diff --git a/docs/cri-o.md b/docs/cri-o.md
index 5644d2e037e2dd61aa687e9238cbb18bb895a682..c4831529e7e850bd06051260446c40d48a79c5e5 100644
--- a/docs/cri-o.md
+++ b/docs/cri-o.md
@@ -33,7 +33,7 @@ etcd_deployment_type: host # optionally and mutually exclusive with etcd_kubeadm
 Enable docker hub registry mirrors
 
 ```yaml
-crio_registries_mirrors:
+crio_registries:
   - prefix: docker.io
     insecure: false
     blocked: false
diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index 9dd07074b42e524494679d17669d780fc194ce69..912428ff021e01fab4ac7c50a811c9e1c3081184 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -7,32 +7,25 @@ crio_log_level: "info"
 crio_metrics_port: "9090"
 crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
 
-# Trusted registries to pull unqualified images (e.g. alpine:latest) from
+# Registries defined within cri-o.
 # By default unqualified images are not allowed for security reasons
 crio_registries: []
-
-# Configure insecure registries.
-crio_insecure_registries: []
-
-# Configure registry auth (if applicable to secure/insecure registries)
-crio_registry_auth: []
-#  - registry: 10.0.0.2:5000
-#    username: user
-#    password: pass
-
-# Define registiries mirror
-
-crio_registries_mirrors: []
 #  - prefix: docker.io
 #    insecure: false
 #    blocked: false
-#    location: registry-1.docker.io
+#    location: registry-1.docker.io ## REQUIRED
+#    unqualified: false
 #    mirrors:
 #      - location: 172.20.100.52:5000
 #        insecure: true
 #      - location: mirror.gcr.io
 #        insecure: false
 
+crio_registry_auth: []
+#  - registry: 10.0.0.2:5000
+#    username: user
+#    password: pass
+
 crio_seccomp_profile: ""
 crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
 crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
index 9283a772a036ce756035028290eb2f81ed1d3fbc..d8ae4ad447d35a42739c8b80433aee19eda0e966 100644
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -166,12 +166,18 @@
     owner: root
     mode: 0755
 
-- name: Write registries mirror configs
+- name: Write registries configs
   template:
-    src: registry-mirror.conf.j2
-    dest: "/etc/containers/registries.conf.d/{{ item.prefix }}.conf"
+    src: registry.conf.j2
+    dest: "/etc/containers/registries.conf.d/10-{{ item.prefix | default(item.location) | regex_replace(':', '_') }}.conf"
     mode: 0644
-  loop: "{{ crio_registries_mirrors }}"
+  loop: "{{ crio_registries }}"
+  notify: restart crio
+
+- name: Configure unqualified registry settings
+  template:
+    src: unqualified.conf.j2
+    dest: "/etc/containers/registries.conf.d/01-unqualified.conf"
   notify: restart crio
 
 - name: Write cri-o proxy drop-in
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index 8fbd23a1d40f05296a5c302a057e0564d298ae25..780044c71d64444b9509cbbdea3130ada51d6ddb 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -338,31 +338,10 @@ pause_command = "/pause"
 # refer to containers-policy.json(5) for more details.
 signature_policy = "{{ crio_signature_policy }}"
 
-# List of registries to skip TLS verification for pulling images. Please
-# consider configuring the registries via /etc/containers/registries.conf before
-# changing them here.
-insecure_registries = [
-  {% for insecure_registry in crio_insecure_registries %}
-  "{{ insecure_registry }}",
-  {% endfor %}
-]
-
 # Controls how image volumes are handled. The valid values are mkdir, bind and
 # ignore; the latter will ignore volumes entirely.
 image_volumes = "mkdir"
 
-# List of registries to be used when pulling an unqualified image (e.g.,
-# "alpine:latest"). By default, registries is set to "docker.io" for
-# compatibility reasons. Depending on your workload and usecase you may add more
-# registries (e.g., "quay.io", "registry.fedoraproject.org",
-# "registry.opensuse.org", etc.).
-registries = [
-  {% for registry in crio_registries %}
-  "{{ registry }}",
-  {% endfor %}
-]
-
-
 # The crio.network table containers settings pertaining to the management of
 # CNI plugins.
 [crio.network]
diff --git a/roles/container-engine/cri-o/templates/registry-mirror.conf.j2 b/roles/container-engine/cri-o/templates/registry-mirror.conf.j2
deleted file mode 100644
index 3c55026eaff900c58c5393c43ce7d8a3e8da754e..0000000000000000000000000000000000000000
--- a/roles/container-engine/cri-o/templates/registry-mirror.conf.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-[[registry]]
-prefix = "{{ item.prefix }}"
-insecure = {{ item.insecure | d('false') | string | lower }}
-blocked = {{ item.blocked | d('false') | string | lower }}
-location = "{{ item.location | d(item.prefix) }}"
-{% for mirror in item.mirrors %}
-
-[[registry.mirror]]
-location = "{{ mirror.location }}"
-insecure = {{ mirror.insecure | d ('false') | string | lower }}
-{% endfor %}
diff --git a/roles/container-engine/cri-o/templates/registry.conf.j2 b/roles/container-engine/cri-o/templates/registry.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..38368f989c921f7d9f546451f253c37bfcd54716
--- /dev/null
+++ b/roles/container-engine/cri-o/templates/registry.conf.j2
@@ -0,0 +1,13 @@
+[[registry]]
+prefix = "{{ item.prefix | default(item.location) }}"
+insecure = {{ item.insecure | default('false') | string | lower }}
+blocked = {{ item.blocked | default('false') | string | lower }}
+location = "{{ item.location }}"
+{% if item.mirrors is defined %}
+{% for mirror in item.mirrors %}
+
+[[registry.mirror]]
+location = "{{ mirror.location }}"
+insecure = {{ mirror.insecure | default('false') | string | lower }}
+{% endfor %}
+{% endif %}
diff --git a/roles/container-engine/cri-o/templates/unqualified.conf.j2 b/roles/container-engine/cri-o/templates/unqualified.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..8d690dc24f30de62bf540730fe9b785f23f32548
--- /dev/null
+++ b/roles/container-engine/cri-o/templates/unqualified.conf.j2
@@ -0,0 +1,10 @@
+{%- set _unqualified_registries = [] -%}
+{% for _registry in crio_registries if _registry.unqualified -%}
+{% if _registry.prefix is defined -%}
+{{ _unqualified_registries.append(_registry.prefix) }}
+{% else %}
+{{ _unqualified_registries.append(_registry.location) }}
+{%- endif %}
+{%- endfor %}
+
+unqualified-search-registries = {{ _unqualified_registries | to_yaml }}