diff --git a/charts/admission/charts/runtime/templates/deployment.yaml b/charts/admission/charts/runtime/templates/deployment.yaml
index 9e5cfc0b..d81d4190 100644
--- a/charts/admission/charts/runtime/templates/deployment.yaml
+++ b/charts/admission/charts/runtime/templates/deployment.yaml
@@ -50,6 +50,9 @@ spec:
 {{- if .Values.global.kubeconfig }}
 - --kubeconfig=/kubeconfig/kubeconfig
 {{- end }}
+ {{- if .Values.global.projectedKubeconfig }}
+ - --kubeconfig={{ required ".Values.global.projectedKubeconfig.baseMountPath is required" .Values.global.projectedKubeconfig.baseMountPath }}/kubeconfig
+ {{- end }}
 {{- if .Values.global.metricsPort }}
 - --metrics-bind-address=:{{ .Values.global.metricsPort }}
 {{- end }}
@@ -88,6 +91,11 @@ spec:
 mountPath: /var/run/secrets/projected/serviceaccount
 readOnly: true
 {{- end }}
+ {{- if .Values.global.projectedKubeconfig }}
+ - name: kubeconfig
+ mountPath: {{ required ".Values.global.projectedKubeconfig.baseMountPath is required" .Values.global.projectedKubeconfig.baseMountPath }}
+ readOnly: true
+ {{- end }}
 volumes:
 - name: tls
 secret:
@@ -110,3 +118,21 @@ spec:
 audience: {{ .Values.global.serviceAccountTokenVolumeProjection.audience }}
 {{- end }}
 {{- end }}
+ {{- if .Values.global.projectedKubeconfig }}
+ - name: kubeconfig
+ projected:
+ defaultMode: 420
+ sources:
+ - secret:
+ items:
+ - key: kubeconfig
+ path: kubeconfig
+ name: {{ required ".Values.global.projectedKubeconfig.genericKubeconfigSecretName is required" .Values.global.projectedKubeconfig.genericKubeconfigSecretName }}
+ optional: false
+ - secret:
+ items:
+ - key: token
+ path: token
+ name: {{ required ".Values.global.projectedKubeconfig.tokenSecretName is required" .Values.global.projectedKubeconfig.tokenSecretName }}
+ optional: false
+ {{- end }}
diff --git a/charts/admission/values.yaml b/charts/admission/values.yaml
index 5dcc79a8..6b8fc4b5 100644
--- a/charts/admission/values.yaml
+++ b/charts/admission/values.yaml
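Review bot: The new `--kubeconfig` argument is emitted independently of the `{{- if .Values.global.kubeconfig }}` branch directly above it, so a values file that sets both `global.kubeconfig` and `global.projectedKubeconfig` renders two `--kubeconfig` flags and which credential is used is decided by the flag parser, not by the chart. Because the two settings select different credentials for the target cluster, the choice should be explicit: fold this branch into the preceding `if` as `{{- else if .Values.global.projectedKubeconfig }}` (dropping the first `{{- end }}`), or `fail` when both are set. The same mutual-exclusion concern applies to the volume mount and volume added in the next two hunks, which both use the name `kubeconfig` and would presumably collide with the volume that backs `/kubeconfig/kubeconfig` if that volume (defined outside these hunks) carries the same name. The container args list this entry belongs to starts before the hunk.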
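Review bot: `mountPath:` receives the raw `baseMountPath` value unquoted, so a value starting with a YAML indicator or containing `: ` or ` #` breaks the rendered manifest with a parse error instead of a clear message; `mountPath: {{ required ".Values.global.projectedKubeconfig.baseMountPath is required" .Values.global.projectedKubeconfig.baseMountPath | quote }}` is the safer form, and the two `name:` lines in the volume hunk benefit from `| quote` for the same reason. `required` only rejects an empty value, so a relative path or a trailing slash (which yields `//kubeconfig` in the argument of the first hunk) passes unnoticed; a `hasPrefix "/"` check combined with `fail` would make the contract explicit at render time. The volumeMounts list this entry belongs to starts before the hunk.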
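Review bot: `defaultMode: 420` (0644) leaves the projected kubeconfig and, more importantly, the `token` file readable by every user inside the container, while only the admission process itself needs to read them. A tighter mode follows least privilege without changing how the volume is used: `defaultMode: 256` (0400) when the container runs as the file owner, or `defaultMode: 288` (0440) together with an `fsGroup` in the pod security context (defined outside this hunk) when it runs as a non-root user. `optional: false` on both sources is the right choice, since a missing Secret then fails the pod instead of silently starting without credentials. The volumes list this entry belongs to starts before the hunk.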
@@ -37,6 +37,10 @@ global:
 useObjectSelector: true
 # Kubeconfig to the target cluster. In-cluster configuration will be used if not specified.
 kubeconfig:
+# projectedKubeconfig:
+# baseMountPath: /var/run/secrets/gardener.cloud
+# genericKubeconfigSecretName: generic-token-kubeconfig
+# tokenSecretName: access-registry-cache-admission
 serviceAccountTokenVolumeProjection:
 enabled: false
 expirationSeconds: 43200
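Review bot: The commented example lists the three keys but does not say what they mean or how they relate to `kubeconfig:` just above it, so a reader of values.yaml cannot tell that the two referenced Secrets must carry a `kubeconfig` key and a `token` key respectively (the items the deployment template selects), nor that `projectedKubeconfig` is an alternative to `kubeconfig` rather than an addition. I would add a comment above the block along the lines of `# Alternative to kubeconfig: mounts a generic kubeconfig (Secret key "kubeconfig") and a token (Secret key "token") from the named Secrets under baseMountPath; set only one of the two.` so the contract is visible where operators edit it.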