Skip to main content

Requirements for Air Gap Image Registry

To install an application into an air gapped network, you must have a Docker image registry that is available inside the network. The app manager rewrites the application image names in all application manifests to read from the on-premises registry, and it re-tags and pushes the images to the on-premises registry. When authenticating to the registry, credentials with push permissions are required.

A single application expects to use a single namespace in the Docker image registry.

The namespace name can be any valid URL-safe string, supplied at installation time. A registry typically expects the namespace to exist before any images can be pushed into it.


ECR does not use namespaces.

For information about Docker image registry compatibility, see Docker Image Registry Compatibility.

Docker Image Registry Compatibility

The app manager has been tested for compatibility with the following registries:

  • Docker Hub


    To avoid the November 20, 2020 Docker Hub rate limits, use the kots docker ensure-secret CLI command. For more information, see Avoiding Docker Hub Rate Limits.

  • Quay

  • Amazon Elastic Container Registry (ECR)

  • Google Container Registry (GCR)

  • Azure Container Registry (ACR)

  • Harbor

  • Sonatype Nexus