diff --git a/cmd/cache/main.go b/cmd/cache/main.go
index ed3eb7c8..26e4b0d9 100644
--- a/cmd/cache/main.go
+++ b/cmd/cache/main.go
@@ -95,6 +95,7 @@ func main() {
 		Client:      mgr.GetClient(),
 		Scheme:      mgr.GetScheme(),
 		Recorder:    mgr.GetEventRecorderFor("cachedimage-controller"),
+		ApiReader:   mgr.GetAPIReader(),
 		ExpiryDelay: time.Duration(expiryDelay*24) * time.Hour,
 	}).SetupWithManager(mgr, maxConcurrentCachedImageReconciles); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "CachedImage")
diff --git a/controllers/cachedimage_controller.go b/controllers/cachedimage_controller.go
index 07fb9d04..e6843c7b 100644
--- a/controllers/cachedimage_controller.go
+++ b/controllers/cachedimage_controller.go
@@ -38,6 +38,7 @@ type CachedImageReconciler struct {
 	client.Client
 	Scheme      *runtime.Scheme
 	Recorder    record.EventRecorder
+	ApiReader   client.Reader
 	ExpiryDelay time.Duration
 }
 
@@ -128,7 +129,7 @@ func (r *CachedImageReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 
 	if !isCached {
 		r.Recorder.Eventf(&cachedImage, "Normal", "Caching", "Start caching image %s", cachedImage.Spec.SourceImage)
-		keychain := registry.NewKubernetesKeychain(r.Client, cachedImage.Spec.PullSecretsNamespace, cachedImage.Spec.PullSecretNames)
+		keychain := registry.NewKubernetesKeychain(r.ApiReader, cachedImage.Spec.PullSecretsNamespace, cachedImage.Spec.PullSecretNames)
 		if err := registry.CacheImage(cachedImage.Spec.SourceImage, keychain); err != nil {
 			log.Error(err, "failed to cache image")
 			r.Recorder.Eventf(&cachedImage, "Warning", "CacheFailed", "Failed to cache image %s, reason: %s", cachedImage.Spec.SourceImage, err)
diff --git a/internal/registry/keychain.go b/internal/registry/keychain.go
index ef7099ea..c83e65f2 100644
--- a/internal/registry/keychain.go
+++ b/internal/registry/keychain.go
@@ -24,13 +24,13 @@ const (
 )
 
 type kubernetesKeychain struct {
-	client     client.Client
+	client     client.Reader
 	mu         sync.Mutex
 	namespace  string
 	pullSecret string
 }
 
-func NewKubernetesKeychain(client client.Client, namespace string, pullSecrets []string) authn.Keychain {
+func NewKubernetesKeychain(client client.Reader, namespace string, pullSecrets []string) authn.Keychain {
 	keychains := []authn.Keychain{}
 	for _, pullSecret := range pullSecrets {
 		keychains = append(keychains, &kubernetesKeychain{