Image Repository Handling

Often, a Kubernetes manifest (or skaffold.yaml) makes references to images that push to registries that we might not have access to. Modifying these individual image names manually is tedious, so Skaffold supports automatically prefixing these image names with a registry specified by the user. Using this, any project configured with Skaffold can be run by any user with minimal configuration, and no manual YAML editing!

This is accomplished through the default-repo functionality, and can be used one of three ways:

  1. --default-repo flag

    skaffold dev --default-repo <myrepo>
  2. SKAFFOLD_DEFAULT_REPO environment variable

    SKAFFOLD_DEFAULT_REPO=<myrepo> skaffold dev
  3. Skaffold’s global config

    skaffold config set default-repo <myrepo>

If no default-repo is provided by the user, there is no automated image name rewriting, and Skaffold will try to push the image as provided in the yaml.

The image name rewriting strategies are designed to be conflict-free: the full image name is rewritten on top of the default-repo so similar image names don’t collide in the base namespace (e.g.: repo1/example and repo2/example would collide in the target_namespace/example without this)

Automated image name rewriting strategies are determined based on the default-repo and the original image repository:

  • default-repo domain does not contain or

    • strategy: escape & concat & truncate to 256

       original image:
       rewritten image:
  • default-repo contain or (special cases - as GCR and AR allow for arbitrarily deep directory structure in image repo names)

    • strategy: concat unless prefix matches

    • example1: prefix doesn’t match:

        original image:
        rewritten image:
    • example2: prefix matches:

        original image:
        rewritten image:
    • example3: shared prefix:

        original image:
        rewritten image:

Insecure image registries

During development you may be forced to push images to a registry that does not support HTTPS. By itself, Skaffold will never try to downgrade a connection to a registry to plain HTTP. In order to access insecure registries, this has to be explicitly configured per registry name.

There are several levels of granularity to allow insecure communication with some registry:

  1. Per Skaffold run via the repeatable --insecure-registry flag

    skaffold dev --insecure-registry --insecure-registry
  2. Per Skaffold run via SKAFFOLD_INSECURE_REGISTRY environment variable

  3. Per project via the Skaffold pipeline config skaffold.yaml

  4. Per user via Skaffold’s global config

    skaffold config set insecure-registries           # for the current kube-context
    skaffold config set --global insecure-registries  # for any kube-context

    Note that multiple set commands add to the existing list of insecure registries. To clear the list, run skaffold config unset insecure-registries.

Skaffold will join the lists of insecure registries, if configured via multiple sources.

Last modified April 2, 2024: release: v2.11.0 (#9376) (5431c6b)