# k3s
b
What about embedded registry mirror and `pull-policy=always`? Following GitLab's security recommendation about shared runners, I configured a gitlab-runner with a pull-policy=always on a k3s. As Docker images grow, I'm interested in the embedded registry mirror as it could be a good solution to reduce bootstrap when a CI job moves from one node to another. But what is the effect of pull-policy=always on such a configuration? Ideally, I imagine that pull-policy=always will force the redownload of the manifest, enforcing the usage of a possible credential. But once the manifest is downloaded and thus the security gate is passed, are the layers downloaded or reused?
c
Pulling from the embedded mirror counts as pulling as far as the Kubelet is concerned. If ensuring a pull from the upstream is important, you should not use the embedded mirror.