
KinD Configuration - Registry Mirror Patching

The KinD configuration exposes many controller-level options to us.

One of these options is containerd's registry.mirrors config, which defines alternative endpoints for pulling container images from specific registries. The following guide goes through how to 'mirror' images from one registry to another.

# file: ./kind-config-rewrite-harbor-to-my-registry-example.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
containerdConfigPatches:
    - |-
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
          [plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.atlnz.lc"]
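            endpoint = ["https://my-registry"]
        # containerd reads credentials from registry.configs."<endpoint host>".auth, not from the mirrors table
        [plugins."io.containerd.grpc.v1.cri".registry.configs."my-registry".auth]
          username = "[username]"
          password = "[password]"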

This will have the following effect:

manifest -> declares `harbor.atlnz.lc/oneconnect/abc:latest`
               |
            containerd -> rewrites `harbor.atlnz.lc` -> `my-registry`
               |
            `my-registry/oneconnect/abc:latest` pulled inside KinD

Use Cases

Rate Limiting Errors (429) when pulling from DockerHub:

We can use registry mirror patching to address this, by forcing all image pulls from the remote registry (docker.io) to go through a proxy cache.

# file: ./kind-harbor-proxy-cache.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
containerdConfigPatches:
    - |-
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
          [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
            endpoint = ["https://harbor.atlnz.lc/v2/proxy_cache"]

This will force all images pulled within KinD that come from the host docker.io to go through harbor.atlnz.lc/v2/proxy_cache (acting as a pull-through cache).

Patching to ECR for cluster tests:

We can use registry mirror patching to address this case. Conceptually, we want every image that is provided by harbor.atlnz.lc to be pulled from a hosted private registry instead, and we want to authenticate against that private registry.

To do this, we need to get the following information:

  1. The registry endpoint
  2. The registry username
  3. The registry password

In the case of AWS, if we are authenticated, the username will be 'AWS', we can obtain the password by running `aws ecr get-login-password --region $REGION`, and we can get our registry endpoint/URL via the AWS Web UI.

With this information we can create the following file:

[!WARNING]

Because this file now contains secret values, it should not be stored in git.

# file: ./kind-aws-hosted-mirror.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
containerdConfigPatches:
    - |-
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
          [plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.atlnz.lc"]
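            endpoint = ["https://[account-id].dkr.ecr.ap-northeast-1.amazonaws.com"]
        # containerd reads credentials from registry.configs."<endpoint host>".auth, not from the mirrors table
        [plugins."io.containerd.grpc.v1.cri".registry.configs."[account-id].dkr.ecr.ap-northeast-1.amazonaws.com".auth]
          username = "AWS"
          password = "c5dzBCQndFd0hnWUpZSVpJQVdVREJBRXVNQkVFREZ2djJYTFdhQ..."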

This will have the following effect:

manifest -> declares `harbor.atlnz.lc/oneconnect/abc:latest`
               |
            containerd -> rewrites `harbor.atlnz.lc` -> `account-id.dkr.ecr.region.amazonaws.com`
               |
            `account-id.dkr.ecr.region.amazonaws.com/oneconnect/abc:latest` pulled inside KinD
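
One way to produce the secret-bearing config from the ECR steps above without pasting the password by hand. This is an added example, not part of the original guide: the function name `render_kind_mirror_config` and its arguments are assumptions, and it puts the credentials in containerd's `registry.configs."<host>".auth` table, keyed by the mirror endpoint's host.

```bash
# Added example, not from the original page. Function and argument names are assumptions.
# Usage:
#   aws ecr get-login-password --region "$REGION" |
#     render_kind_mirror_config harbor.atlnz.lc "$ECR_HOST" AWS ./kind-aws-hosted-mirror.yaml
render_kind_mirror_config() {
  if [ "$#" -ne 4 ]; then
    echo "usage: render_kind_mirror_config SOURCE_HOST MIRROR_HOST USERNAME OUT_FILE < password" >&2
    return 2
  fi
  local source_host="$1" mirror_host="$2" username="$3" out="$4" password=""
  # Password arrives on stdin, so it never shows up in argv or shell history.
  IFS= read -r password || true
  if [ -z "$password" ]; then
    echo "empty password on stdin (is the AWS session authenticated?)" >&2
    return 1
  fi
  # Refuse characters that would terminate or escape a TOML basic string.
  case "$source_host$mirror_host$username$password" in
    *\"*|*\\*) echo "value contains a quote or backslash" >&2; return 1 ;;
  esac
  (
    umask 077          # new file is created 0600
    rm -f -- "$out"    # drop any older copy that may have looser permissions
    cat > "$out" <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
containerdConfigPatches:
    - |-
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."${source_host}"]
          endpoint = ["https://${mirror_host}"]
        # Credentials are keyed by the endpoint host under registry.configs.
        [plugins."io.containerd.grpc.v1.cri".registry.configs."${mirror_host}".auth]
          username = "${username}"
          password = "${password}"
EOF
  )
}
```

ECR authorization tokens expire after 12 hours, so regenerate the file just before creating the cluster and keep its path in `.gitignore`.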