Docker push intermittent failure to private docker registry on kubernetes docker-desktop
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
Intermittent docker push failures to a private registry running inside Docker Desktop Kubernetes are usually caused by unstable plumbing around the registry, not by the image itself. The upload path crosses Docker, local networking, Kubernetes service routing, registry storage, and often TLS or ingress. The fastest way to fix the issue is to isolate which layer is failing instead of retrying random pushes.
Start by Testing the Registry Directly
A good first step is to bypass ingress and host name mapping so you can see whether the registry itself is stable.
If the direct port-forward path works reliably, but pushes fail through your usual host name or NodePort, the registry pod is probably fine and the problem is further out in the network path.
Once direct access is up, push a tiny image first:
Using a tiny image keeps the test focused on basic connectivity and authentication rather than upload size.
Common Failure Sources
Several issues show up frequently in Docker Desktop Kubernetes setups.
TLS and Certificate Trust
If the registry is served over HTTPS with a self-signed or private certificate, Docker must trust that certificate. Browser trust is not enough, because the Docker daemon has its own trust path.
Ingress Limits and Timeouts
Large image layers can fail intermittently when ingress or reverse proxy settings are too small or too strict. Request body size limits and idle timeouts are common culprits.
Registry Storage Problems
The registry writes uploaded blobs to storage before finalizing the manifest. If the pod restarts, the disk is full, or the PVC is misconfigured, pushes may fail midway with errors such as 500, EOF, or blob upload unknown.
DNS or Routing Weirdness
A local host name may resolve differently from the host operating system, from Docker Desktop internals, or from Kubernetes itself. That can make a registry appear flaky only on some requests.
Authentication State
Bad credential helper state, token expiry, or mismatched auth configuration can produce failures that look random because some layers are reused while others need a fresh upload.
Watch the Logs During a Failed Push
Do not debug only from the Docker client output. Follow the registry logs while reproducing the issue:
Registry logs often tell you whether the failure happened during:
- authentication
- blob upload
- manifest commit
- filesystem write
- backend storage access
That distinction matters. A timeout in ingress needs a different fix than a write error on the registry volume.
Check the Deployment and Storage
The registry should use persistent storage rather than ephemeral container storage. A minimal deployment looks like this:
If the registry is writing to temporary container storage, pod restarts can easily break uploads or lose layer data.
A Practical Debug Order
When the failure is intermittent, this order keeps the search tight:
- test the registry with
kubectl port-forward - push a very small image directly
- inspect registry logs during the push
- test again through ingress or NodePort
- check TLS trust, ingress limits, and PVC health
That sequence tells you whether the instability is in the registry itself or in the path in front of it.
Common Pitfalls
One common mistake is testing only through ingress and assuming the registry deployment is broken. Often the registry is fine and the real issue is proxy configuration.
Another pitfall is ignoring storage. Pushes that fail halfway through large layers are often storage or timeout problems, not bad image tags.
People also frequently trust a self-signed certificate in the browser and assume Docker will trust it too. The Docker daemon needs its own trust setup.
Finally, intermittent failures are harder to diagnose with large images. Start with a tiny test image, then move to a real workload once the basic path is stable.
Summary
- Intermittent registry pushes are usually caused by networking, TLS, ingress, auth, or storage issues.
- Test the registry directly with
kubectl port-forwardbefore debugging the full host name path. - Watch registry logs during the failed push to locate the real failure stage.
- Make sure the registry uses persistent storage and sane proxy limits.
- Use tiny images first to separate basic connectivity problems from large-upload problems.

