
# Pulling images from Container Registry for workloads in Managed Service for Kubernetes® clusters

If a node group in a Managed Service for Kubernetes cluster has a [service account](../../iam/overview#accounts-and-members) added to it, pods hosted by the group's nodes can pull images from Container Registry without additional authentication.

<Note>
  We recommend using the service account from the same [project](../../iam/overview#projects) as the node group.
</Note>

To set up pulling images without authentication:

1. Make sure that you (or the service account that you use to act on your behalf) are in a [group](/iam/authorization/groups) that has the `admin` role within your tenant; for example, the default `admins` group. You can check this in the [Administration → IAM](https://console.nebius.com/iam) section of the web console.
2. In your Managed Kubernetes cluster, [create or modify a node group](../node-groups/manage) so that a service account from a group with at least the `viewer` role is added to it. Your project comes with a service account for node groups, `k8s-node-group-sa`, which is in the default `viewers` group.

   <Warning>
     Currently, it is not possible to create a node group with a service account using the web console.
   </Warning>

   For example:

   <Tabs group="interfaces">
     <Tab title="CLI">
       The commands below assume that the Nebius AI Cloud CLI is configured as described in its [documentation](../../cli/configure), including adding the [project](../../iam/overview#projects) ID in the CLI profile's `parent-id`, and that the Managed Kubernetes cluster ID is stored in the `MK8S_CLUSTER_ID` environment variable.

       ```bash
       # Look up the ID of the project's default node-group service account
       export MK8S_SA_ID=$(
         nebius iam service-account get-by-name \
           --name k8s-node-group-sa --format json \
           | jq -r '.metadata.id'
       )
       # Create a node group whose nodes use that service account
       nebius mk8s node-group create \
         --parent-id "$MK8S_CLUSTER_ID" \
         --name node-group-example \
         --fixed-node-count 2 \
         --template-service-account-id "$MK8S_SA_ID" \
         --template-resources-platform cpu-e2 \
         --template-resources-preset 2vcpu-8gb
       ```

       For details about `nebius mk8s node-group create`, see the [CLI reference](/cli/reference/mk8s/node-group/create).
     </Tab>

     <Tab title="Terraform">
       The configuration below assumes that the [project](../../iam/overview#projects) ID and Managed Kubernetes cluster ID are stored in the `project_id` and `mk8s_cluster_id` [Terraform input variables](https://developer.hashicorp.com/terraform/language/values/variables), respectively.

       ```hcl
       data "nebius_iam_v1_service_account" "k8s_node_group" {
         parent_id = var.project_id
         name      = "k8s-node-group-sa"
       }

       resource "nebius_mk8s_v1_node_group" "example" {
         parent_id = var.mk8s_cluster_id
         name      = "node-group-example"

         fixed_node_count = 2

         template = {
           service_account_id = data.nebius_iam_v1_service_account.k8s_node_group.id

           resources = {
             platform = "cpu-e2"
             preset   = "2vcpu-8gb"
           }
         }
       }
       ```

       For details about the `nebius_mk8s_v1_node_group` Terraform resource, see the [provider reference](/terraform-provider/reference/resources/mk8s_v1_node_group).
     </Tab>
   </Tabs>

After setting up node groups, you can just refer to Container Registry images in your manifests (for pods or other resources that manage pods, such as deployments) without providing credentials to pull them.

> For example, if your nginx image is at `cr.eu-north1.nebius.cloud/<registry_ID>/nginx:mynginx` (you can get the registry ID in the web console or with the [nebius registry list](/cli/reference/registry/list) CLI command), here is how to refer to it in a deployment manifest:
>
> ```yaml
> apiVersion: apps/v1
> kind: Deployment
> metadata:
>   name: nginx-deployment
> spec:
>   replicas: 1
>   selector:
>     matchLabels:
>       app: nginx
>   template:
>     metadata:
>       labels:
>         app: nginx
>     spec:
>       containers:
>         - name: nginx
>           image: cr.eu-north1.nebius.cloud/<registry_ID>/nginx:mynginx
>           ports:
>             - containerPort: 80
> ```
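
Once node groups pull with their service account, it is worth checking which pods pull from Container Registry and whether any still carry static `imagePullSecrets` that are no longer needed. The script below is an added example, not part of the Nebius documentation or tooling; it assumes pod data saved from `kubectl get pods -A -o json`, and the sample pods, secret name and registry IDs in it are constructed placeholders.

```python
import json
import sys

# Registry host as it appears in the page's example image reference.
REGISTRY_HOST = "cr.eu-north1.nebius.cloud"


def audit_pods(pod_list, registry_host=REGISTRY_HOST):
    """Report pods pulling from Container Registry and any pull secrets they keep.

    pod_list is the parsed output of `kubectl get pods -A -o json`.
    """
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        registry_ids = set()
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            host, _, rest = c.get("image", "").partition("/")
            if host == registry_host and "/" in rest:
                registry_ids.add(rest.split("/", 1)[0])  # <registry_ID> segment
        if registry_ids:
            findings.append({
                "pod": f"{meta.get('namespace', 'default')}/{meta.get('name')}",
                "node": spec.get("nodeName"),
                "registry_ids": sorted(registry_ids),
                # Static credentials the node group's service account makes redundant.
                "pull_secrets": [s["name"] for s in spec.get("imagePullSecrets", [])],
            })
    return findings


# Constructed sample data (not from a real cluster); registry IDs are placeholders.
SAMPLE = {"items": [
    {"metadata": {"namespace": "web", "name": "nginx-1"},
     "spec": {"nodeName": "node-a", "containers": [
         {"name": "nginx", "image": "cr.eu-north1.nebius.cloud/registry-example-1/nginx:mynginx"}]}},
    {"metadata": {"namespace": "web", "name": "legacy-1"},
     "spec": {"nodeName": "node-b", "imagePullSecrets": [{"name": "old-registry-cred"}],
              "containers": [
         {"name": "app", "image": "cr.eu-north1.nebius.cloud/registry-example-2/app:1.0"}]}},
    {"metadata": {"namespace": "tools", "name": "busybox-1"},
     "spec": {"nodeName": "node-a", "containers": [
         {"name": "sh", "image": "docker.io/library/busybox:1.36"}]}},
]}

if __name__ == "__main__":
    # Pass a file saved from `kubectl get pods -A -o json`, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit_pods(data):
        note = f"leftover imagePullSecrets: {f['pull_secrets']}" if f["pull_secrets"] else "ok"
        print(f"{f['pod']} on {f['node']} pulls from {f['registry_ids']}: {note}")
```

The `registry_ids` and `node` fields show which registries each node group's service account must be able to read, which helps when confirming that the account comes from the same project as the node group.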
