> **_NOTE:_** registry.mirrors and registry.configs as previously described in this document

> have been DEPRECATED. As described in [the cri config](./config.md#registry-configuration) you

> should now use the following configuration

config_path = "/etc/containerd/certs.d"

```

config_path = "/etc/containerd/certs.d"

```

If no registry-specific options are set, `config_path` will default to

`/etc/containerd/certs.d:/etc/docker/certs.d`, which enables compatibility with

[the docker method of adding registry configuration](https://docs.docker.com/registry/insecure/#use-self-signed-certificates).

## Configure Registry Credentials

> a suitable secret management alternative is available as a plugin. It remains supported

> in 1.x releases, including the 1.6 LTS release.

# explicitly use v3 config format

version = 3

username = ""

password = ""

auth = ""

identitytoken = ""

# explicitly use v2 config format

version = 2

# The registry host has to be a domain name or IP. Port number is also

# needed if the default HTTPS or HTTP port is not used.

username = ""

password = ""

auth = ""

identitytoken = ""

```

The meaning of each field is the same with the corresponding field in `.docker/config.json`.

Please note that auth config passed by CRI takes precedence over this config.

The registry credential in this config will only be used when auth config is

not specified by Kubernetes via CRI.

* Create a Google Cloud Platform (GCP) account and project if not already created (see [GCP getting started](https://cloud.google.com/gcp/getting-started))

* Enable GCR for your project (see [Quickstart for Container Registry](https://cloud.google.com/container-registry/docs/quickstart))

* For authentication to GCR: Create [service account and JSON key](https://cloud.google.com/container-registry/docs/advanced-authentication#json-key)

* The JSON key file needs to be downloaded to your system from the GCP console

* For access to the GCR storage: Add service account to the GCR storage bucket with storage admin access rights (see [Granting permissions](https://cloud.google.com/container-registry/docs/access-control#grant-bucket))

Refer to [Pushing and pulling images](https://cloud.google.com/container-registry/docs/pushing-and-pulling) for detailed information on the above steps.

It is beneficial to first confirm that from your terminal you can authenticate with your GCR and have access to the storage before hooking it into containerd. This can be verified by performing a login to your GCR and

pushing an image to it as follows:

```console

docker login -u _json_key -p "$(cat key.json)" gcr.io

docker pull busybox

docker tag busybox gcr.io/your-gcp-project-id/busybox

docker push gcr.io/your-gcp-project-id/busybox

docker logout gcr.io

```

Now that you know you can access your GCR from your terminal, it is now time to try out containerd.

Edit the containerd config (default location is at `/etc/containerd/config.toml`)

to add your JSON key for `gcr.io` domain image pull

```toml

version = 3

[plugins."io.containerd.cri.v1.images".registry]

[plugins."io.containerd.cri.v1.images".registry.mirrors]

[plugins."io.containerd.cri.v1.images".registry.mirrors."docker.io"]

endpoint = ["https://registry-1.docker.io"]

[plugins."io.containerd.cri.v1.images".registry.mirrors."gcr.io"]

endpoint = ["https://gcr.io"]

[plugins."io.containerd.cri.v1.images".registry.configs]

[plugins."io.containerd.cri.v1.images".registry.configs."gcr.io".auth]

username = "_json_key"

password = 'paste output from jq'

```

+ In containerd 1.x

```toml

version = 2

[plugins."io.containerd.grpc.v1.cri".registry]

[plugins."io.containerd.grpc.v1.cri".registry.mirrors]

[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]

endpoint = ["https://registry-1.docker.io"]

[plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"]

endpoint = ["https://gcr.io"]

[plugins."io.containerd.grpc.v1.cri".registry.configs]

[plugins."io.containerd.grpc.v1.cri".registry.configs."gcr.io".auth]

username = "_json_key"

password = 'paste output from jq'

```

Restart containerd:

```console

service containerd restart

```

Pull an image from your GCR with `crictl`:

```console

$ sudo crictl pull gcr.io/your-gcp-project-id/busybox

DEBU[0000] get image connection

DEBU[0000] connect using endpoint 'unix:///run/containerd/containerd.sock' with '3s' timeout

DEBU[0000] connected successfully using endpoint: unix:///run/containerd/containerd.sock

DEBU[0000] PullImageRequest: &PullImageRequest{Image:&ImageSpec{Image:gcr.io/your-gcr-instance-id/busybox,},Auth:nil,SandboxConfig:nil,}

DEBU[0001] PullImageResponse: &PullImageResponse{ImageRef:sha256:78096d0a54788961ca68393e5f8038704b97d8af374249dc5c8faec1b8045e42,}

Image is up to date for sha256:78096d0a54788961ca68393e5f8038704b97d8af374249dc5c8faec1b8045e42

```

---

NOTE: The configuration syntax used in this doc is in version 2 which is the recommended since `containerd` 1.3. For the previous config format you can reference [https://github.com/containerd/cri/blob/release/1.2/docs/registry.md](https://github.com/containerd/cri/blob/release/1.2/docs/registry.md).