diff --git a/README.md b/README.md
index ae698b8adb2..e346022e15e 100644
--- a/README.md
+++ b/README.md
@@ -308,6 +308,7 @@ The following settings can be optionally set to customize the node labels and ta
 The following settings are optional and allow you to further configure your cluster.
 * `settings.kubernetes.cluster-domain`: The DNS domain for this cluster, allowing all Kubernetes-run containers to search this domain before the host's search domains.  Defaults to `cluster.local`.
 * `settings.kubernetes.standalone-mode`: Whether to run the kubelet in standalone mode, without connecting to an API server.  Defaults to `false`.
+* `settings.kubernetes.cloud-provider`: The cloud provider for this cluster. Defaults to `aws` for AWS variants, and `external` for other variants.
 * `settings.kubernetes.authentication-mode`: Which authentication method the kubelet should use to connect to the API server, and for incoming requests.  Defaults to `aws` for AWS variants, and `tls` for other variants.
 * `settings.kubernetes.server-tls-bootstrap`: Enables or disables server certificate bootstrap.  When enabled, the kubelet will request a certificate from the certificates.k8s.io API.  This requires an approver to approve the certificate signing requests (CSR).  Defaults to `true`.
 * `settings.kubernetes.bootstrap-token`: The token to use for [TLS bootstrapping](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/).  This is only used with the `tls` authentication mode, and is otherwise ignored.
diff --git a/packages/kubernetes-1.16/kubelet-exec-start-conf b/packages/kubernetes-1.16/kubelet-exec-start-conf
index 1cc4d9cf246..4395e39318e 100644
--- a/packages/kubernetes-1.16/kubelet-exec-start-conf
+++ b/packages/kubernetes-1.16/kubelet-exec-start-conf
@@ -2,7 +2,7 @@
 ExecStart=
 ExecStart=/usr/bin/kubelet \
 {{~#unless settings.kubernetes.standalone-mode}}
-    --cloud-provider aws \
+    --cloud-provider {{default "external" settings.kubernetes.cloud-provider}} \
     --kubeconfig /etc/kubernetes/kubelet/kubeconfig \
 {{~#if (eq settings.kubernetes.authentication-mode "tls")}}
     --bootstrap-kubeconfig /etc/kubernetes/kubelet/bootstrap-kubeconfig \
diff --git a/packages/kubernetes-1.17/kubelet-exec-start-conf b/packages/kubernetes-1.17/kubelet-exec-start-conf
index 1cc4d9cf246..4395e39318e 100644
--- a/packages/kubernetes-1.17/kubelet-exec-start-conf
+++ b/packages/kubernetes-1.17/kubelet-exec-start-conf
@@ -2,7 +2,7 @@
 ExecStart=
 ExecStart=/usr/bin/kubelet \
 {{~#unless settings.kubernetes.standalone-mode}}
-    --cloud-provider aws \
+    --cloud-provider {{default "external" settings.kubernetes.cloud-provider}} \
     --kubeconfig /etc/kubernetes/kubelet/kubeconfig \
 {{~#if (eq settings.kubernetes.authentication-mode "tls")}}
     --bootstrap-kubeconfig /etc/kubernetes/kubelet/bootstrap-kubeconfig \
diff --git a/packages/kubernetes-1.18/kubelet-exec-start-conf b/packages/kubernetes-1.18/kubelet-exec-start-conf
index 1cc4d9cf246..4395e39318e 100644
--- a/packages/kubernetes-1.18/kubelet-exec-start-conf
+++ b/packages/kubernetes-1.18/kubelet-exec-start-conf
@@ -2,7 +2,7 @@
 ExecStart=
 ExecStart=/usr/bin/kubelet \
 {{~#unless settings.kubernetes.standalone-mode}}
-    --cloud-provider aws \
+    --cloud-provider {{default "external" settings.kubernetes.cloud-provider}} \
     --kubeconfig /etc/kubernetes/kubelet/kubeconfig \
 {{~#if (eq settings.kubernetes.authentication-mode "tls")}}
     --bootstrap-kubeconfig /etc/kubernetes/kubelet/bootstrap-kubeconfig \
diff --git a/packages/kubernetes-1.19/kubelet-exec-start-conf b/packages/kubernetes-1.19/kubelet-exec-start-conf
index 65a693cb49b..ee65537d040 100644
--- a/packages/kubernetes-1.19/kubelet-exec-start-conf
+++ b/packages/kubernetes-1.19/kubelet-exec-start-conf
@@ -2,7 +2,7 @@
 ExecStart=
 ExecStart=/usr/bin/kubelet \
 {{~#unless settings.kubernetes.standalone-mode}}
-    --cloud-provider aws \
+    --cloud-provider {{default "external" settings.kubernetes.cloud-provider}} \
     --kubeconfig /etc/kubernetes/kubelet/kubeconfig \
 {{~#if (eq settings.kubernetes.authentication-mode "tls")}}
     --bootstrap-kubeconfig /etc/kubernetes/kubelet/bootstrap-kubeconfig \
diff --git a/sources/models/src/aws-k8s-1.19/defaults.d/50-aws-k8s.toml b/sources/models/src/aws-k8s-1.19/defaults.d/50-aws-k8s.toml
index 7adb5f41dcc..1830b8e4c8f 100644
--- a/sources/models/src/aws-k8s-1.19/defaults.d/50-aws-k8s.toml
+++ b/sources/models/src/aws-k8s-1.19/defaults.d/50-aws-k8s.toml
@@ -59,6 +59,7 @@ cluster-domain = "cluster.local"
 standalone-mode = false
 authentication-mode = "aws"
 server-tls-bootstrap = true
+cloud-provider = "aws"
 
 # Metrics
 [settings.metrics]
diff --git a/sources/models/src/lib.rs b/sources/models/src/lib.rs
index 6fab14f51e9..039106fac42 100644
--- a/sources/models/src/lib.rs
+++ b/sources/models/src/lib.rs
@@ -95,9 +95,10 @@ use std::net::Ipv4Addr;
 use crate::modeled_types::{
     BootstrapContainerMode, DNSDomain, ECSAgentLogLevel, ECSAttributeKey, ECSAttributeValue,
     FriendlyVersion, Identifier, KubernetesAuthenticationMode, KubernetesBootstrapToken,
-    KubernetesClusterName, KubernetesEvictionHardKey, KubernetesLabelKey, KubernetesLabelValue,
-    KubernetesQuantityValue, KubernetesReservedResourceKey, KubernetesTaintValue,
-    KubernetesThresholdValue, Lockdown, SingleLineString, SysctlKey, Url, ValidBase64,
+    KubernetesCloudProvider, KubernetesClusterName, KubernetesEvictionHardKey, KubernetesLabelKey,
+    KubernetesLabelValue, KubernetesQuantityValue, KubernetesReservedResourceKey,
+    KubernetesTaintValue, KubernetesThresholdValue, Lockdown, SingleLineString, SysctlKey, Url,
+    ValidBase64,
 };
 
 // Kubernetes static pod manifest settings
@@ -127,6 +128,7 @@ struct KubernetesSettings {
     kube_reserved: HashMap<KubernetesReservedResourceKey, KubernetesQuantityValue>,
     allowed_unsafe_sysctls: Vec<SingleLineString>,
     server_tls_bootstrap: bool,
+    cloud_provider: KubernetesCloudProvider,
 
     // Settings where we generate a value based on the runtime environment.  The user can specify a
     // value to override the generated one, but typically would not.
diff --git a/sources/models/src/modeled_types/kubernetes.rs b/sources/models/src/modeled_types/kubernetes.rs
index 6263b7e5b9c..e1fd1b781c5 100644
--- a/sources/models/src/modeled_types/kubernetes.rs
+++ b/sources/models/src/modeled_types/kubernetes.rs
@@ -723,3 +723,48 @@ mod test_kubernetes_quantity_value {
         }
     }
 }
+
+// =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
+
+/// KubernetesCloudProvider represents a string that is a valid cloud provider for the
+/// kubelet.  It stores the original string and makes it accessible through standard traits.
+#[derive(Debug, Clone, Eq, PartialEq, Hash)]
+pub struct KubernetesCloudProvider {
+    inner: String,
+}
+
+impl TryFrom<&str> for KubernetesCloudProvider {
+    type Error = error::Error;
+
+    fn try_from(input: &str) -> Result<Self, error::Error> {
+        ensure!(
+            matches!(input, "aws" | "external"),
+            error::InvalidAuthenticationMode { input }
+        );
+        Ok(KubernetesCloudProvider {
+            inner: input.to_string(),
+        })
+    }
+}
+
+string_impls_for!(KubernetesCloudProvider, "KubernetesCloudProvider");
+
+#[cfg(test)]
+mod test_kubernetes_cloud_provider {
+    use super::KubernetesCloudProvider;
+    use std::convert::TryFrom;
+
+    #[test]
+    fn good_modes() {
+        for ok in &["aws", "external"] {
+            KubernetesCloudProvider::try_from(*ok).unwrap();
+        }
+    }
+
+    #[test]
+    fn bad_modes() {
+        for err in &["", "internal"] {
+            KubernetesCloudProvider::try_from(*err).unwrap_err();
+        }
+    }
+}