According to QE, the .docker/config.json is no longer read by the kubelet to specify pull credentials.
tl;dr switching to the dockershim client for the CRI changed this behavior
And fix (for kube 1.7);
Origin 1.6 PR
Verified this bug with atomic-openshift-184.108.40.206.27-1.git.0.c1ae33f.el7.x86_64, and PASS.
In my previous verification - comment 6, the failure is because I saved docker registry creds in /var/lib/origin/, but not /var/lib/origin/.docker, after move it to /var/lib/origin/.docker, it works (though it also worked when docker registry creds is saved in /var/lib/origin/ before this regression was introduced, now user have to save docker registry creds in /var/lib/origin/).
Also run the same testing with atomic-openshift-220.127.116.11.21-1.git.0.f95b0e7.el7.x86_64, also PASS.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.