Add registry credentials rate limit and self-hosted guidance

src/content/admin/registry-credentials/index.mdx

@@ -9,6 +9,31 @@ import Image from "@theme/Image";
 In the Admin Dashboard, you can set up private registry credentials for your Okteto instance. These credentials are automatically used by Okteto for various developer operations like building and deploying, so developers don't need direct credential access. Once set, all developers can access the registries through Okteto without additional steps.
 Additionally, you have the option to manage these credentials via [Kubernetes CRDs provided by Okteto](self-hosted/manage/crds.mdx#private-registries).
 
+## Why configure registry credentials?
+
+Some container registries, most notably Docker Hub, enforce pull rate limits for unauthenticated requests. Without registry credentials configured, image pulls can fail with errors like:
+
+```
+toomanyrequests: You have reached your unauthenticated pull rate limit.
+```
+
+This can affect two flows in Okteto:
+
+- **Image builds** — when Dockerfiles pull base images from public registries during dev environment builds
+- **Pod deployments** — when Kubelet pulls images for pods running in Okteto-managed namespaces
+
+Authenticated requests have significantly higher (or unlimited) rate limits, so configuring credentials avoids these failures across both flows.
+
+### Registries that enforce rate limits
+
+**Docker Hub** is the most common source of rate limit issues. Unauthenticated pulls are limited to 100 pulls per 6 hours (per IP), while authenticated users get 200 pulls per 6 hours, with higher limits on paid plans. Since many Dockerfiles use Docker Hub base images (e.g., `python:3`, `node:18`, `ruby:3-slim`), teams can hit this limit quickly.
+
+Other registries like **GitHub Container Registry (ghcr.io)** don't currently enforce pull rate limits for public images, but do throttle API requests (2,000/minute). Configuring credentials is still recommended where supported, as registry policies can change.
+
+:::tip
+Even if you only use public images, configuring Docker Hub credentials is recommended to avoid hitting rate limits as your team scales.
+:::
+
 <p align="center">
   <Image
     src={require("@site/static/img/registry_credentials_view+1.32.png").default}
@@ -92,6 +117,17 @@ This is useful, for example, if you have your own mechanism to provision credent
 To make sure Okteto is able to access your private registries, you can check if they are available from the [Admin dashboard](admin/dashboard.mdx#registry-credentials).
 If you add credentials using CRDs they will be displayed in the UI, but they can't be modified from the UI. If you want to manage them from the UI, they must be created from there.
 
+## Self-hosted: Node-level credentials
+
+If you are running Okteto in a self-hosted environment, you may already have registry credentials configured at the node level (e.g., through instance profiles, credential helpers, or pre-pulled secrets on each node). This is a valid alternative to configuring credentials through the Okteto UI.
+
+Keep in mind that node-level credentials are not visible to Okteto. This means:
+
+- The Okteto [Build Service](core/build-service.mdx) won't use them — node-level credentials only apply to Kubelet image pulls, not to image builds
+- Any installation task prompting you to configure registry credentials can be safely dismissed if your nodes already handle authentication
+
+If your builds also need authenticated access to private registries, configure credentials through the Okteto UI or [CRDs](self-hosted/manage/crds.mdx#private-registries) in addition to your node-level setup.
+
 ## How it works
 
 Okteto runs a dedicated Kubernetes Controller to manage Registry Credentials. As part of this process, the Controller creates and manages a [Docker Config JSON](https://kubernetes.io/docs/concepts/configuration/secret/#docker-config-secrets) secret in the Okteto namespace.