Container Registries

Configure OpenShift to pull images from external container registries including private registries.

Introduction

Container registries store your Docker/container images. OpenShift can pull from public registries without authentication, but private registries require credentials configured as pull secrets.

Security Best Practice

Use service accounts or tokens with minimal required permissions instead of personal credentials for registry authentication.

Creating Pull Secrets

Create authentication credentials for private registries using the OpenShift web console:

  1. Navigate to Workloads → Secrets
  2. Click Create → Image pull secret
  3. Configure the secret:
    • Secret name: my-registry-secret
    • Authentication type: Image registry credentials
    • Registry server address: registry.example.com
    • Username: Your registry username
    • Password: Your registry password
    • Email (optional): Your email address
  4. Click Create

Using Pull Secrets in Deployments

Add pull secrets to your deployments:

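apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app   # must match spec.selector above
    spec:
      imagePullSecrets:
      - name: my-registry-secret   # Secret must exist in the same project as the Deployment
      containers:
      - name: my-app
        image: registry.example.com/my-app:latest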

Common Registry Examples

GitHub Container Registry

Create a secret for GitHub Container Registry:

  1. Navigate to Workloads → Secrets
  2. Click Create → Image pull secret
  3. Configure:
    • Secret name: ghcr-secret
    • Registry server address: ghcr.io
    • Username: Your GitHub username
    • Password: Your GitHub personal access token
  4. Click Create

Image Pull Policies

Control when OpenShift pulls images:

containers:
- name: my-app
  image: my-app:latest
  imagePullPolicy: Always  # Always pull

Pull Policy Options

  • Always - Always pull the image, even if cached locally
    • Use for latest tags or when images change frequently
  • IfNotPresent (default) - Pull only if image not already present
    • Most efficient for tagged releases
  • Never - Only use cached images, never pull
    • Use for images you know are already present

Best Practices

# Good: Specific version with IfNotPresent
containers:
- name: my-app
  image: my-app:v1.2.3
  imagePullPolicy: IfNotPresent

# Avoid: latest tag without Always policy.
# If you must use latest, pair it with Always as shown here:
containers:
- name: my-app
  image: my-app:latest
  imagePullPolicy: Always

Troubleshooting

ImagePullBackOff Error

Check pod events for details using the OpenShift web console:

  1. Navigate to Workloads → Pods
  2. Click on the pod with ImagePullBackOff status
  3. Review the Events tab for error details
  4. Check the Logs tab if the pod started
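
A pull secret only helps when its registry server address matches the registry in the image reference. The Python check below is an added example, not part of the original page or of OpenShift tooling: it decodes a kubernetes.io/dockerconfigjson Secret and reports a missing registry entry or a latest tag paired with a caching pull policy. The sample Secret is constructed, and the names check_pull, make_secret, ci-robot and placeholder-token are assumptions.

```python
import base64
import json

def registry_of(image):
    """Registry host of an image reference; docker.io when none is given."""
    first, _, rest = image.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def tag_of(image):
    """Tag of an image reference: 'latest' when omitted, None when digest-pinned."""
    if "@" in image:
        return None
    return image.rsplit("/", 1)[-1].partition(":")[2] or "latest"

def check_pull(secret, image, pull_policy=None):
    """Return findings for one container image and the Secret meant to pull it."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return ["secret type is not kubernetes.io/dockerconfigjson"]
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    # Keys may be bare hosts or URLs; compare on the host part only.
    hosts = {key.split("://")[-1].split("/")[0] for key in config.get("auths", {})}
    findings = []
    registry = registry_of(image)
    if registry not in hosts:
        findings.append(f"no credentials for {registry} (secret covers {sorted(hosts)})")
    # An omitted policy defaults to Always for latest, so only explicit values are flagged.
    if tag_of(image) == "latest" and pull_policy in ("IfNotPresent", "Never"):
        findings.append(f"latest tag with imagePullPolicy {pull_policy} can reuse a stale cached image")
    return findings

def make_secret(server, username, password):
    """Constructed sample in the kubernetes.io/dockerconfigjson shape of a pull secret."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {server: {"username": username, "password": password, "auth": auth}}}
    return {
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": "my-registry-secret"},
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(config).encode()).decode()},
    }

if __name__ == "__main__":
    secret = make_secret("registry.example.com", "ci-robot", "placeholder-token")
    for image, policy in [("registry.example.com/my-app:v1.2.3", "IfNotPresent"),
                          ("ghcr.io/my-org/my-app:latest", "IfNotPresent")]:
        print(image, "->", check_pull(secret, image, policy) or "ok")
```
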

Next Steps

Now that you can pull images from registries: