diff --git a/pkg/controller/template/render.go b/pkg/controller/template/render.go
index 53f54ebcfd..020ed1e01b 100644
--- a/pkg/controller/template/render.go
+++ b/pkg/controller/template/render.go
@@ -18,6 +18,7 @@ import (
 	"github.com/ghodss/yaml"
 	"github.com/golang/glog"
 	mcfgv1 "github.com/openshift/machine-config-operator/pkg/apis/machineconfiguration.openshift.io/v1"
+	"github.com/openshift/machine-config-operator/lib/resourcemerge"
 	"github.com/openshift/machine-config-operator/pkg/controller/common"
 	"github.com/openshift/machine-config-operator/pkg/version"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -73,7 +74,11 @@ func generateMachineConfigs(config *RenderConfig, templateDir string) ([]*mcfgv1
 		if err != nil {
 			return nil, fmt.Errorf("failed to create MachineConfig for role %s: %v", role, err)
 		}
+		if len(roleConfigs) > 0 {
+			injectDockerConfigKubeletAuthSymlink(roleConfigs[len(roleConfigs)-1])
+		}
 		cfgs = append(cfgs, roleConfigs...)
+
 	}
 
 	// tag all the machineconfigs with version of the controller.
@@ -87,6 +92,24 @@ func generateMachineConfigs(config *RenderConfig, templateDir string) ([]*mcfgv1
 	return cfgs, nil
 }
 
+// injectDockerConfigKubeletAuthSymlink is a hack to symlink /var/lib/kubelet/auth.json -> ~/.docker/config.json
+// See https://bugzilla.redhat.com/show_bug.cgi?id=1686556
+// https://github.com/containers/skopeo/pull/612
+func injectDockerConfigKubeletAuthSymlink(cfg *mcfgv1.MachineConfig) {
+	authLink := ignv2_2types.Link{
+		Node: ignv2_2types.Node{
+			Filesystem: "root",
+			Path:       "/root/.docker/config.json",
+			Overwrite:  resourcemerge.BoolPtr(false),
+		},
+		LinkEmbedded1: ignv2_2types.LinkEmbedded1{
+			Hard:   false,
+			Target: "/var/lib/kubelet/config.json",
+		},
+	}
+	cfg.Spec.Config.Storage.Links = append(cfg.Spec.Config.Storage.Links, authLink)
+}
+
 // GenerateMachineConfigsForRole creates MachineConfigs for the role provided
 func GenerateMachineConfigsForRole(config *RenderConfig, role string, path string) ([]*mcfgv1.MachineConfig, error) {
 	infos, err := ioutil.ReadDir(path)
diff --git a/pkg/operator/bootstrap.go b/pkg/operator/bootstrap.go
index c14f7e2664..1d8ff935ac 100644
--- a/pkg/operator/bootstrap.go
+++ b/pkg/operator/bootstrap.go
@@ -86,7 +86,7 @@ func RenderBootstrap(
 	spec.Images = map[string]string{
 		templatectrl.EtcdImageKey:    imgs.Etcd,
 		templatectrl.SetupEtcdEnvKey: imgs.SetupEtcdEnv,
-		templatectrl.InfraImageKey:   imgs.InfraImage,
+		templatectrl.InfraImageKey:   "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:810ded5c25b9ec252dba6a2497d1eff9ad13a19cc3ac290ef8943b7d658803f2",
 	}
 
 	config := getRenderConfig("", spec, imgs, infra.Status.APIServerURL)
diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go
index d20bb22ab1..8171027d15 100644
--- a/pkg/operator/operator.go
+++ b/pkg/operator/operator.go
@@ -325,7 +325,7 @@ func (optr *Operator) sync(key string) error {
 	spec.Images = map[string]string{
 		templatectrl.EtcdImageKey:    imgs.Etcd,
 		templatectrl.SetupEtcdEnvKey: imgs.SetupEtcdEnv,
-		templatectrl.InfraImageKey:   imgs.InfraImage,
+		templatectrl.InfraImageKey:   "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:810ded5c25b9ec252dba6a2497d1eff9ad13a19cc3ac290ef8943b7d658803f2",
 	}
 
 	// create renderConfig