Neutree Documentation

Using an insecure container registry

An insecure registry typically refers to an image registry that uses the HTTP protocol instead of HTTPS, or an HTTPS registry with a self-signed certificate. If you are using an insecure registry, complete the corresponding configuration based on your cluster type.

Static node cluster configuration

Configure your insecure registry on all control plane nodes and cluster nodes.

  1. On the control plane nodes and cluster nodes, edit the Docker configuration file /etc/docker/daemon.json and add the following content:

    {
      "insecure-registries": ["<image_registry_access_url>:<port>"]
    }

    Replace <image_registry_access_url> with the access address of the image registry and <port> with the access port of the image registry.

    Note

    If /etc/docker/daemon.json already contains other configuration items, merge the insecure-registries field into the existing configuration to avoid overwriting existing settings.

  2. Restart the Docker service to apply the configuration:

    sudo systemctl restart docker
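
The merge described in the note under step 1, as an added example that is not part of the Neutree documentation: it adds the registry to an existing daemon.json without dropping other keys, and writes nothing if the file is not valid JSON. The function name merge_insecure_registry, the sample settings and the address registry.example.internal:5000 are constructed for illustration.

```python
import json
import os
import tempfile


def merge_insecure_registry(path, registry):
    """Add registry ("host:port") to insecure-registries in the daemon.json at
    path, keeping every other setting. Returns the resulting configuration."""
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        mode = os.stat(path).st_mode & 0o777  # keep the file's current permissions
    except FileNotFoundError:
        text, mode = "", 0o644
    # Malformed JSON raises json.JSONDecodeError here, before anything is written.
    config = json.loads(text) if text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError(f"{path}: top level must be a JSON object")
    registries = config.setdefault("insecure-registries", [])
    if not isinstance(registries, list):
        raise ValueError(f"{path}: insecure-registries must be a list")
    if registry not in registries:  # idempotent: re-running adds no duplicate
        registries.append(registry)
    # Write a temp file in the same directory and rename it into place, so
    # Docker never sees a half-written daemon.json.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
            fh.write("\n")
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return config


if __name__ == "__main__":
    # Constructed sample: an existing daemon.json with unrelated settings.
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "daemon.json")
        with open(sample, "w", encoding="utf-8") as fh:
            json.dump({"log-driver": "json-file", "live-restore": True}, fh)
        merged = merge_insecure_registry(sample, "registry.example.internal:5000")
        print(json.dumps(merged, indent=2))
```

To apply it to a node, call the function with /etc/docker/daemon.json as root, then restart Docker as in step 2.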

Kubernetes cluster configuration

If you are using AKE, refer to the Managing the AKE service settings > Managing global configurations > Configuring trusted container registries section in the corresponding version of the Arcfra Kubernetes Engine Administration Guide for instructions.

If you are using another standard Kubernetes cluster, complete the following configuration on all nodes of the Kubernetes cluster as described in this section.

  1. Configure the container runtime.

    Three configuration methods are available for container runtimes, and containerd is recommended.

    1. Create the registry directory:

      mkdir -p /etc/containerd/certs.d/<image_registry_access_url>:<port>

      Replace <image_registry_access_url> with the access address of the image registry and <port> with the access port of the image registry.

    2. Create hosts.toml:

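      # /etc/containerd/certs.d/<image_registry_access_url>:<port>/hosts.toml
      # For an HTTPS registry with a self-signed certificate, use https:// in both URLs.
      server = "http://<image_registry_access_url>:<port>"

      [host."http://<image_registry_access_url>:<port>"]
        capabilities = ["pull", "resolve", "push"]
        # skip_verify disables TLS certificate verification for this host.
        skip_verify = true

    3. Modify the containerd main configuration: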

      Ensure that the hosts directory is enabled in /etc/containerd/config.toml:

      [plugins."io.containerd.grpc.v1.cri".registry]
        config_path = "/etc/containerd/certs.d"

    4. Restart the service:

      systemctl restart containerd

  2. Verify that the configuration takes effect.

    You can verify the configuration by pulling an image or creating a test Pod.

    crictl pull <image_registry_access_url>:<port>/myimage:latest

  3. (Optional) To add authentication for the insecure image registry, create an imagePullSecret and reference it in the Pod.

    1. Create an imagePullSecret:

      kubectl create secret docker-registry regcred \
        --docker-server=<image_registry_access_url>:<port> \
        --docker-username=admin \
        --docker-password=yourpassword

    2. Reference the imagePullSecret in the Pod:

      spec:
        imagePullSecrets:
          - name: regcred
        containers:
          - image: <image_registry_access_url>:<port>/myimage:latest