Air-Gap-Systems: Running with private docker registry?


can I configure ECK to use a private docker registry? Target infrastructure will be a bare-metal kubernetes cluster which is air-gap, so the elastic registry will not be available for me.


Hi Andreas,

In principle what is written in the Kubernetes documentation applies also to ECK .

For ECK 0.8.0 we don't support a full podTemplate yet which means you cannot unfortunately specify the necessary imagePullSecrets. It is fixed in the master branch and will be available in the next release.

Hello All,
We air-gap our systems to make sure that everything is scanned for insecure images and other potential problems. If the systems are pulling from our internal repo they don't need to authenticate. It appears though that there is no way to change where the images are pulled from at a hostname level. So this means we can't use the ECK correct? Seems like an easily fixable problem. Plus you can also set the authentication at the Docker on the host/node level so that wouldn't require imagePullSecrets.

Am I correct? Is there no way to use any other Repo?

If your internal repo does not require authentication, you can simply set the spec.image field to the full image name. See

That is exactly what I would like to do. How can I do it with the ECK operator? The operator is providing no method I can see to change that. When we do the initial deploy of the CRD we can change where the operator comes from but once deployed the operator defaults back to which our servers cannot reach to deploy all of the rest of the ELK Stack.

I am not sure I understand your question correctly. If you want to use your internal registry to deploy the operator itself, you can do so by first downloading the deployment manifest, editing the elastic-operator StatefulSet definition to point to the internal image and then applying that modified manifest to deploy ECK.

Once ECK is up and running, for every Elasticsearch, Kibana or APM resource you want to deploy, you have to explicitly set the spec.image field to the internal image URL as pointed out in my previous reply.

We have an open issue about letting users specify the default container registry as an operator flag so that they don't need to worry about setting spec.image every time. Unfortunately it is not yet implemented.

I hope that answers your question.

The open issue is more what I was looking for. One of the biggest benefits of ECK is that Elastic just configures all the matched and tested pieces for me. I don't have to think about it just do it.

A PR to support overriding the default container registry has been merged to master: