How to deal with Docker Hub pull request limits
Situation
Docker Hub is a popular registry for hosting public container images. Even though other public container registries such as ghcr.io are available, Docker Hub remains the de facto standard for most container images, for example nginx, debian, ubuntu or alpine, to name only a few. In August 2020 Docker announced a rate limitation that took effect on November 1, 2020. Since then the free plan has been reduced to 100 pulls per 6 hours for anonymous users and 200 pulls for authenticated users.
Effect
This situation is challenging for all users of Docker, but especially for SKE customers, since the rate limits can easily be reached even when you're only trying out the service.
The problem gets worse if installed Helm charts or beginner Kubernetes examples set the imagePullPolicy of container images to Always or the image tag to latest, since this leads to the image being downloaded again whenever a Pod with those settings is scheduled on a Kubernetes node.
Mitigation
Unfortunately, there is no easy way to get around the pull request limits of Docker Hub.
Nevertheless, there are some options to mitigate the effect:
- As mentioned before, a first way of reducing image pulls in general is making sure that all imagePullPolicy fields are either unset or explicitly set to IfNotPresent (which is the default). This does not provide full protection, but it's an easy first step. It only matters for images that are pulled from Docker Hub. If the image is loaded from another registry like quay.io (used by cert-manager, for example), it won't have any impact on the Docker Hub limits.
- The next option would be hosting your own private registry service. This can then either run as a proxy cache to Docker Hub (which will also not resolve the problem completely) or you can push images to that registry manually to make them available there. This sync of images can also be partly automated with open-source tools like dregsy. A guide on how to set up a private registry for development environments can be found in this article: How to setup a private container registry. Please be aware that the described setup is not intended for production environments. For that we would either recommend setting up a more advanced registry like Harbor or using the next option.
- Arguably the easiest option to get around the limits for free Docker Hub users is getting a paid Docker Hub account. This option is not free of charge, though, and is therefore the most expensive on the list.
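
To find the workloads that the first mitigation applies to, the following added example (not part of the original guide) scans a Pod list for containers whose image resolves to Docker Hub and is pulled on every start. It assumes the usual image reference convention (no registry host means Docker Hub) and the Kubernetes defaulting rule that an unset imagePullPolicy becomes Always for a latest or missing tag; the sample Pod list and the function names are constructed for illustration.

```python
import json

# Constructed sample in the Pod list JSON shape (not real cluster output).
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "web", "name": "frontend"}, "spec": {"containers": [
   {"name": "nginx", "image": "nginx:latest"},
   {"name": "sidecar", "image": "debian:12", "imagePullPolicy": "Always"}]}},
 {"metadata": {"namespace": "cert-manager", "name": "cert-manager"}, "spec": {"containers": [
   {"name": "controller", "image": "quay.io/jetstack/cert-manager-controller:latest",
    "imagePullPolicy": "Always"}]}},
 {"metadata": {"namespace": "batch", "name": "job"}, "spec": {
   "initContainers": [{"name": "init", "image": "docker.io/library/alpine"}],
   "containers": [{"name": "work", "image": "ubuntu:22.04"}]}}
]}""")

DOCKER_HUB_HOSTS = {"docker.io", "index.docker.io", "registry-1.docker.io"}

def is_docker_hub(image):
    """True if the reference resolves to Docker Hub (explicit host or none)."""
    first, sep, _ = image.partition("/")
    # The first component is a registry host only if it looks like one.
    has_host = bool(sep) and ("." in first or ":" in first or first == "localhost")
    return not has_host or first in DOCKER_HUB_HOSTS

def effective_policy(image, policy):
    """An explicit policy wins; otherwise apply the Kubernetes defaulting rule."""
    if policy:
        return policy
    if "@" in image:  # pinned by digest
        return "IfNotPresent"
    last = image.rsplit("/", 1)[-1]  # drop any host:port and path
    tag = last.partition(":")[2]
    return "Always" if tag in ("", "latest") else "IfNotPresent"

def audit(pod_list):
    """Return (namespace, pod, container, image) for Docker Hub images pulled on every start."""
    findings = []
    for pod in pod_list["items"]:
        meta, spec = pod["metadata"], pod["spec"]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            image = c["image"]
            if is_docker_hub(image) and effective_policy(image, c.get("imagePullPolicy")) == "Always":
                findings.append((meta["namespace"], meta["name"], c["name"], image))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s/%s container=%s image=%s" % finding)
```

Each finding is a container that counts against the Docker Hub limit every time its Pod is scheduled; pinning a version tag and leaving imagePullPolicy unset or at IfNotPresent removes it from the list.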