Currently running a private Docker registry (Artifactory) on an internal network that uses a self-signed certificate for authentication.
When Kubernetes starts up a new node, it is unable to auth with the private Docker registry because this new node does not have the self-signed certificate.
Any help would be much appreciated. Thanks!
You can access the keys for private docker registries in $HOME/.dockercfg or $HOME/.docker/config.json. If you add it to one of these search paths, kubelet should use it as a credential when pulling the images.
https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry
The "Configuring Nodes to Authenticate to a Private Registry" section gives you a step by step on how to do it.
Kubernetes is likely using the docker daemon on the Kubernetes cluster nodes. For them to trust your local registry, you can add the trusted registry hostname to the file /etc/docker/daemon.json as follows:
{ "insecure-registries":["some.local.registry"] }
where some.local.registry is the hostname of the registry.
You need to restart the docker process(es) to make this effective. I did this for a domain that is not public and has no valid TLD, so I could not use cert-manager with letsencrypt.
You need to do the same on every machine that uses docker to connect to that registry.
You basically have to tell the Docker daemon to trust your self-signed certificate by telling it to trust the Certificate Authority (CA) that you used to sign the certificate. You can find more information here on the section that says "Use self-signed certificates".
In particular, for example, for Linux:
Linux: Copy the domain.crt file to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt on every Docker host. You do not need to restart Docker.
This is all different from authenticating by specifying ImagePullSecrets on your pods or docker login credentials in your docker config files.
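As an added example (not code from the answers above or from Docker itself), the following POSIX shell functions put a registry CA in the per-registry trust directory that the Linux step describes, and optionally confirm with openssl that the installed CA verifies the registry's served chain. It goes slightly beyond the text by deriving the certs.d directory name from a full image reference, since Docker keys that directory by the host[:port] used in the reference. The DOCKER_CERTS_ROOT override is an assumption added for testing; the default path and the myregistrydomain.com:5000 name are the ones the answer uses.

```shell
#!/bin/sh
# Added example, not from the original answers. Installs a registry CA into
# Docker's per-registry trust store (/etc/docker/certs.d/<host:port>/ca.crt).
# DOCKER_CERTS_ROOT is an assumed override so the functions can be exercised
# against a temporary directory instead of the real /etc/docker/certs.d.

# Derive the certs.d directory name from a registry reference.
# "https://myregistrydomain.com:5000/team/app:1.2" -> "myregistrydomain.com:5000"
# (scheme dropped, only the first path component kept).
registry_dir_name() {
  printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#/.*$##'
}

# Copy a PEM CA certificate into place and print the destination path.
# Refuses input that is not a PEM certificate, so a key or a DER blob cannot
# silently end up as the trust anchor. No Docker restart is needed for certs.d.
install_registry_ca() {
  ca_file="$1"; registry="$2"
  root="${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}"
  dir="$root/$(registry_dir_name "$registry")"
  grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file" || {
    echo "not a PEM certificate: $ca_file" >&2; return 1; }
  mkdir -p "$dir" || return 1
  cp "$ca_file" "$dir/ca.crt" || return 1
  chmod 0644 "$dir/ca.crt"
  printf '%s\n' "$dir/ca.crt"
}

# Optional online check: does the installed CA verify the registry's chain?
# Returns 0 only when openssl reports "Verify return code: 0 (ok)".
verify_registry_ca() {
  registry="$1"
  root="${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}"
  host_port=$(registry_dir_name "$registry")
  ca="$root/$host_port/ca.crt"
  # Docker assumes port 443 when the reference carries no port.
  case "$host_port" in *:*) ;; *) host_port="$host_port:443" ;; esac
  echo | openssl s_client -connect "$host_port" -servername "${host_port%%:*}" \
      -CAfile "$ca" 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}
```

Run `install_registry_ca domain.crt myregistrydomain.com:5000` as root on each Docker host, then `verify_registry_ca myregistrydomain.com:5000` to confirm trust before the first image pull.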