How to use local image pulled by ctr

Hi community, I am asking this because most of my work nodes cannot pull images from the internet. So what I usually do is:

  • Pull the image from the docker hub on a work node with internet enabled.
  • Tag the image and push it to my private image registry(Harbor)
  • Pull the image from the work nodes that are without internet enabled.
  • Tag the image pulled from the private image registry to the actual image via ctr -n k8s.io image tag <image from private registry>:<tag> <actual image>:<tag>

These will work most of the time. However, I am confused as to why my approach is not always working. Here is an example:

Use helm to install nginx ingress

helm --kubeconfig /root/admin.conf upgrade 
    --install ingress-nginx ingress-nginx   
    --repo https://kubernetes.github.io/ingress-nginx
   --namespace ingress-nginx --create-namespace

[root@k8s-2 ql]# k get po -n ingress-nginx -owide
NAME                                   READY   STATUS             RESTARTS   AGE   IP             NODE       NOMINATED NODE   READINESS GATES
ingress-nginx-admission-create-2947f   0/1     ImagePullBackOff   0          30m   10.244.3.184   asicgcov   <none>           <none>

[root@k8s-2 ql]# k get po -n ingress-nginx ingress-nginx-admission-create-2947f -o yaml | grep -i pull
    imagePullPolicy: IfNotPresent

[root@k8s-2 ql]# k describe po -n ingress-nginx ingress-nginx-admission-create-2947f | grep -i image
    Image:           registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3



So I logged into node asicgcov and pulled the image

ctr -n k8s.io image pull 192.168.38.89:30003/stores/registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3

ctr -n k8s.io image tag 192.168.38.89:30003/stores/registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3 registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3

ctr -n k8s.io image tag 192.168.38.89:30003/stores/registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3 registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3

However, the result shows that k8s is not using the local image. Why?