Private Registry configuration seemingly ignored

[hardlycharred]

Actual Behavior

Private registry configuration does not seem to be applied using either moby or containerd backends. The override successfully creates the config file at /etc/rancher/k3s/registries.yaml, but the configuration seems to have no effect.

Steps to Reproduce

Per the override documentation here and k3s private registry documentation here:

1. Create a file at ~/.local/share/rancher-desktop/lima/_config/override.yaml with contents like below:

provision:
  - mode: system
    script: |
      #!/bin/sh
      set -eux
      mkdir -p /etc/rancher/k3s
      cat <<EOF >/etc/rancher/k3s/registries.yaml
      mirrors:
        docker.io:
          endpoint:
          - https://artifactory.<domain>
         rewrite:
           "^(.*)$": "docker-internal/docker.io/\$1"
        quay.io:
          endpoint:
          - https://artifactory.<domain>
         rewrite:
           "^(.*)$": "docker-internal/quay.io/\$1"
      configs:
        "artifactory.<domain>":
          auth:
            username: <username>
            password: <password>
      EOF

2. Start Rancher Desktop
3. Start a pod with an image we have available internally, e.g.kubectl run --image caddy:2.7 caddy, kubectl run --image docker.io/caddy:2.7 caddy, or kubectl run --image docker.io/library/caddy:2.7 caddy

Result

Pod fails with ImagePullBackoff and manifest for caddy:2.7 not found.

Expected Behavior

Images pulled within the cluster with the tag prefix docker.io/$TAG should instead pull artifactory.<domain>/docker-internal/docker.io/$TAG

Additional Information

• We have a DNS poisoned docker.io domain internally that points to a separate repository that does not contain caddy:2.7. Pulling images from the repository at docker.io works, but this is not the desired behavior.
• The same registry YAML config works fine on non-Rancher Desktop instances of k3s v1.29.4+k3s1 (e.g. ones installed manually)
• The other k3s instances I administer with custom registry configuration have /etc/containerd/certs.d populated with a directory and hosts.toml for each repository (e.g. docker.io, quay.io). The instance provisioned by Rancher Desktop does not, regardless of using moby or containerd runtimes.

Rancher Desktop Version

1.13.1

Rancher Desktop K8s Version

1.29.4

Which container engine are you using?

moby (docker cli)

What operating system are you using?

Ubuntu

Operating System / Build Version

Ubuntu 22.04

What CPU architecture are you using?

x64

Linux only: what package format did you use to install Rancher Desktop?

deb

Windows User Only

No response

[jandubois]

The documentation is incorrect. Rancher Desktop no longer uses containerd from k3s but always configures its own version (so even older versions of k3s run with the latest version of containerd).

That means the registries.yaml feature of k3s has no effect and Rancher Desktop needs to provide its own mechanism to configure private registries.

[stephanbertl]

Any update? This breaks offline use or usage with proxies.