Spegel
Peer-to-peer in-cluster OCI image distribution for Kubernetes nodes.
About
Spegel (Swedish for "mirror") is a stateless cluster-local OCI registry mirror. It enables Kubernetes nodes to share already-pulled container images with each other via a peer-to-peer protocol, reducing external registry pulls and improving pull latency for images that exist on any node in the cluster. It is used in this cluster to reduce bandwidth to external registries and speed up pod scheduling when nodes need images already present elsewhere in the cluster.
Installation
Architecture
HelmRelease spegel in namespace spegel, chart version 0.6.0 from OCI registry oci://ghcr.io/spegel-org/helm-charts. Deployed as a DaemonSet. Talos-specific configuration: containerdRegistryConfigPath: /etc/cri/conf.d/hosts (Talos uses a non-standard containerd registry config path). No persistent storage required — Spegel is purely an in-memory/on-node cache layer.
Security
Namespace pod security levels: enforce is privileged (required for DaemonSet host network access); audit and warn are baseline. Pod securityContext: seccompProfile: RuntimeDefault. The DaemonSet needs access to the containerd socket to register as a registry mirror.
Updates
Managed by Renovate. Chart version is semver-pinned (0.6.0).
Administration
Usage
No operator interaction required after installation. Spegel runs transparently as a DaemonSet. When a node needs to pull an image, containerd checks Spegel first; if another node has it, it is served locally. Particularly useful during cluster upgrades or when many pods start simultaneously.
Metadata
- HelmRelease: spegel@0.6.0