Container Registry Proxy

Unified mirror endpoints for popular Docker/OCI registries under the kubectl.net and *.m.kubectl.net domains.
Use Docker daemon mirror configuration for Docker Hub, and registry-specific mirror endpoints for other supported registries.

Access control

This service enforces network-level access authorization.

Test connectivity:

1	`curl -s https://docker.m.kubectl.net/-/access/test`

Expected responses:

Access Allowed
Access Denied

For support or inquiries: dev@intellij.io

Available mirrors

Mirror	Pull Source	Push Target	Description
docker.kubectl.net	registry-1.docker.io	registry-1.docker.io	Docker Hub
docker.m.kubectl.net	registry-1.docker.io	registry-1.docker.io	Docker Hub
dhi.kubectl.net	dhi.io	-	Docker Hub Hardened Images (read-only)
dhi.m.kubectl.net	dhi.io	-	Docker Hub Hardened Images (read-only)
k8s.m.kubectl.net	registry.k8s.io	-	Kubernetes (read-only)
gcr.m.kubectl.net	gcr.io	gcr.io	Google Container Registry
ghcr.m.kubectl.net	ghcr.io	ghcr.io	GitHub Container Registry
quay.m.kubectl.net	quay.io	quay.io	Red Hat Quay
mcr.m.kubectl.net	mcr.microsoft.com	-	Microsoft Container Registry
nvcr.m.kubectl.net	nvcr.io	-	NVIDIA Container Registry
elastic.m.kubectl.net	docker.elastic.co	-	Elastic Container Registry

Mirrors without a push target are read-only and support pull operations only.

Pull and push support

All listed mirrors support image pulls. Push support is available only for mirrors that list a push target.

Push-capable mirrors: docker.kubectl.net, docker.m.kubectl.net, gcr.m.kubectl.net, ghcr.m.kubectl.net, quay.m.kubectl.net
Read-only mirrors: dhi.kubectl.net, dhi.m.kubectl.net, k8s.m.kubectl.net, mcr.m.kubectl.net, nvcr.m.kubectl.net, elastic.m.kubectl.net
Do not use read-only mirrors for docker login, docker push, or CI image publishing.

Usage

There are two common ways to use these mirrors:

Configure Docker Hub as a Docker daemon registry mirror.
Replace the registry hostname in an image path for registry-specific mirrors such as GHCR, Quay, GCR, MCR, Kubernetes, NVIDIA, or Elastic.

Docker Hub daemon mirror

Configure Docker daemon settings with either a simple Docker Hub mirror or the full mirror list below.

1. Edit Docker daemon settings

1	`sudo vim /etc/docker/daemon.json`

2. Simple Docker Hub mirror

{
  "insecure-registries": [],
  "registry-mirrors": [
    "docker.m.kubectl.net"
  ],
  "data-root": "/var/lib/docker",
  "default-address-pools": [
    {
      "base": "172.11.0.0/16",
      "size": 24
    }
  ],
  "bip": "172.10.0.1/16",
  "log-opts": {
    "max-file": "5",
    "max-size": "20m"
  }
}

3. Full mirror configuration

{
  "insecure-registries": [],
  "registry-mirrors": [
    "docker.m.kubectl.net",
    "k8s.m.kubectl.net",
    "ghcr.m.kubectl.net",
    "quay.m.kubectl.net",
    "mcr.m.kubectl.net",
    "nvcr.m.kubectl.net"
  ],
  "default-address-pools": [
    {
      "base": "172.11.0.0/16",
      "size": 24
    }
  ],
  "data-root": "/var/lib/docker",
  "log-opts": {
    "max-file": "5",
    "max-size": "20m"
  }
}

4. Restart Docker

sudo systemctl restart docker

Tips & notes

Push operations work only for mirrors with an available push target.
Choose either the simple Docker Hub mirror or the full mirror configuration for Docker daemon settings.
Use image path replacement when a registry-specific mirror is not covered by daemon mirror behavior.
Read-only mirrors support pull operations only.
Using mirrors reduces latency and improves reliability during image pulls.

Summary

Choose the simple Docker Hub mirror or the full mirror configuration.
Update /etc/docker/daemon.json with your selected configuration.
Restart Docker.
Pull images using Docker CLI or mirrored image paths.
Push images only to mirrors with an available push target.

Using registry mirrors boosts image pull performance and improves reliability across constrained networks.