Failing to configure private registry access via registries.yaml #12438

Closed
@jceb

Environmental Info:
K3s Version:

k3s version v1.33.1+k3s1 (99d9153)
go version go1.24.2

Node(s) CPU architecture, OS, and Version:

Linux k3d-test-k3s-server-0 6.12.31 #1-NixOS SMP PREEMPT_DYNAMIC Thu May 29 09:03:27 UTC 2025 x86_64 GNU/Linux

Cluster Configuration:

1 server

Describe the bug:

I've been trying to configure a private registry by creating this file: /etc/rancher/k3s/registries.yaml following this guide https://docs.k3s.io/installation/private-registry. I tried many variants but none of them managed to convince k3s to pull images from the private registry using the provided credentials.

Steps To Reproduce:

  • Create a private image on Docker Hub
  • Create registries.yaml with the following contents (I tried the following variants: with and without mirrors, (username, password), auth, identity_token, with just docker.io and with the full endpoint URL):
# mirrors:
#   "*": null
configs:
  "https://index.docker.io/v2/":
    auth:
      # username: yyy
      # password: dckr_pat_xxx
      auth: dckr_pat_xxx
      # identity_token: dckr_pat_xxx
  docker.io:
    auth:
      # username: yyy
      # password: dckr_pat_xxx
      auth: dckr_pat_xxx
      # identity_token: dckr_pat_xxx
  • Create a k3s cluster: k3d cluster create test-k3s -i rancher/k3s:v1.33.1-k3s1 --registry-config ./registries.yaml -s 1
  • Run a pod that uses the private image: kubectl run -it --rm --image docker.io/myorg/private-image test-pod /bin/sh

Expected behavior:

  • Image is pulled from private registry.

Actual behavior:

  • Pod's state is set to ErrImagePull - image can't be pulled due to failed authentication.

Additional context / logs:

  • It was very difficult to establish what the correct property name for the access token is. The documentation lists token in this example https://docs.k3s.io/installation/private-registry#registries-configuration-file and auth a bit further down https://docs.k3s.io/installation/private-registry#configs. I tried both without success.
  • I tried different access tokens that immediately worked when I passed them to docker login.
  • I get the impression that the authentication credentials aren't used at all. However, I haven't been able to determine from log files whether this is the case.
  • I also tried to activate the embedded registry via the --embedded-registry flag. This didn't change the behavior either.
