K8s Private Registry

Configuring Nodes to Authenticate to a Private Registry

Note: Kubernetes currently supports only the auths and HttpHeaders sections of the Docker config. This means credential helpers (credHelpers or credsStore) are not supported.

Docker stores keys for private registries in the $HOME/.dockercfg or $HOME/.docker/config.json file. If one of these files exists in any of the search paths listed below, kubelet uses it as the credential provider when pulling images.

  • {--root-dir:-/var/lib/kubelet}/config.json
  • {cwd of kubelet}/config.json
  • ${HOME}/.docker/config.json
  • /.docker/config.json
  • {--root-dir:-/var/lib/kubelet}/.dockercfg
  • {cwd of kubelet}/.dockercfg
  • ${HOME}/.dockercfg
  • /.dockercfg


{
    "auths": {
        "registry.cn-hangzhou.aliyuncs.com": {
            "auth": "d3ViaWdvOjEyMzEyMwo="
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/17.03.3-ce (linux)"
    }
}
  • Convert the base64-encoded auth data to a readable format (the value is user:password, encoded but not encrypted):
echo "d3ViaWdvOjEyMzEyMwo=" | base64 --decode
nodes=$(kubectl get nodes -o jsonpath='{range.items[*].metadata}{.name} {end}')
for n in $nodes; do scp ~/.docker/config.json root@"$n":/var/lib/kubelet/config.json; done
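
A pre-flight check worth running on config.json before copying it to the nodes, written here as an added example (not part of the original page or of Kubernetes). It flags the credential-helper keys that the note above says kubelet does not support, and validates each auth value without printing the password. The function name, the extra credsStore key and the registry.example.internal entry are constructed for illustration.

```python
import base64
import binascii
import json

# Constructed sample: the page's config.json plus a credsStore key (which
# Docker Desktop commonly adds) and a constructed entry with no inline auth.
SAMPLE = """
{
  "auths": {
    "registry.cn-hangzhou.aliyuncs.com": {"auth": "d3ViaWdvOjEyMzEyMwo="},
    "registry.example.internal": {}
  },
  "credsStore": "desktop",
  "HttpHeaders": {"User-Agent": "Docker-Client/17.03.3-ce (linux)"}
}
"""

def check_docker_config(text):
    """Return a list of findings; an empty list means no problems found."""
    cfg = json.loads(text)
    findings = []
    for key in ("credsStore", "credHelpers"):
        if cfg.get(key):
            findings.append(f"{key}: credential helpers are not supported by kubelet")
    auths = cfg.get("auths") or {}
    if not auths:
        findings.append("auths: no registry entries")
    for registry, entry in auths.items():
        auth = entry.get("auth")
        if not auth:
            findings.append(f"{registry}: no auth field (credential may live in a helper)")
            continue
        try:
            decoded = base64.b64decode(auth, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            findings.append(f"{registry}: auth is not valid base64 text")
            continue
        user, sep, password = decoded.partition(":")
        if not (sep and user and password):
            findings.append(f"{registry}: auth does not decode to user:password")
        elif decoded != decoded.strip():
            findings.append(f"{registry}: decoded auth has stray whitespace")
    return findings

if __name__ == "__main__":
    for finding in check_docker_config(SAMPLE):
        print(finding)
```

The whitespace finding fires on the page's own sample value, which decodes with a trailing newline, as happens when the string is produced with echo rather than echo -n.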