Articles

Push and Pull Images with DigitalOcean Container Registry (2026)

April 16, 2026 3 min read

DigitalOcean Container Registry (DOCR) is a managed Docker image registry that lets you store, manage, and deploy your container images. It’s built on the same infrastructure as DigitalOcean’s Kubernetes clusters, so it’s fast and reliable.

Here’s how to push and pull images with DOCR:

Pushing an Image

  1. Log in to DOCR:

    doctl registry login

    This command will prompt you for your DigitalOcean API token.

  2. Tag your image: Before you can push an image, you need to tag it with your DOCR hostname. Your DOCR hostname is in the format your-region.digitalocean.com/your-slug. You can find your slug in the DigitalOcean control panel under "Container Registry."

    Let’s say your image is named my-app and your DOCR hostname is nyc3.digitalocean.com/my-registry. You would tag your image like this:

    docker tag my-app nyc3.digitalocean.com/my-registry/my-app:latest

  3. Push the image: Now you can push the tagged image to your DOCR:

    docker push nyc3.digitalocean.com/my-registry/my-app:latest

Pulling an Image

  1. Log in to DOCR: As before, you need to be logged in:

    doctl registry login

  2. Pull the image: To pull an image, you use the docker pull command with the full image name, including your DOCR hostname:

    docker pull nyc3.digitalocean.com/my-registry/my-app:latest

Using DOCR with Kubernetes

When you’re using DOCR with DigitalOcean Kubernetes (DOKS), you can configure your cluster to automatically authenticate with your registry. This is done by creating a Kubernetes secret of type docker-registry.

  1. Create a Kubernetes secret:

    kubectl create secret docker-registry regcred \
  --docker-server=<your-registry-hostname> \
  --docker-username=_your-do-api-token \
  --docker-password=<your-do-api-token> \
  --docker-email=your-email@example.com

    Replace <your-registry-hostname> with your DOCR hostname (e.g., nyc3.digitalocean.com/my-registry). For --docker-username, use _your-do-api-token and for --docker-password, use your actual DigitalOcean API token. The email can be anything.

  2. Reference the secret in your Pods/Deployments: In your Kubernetes deployment YAML, you’ll need to specify the imagePullSecrets:

    apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: nyc3.digitalocean.com/my-registry/my-app:latest
      imagePullSecrets:
      - name: regcred

    When your DOKS cluster tries to pull the my-app image, it will use the regcred secret to authenticate with DOCR.

Key Concepts

  • Registry Hostname: The unique address for your DOCR instance.
  • Image Tagging: Crucial for associating your local image with a remote registry location.
  • doctl: The DigitalOcean command-line interface, used for interacting with various DigitalOcean services, including the container registry.
  • Kubernetes Secrets: The mechanism Kubernetes uses to securely store sensitive information, like registry credentials.

The next step in managing your containerized applications on DigitalOcean is to explore integrating DOCR with CI/CD pipelines for automated image building and deployment.

Want structured learning?

Take the full Digitalocean course →