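---
# DaemonSet that configures containerd on each matching GKE node to pull from
# one registry over plain HTTP. The embedded script edits the node's containerd
# configuration and restarts containerd.
#
# Security notes for reviewers:
#   - Pulls from the allowlisted registry are not protected by TLS, so image
#     content and credentials can be read or altered on the network path.
#     Limit this to registries on a trusted network and prefer pulling images
#     by digest.
#   - The pod is privileged and shares the host PID namespace (see below), so
#     access to this manifest and to the image it runs should be tightly
#     controlled.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: insecure-registries
  # NOTE(review): a privileged workload in "default" is reachable by anyone
  # who can manage pods there; a dedicated, restricted namespace is safer.
  namespace: default
  labels:
    k8s-app: insecure-registries
spec:
  selector:
    matchLabels:
      name: insecure-registries
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        name: insecure-registries
    spec:
      # Only schedule onto nodes whose container runtime is containerd.
      nodeSelector:
        cloud.google.com/gke-container-runtime: "containerd"
      # The script writes /etc/containerd/config.toml and calls systemctl,
      # which are node-level operations; hostPID plus privileged (below) are
      # presumably what lets the startup-script image reach the node. Confirm
      # against that image's documentation.
      hostPID: true
      containers:
        - name: startup-script
          # NOTE(review): "v1" is a mutable tag and imagePullPolicy is Always,
          # so whatever the tag points to at pod start runs privileged on the
          # node. Consider pinning by digest, for example
          # gcr.io/google-containers/startup-script@sha256:<DIGEST_PLACEHOLDER>.
          image: gcr.io/google-containers/startup-script:v1
          imagePullPolicy: Always
          securityContext:
            privileged: true
          env:
            # Replace the placeholder with the registry's host[:port]. The
            # script exits with an error while it is still REGISTRY_ADDRESS.
            # The value is written verbatim into TOML files and used as a
            # directory name on the node, so keep it to a plain host[:port].
            - name: ADDRESS
              value: "REGISTRY_ADDRESS"
            - name: STARTUP_SCRIPT
              value: |
                set -o errexit
                set -o pipefail
                set -o nounset

                if [[ -z "$ADDRESS" || "$ADDRESS" == "REGISTRY_ADDRESS" ]]; then
                  echo "Error: Environment variable ADDRESS is not set in containers.spec.env"
                  exit 1
                fi

                echo "Allowlisting insecure registries..."
                containerd_config="/etc/containerd/config.toml"

                # Read registry config_path, if set. Leading indentation is
                # matched explicitly so the captured path carries no stray
                # whitespace and commented-out lines are ignored.
                hostpath=$(sed -nr 's;^[[:space:]]*config_path = "([-/a-z0-9_.]+)";\1;p' "$containerd_config")

                if [[ -z "$hostpath" ]]; then
                  echo "Node uses CRI config model V1 (deprecated), adding mirror under $containerd_config..."
                  mirror_header="[plugins.\"io.containerd.grpc.v1.cri\".registry.mirrors.\"$ADDRESS\"]"
                  # Append the mirror table only once; a repeated table header
                  # would make the TOML invalid.
                  if ! grep -qxF -- "$mirror_header" "$containerd_config"; then
                    printf '%s\n endpoint = ["http://%s"]\n' "$mirror_header" "$ADDRESS" >> "$containerd_config"
                  fi
                else
                  host_config_dir="$hostpath/$ADDRESS"
                  host_config_file="$host_config_dir/hosts.toml"
                  echo "Node uses CRI config model V2, adding mirror under $host_config_file..."
                  if [[ ! -e "$host_config_file" ]]; then
                    mkdir -p "$host_config_dir"
                    printf 'server = "https://%s"\n\n' "$ADDRESS" > "$host_config_file"
                  fi
                  # Append the plain-HTTP host entry only if it is not already
                  # present, so a re-run does not duplicate the [host] table.
                  if ! grep -qxF -- "[host.\"http://$ADDRESS\"]" "$host_config_file"; then
                    printf '[host."http://%s"]\n capabilities = ["pull", "resolve"]\n\n' "$ADDRESS" >> "$host_config_file"
                  fi
                fi

                echo "Reloading systemd management configuration"
                systemctl daemon-reload
                echo "Restarting containerd..."
                systemctl restart containerd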