Skip to main content
Control Plane can pull container images from any Docker-compatible registry. Public images work out of the box, while private registries require pull secrets.

When to use this

Private registries

Pull from Docker Hub private repos, ECR, GCR, ACR, or GHCR

Cross-org images

Use images from another Control Plane organization

Enterprise registries

Connect to self-hosted or enterprise container registries

Secure supply chain

Control access to private images with pull secrets

Prerequisites

The CLI is optional but helpful. See Installation.

Pull from public registries

Public images don’t require pull secrets. Use these formats:
RegistryFormat
Docker HubIMAGE_NAME:TAG
Amazon ECR Publicpublic.ecr.aws/REGISTRY-ALIAS/IMAGE:TAG
Google Artifact RegistryLOCATION-docker.pkg.dev/PROJECT/REPO/IMAGE:TAG
GitHub Container Registryghcr.io/OWNER/IMAGE:TAG

Pull from private registries

1

Create a pull secret

  1. Navigate to Secrets in the left menu
  2. Click New or use the Create dropdown
  3. Enter a name for the secret
  4. Select the secret type:
    • Docker for Docker Hub, ACR, GAR, GHCR, or another Control Plane org
    • ECR for Amazon ECR
    • GCP for Google Container Registry
  5. Enter the credentials
  6. Click Create
Images from your own org’s Control Plane registry don’t need a pull secret.
2

Associate with a GVC

  1. Navigate to your GVC
  2. Click the Pull Secrets link
  3. Click Add and select your secret
  4. Click Save
3

Configure your workload

Reference the image in your workload using the appropriate format:
RegistryImage Format
Control Plane (same org)//image/IMAGE:TAG
Control Plane (cross-org)ORG.registry.cpln.io/IMAGE:TAG
Docker HubIMAGE:TAG
Amazon ECRACCOUNT.dkr.ecr.REGION.amazonaws.com/IMAGE:TAG
Azure CRREGISTRY.azurecr.io/IMAGE:TAG
GCRgcr.io/PROJECT/IMAGE:TAG
GitHub CRghcr.io/OWNER/IMAGE:TAG

Pull from Control Plane registry

Same organization

No pull secret needed: 
containers:
  - name: my-container
    image: //image/my-app:v1

Cross-organization

  1. Create a Docker secret with the other org’s credentials
  2. Add it as a pull secret to your GVC
  3. Reference the image:
containers:
  - name: my-container
    image: other-org.registry.cpln.io/my-app:v1

Troubleshooting

  1. Verify the secret credentials are correct
  2. Check the secret is associated with the GVC
  3. Ensure the secret type matches your registry
Verify the image name and tag are correct. Check the registry for the exact image path.
Ensure the source org has granted access and your Docker secret has the correct credentials. Learn more about configuring a secret for pulling images from other Control Plane orgs.

Next steps

Push Images

Push images to Control Plane registry

Copy Images

Copy images between organizations

Create a Workload

Deploy containers with your images

Secrets Reference

Learn about secret types