Kubernetes and drone, docker.io rate limits

Failed to pull image "drone/placeholder:1": rpc error: code = Unknown desc = Error response from daemon: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

I have drone and drone-runner-kube installed on kubernetes via the official helm charts.

I need to apply a docker configuration (or secret?) somewhere to use the paid docker.io user I have to avoid rate limits and I cannot find a way to do that, I’ve read the FAQ.

Any hint? Thanks.

Mount the docker config.json file into the runner container, and then tell the runner container the location at which it can load this file using the DRONE_DOCKER_CONFIG configuration parameter.


apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
  name: drone-runner-kube
  namespace: drone
    fluxcd.io/ignore: "false"
  releaseName: drone-runner-kube
    git: https://github.com/drone/charts.git
    ref: master
    path: charts/drone-runner-kube
    - name: regcred
    replicaCount: 2
      DRONE_RPC_SECRET: drone-secret
      # DRONE_TRACE: true
      # DRONE_DEBUG: true
      DRONE_DOCKER_CONFIG: /root/.docker/config.json
      - name: auth
        mountPath: /root/.docker/
      - name: auth
          claimName: drone-runner-kube-auth
        - drone

kind: PersistentVolumeClaim
apiVersion: v1
  name: drone-runner-kube-auth
  namespace: drone
    app.kubernetes.io/instance: drone-runner-kube-auth
    app.kubernetes.io/name: drone-runner-kube-auth
    - ReadWriteMany
      storage: 1Gi
  storageClassName: efs

thanks for taking the time to share your solution :slight_smile: … out of curiosity, could you also mount from a secret?

      - name: auth
          secretName: my-registry-credentials-secret

good idea, I’m going to try given I already have a secret, will report back – the problem is that I don’t have a clear indicator (beside failure) that credentials are in use and working (not rate limited at this time)

seems fine, thanks for the hint :+1:

Thanks a lot for this solution :star_struck:
I still have this message when the build step starts
Registry credentials or Docker config not provided. Guest mode enabled.
Is it normal ? How can I check that, while building a docker image with plugins/docker, the credentials are used to pull the base image ?
Thanks a lot for your help

not sure about that but you might try adding

- mysecretname

in your .drone.yml

I found all suggested options very unpractical. It should be in GUI like secrets, preferably as a global setting for all jobs.

I set global creds on the entire Kubernetes node (to avoid being banned on DockerHub, because someone didn’t set a drone.yml properly)

In /etc/crio/crio.conf

global_auth_file = "/etc/kubernetes/dockerauth.json"

podman login docker.io --authfile=/etc/kubernetes/dockerauth.json

There are many options for providing credentials (not all are discussed in this thread). See How to prevent DockerHub pull rate limit errors

We try to avoid global configuration in the user interface; Drone has hundreds of configuration parameters and creating and maintaining a UI to manage all of them would require substantial effort with (in my opinion) limited overall benefit.

I think the best option is to provide the global credentials to the runner is to provide a json credentials file (as shown in the link I provided). This may not be as easy as managing the setting in the user interface, but it is also not that difficult.