Documentation Index
Fetch the complete documentation index at: https://docs.nebius.com/llms.txt
Use this file to discover all available pages before exploring further.
If a node group in a Managed Service for Kubernetes cluster has a service account added to it, pods hosted by the group’s nodes can pull images from Container Registry without additional authentication.
We recommend using the service account from the same project as the node group.
-
Make sure that you, or the service account that you use on your behalf, is in a group that has the
admin role within your tenant; for example, the default admins group. You can check this in the Administration → IAM section of the web console.
-
In your Managed Kubernetes cluster, create or modify a node group so that a service account from a group with at least the
viewer role is added to it. A service account for node groups that your project came with, k8s-node-group-sa, is in the default viewers group.
Currently, it is not possible to create a node group with a service account using the web console.
The commands below assume that the Nebius AI Cloud CLI is configured as described in its documentation, including adding the project ID in the CLI profile’s parent-id, and that the Managed Kubernetes cluster ID is stored in the NB_MK8S_CLUSTER_ID environment variable.export NB_MK8S_SA_ID=$(
nebius iam service-account get-by-name \
--name k8s-node-group-sa --format json \
| jq -r '.metadata.id'
)
nebius mk8s node-group create \
--parent-id $NB_MK8S_CLUSTER_ID \
--name node-group-example \
--fixed-node-count 2 \
--template-service-account-id $NB_MK8S_SA_ID \
--template-resources-platform cpu-e2 \
--template-resources-preset 2vcpu-8gb
nebius mk8s node-group create, see the CLI reference. The configuration below assumes that the project ID and Managed Kubernetes cluster ID are stored in the project_id and mk8s_cluster_id Terraform input variables, respectively.data "nebius_iam_v1_service_account" "k8s_node_group" {
parent_id = var.project_id
name = "k8s-node-group-sa"
}
resource "nebius_mk8s_v1_node_group" "example" {
parent_id = var.mk8s_cluster_id
name = "node-group-example"
fixed_node_count = 2
template = {
service_account_id = data.nebius_iam_v1_service_account.k8s_node_group.id
resources = {
platform = "cpu-e2"
preset = "2vcpu-8gb"
}
}
}
nebius_mk8s_v1_node_group Terraform resource, see the provider reference.
After setting up node groups, you can just refer to Container Registry images in your manifests (for pods or other resources that manage pods, such as deployments) without providing credentials to pull them.
For example, if your nginx image is at cr.eu-north1.nebius.cloud/<registry_ID>/nginx:mynginx (you can get the registry ID in the web console or with the nebius registry list) CLI command), here is how to refer to it in a deployment manifest:
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: cr.eu-north1.nebius.cloud/<registry_ID>/nginx:mynginx
ports:
- containerPort: 80
