Why are my agents trying to pull images from quay.io when I have my private repo defined in

/etc/rancher/k3s/registries.yaml

Are you sure that they’re actually doing that? Just adding your private repo as an endpoint for a public registry doesn’t make the image names change. The image will still be pulled as

<http://quay.io/foo|quay.io/foo>

, it will just connect to your endpoint instead of

<https://quay.io/v2>

for the actual pull operation.

I'm pretty sure that is what they are doing.

"Error syncing pod, skipping" err="failed to \"StartContainer\" for \"speaker\" with ErrImagePull: \"failed to pull and unpack image \\\"<http://quay.io/metallb/speaker:v0.14.5\\\|quay.io/metallb/speaker:v0.14.5\\\>": failed to resolve reference \\\"<http://quay.io/metallb/speaker:v0.14.5\\\|quay.io/metallb/speaker:v0.14.5\\\>": failed to do request: Head \\\"<https://quay.io/v2/metallb/speaker/manifests/v0.14.5>\\\": dial tcp: lookup <http://quay.io|quay.io>

re: docs - I have

--disable-default-registry-endpoint

did you put your registries.yaml on the agent, and specify --disable-default-registry-endpoint, on the agent as well? registries.yaml and that cli flag are node-local configuration and must be configured on each node individually.

Yes I did.

can you show the content of reistries.yaml, and the output of

find /var/lib/rancher/k3s/agent/etc/containerd/ -type f

on the agent?

@creamy-pencil-82913 sorry for the noise, I needed to change the image location in the manifest to point to my internal repo.