" is specified it would do a dynamic lookup (in global AND folder scoped credential folder), find it and use it instead