diff --git a/manifests/klusterlet/klusterlet-registration-serviceaccount.yaml b/manifests/klusterlet/klusterlet-registration-serviceaccount.yaml
index 3d8f44389..252395aa3 100644
--- a/manifests/klusterlet/klusterlet-registration-serviceaccount.yaml
+++ b/manifests/klusterlet/klusterlet-registration-serviceaccount.yaml
@@ -3,3 +3,5 @@ kind: ServiceAccount
 metadata:
 name: {{ .KlusterletName }}-registration-sa
 namespace: {{ .KlusterletNamespace }}
+imagePullSecrets:
+- name: open-cluster-management-image-pull-credentials
diff --git a/manifests/klusterlet/klusterlet-work-serviceaccount.yaml b/manifests/klusterlet/klusterlet-work-serviceaccount.yaml
index d5c856a79..f06687d28 100644
--- a/manifests/klusterlet/klusterlet-work-serviceaccount.yaml
+++ b/manifests/klusterlet/klusterlet-work-serviceaccount.yaml
@@ -3,3 +3,5 @@ kind: ServiceAccount
 metadata:
 name: {{ .KlusterletName }}-work-sa
 namespace: {{ .KlusterletNamespace }}
+imagePullSecrets:
+- name: open-cluster-management-image-pull-credentials
diff --git a/pkg/operators/klusterlet/bindata/bindata.go b/pkg/operators/klusterlet/bindata/bindata.go
index 775661f74..21f47cc8a 100644
--- a/pkg/operators/klusterlet/bindata/bindata.go
+++ b/pkg/operators/klusterlet/bindata/bindata.go
@@ -287,6 +287,8 @@ kind: ServiceAccount metadata: name: {{ .KlusterletName }}-registration-sa namespace: {{ .KlusterletNamespace }} +imagePullSecrets: +- name: open-cluster-management-image-pull-credentials `) func manifestsKlusterletKlusterletRegistrationServiceaccountYamlBytes() ([]byte, error) {
@@ -505,6 +507,8 @@ kind: ServiceAccount metadata: name: {{ .KlusterletName }}-work-sa namespace: {{ .KlusterletNamespace }} +imagePullSecrets: +- name: open-cluster-management-image-pull-credentials `) func manifestsKlusterletKlusterletWorkServiceaccountYamlBytes() ([]byte, error) {
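Review bot: The secret name `open-cluster-management-image-pull-credentials` in klusterlet-registration-serviceaccount.yaml (and the identical line in klusterlet-work-serviceaccount.yaml) is a literal that has to stay in step with the `imagePullSecret` constant added in klusterlet_controller.go. If the two drift, the ServiceAccount would reference a secret that the controller never copies into `{{ .KlusterletNamespace }}`, and pulls from a private registry would fail while the manifest still applies cleanly. The manifests already render name and namespace from template values, so the secret name could be rendered the same way from the constant. Failing that, a comment such as `# must match imagePullSecret in klusterlet_controller.go` above `imagePullSecrets:` documents the coupling.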
diff --git a/pkg/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller.go b/pkg/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller.go
index 810fc414c..3425accd1 100644
--- a/pkg/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller.go
+++ b/pkg/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller.go
@@ -35,6 +35,7 @@ import (
 const (
 klusterletFinalizer = "operator.open-cluster-management.io/klusterlet-cleanup"
+ imagePullSecret = "open-cluster-management-image-pull-credentials"
 klusterletApplied = "Applied"
 )
@@ -182,6 +183,26 @@ func (n *klusterletController) sync(ctx context.Context, controllerContext facto
 return err
 }
+ // Symc pull secret
+ _, _, err = resourceapply.SyncSecret(
+ n.kubeClient.CoreV1(),
+ controllerContext.Recorder(),
+ n.operatorNamespace,
+ imagePullSecret,
+ config.KlusterletNamespace,
+ imagePullSecret,
+ []metav1.OwnerReference{},
+ )
+
+ if err != nil {
+ helpers.UpdateKlusterletStatus(ctx, n.klusterletClient, klusterletName, helpers.UpdateKlusterletConditionFn(operatorapiv1.StatusCondition{
+ Type: klusterletApplied, Status: metav1.ConditionFalse, Reason: "KlusterletApplyFailed",
+ Message: fmt.Sprintf("Failed to sync image pull secret to namespace %q: %v", config.KlusterletNamespace, err),
+ }))
+
+ return err
+ }
+
 errs := []error{}
 // If kube version is less than 1.12, deploy static resource for kube 1.11 at first
 // TODO remove this when we do not support kube 1.11 any longer
diff --git a/pkg/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller_test.go b/pkg/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller_test.go
index e2beac120..e46e33d70 100644
--- a/pkg/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller_test.go
+++ b/pkg/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller_test.go
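Review bot: The copy made by `resourceapply.SyncSecret` in `sync` is created with `[]metav1.OwnerReference{}`, so nothing in this hunk ties the lifetime of the registry credential in `config.KlusterletNamespace` to the Klusterlet. Unless the finalizer cleanup (outside the hunk) deletes the secret or the whole namespace, the credential stays behind after the Klusterlet is removed; passing an owner reference for the Klusterlet or deleting the secret explicitly in the cleanup path would close that gap. The behaviour when the source secret is missing from `n.operatorNamespace` also deserves a comment: as far as I recall, library-go's SyncSecret then removes the target instead of returning an error, which would delete a same-named secret placed in the klusterlet namespace by hand, so please confirm against the vendored version. The comment has a typo and should read `// Sync pull secret`. The body of `sync` starts and ends outside the hunk.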
@@ -423,6 +423,35 @@ func TestClusterNameChange(t *testing.T) {
 ensureDeployments(t, controller.kubeClient.Actions(), "update", "https://localhost", "cluster3", "cluster3", 2)
 }
+func TestSyncWithPullSecret(t *testing.T) {
+ klusterlet := newKlusterlet("klusterlet", "testns", "cluster1")
+ bootStrapSecret := newSecret(helpers.BootstrapHubKubeConfigSecret, "testns")
+ hubKubeConfigSecret := newSecret(helpers.HubKubeConfigSecret, "testns")
+ hubKubeConfigSecret.Data["kubeconfig"] = []byte("dummuykubeconnfig")
+ namespace := newNamespace("testns")
+ pullSecret := newSecret(imagePullSecret, "open-cluster-management")
+ controller := newTestController(klusterlet, bootStrapSecret, hubKubeConfigSecret, namespace, pullSecret)
+ syncContext := testinghelper.NewFakeSyncContext(t, "klusterlet")
+
+ err := controller.controller.sync(nil, syncContext)
+ if err != nil {
+ t.Errorf("Expected non error when sync, %v", err)
+ }
+
+ var createdSecret *corev1.Secret
+ kubeActions := controller.kubeClient.Actions()
+ for _, action := range kubeActions {
+ if action.GetVerb() == "create" && action.GetResource().Resource == "secrets" {
+ createdSecret = action.(clienttesting.CreateActionImpl).Object.(*corev1.Secret)
+ break
+ }
+ }
+
+ if createdSecret == nil || createdSecret.Name != imagePullSecret {
+ t.Errorf("Failed to sync pull secret")
+ }
+}
+
 func TestDeployOnKube111(t *testing.T) {
 klusterlet := newKlusterlet("klusterlet", "testns", "cluster1")
 bootStrapSecret := newSecret(helpers.BootstrapHubKubeConfigSecret, "testns")
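Review bot: The final assertion in `TestSyncWithPullSecret` checks only `createdSecret.Name`, so it would still pass if the credential were created in the wrong namespace, which is the property that matters most for a copied pull secret. Extend it to `if createdSecret == nil || createdSecret.Name != imagePullSecret || createdSecret.Namespace != "testns" {`. The loop also stops at the first `create` on `secrets`, so the test depends on the pull secret being the first secret `sync` creates; matching on the name inside the loop would remove that ordering dependency. `sync` is called with a nil context, where `context.TODO()` is the usual choice, assuming the test file imports `context` (not visible here).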