Nikita Vakula
Posted on May 31

Bootstrapping Kubernetes Before the Registry Exists - Pre-Tagging Images for containerd

#devops #kubernetes #helm #containerd

If you're setting up Kubernetes for a private project — internal tools, an isolated network, an in-house stack — at some point you hit the question: where do the images come from?

Every tutorial assumes public registries like docker.io, ghcr.io, or quay.io are reachable. When they aren't, the chicken-and-egg starts. You can't pull your registry image from your registry. You can't authenticate against your IdP before the IdP is up. Each foundation service has the same shape.

There isn't much written about how to actually bootstrap from this state. Here's the approach I've been using.

Foundation services all have the same problem

The same pattern shows up everywhere:

- Registry: kubelet needs to pull the registry image from somewhere, but the registry is what would serve it.
- Identity provider: anything that does OIDC depends on the IdP being up — and the IdP pod doesn't start without an image pull either.

If you treat each one as a special case, you end up with a pile of "first time only" scripts that drift out of sync with your normal deploy path.

A workable approach

The mechanic itself is plain:

1. Build the image with docker build.
2. Save it to a tarball with docker save.
3. Copy the tarball to every Kubernetes node.
4. Import it into containerd with ctr -n k8s.io images import <tar>.

With imagePullPolicy: IfNotPresent set on the pod spec, kubelet uses the cached image and doesn't try to pull. The registry doesn't have to be up. Nothing has to be reachable.

None of these steps are exotic. What matters is step 2 — specifically, which name you tag the image with before saving.

The naming has to line up

When you import an image into containerd, it ends up in the cache under whatever name the tarball says. That name is just a string. There's nothing special about repo/registry
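The four steps above as one script, with two checks added around the import: the tarball's SHA-256 is compared after the copy, and the containerd cache is queried for the exact image name. This is an added example, not code from the original post; IMAGE, NODES, the /tmp path, and ssh plus sudo access to the nodes are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. IMAGE, NODES and DEST are
# constructed placeholders; ssh and sudo access to each node is assumed.
set -eu

# Must be byte-for-byte the string the pod spec uses in `image:`.
IMAGE="${IMAGE:-registry.internal.example/platform/registry:2.8.3}"
NODES="${NODES:-node1 node2}"
DEST=/tmp/preload.tar

# Hex SHA-256 of a file.
digest() { sha256sum "$1" | cut -d' ' -f1; }

# Reads image names on stdin (one per line); succeeds only on an exact match.
has_image() { grep -Fxq -- "$1"; }

preload() (
  tar="$(mktemp)"
  trap 'rm -f "$tar"' EXIT
  docker build -t "$IMAGE" .        # step 1: tag with the final name
  docker save -o "$tar" "$IMAGE"    # step 2: the name travels in the tarball
  sum="$(digest "$tar")"
  for node in $NODES; do
    scp -q "$tar" "$node:$DEST"     # step 3
    # Refuse to import a tarball that changed in transit.
    [ "$(ssh "$node" sha256sum "$DEST" | cut -d' ' -f1)" = "$sum" ] ||
      { echo "digest mismatch on $node" >&2; exit 1; }
    ssh "$node" sudo ctr -n k8s.io images import "$DEST"   # step 4
    # Confirm the cache holds the exact name kubelet will look up.
    ssh "$node" sudo ctr -n k8s.io images ls -q | has_image "$IMAGE" ||
      { echo "$IMAGE not in containerd cache on $node" >&2; exit 1; }
  done
)

# Only touches docker and the nodes when asked to.
if [ "${1:-}" = "--run" ]; then preload; fi
```

Run it with `--run` from the directory that holds the Dockerfile; without the argument it only defines the functions.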
📰Dev.to — dev.to