Skip to main content

Using the Replicated Registry for KOTS Installations

This topic describes how to use the Replicated private image registry for Replicated KOTS installations.


For applications installed with KOTS, you can host private images on the Replicated registry. Hosting your images on the Replicated registry is useful if you do not already have your images in an existing private registry. It is also useful for testing purposes.

For more information about security for the Replicated registry, see Replicated Registry Security.


When using Docker Build to build and push images to the Replicated registry, provenance attestations are not supported. To avoid a 400 error, include the --provenance=false flag to disable all provenance attestations. For more information, see docker buildx build and Provenance Attestations in the Docker documentation.

Push Images to the Replicated Registry

This procedure describes how to tag and push images to the Replicated registry. For more information about building, tagging, and pushing Docker images, see the Docker CLI documentation.

To push images to the Replicated registry:

  1. Do one of the following to connect with the container registry:

    • (Recommended) Log in with a user token: Use docker login with your vendor portal email as the username and a vendor portal user token as the password. For more information, see User API Tokens in Generating API Tokens.

    • Log in with a service account token: Use docker login with a Replicated vendor portal service account as the password. If you have an existing team token, you can use that instead. You can use any string as the username. For more information, see Service Accounts in Generating API Tokens.


      Team API tokens are deprecated and cannot be generated. If you are already using team API tokens, Replicated recommends that you migrate to Service Accounts or User API tokens instead because these options provide better granular control over token access.

    • Log in with your credentials: Use docker login with your vendor portal email and password as the credentials.

  2. Tag your private image with the Replicated registry hostname in the standard Docker format:

    docker tag IMAGE_NAME


    • IMAGE_NAME is the name of the existing private image for your application.
    • APPLICATION_SLUG is the slug assigned to your application. You can find your application slug on the Application Settings page in the vendor portal. For more information, see Get the Application Slug in Managing Applications.
    • TARGET_IMAGE_NAME is a name for the image. Replicated recommends that the TARGET_IMAGE_NAME is the same as the IMAGE_NAME.
    • TAG is a tag for the image.

    For example:

    docker tag worker
  3. Push your private image to the Replicated registry:

    docker push