Skip to content(if available)orjump to list(if available)

Preventing Kubernetes from Pulling the Pause Image from the Internet

Preventing Kubernetes from Pulling the Pause Image from the Internet

9 comments

·November 5, 2025
Visit

cmckn

It bugs me that this implementation detail of containerd has leaked to such an extent. This should be part of the containerd distribution, and should not be pulled at runtime.

Instead of just swapping out the registry, try baking it into your machine image.

nneonneo

O/T, but I'm getting a cert error on this page - wonder if it's just me or if this site is just serving a weird cert. Looks like it's signed by some Fortinet appliance - maybe I'm getting MITMed? Would be kind of exciting/frightening if so.

EDIT: I loaded the page from a cloud box, and wow, I'm getting MITMed! Seems to only be for this site, wonder if it's some kind of sensitivity to the .family TLD.

gregoryl

Ooft. If it helps, this is the PEM I'm getting. LetEncrypt signed.

  -----BEGIN CERTIFICATE-----
  MIIFAjCCA+qgAwIBAgISBZR6PR4jNhx4fBFvqKwzJWx4MA0GCSqGSIb3DQEBCwUA
  MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
  EwNSMTMwHhcNMjUwOTE4MTM1OTEwWhcNMjUxMjE3MTM1OTA5WjAeMRwwGgYDVQQD
  ExNreWxlLmNhc2NhZGUuZmFtaWx5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
  CgKCAQEA55JknkVzyq5QGaRXn2TAzaOGYTHUVxl89lGOFgEEaWEvH5pcZL7xkqfv
  Edee7l5MeRKuK1zJ+ISPQQaEjGTk51y1aXXfOKs62NiNy6QQUbzQ+euecqrKsJVN
  l3PC3EYlEGibKI1gZ2x/ht8WJU9o4KiswCLqHrY7nC7BeEByv/ehiYyRTTxAXJsr
  2X4LgPX6MQ1Iu10S2Bp9jnOlEV7n4RCTPFeWtfQ0CdXH45ykuwL/zrTaD111oNQE
  BQPNq7Ig7OihLZcJQo8TMJ3FUgzDI9z6kMy7QHNR1I8uODVUohQCO6E7A29x8nRJ
  UBV5DN1as3aHYFJ4FbX9s2tuLwCTiwIDAQABo4ICIzCCAh8wDgYDVR0PAQH/BAQD
  AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
  MB0GA1UdDgQWBBTXwJ21Mudr9rplbA970jxJk44pEDAfBgNVHSMEGDAWgBTnq58P
  LDOgU9NeT3jIsoQOO9aSMzAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAKGF2h0
  dHA6Ly9yMTMuaS5sZW5jci5vcmcvMB4GA1UdEQQXMBWCE2t5bGUuY2FzY2FkZS5m
  YW1pbHkwEwYDVR0gBAwwCjAIBgZngQwBAgEwLwYDVR0fBCgwJjAkoCKgIIYeaHR0
  cDovL3IxMy5jLmxlbmNyLm9yZy8xMjEuY3JsMIIBAwYKKwYBBAHWeQIEAgSB9ASB
  8QDvAHYApELFBklgYVSPD9TqnPt6LSZFTYepfy/fRVn2J086hFQAAAGZXVTEhwAA
  BAMARzBFAiAVfJZ/XSqNq0sdf49o/8Mhs1uG9H/iPAHynYubtxfw4wIhAPiDa5S5
  DoawcZlWePa+uKZRiIaZwlVVOigiZEfm+75VAHUAzPsPaoVxCWX+lZtTzumyfCLp
  hVwNl422qX5UwP5MDbAAAAGZXVTEmAAABAMARjBEAiAJTtUg1SkZlRsuvXiWbeon
  ehJiRiOvQBBjCrDhPk+EmAIgRy7+96Uq7sFF2iQqlDbBJTbfxqVxsLAKKsv/4mUQ
  76gwDQYJKoZIhvcNAQELBQADggEBADwJpGkcEI9YQJBcBqJ1k4lkUBI4zdhjYYuv
  Z2kbXFRkl041ulyel48qZZW20T9myTL4dI/2kqLP4VSrz+vk4xTzyXtTCJZHDeke
  dzoQ7lplxTfZRwDVx19PkJIFPIShHyS/Ia0XTqHC8F81PmwXULRAgMYrBS3sKLXg
  aIyf00xq7W6s0uPd0XDn5CsmJgHzEcBZ0F423V42iedwgGNv6GnlgzKP3Q8fkf21
  4KdRYBgyYBfi33jQFf5fuMuSTtFak++BYe/ZWVAoehlw0gLh5BBmBXtCFrVFZc+q
  uXXe4q5MVQmDRa0A+QtKbwkyZxIiwJ8Xi+eBTKQSscpdINy5bUs=
  -----END CERTIFICATE-----

fred_is_fred

I've used k8s before a lot and at several companies. I am convinced that 99.9% of the people who use it should not be. But it's more fun than deploying VM images at least.

SlavikCA

I'm running k3s at home on single node with local storage. Few blogs, forum, minIO.

Very easy, reliable.

Without k3s I would have use Docker, but k3s really adds important features: easier to manage network, more declarative configuration, bundled Traefik...

So, I'm convinced that quite a few people can happily and efficiently use k8s.

In the past I used other k8s distro (Harvester) which was much more complicated to use and fragile to maintain.

esseph

Check out Talos Linux if you haven't already, it's pretty cool (if you want k8s).

kachapopopow

I use k3s for my home and for dev envs I think it's completely fine especially when it comes to deployment documentation.

I am way more comfortable managing a system that is k3s rather than something that is still using tmux that gets wiped every reboot.

Well... it's what I would have said until bitnami pulled the rug and pretty much ruined the entire ecosystem as now you don't have a way to pull something that you know is trusted with similar configuration and all from a single repository which makes deployments a pain in the ass.

However, on the plus side I've just been creating my own every time I need one with the help of claude using bitnami as reference and honestly it doesn't take that much more time and keeping them up to date is relatively easy as well with ci automations.

nodesocket

Nice to know, though I wonder how many companies are really using all private images? I've certainly had a client running their own Harbor instance, but almost all others pulled from Docker Hub or Github (ghcr.io).

redrove

Pretty much all enterprises are using their own ECR/GCR/ACR.