This document describes the method to configure the image registry for containerd for use with the `cri` plugin.

With containerd, `docker.io` is the default image registry. You can also set up other image registries similar to docker.

To configure image registries, create/modify the `/etc/containerd/config.toml` as follows:
```toml
[plugins.cri.registry.mirrors]
  [plugins.cri.registry.mirrors."docker.io"]
    endpoint = ["https://registry-1.docker.io"]
  [plugins.cri.registry.mirrors."test.secure-registry.io"]
    endpoint = ["https://HostIP1:Port1"]
  [plugins.cri.registry.mirrors."test.insecure-registry.io"]
    endpoint = ["http://HostIP2:Port2"]
  # wildcard matching is supported but not required.
  [plugins.cri.registry.mirrors."*"]
    endpoint = ["http://HostIP3:Port3"]
```
The default configuration can be generated by `containerd config default > /etc/containerd/config.toml`.

The endpoint is a list that can contain multiple image registry URLs split by commas. When pulling an image from a registry, containerd will try these endpoint URLs one by one, and use the first working one. Please note that if the default registry endpoint is not already specified in the endpoint list, it will be automatically tried at the end with scheme `https` and path `v2`, e.g. `https://gcr.io/v2` for `gcr.io`.
As an example, for the image `gcr.io/library/busybox:latest`, the endpoints are:

* `gcr.io` is configured: endpoints for `gcr.io` + default endpoint `https://gcr.io/v2`.
* `*` is configured, and `gcr.io` is not: endpoints for `*` + default endpoint `https://gcr.io/v2`.
* None of the above is configured: default endpoint `https://gcr.io/v2`.
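The endpoint ordering described above, as an added Go example (not code from the containerd project): `Endpoints` builds the list containerd would try for a registry host from a mirror table shaped like the `[plugins.cri.registry.mirrors]` section, and `RegistryHost` extracts the host from an image reference. The mirror table and image references are constructed; mapping `docker.io` to `registry-1.docker.io` for the default endpoint follows the mirror entry in the config above rather than a rule the page states.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Mirrors maps a registry host (or the "*" wildcard) to its endpoint list,
// the same shape as the [plugins.cri.registry.mirrors] table in config.toml.
type Mirrors map[string][]string

// defaultHost is the host the default endpoint uses. docker.io is served by
// registry-1.docker.io, as the docker.io mirror entry above reflects
// (assumption for this example; the page states no general rule).
func defaultHost(host string) string {
	if host == "docker.io" {
		return "registry-1.docker.io"
	}
	return host
}

// defaultEndpoint is what containerd tries last when it is not already
// listed: scheme https and path v2, as described above.
func defaultEndpoint(host string) string {
	return "https://" + defaultHost(host) + "/v2"
}

// isDefault reports whether an endpoint already points at the default
// registry (https scheme, same host), in which case it is not appended again.
func isDefault(host, ep string) bool {
	u, err := url.Parse(ep)
	if err != nil {
		return false
	}
	return u.Scheme == "https" && strings.EqualFold(u.Host, defaultHost(host))
}

// Endpoints returns the ordered endpoint list for a registry host: the
// host's own mirrors if configured, otherwise the "*" mirrors if configured,
// followed by the default endpoint unless it is already present.
func (m Mirrors) Endpoints(host string) []string {
	var eps []string
	if list, ok := m[host]; ok {
		eps = append(eps, list...)
	} else if list, ok := m["*"]; ok {
		eps = append(eps, list...)
	}
	for _, ep := range eps {
		if isDefault(host, ep) {
			return eps
		}
	}
	return append(eps, defaultEndpoint(host))
}

// RegistryHost extracts the registry host from an image reference using the
// Docker reference rule: the first path component is a host only if it
// contains a dot or a colon or is "localhost"; otherwise the image is on docker.io.
func RegistryHost(ref string) string {
	i := strings.Index(ref, "/")
	if i < 0 {
		return "docker.io"
	}
	first := ref[:i]
	if first == "localhost" || strings.ContainsAny(first, ".:") {
		return first
	}
	return "docker.io"
}

func main() {
	// Constructed mirror table matching the config.toml example above.
	m := Mirrors{
		"docker.io":                 {"https://registry-1.docker.io"},
		"test.secure-registry.io":   {"https://HostIP1:Port1"},
		"test.insecure-registry.io": {"http://HostIP2:Port2"},
	}
	for _, ref := range []string{"gcr.io/library/busybox:latest", "busybox:latest", "test.secure-registry.io/app:1.0"} {
		host := RegistryHost(ref)
		fmt.Printf("%-35s host=%s endpoints=%v\n", ref, host, m.Endpoints(host))
	}
}
```

Because the table is consulted per host, an entry for `"*"` never overrides a host that has its own entry; it only fills in for hosts that have none, which is why the second bullet above reads "`*` is configured, and `gcr.io` is not".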
After modifying this config, you need to restart the `containerd` service.

The `cri` plugin also supports configuring TLS settings when communicating with a registry. To configure the TLS settings for a specific registry, create/modify the `/etc/containerd/config.toml` as follows:
```toml
# The registry host has to be a domain name or IP.
[plugins.cri.registry.configs."my.custom.registry".tls]
  ca_file   = "ca.pem"
  cert_file = "cert.pem"
  key_file  = "key.pem"
```
In the config example shown above, TLS mutual authentication will be used for communications with the registry endpoint located at `https://my.custom.registry`. `ca_file` is the file name of the certificate authority (CA) certificate used to authenticate the x509 certificate/key pair specified by the files respectively pointed to by `cert_file` and `key_file`.

`cert_file` and `key_file` are not needed when TLS mutual authentication is unused:
```toml
# The registry host has to be a domain name or IP.
[plugins.cri.registry.configs."my.custom.registry".tls]
  ca_file = "ca.pem"
```
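To make the distinction between the two configs above concrete, here is an added Go example (not containerd code) that turns the three `tls` fields into a `tls.Config`: a CA alone authenticates the registry, `cert_file` plus `key_file` add client authentication, and a lone `cert_file` or `key_file` is rejected as a misconfiguration. The fields hold PEM bytes instead of the file names used in `config.toml`, and `selfSignedPEM` generates throwaway test material so the example runs offline; rejecting a half-configured pair is this example's policy, not something the page documents.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RegistryTLS mirrors [plugins.cri.registry.configs."host".tls]. The fields
// hold PEM bytes rather than the file names used in config.toml so that the
// example runs offline (constructed material, not real registry files).
type RegistryTLS struct {
	CAPEM   []byte // ca_file: CA that must have signed the registry's certificate
	CertPEM []byte // cert_file: client certificate presented to the registry
	KeyPEM  []byte // key_file: private key belonging to cert_file
}

// Build turns the settings into a tls.Config. A CA alone gives server
// authentication only; cert_file and key_file together add client (mutual)
// authentication. One without the other is rejected instead of silently
// falling back to a one-way handshake (this example's policy).
func (r RegistryTLS) Build() (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(r.CAPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(r.CAPEM) {
			return nil, errors.New("ca_file contains no parsable certificate")
		}
		cfg.RootCAs = pool
	}
	switch {
	case len(r.CertPEM) > 0 && len(r.KeyPEM) > 0:
		pair, err := tls.X509KeyPair(r.CertPEM, r.KeyPEM)
		if err != nil {
			return nil, fmt.Errorf("cert_file/key_file: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	case len(r.CertPEM) > 0 || len(r.KeyPEM) > 0:
		return nil, errors.New("cert_file and key_file must be set together")
	}
	return cfg, nil
}

// Mutual reports whether the config will present a client certificate.
func Mutual(cfg *tls.Config) bool { return len(cfg.Certificates) > 0 }

// selfSignedPEM creates a throwaway self-signed certificate and key pair
// (constructed test material) so the example needs no files on disk.
func selfSignedPEM(cn string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	ca, _, _ := selfSignedPEM("registry-ca")
	clientCert, clientKey, _ := selfSignedPEM("containerd-client")
	mutual, err := RegistryTLS{CAPEM: ca, CertPEM: clientCert, KeyPEM: clientKey}.Build()
	fmt.Println("mutual TLS:", err == nil && Mutual(mutual))
	oneWay, err := RegistryTLS{CAPEM: ca}.Build()
	fmt.Println("server auth only:", err == nil && !Mutual(oneWay))
	_, err = RegistryTLS{CAPEM: ca, CertPEM: clientCert}.Build()
	fmt.Println("cert without key rejected:", err != nil)
}
```

The CA pool only decides which registry certificates are trusted; whether the registry demands the client certificate is the registry's policy, so a missing `cert_file`/`key_file` against a registry that requires it shows up as a handshake failure on pull, not as a config error.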
The `cri` plugin also supports docker-like registry credential config. To configure a credential for a specific registry, create/modify the `/etc/containerd/config.toml` as follows:
```toml
# The registry host has to be a domain name or IP.
[plugins.cri.registry.configs."gcr.io".auth]
  username = ""
  password = ""
  auth = ""
  identitytoken = ""
```
The meaning of each field is the same as the corresponding field in `.docker/config.json`.

Please note that auth config passed by CRI takes precedence over this config. The registry credential in this config will only be used when auth config is not specified by Kubernetes via CRI.

After modifying this config, you need to restart the `containerd` service.
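The precedence rule above, as an added Go example (not containerd code): `Resolve` prefers the auth config Kubernetes passed through CRI and falls back to the `config.toml` entry only when CRI supplied none, and `decodeAuth` unpacks the docker-style `auth` field (base64 of `username:password`, split at the first colon). The order in which the fields of a single entry are consulted (username, then identitytoken, then auth) and the sample values are this example's choices, not documented on the page.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// AuthConfig mirrors [plugins.cri.registry.configs."host".auth]; the field
// semantics follow .docker/config.json, as the text above says. The same
// shape is used here for the auth config Kubernetes passes through CRI.
type AuthConfig struct {
	Username      string
	Password      string
	Auth          string // base64("username:password"), as in .docker/config.json
	IdentityToken string
}

// Credential is what a pull ends up authenticating with. Empty means anonymous.
type Credential struct {
	Username, Password, IdentityToken string
}

// decodeAuth unpacks the docker-style base64 "username:password" field and
// rejects values that are not base64 or carry no separator.
func decodeAuth(auth string) (string, string, error) {
	raw, err := base64.StdEncoding.DecodeString(auth)
	if err != nil {
		return "", "", fmt.Errorf("auth field is not valid base64: %w", err)
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 {
		return "", "", errors.New("auth field must decode to username:password")
	}
	return parts[0], parts[1], nil
}

// fromEntry reduces one auth entry to a credential. The order (username and
// password first, then identitytoken, then auth) is this example's choice.
func fromEntry(a AuthConfig) (Credential, error) {
	switch {
	case a.Username != "":
		return Credential{Username: a.Username, Password: a.Password}, nil
	case a.IdentityToken != "":
		return Credential{IdentityToken: a.IdentityToken}, nil
	case a.Auth != "":
		u, p, err := decodeAuth(a.Auth)
		if err != nil {
			return Credential{}, err
		}
		return Credential{Username: u, Password: p}, nil
	}
	return Credential{}, nil // nothing configured: anonymous pull
}

// Resolve picks the credential for a pull: the auth config passed by CRI
// (nil when Kubernetes sent none) takes precedence over the config.toml entry.
func Resolve(criAuth *AuthConfig, fromConfig AuthConfig) (Credential, error) {
	if criAuth != nil {
		return fromEntry(*criAuth)
	}
	return fromEntry(fromConfig)
}

func main() {
	// Constructed sample entry for gcr.io; "auth" is base64 of "svc:s3cret".
	configEntry := AuthConfig{Auth: base64.StdEncoding.EncodeToString([]byte("svc:s3cret"))}
	cred, _ := Resolve(nil, configEntry)
	fmt.Printf("no CRI auth      -> user %q\n", cred.Username)
	cred, _ = Resolve(&AuthConfig{Username: "k8s-pull-secret", Password: "x"}, configEntry)
	fmt.Printf("CRI auth present -> user %q\n", cred.Username)
}
```

A consequence worth keeping in mind when debugging a pull: once a pod references an image pull secret for the registry, the credential in `config.toml` is never consulted for that pull, so a stale or wrong secret is not masked by a correct entry in the config file.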