diff --git a/ansible/group_vars/all/docker-registry b/ansible/group_vars/all/docker-registry
index 13e959fbe790993bcca06e9a16bb9bd8c3ba7fc5..2ace208ac1f6f937276f8da5d4e0b3d57956cd69 100644
--- a/ansible/group_vars/all/docker-registry
+++ b/ansible/group_vars/all/docker-registry
@@ -14,6 +14,9 @@ docker_registry_enabled: False
 # pull through cache.
 docker_registry_env: {}
 
+# The network mode of the docker registry container. Default is 'host'.
+docker_registry_network_mode: host
+
 # The port on which the docker registry server should listen.
 # NOTE: This is set to 4000 rather than the default of 5000 to avoid clashing
 #       with keystone.
diff --git a/ansible/roles/docker-registry/defaults/main.yml b/ansible/roles/docker-registry/defaults/main.yml
index 66c631ee1de3cf6a10e226e85851873cc9c4fdb1..f7ecce4d7b8e4e0800dcf3c7c80265d3de6d8812 100644
--- a/ansible/roles/docker-registry/defaults/main.yml
+++ b/ansible/roles/docker-registry/defaults/main.yml
@@ -43,13 +43,17 @@ docker_registry_services:
      {{ {} |
         combine(docker_registry_env_tls if docker_registry_enable_tls | bool else {}) |
         combine(docker_registry_env_basic_auth if docker_registry_enable_basic_auth | bool else {}) |
-        combine(docker_registry_env_listen) |
+        combine(docker_registry_env_listen if docker_registry_network_mode == 'host' else {}) |
         combine(docker_registry_env) }}
     enabled: "{{ docker_registry_enabled }}"
     image: "{{ docker_registry_image_full }}"
-    network_mode: host
+    network_mode: "{{ docker_registry_network_mode }}"
+    ports: "{{ [docker_registry_port ~ ':5000'] if docker_registry_network_mode == 'bridge' else [] }}"
     volumes: "{{ docker_registry_volumes | select | list }}"
 
+# The network mode of the docker registry container.
+docker_registry_network_mode: host
+
 # The port on which the docker registry server should listen.
 docker_registry_port: 5000
 
diff --git a/doc/source/configuration/reference/docker-registry.rst b/doc/source/configuration/reference/docker-registry.rst
index dd459077d009aef5a489bf65a9b383a94e26c989..44f768c6627734627b6d9e425e1ae7ca1273eb79 100644
--- a/doc/source/configuration/reference/docker-registry.rst
+++ b/doc/source/configuration/reference/docker-registry.rst
@@ -27,9 +27,16 @@ Configuring the registry
     Docker Hub by setting REGISTRY_PROXY_REMOTEURL to
     "https://registry-1.docker.io".  Note that it is not possible to push to a
     registry configured as a pull through cache. Default is ``{}``.
+``docker_registry_network_mode``
+    The network mode used for the docker registry container. Default is
+    ``host``. When set to ``bridge``, port mapping is configured to expose the
+    registry through port ``docker_registry_port``.
 ``docker_registry_port``
     The port on which the docker registry server should listen. Default is
-    4000.
+    4000. When ``docker_registry_network_mode`` is set to ``host``, configures
+    the port used by the registry server inside the container. When
+    ``docker_registry_network_mode`` is set to ``bridge``, configures the
+    overlay network port.
 ``docker_registry_datadir_volume``
     Name or path to use as the volume for the docker registry. Default is
     ``docker_registry``.
diff --git a/etc/kayobe/docker-registry.yml b/etc/kayobe/docker-registry.yml
index 7ba79ed90c2125bffed7759925d98baf175f2438..ea6ca9c8418edabedee2dc7fbaa3010ec35a2a91 100644
--- a/etc/kayobe/docker-registry.yml
+++ b/etc/kayobe/docker-registry.yml
@@ -14,6 +14,9 @@
 # pull through cache. Default is an empty dict.
 #docker_registry_env:
 
+# The network mode of the docker registry container. Default is 'host'.
+#docker_registry_network_mode:
+
 # The port on which the docker registry server should listen. Default is 4000.
 #docker_registry_port:
 
diff --git a/releasenotes/notes/docker-registry-network-mode-3c678295b51d69c1.yaml b/releasenotes/notes/docker-registry-network-mode-3c678295b51d69c1.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..17fb9240871c5108df3fd89c9c22b17185a5aa4e
--- /dev/null
+++ b/releasenotes/notes/docker-registry-network-mode-3c678295b51d69c1.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Adds a new flag, ``docker_registry_network_mode``, which defaults to
+    ``host``. This may be used to set the network mode of the Docker registry
+    container.