We ran into a problem while deploying Magnum when another project exhausted the Docker Hub limit on anonymous pulls from a few of the kube-system pods that are deployed. Namely:
daemonset.apps/k8s-keystone-auth
daemonset.apps/openstack-cloud-controller-manager
deployment.apps/kubernetes-dashboard
deployment.apps/dashboard-metrics-scraper

This would fail with an error noting that Docker Hub was blocking the request as too many pulls had happened. We could get around this by adding a secret with a docker login and editing those deployments and daemonsets to use that credential.

It would appear the container_infra_prefix label can be modified to point to a different registry, though this would mean we would have to clone all of the images, including images that are from registries other than Docker Hub. This leads me to wonder if there isn't an existing registry that one can use with Magnum, on quay.io or some host that isn't limiting pulls?

Alternatively, is it possible that the Docker Hub images that do not pull without limits (some do; coredns, for instance, does, which I suspect is due to it having "Sponsored OSS" status on Docker Hub) could be hosted elsewhere? Or perhaps they already are, and the default that Magnum sets to pull could be updated to those?

Alternatively, alternatively, I haven't found an option for giving a Docker Hub user/pass to Magnum in the documentation, and looking at the code it doesn't appear that there is a variable for one, so I suspect it is not there. Could such an option be added?

Thank you
--
Vivian Rook (They/Them)
Site Reliability Engineer
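
Added example, not part of the original message and not Magnum code: one way to script the workaround described above, a Docker Hub pull secret attached to the four listed kube-system workloads. The secret name `dockerhub-pull` and the `APPLY`, `DOCKERHUB_USER` and `DOCKERHUB_TOKEN` variables are assumptions.

```shell
#!/bin/sh
# Added example, not Magnum code. SECRET_NAME and the DOCKERHUB_* / APPLY
# variables are assumed names chosen for this sketch.
set -eu

NAMESPACE="kube-system"
SECRET_NAME="dockerhub-pull"
# The four workloads listed in the message.
WORKLOADS="daemonset.apps/k8s-keystone-auth
daemonset.apps/openstack-cloud-controller-manager
deployment.apps/kubernetes-dashboard
deployment.apps/dashboard-metrics-scraper"

# Registry auth file body. Only the base64 "auth" field is needed, which
# also avoids having to JSON-escape the username or token.
docker_config_json() {
  auth=$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')
  printf '{"auths":{"https://index.docker.io/v1/":{"auth":"%s"}}}' "$auth"
}

# Strategic-merge patch adding the secret to a workload's pod template.
pull_secret_patch() {
  printf '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name":"%s"}]}}}}' "$1"
}

apply_all() {
  umask 077                      # keep the temporary credential file private
  cfg=$(mktemp)
  trap 'rm -f "$cfg"' EXIT
  docker_config_json "$DOCKERHUB_USER" "$DOCKERHUB_TOKEN" > "$cfg"
  # --from-file keeps the token out of the process argument list.
  kubectl -n "$NAMESPACE" create secret generic "$SECRET_NAME" \
    --type=kubernetes.io/dockerconfigjson \
    --from-file=.dockerconfigjson="$cfg"
  for w in $WORKLOADS; do
    kubectl -n "$NAMESPACE" patch "$w" -p "$(pull_secret_patch "$SECRET_NAME")"
  done
}

# Touches the cluster only when asked:
#   APPLY=1 DOCKERHUB_USER=... DOCKERHUB_TOKEN=... sh this-script
if [ "${APPLY:-0}" = "1" ]; then
  apply_all
fi
```

A Docker Hub access token limited to read access is preferable to the account password here, since anyone who can read secrets in kube-system can recover it.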