Hi there,
All of suddent, I have got such message during my K8s deployment,

Normal   Pulling    30s   kubelet            Pulling image "busybox"
  Warning  Failed     0s    kubelet            Failed to pull image "busybox": reading manifest latest in docker.io/library/busybox: toomanyrequests: You have reached your unauthenticated pull rate limit. https://www.docker.com/increase-rate-limit
  Warning  Failed     0s    kubelet            Error: ErrImagePull

that I never hit before, and I am blocked.

Qs:
Is that the limitation on my docker account ? or on this IP address ?
Is there any way for me to check ?
What are my options at this point ?

Thanks,

Jack

ChatGPT said I may have hit 100 pulling for the past 6 hours, but I don’t think that is the reason, as I just back from my 2-day vacation.

Looks like you are not using valid credentials in your image pull secret, otherwise it would not indicate that the pull was done unauthenticated.

Note: the unauthorized pull limit is per public ip.

If there a way for me to check the pull usage by my ip address ? Also is there so-called 100 pull per 6 hours for unauthenticated user ? Thanks.

I googled the terms “image pull rate limit docker hub” for you. The first result is this one:

I know it can be queried by api, but I never bothered researching how it’s done.
@rimelek do you happen to have a curl command to query the pull limit?

There is a “Pull usage and limits” link on the page you linked, and that page has a section called “View pull rate and limit”.

Quoting only the commands:

Note
To check your limits, you need curl, grep, and jq installed.

1. Get a token.

• To get a token anonymously, if you are pulling anonymously:

 TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)

• To get a token with a user account, if you are authenticated, insert your username and password in the following command:

 TOKEN=$(curl --user 'username:password' "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)

2. Get the headers that contain your limits. These headers are returned on both GET and HEAD requests. Using GET emulates a real pull and counts towards the limit. Using HEAD won’t.

 curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest

Thanks for the Tips. I have tried your curl call with the Token, and here is the response:

curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest 
HTTP/1.1 200 OK
content-length: 527
content-type: application/vnd.docker.distribution.manifest.v2+json
docker-content-digest: sha256:c2d41d2ba6d8b7b4a3ffec621578eb4d9a0909df29dfa2f6fd8a2e5fd0836aed
docker-distribution-api-version: registry/2.0
etag: "sha256:c2d41d2ba6d8b7b4a3ffec621578eb4d9a0909df29dfa2f6fd8a2e5fd0836aed"
date: Tue, 05 Aug 2025 19:45:42 GMT
strict-transport-security: max-age=31536000
ratelimit-limit: 100;w=21600
ratelimit-remaining: 84;w=21600
docker-ratelimit-source: 96.45.36.254

84/100, still good ? Anyway, I have found a work around for my case.

1. login to docker hub with my gmail account => profile => setting => personal access tokens = > To create a new token

2. Using this command to create a secret:

kubectl  create secret docker-registry dockerhub-secret --docker-username=<user_id>  --docker-password=<token_value>  --docker-email=<email>

3. In my k8s project, I have added this piece:

imagePullSecrets:
  - name: dockerhub-secret

It seems working now in my k8s deployment.

Thanks for the help.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.