This ticket is to answer open questions around using image pull secrets for container repo auth. Using image pull secrets for workloads has been validated in connected environments, where the pause image can be pulled (without using the pull secret) from the MSFT repo through the internet. But we see issues doing this in envs where a pull secret is needed to grab the pause image (like our disconnected job which pulls from a secure mirror registry). Error example:

Failed to create pod sandbox: rpc error: code = Unknown desc = failed to get sandbox image \"mcr.microsoft.com/oss/kubernetes/pause:3.9\": failed to pull image \"mcr.microsoft.com/oss/kubernetes/pause:3.9\": failed to pull and unpack image \"mcr.microsoft.com/oss/kubernetes/pause:3.9\": failed to resolve reference \"mcr.microsoft.com/oss/kubernetes/pause:3.9\": pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials 

We should answer the following questions and understand if there is a workaround.

• why does pause image pull fail even when using imagePullSecrets in a pod spec?
• if you pre-pull pause image, can you use image pull secrets for other workload images?