diff --git a/docs/src/overview/isolated-kubernetes.md b/docs/src/overview/isolated-kubernetes.md
index 31f0328084..c85c4957d1 100644
--- a/docs/src/overview/isolated-kubernetes.md
+++ b/docs/src/overview/isolated-kubernetes.md
@@ -297,25 +297,23 @@ If a cluster is either configured with `restricted` or `forbidden`, the configur
 config.toml
 ```toml
-imports = ["/etc/containerd/conf.d/*.toml"]
+# Generated by os-extension-metal
 version = 2
+imports = ["/etc/containerd/conf.d/*.toml"]
+disabled_plugins = []
 [plugins."io.containerd.grpc.v1.cri".registry]
- [plugins."io.containerd.grpc.v1.cri".reg
- [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
- endpoint = ["https://some.private.registry"]
- [plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]
- endpoint = ["https://some.private.registry"]
- [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.lightbitslabs.com"]
- endpoint = ["https://some.private.registry"]
- [plugins."io.containerd.grpc.v1.cri".registry.mirrors."eu.gcr.io"]
- endpoint = ["https://some.private.registry"]
- [plugins."io.containerd.grpc.v1.cri".registry.mirrors."ghcr.io"]
- endpoint = ["https://some.private.registry"]
- [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.k8s.io"]
- endpoint = ["https://some.private.registry"]
- [plugins."io.containerd.grpc.v1.cri".registry.mirrors."r.metal-stack.io"]
- endpoint = ["https://some.private.registry"]
+ config_path = "/etc/containerd/certs.d"
+```
+
+And for every registry mirror an additional `certs.d/$HOST/hosts.yaml` will be created. This is in line with [Gardener's containerd Registry Configuration](https://gardener.cloud/docs/gardener/advanced/containerd-registry-configuration/).
+
+```toml
+# certs.d/docker.io/hosts.yaml
+
+server = "https://docker.io"
+[host."https://some.private.registry"]
+ capabilities = ["pull", "resolve"]
 ```
 DNS and NTP must also be adopted according to the configuration in the CloudProfile.