If a node group in a Managed Service for Kubernetes cluster has a service account added to it, pods hosted by the group’s nodes can pull images from Container Registry without additional authentication.
We recommend using the service account from the same project as the node group.
To set up pulling images without authentication:
  1. Make sure that you (if you are not your tenant’s owner), or the service account that manages clusters on your behalf, are in a group that has the admin role within your tenant; for example, the default admins group. You can check this in the Administration → IAM section of the web console.
  2. In your Managed Kubernetes cluster, create or modify a node group so that a service account from a group with at least the viewer role is added to it. The service account for node groups that your project came with, k8s-node-group-sa, is in the default viewers group.
    Currently, it is not possible to create a node group with a service account using the web console.
    For example:
    The commands below assume that the Nebius AI Cloud CLI is configured as described in its documentation, including adding the project ID in the CLI profile’s parent-id, and that the Managed Kubernetes cluster ID is stored in the NB_MK8S_CLUSTER_ID environment variable.
    # Look up the ID of the project's default node-group service account
    export NB_MK8S_SA_ID=$(
      nebius iam service-account get-by-name \
        --name k8s-node-group-sa --format json \
        | jq -r '.metadata.id'
    )
    # Create a node group whose nodes use that service account
    nebius mk8s node-group create \
      --parent-id "$NB_MK8S_CLUSTER_ID" \
      --name node-group-example \
      --fixed-node-count 2 \
      --template-service-account-id "$NB_MK8S_SA_ID" \
      --template-resources-platform cpu-e2 \
      --template-resources-preset 2vcpu-8gb
    
    For details about nebius mk8s node-group create, see the CLI reference.
After setting up node groups, you can refer to Container Registry images in your manifests (for pods or other resources that manage pods, such as deployments) without providing credentials to pull them.
For example, if your nginx image is at cr.eu-north1.nebius.cloud/<registry_ID>/nginx:mynginx (you can get the registry ID in the web console or with the nebius registry list CLI command), here is how to refer to it in a deployment manifest:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: cr.eu-north1.nebius.cloud/<registry_ID>/nginx:mynginx
          ports:
            - containerPort: 80
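
The node group's service account only covers pulls from Container Registry, so it helps to check which images in a manifest rely on it before deploying. The script below is an added example, not part of the Nebius documentation: it classifies each image reference by registry host and registry ID. The function names, the status labels, the sample manifest and both registry IDs are constructed for illustration, and it assumes the service account has at least the viewer role on the expected registry.

```sh
#!/bin/sh
# Added example, not from the Nebius documentation.
CR_HOST="cr.eu-north1.nebius.cloud"   # Container Registry host shown on this page

# classify_image <image_ref> <registry_id> prints one of:
#   covered        - in the expected registry, pulled with the node group's service account
#   other-registry - Container Registry, but a different registry ID: confirm the
#                    service account has at least the viewer role there
#   external       - not Container Registry: the service account does not apply
classify_image() (
  ref=$1; expected_id=$2
  host=${ref%%/*}; rest=${ref#*/}; id=${rest%%/*}
  if [ "$host" != "$CR_HOST" ]; then echo external
  elif [ "$id" != "$expected_id" ]; then echo other-registry
  else echo covered
  fi
)

# audit_manifest <registry_id>: reads a manifest on stdin, prints "<status> <image>" per image.
audit_manifest() {
  sed -n -e 's/[[:space:]]*#.*$//' -e 's/^[[:space:]-]*image:[[:space:]]*//p' |
    tr -d "\"'" |
    while read -r ref; do
      printf '%s %s\n' "$(classify_image "$ref" "$1")" "$ref"
    done
}

# all_covered <registry_id>: succeeds only if every image on stdin is "covered".
all_covered() {
  ! audit_manifest "$1" | grep -qv '^covered '
}

# Constructed sample; both registry IDs are placeholders.
SAMPLE_MANIFEST='
spec:
  containers:
    - name: nginx
      image: cr.eu-north1.nebius.cloud/example-registry-id/nginx:mynginx
    - name: sidecar
      image: "docker.io/library/busybox:1.36"   # pulled from outside Container Registry
    - name: tool
      image: cr.eu-north1.nebius.cloud/another-registry-id/tool:v1
'
printf '%s\n' "$SAMPLE_MANIFEST" | audit_manifest example-registry-id
```

Images reported as external or other-registry are the ones to review, since their pulls do not depend on the service account setup described above in the same way.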