diff --git a/images/hub/jupyterhub_config.py b/images/hub/jupyterhub_config.py
index 6f7cae23ea..99054d2cef 100644
--- a/images/hub/jupyterhub_config.py
+++ b/images/hub/jupyterhub_config.py
@@ -48,6 +48,8 @@
 
 c.KubeSpawner.image_pull_policy = get_config('singleuser.image-pull-policy')
 
+c.KubeSpawner.image_pull_secrets = get_config('singleuser.image-pull-secret-name', None)
+
 c.KubeSpawner.events_enabled = get_config('singleuser.events', False)
 
 c.KubeSpawner.extra_labels = get_config('singleuser.extra-labels', {})
diff --git a/jupyterhub/schema.yaml b/jupyterhub/schema.yaml
index fc9b643359..a83fbfaecd 100644
--- a/jupyterhub/schema.yaml
+++ b/jupyterhub/schema.yaml
@@ -305,6 +305,48 @@ properties:
             type:
             - string
             - "null"
+      imagePullPolicy:
+        type: string
+        enum:
+          - IfNotPresent
+          - Always
+          - Never
+        description: |
+          Set the imagePullPolicy on the singleuser pods that are spun up by the hub.
+
+          See [the kubernetes docs](https://kubernetes.io/docs/concepts/containers/images/#updating-images)
+          for more info on what the values mean.
+      imagePullSecret:
+        type: object
+        description: |
+          Create a custom image pull secert used for spawned users.
+
+          This secret is created in the same namespace as your jupyterhub deployment and will be used to pull your single user image.
+        properties:
+          registry:
+            type: string
+            description: |
+              Name of the private registry you want to create a credential set for.
+
+              Examples:
+                - private.jfrog.io
+                - alexmorreale.privatereg.net
+          username:
+            type: string
+            description: |
+              Name of the user you want to use to connect to your private registry.
+
+              Examples:
+                - alexmorreale
+                - alex@pfc.com
+          password:
+            type: string
+            description: |
+              Password of the user you want to use to connect to your private registry.
+
+              Examples:
+                - plaintextpassword
+                - abc123SECRETzyx098
       image:
         type: object
         description: |
diff --git a/jupyterhub/templates/_helpers.tpl b/jupyterhub/templates/_helpers.tpl
index b1cf6added..08b5646129 100644
--- a/jupyterhub/templates/_helpers.tpl
+++ b/jupyterhub/templates/_helpers.tpl
@@ -9,7 +9,7 @@
   generate some output based on one single dictionary of input that we call the
   helpers scope. When you are in helm, you access your current scope with a
   single a single punctuation (.).
-  
+
   When you ask a helper to render its content, one often forward the current
   scope to the helper in order to allow it to access .Release.Name,
   .Values.rbac.enabled and similar values.
@@ -27,7 +27,7 @@
   To let a helper access the current scope along with additional values we have
   opted to create dictionary containing additional values that is then populated
   with additional values from the current scope through a the merge function.
-  
+
   #### Example - Passing a new scope augmented with the old
   {{- $_ := merge (dict "appLabel" "kube-lego") . }}
   {{- include "jupyterhub.matchLabels" $_ | nindent 6 }}
@@ -97,7 +97,7 @@
     Used by "jupyterhub.labels" and "jupyterhub.nameField".
 
     NOTE: The component label is determined by either...
-    - 1: The provided scope's .componentLabel 
+    - 1: The provided scope's .componentLabel
     - 2: The template's filename if living in the root folder
     - 3: The template parent folder's name
     -  : ...and is combined with .componentPrefix and .componentSuffix
@@ -172,3 +172,11 @@ component: {{ include "jupyterhub.componentLabel" . }}
 {{- $_ := merge (dict "componentLabel" "singleuser-server") . -}}
 {{ include "jupyterhub.matchLabels" $_ | replace ": " "=" | replace "\n" "," | quote }}
 {{- end }}
+
+{{- /*
+  singleuser.imagePullSecret:
+    allows creating a base64 encoded docker registry json blob
+*/}}
+{{- define "singleuser.imagePullSecret" }}
+{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.singleuser.imagePullSecret.registry (printf "%s:%s" .Values.singleuser.imagePullSecret.username .Values.singleuser.imagePullSecret.password | b64enc) | b64enc }}
+{{- end }}
diff --git a/jupyterhub/templates/hub/configmap.yaml b/jupyterhub/templates/hub/configmap.yaml
index d828c4d58f..2e2ac9222b 100644
--- a/jupyterhub/templates/hub/configmap.yaml
+++ b/jupyterhub/templates/hub/configmap.yaml
@@ -67,7 +67,7 @@ data:
   auth.gitlab.client-secret: {{ .Values.auth.gitlab.clientSecret | quote }}
   auth.gitlab.callback-url: {{ .Values.auth.gitlab.callbackUrl | quote }}
   {{- end }}
-  
+
   {{- if eq .Values.auth.type "mediawiki" }}
   auth.mediawiki.client-id: {{ .Values.auth.mediawiki.clientId | quote }}
   auth.mediawiki.client-secret: {{ .Values.auth.mediawiki.clientSecret | quote }}
@@ -80,7 +80,7 @@ data:
   auth.globus.callback-url: {{ .Values.auth.globus.callbackUrl | quote }}
   auth.globus.identity-provider: {{ .Values.auth.globus.identityProvider | quote }}
   {{- end }}
-  
+
   {{- if eq .Values.auth.type "lti" }}
   auth.lti.consumers: |
     {{- .Values.auth.lti.consumers | toYaml | trimSuffix "\n" | nindent 4 }}
@@ -108,7 +108,7 @@ data:
   auth.ldap.dn.user.search-base: {{ .Values.auth.ldap.dn.user.searchBase | quote }}
   auth.ldap.dn.user.attribute: {{ .Values.auth.ldap.dn.user.attribute | quote }}
   {{- end }}
-  
+
   {{- if eq .Values.auth.type "dummy" }}
   {{- if .Values.auth.dummy.password }}
   auth.dummy.password: {{ .Values.auth.dummy.password | quote }}
@@ -133,6 +133,9 @@ data:
     {{- .Values.singleuser.cloudMetadata | toYaml | trimSuffix "\n" | nindent 4 }}
   singleuser.start-timeout: {{ .Values.singleuser.startTimeout | quote }}
   singleuser.image-pull-policy: {{ .Values.singleuser.image.pullPolicy | quote }}
+  {{- if .Values.singleuser.imagePullSecret }}
+  singleuser.image-pull-secret-name: singleuser-image-credentials
+  {{- end }}
   {{- if .Values.singleuser.cmd }}
   singleuser.cmd: {{ .Values.singleuser.cmd | quote }}
   {{- end }}
@@ -190,8 +193,8 @@ data:
     {{ $key | quote }}: {{ $value | quote }}
     {{- end }}
   {{- end }}
-  
-  
+
+
   {{- /* KubeSpawner */}}
   kubespawner.common-labels: |
     {{- $_ := merge (dict "heritageLabel" "jupyterhub") . }}
diff --git a/jupyterhub/templates/singleuser/image-credentials-secret.yaml b/jupyterhub/templates/singleuser/image-credentials-secret.yaml
new file mode 100644
index 0000000000..2a6073a87a
--- /dev/null
+++ b/jupyterhub/templates/singleuser/image-credentials-secret.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.singleuser.imagePullSecret }}
+kind: Secret
+apiVersion: v1
+metadata:
+  name: singleuser-image-credentials
+  labels:
+    {{- $_ := merge (dict "componentSuffix" "-image-credentials") . }}
+    {{- include "jupyterhub.labels" $_ | nindent 4 }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ include "singleuser.imagePullSecret" . }}
+{{- end }}