Starting March 1, 2025, DockerHub will further limit unauthenticated image pulls, from 100 per 6 hours per IP address to 10 per hour per IP address: https://docs.docker.com/docker-hub/usage/. This is a reduction of 40%! Please read this post carefully to understand what this means and to determine whether you need to take action.
How does this affect you?
This applies only to customers who use images hosted on DockerHub.
Pulling images from DockerHub without authentication can quickly lead to hitting the new rate limits. Once those limits are reached, image pulls are blocked until the limit resets.
In Kubernetes, when new containers are launched, the images must first be downloaded to the node’s disk. If the pull rate limit has already been exceeded, workers will receive HTTP 429 errors, preventing new pods from starting. This can disrupt the availability of your applications.
Do note that this limit is per IP. By default, our Kubernetes workers run in private subnets. This means that the rate limit does not apply per worker; all workers behind the same NAT gateway instance share one limit (on production there is usually 1 per availability zone).
There are a few steps that need to be taken to make sure we avoid rate limiting issues:
To help you in this process, we’ve checked which workloads might be affected because they use DockerHub. You will soon find a GitHub Issue for the affected containers in your customer repository. Please use this issue for communication regarding this.
Please review all of your workloads to make sure we haven’t missed anything, and check whether or not they use unauthenticated pulls towards DockerHub.
Please let us know if you are (not) using authenticated pulls towards DockerHub already today.
If not, we’ll have to take action in order to ensure stability.
If you want to keep using DockerHub images, we will help you mitigate the issue by using imagePullSecrets in your deployments (see our related documentation on how to configure this). Do note that this will require a paying DockerHub account.
Alternatively, where possible, you can switch to another container registry such as ECR, GHCR, Quay,…
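One way to run the workload check described above, as an added example that is not part of our tooling: it reads a pod list in the JSON shape of `kubectl get pods -A -o json`, resolves each image reference to its registry, and reports DockerHub images in pods without imagePullSecrets. The sample pods, the `_pod` helper and the secret name `dockerhub-login` are constructed for illustration.

```python
import json
import sys

# Hostnames that all point at Docker Hub.
DOCKERHUB_HOSTS = {"docker.io", "index.docker.io", "registry-1.docker.io"}

def registry_of(image):
    """Registry host of an image reference. The part before the first "/" is a
    registry only if it contains "." or ":" or is "localhost"; any other
    reference (nginx, bitnami/redis:7) is implicitly on Docker Hub."""
    first, slash, _ = image.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"

def unauthenticated_dockerhub_pulls(pod_list):
    """Return (namespace, pod, container, image) for every Docker Hub image in
    a pod whose spec carries no imagePullSecrets."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        if spec.get("imagePullSecrets"):
            continue  # secret attached; still confirm it is a Docker Hub login
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            if registry_of(c["image"]) in DOCKERHUB_HOSTS:
                findings.append((meta.get("namespace", "default"),
                                 meta["name"], c["name"], c["image"]))
    return findings

# Constructed sample input (not real cluster data); _pod only builds it.
def _pod(ns, name, images, init=(), secret=None):
    spec = {"containers": [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]}
    if init:
        spec["initContainers"] = [{"name": f"init{i}", "image": img} for i, img in enumerate(init)]
    if secret:
        spec["imagePullSecrets"] = [{"name": secret}]
    return {"metadata": {"namespace": ns, "name": name}, "spec": spec}

SAMPLE = {"items": [
    _pod("shop", "web", ["nginx:1.27"]),
    _pod("shop", "api", ["ghcr.io/example/api:2.0"], init=["busybox"]),
    _pod("shop", "cache", ["docker.io/bitnami/redis:7"], secret="dockerhub-login"),
    _pod("ops", "agent", ["registry.example.com:5000/agent:1"]),
]}

if __name__ == "__main__":
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for row in unauthenticated_dockerhub_pulls(data):
        print("\t".join(row))
```

Pass `-` as the only argument to read a live pod list from stdin instead of the sample. Pull secrets inherited from a service account appear in the live pod spec, but credentials configured on the node itself do not, so a reported pod is a candidate to review rather than proof of an unauthenticated pull.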