Yandex.Cloud
  • Services
  • Why Yandex.Cloud
  • Pricing
  • Documentation
  • Contact us
Get started
Yandex Managed Service for Kubernetes
  • Getting started
  • Step-by-step instructions
    • All instructions
    • Connecting to a node over SSH
    • Creating a configuration file
    • Configuring a Kubernetes cluster network
      • Granting access to an app running in a Kubernetes cluster
      • Using Kubernetes cluster network policies
    • Encrypting secrets
    • Using persistent volumes
      • Dynamically preparing volumes
      • Statically preparing volumes
      • Managing storage classes
      • Expanding a volume
      • Mounting a volume in Block mode
    • Managing a Kubernetes cluster
      • Adding Kubernetes cluster credentials to the kubectl configuration file
      • Getting information about a Kubernetes cluster
      • Creating a Kubernetes cluster
      • Editing a Kubernetes cluster
      • Deleting a Kubernetes cluster
    • Managing a node group
      • Getting information about a node group
      • Creating a node group
      • Editing a node group
      • Deleting a node group
  • Solutions
    • Integration with Container Registry
    • Running workloads with GPUs
    • Making backups to Object Storage
  • Concepts
    • Relationship between service resources
    • Release channels and updates
    • Using Kubernetes API objects
      • Volume
      • Service
    • Node group
      • Autoscaling node groups
      • Evicting pods from a node
      • Dynamic resource allocation for a node
      • Node groups with GPUs
    • Kubernetes cluster network policies
    • Quotas and limits
  • Access management
  • Pricing policy
  • API reference
    • Authentication in the API
    • gRPC
      • Overview
      • ClusterService
      • NodeGroupService
      • VersionService
      • OperationService
    • REST
      • Overview
      • Cluster
        • Overview
        • create
        • delete
        • get
        • list
        • listNodeGroups
        • listNodes
        • listOperations
        • start
        • stop
        • update
      • NodeGroup
        • Overview
        • create
        • delete
        • get
        • list
        • listNodes
        • listOperations
        • update
      • Version
        • Overview
        • list
  • Questions and answers
  1. Solutions
  2. Integration with Container Registry

Integration with Container Registry

  • Before you start
  • Create service accounts
    • Create a service account for resources
    • Create a service account for nodes
  • Prepare Kubernetes resources
    • Create a Kubernetes cluster
    • Create a node group
  • Prepare Container Registry resources
    • Create a registry
    • Configure the Docker Credential helper
    • Prepare a Docker image
  • Connect to the Kubernetes cluster
  • Run the test app
  • Delete the created resources

To integrate Kubernetes with Container Registry, create the following resources: service accounts for managing resources and respective access permissions, a Kubernetes cluster, a node group, and a Docker registry and image. To facilitate authentication, configure the Docker Credential helper and make sure that a pod with an app from Container Registry launches using a service account with no additional authentication.

  1. Create service accounts
    1. Create a service account for resources
    2. Create a service account for nodes
  2. Prepare the necessary Kubernetes resources
    1. Create a Kubernetes cluster
    2. Create a node group
  3. Prepare the necessary Container Registry resources
    1. Create a registry
    2. Configure the Credential helper
    3. Prepare a Docker image
  4. Connect to the Kubernetes cluster
  5. Run the test app
  6. Delete the created resources

Before you start

Go to the Yandex.Cloud management console and select the folder where you want to perform the operations. If there is no such folder, create one:

Management console
CLI
API
  1. Click Create folder in the Home page of the management console.

  2. Enter the folder name.

    • The name must be unique within the folder.
    • The name may contain lowercase Latin letters, numbers, and hyphens.
    • The first character must be a letter. The last character can't be a hyphen.
    • The maximum length of the name is 63 characters.
  3. Select Create a default network. A network is created with subnets in each availability zone.

  4. Click Create.

If you don't have the Yandex.Cloud command line interface yet, install and initialize it.

  1. See a description of the create folder command:

    $ yc resource-manager folder create --help
    
  2. Create a new folder:

    • with a name and without a description:

      $ yc resource-manager folder create \
          --name new-folder
      
      • The name must be unique within the folder.
      • The name may contain lowercase Latin letters, numbers, and hyphens.
      • The first character must be a letter. The last character can't be a hyphen.
      • The maximum length of the name is 63 characters.
    • with a name and description:

      $ yc resource-manager folder create \
          --name new-folder \
          --description "my first folder with description"
      

To create a folder, use the create method for the Folder resource of Yandex Resource Manager.

Create service accounts

Create service accounts:

  • A service account for resources with the editor role for the folder where the Kubernetes cluster will be created. The resources that the Kubernetes cluster needs will be created on behalf of this account.
  • A service account for nodes with the container-registry.images.puller role for the folder containing the Docker image registry. Nodes will download the Docker images they require from the registry on behalf of this account.

Create a service account for resources

To create a service account for making the resources required by the Kubernetes cluster:

  1. Write the folder ID from your CLI profile configuration to the variable:

    Bash
    PowerShell
    $ FOLDER_ID=$(yc config get folder-id)
    
    > $FOLDER_ID = yc config get folder-id
    
  2. Create a service account:

    Bash
    PowerShell
    $ yc iam service-account create --name k8s-res-sa-$FOLDER_ID
    
    > yc iam service-account create --name k8s-res-sa-$FOLDER_ID
    
  3. Write the service account ID to the variable:

    Bash
    PowerShell
    $ RES_SA_ID=$(yc iam service-account get --name k8s-res-sa-${FOLDER_ID} --format json | jq .id -r)
    
    > $RES_SA_ID = (yc iam service-account get --name k8s-res-sa-$FOLDER_ID --format json | ConvertFrom-Json).id
    
  4. Assign to the service account the editor role for the folder:

    yc resource-manager folder add-access-binding --id $FOLDER_ID --role editor --subject serviceAccount:$RES_SA_ID
    

Create a service account for nodes

To create a service account that lets nodes download the necessary Docker images from the registry:

  1. Write the folder ID from your CLI profile configuration to the variable:

    Bash
    PowerShell
    $ FOLDER_ID=$(yc config get folder-id)
    
    > $FOLDER_ID = yc config get folder-id
    
  2. Create a service account:

    Bash
    PowerShell
    $ yc iam service-account create --name k8s-node-sa-$FOLDER_ID
    
    > yc iam service-account create --name k8s-node-sa-$FOLDER_ID
    
  3. Write the service account ID to the variable:

    Bash
    PowerShell
    $ NODE_SA_ID=$(yc iam service-account get --name k8s-node-sa-${FOLDER_ID} --format json | jq .id -r)
    
    > $NODE_SA_ID = (yc iam service-account get --name k8s-node-sa-$FOLDER_ID --format json | ConvertFrom-Json).id
    
  4. Assign to the service account the container-registry.images.puller role for the folder:

    yc resource-manager folder add-access-binding --id $FOLDER_ID --role container-registry.images.puller --subject serviceAccount:$NODE_SA_ID
    

Prepare Kubernetes resources

Create a Kubernetes cluster

Create a Kubernetes cluster and specify the previously created service accounts in the --service-account-id and --node-service-account-id parameters.

Bash
PowerShell

Run the command:

$ yc managed-kubernetes cluster create \
 --name k8s-demo --network-name yc-auto-network \
 --zone ru-central1-a --subnet-name yc-auto-subnet-0 \
 --public-ip \
 --service-account-id $RES_SA_ID \
 --node-service-account-id $NODE_SA_ID

Run the command:

> yc managed-kubernetes cluster create `
 --name k8s-demo --network-name yc-auto-network `
 --zone ru-central1-a --subnet-name yc-auto-subnet-0 `
 --public-ip `
 --service-account-id $RES_SA_ID `
 --node-service-account-id $NODE_SA_ID

Create a node group

  1. Make sure the Kubernetes cluster was created.

    1. In the management console, select the folder where you created the Kubernetes cluster.
    2. In the list of services, select Managed Service for Kubernetes.
    3. Make sure that the Kubernetes cluster was created:
      • The Status column value must be Running.
      • The Health column value must be Healthy.
  2. Create a node group:

    Bash
    PowerShell
    $ yc managed-kubernetes node-group create \
     --name k8s-demo-ng \
     --cluster-name k8s-demo \
     --platform-id standard-v2 \
     --public-ip \
     --cores 2 \
     --memory 4 \
     --core-fraction 50 \
     --disk-type network-ssd \
     --fixed-size 2 \
     --location subnet-name=yc-auto-subnet-0,zone=ru-central1-a \
     --async
    
    > yc managed-kubernetes node-group create `
     --name k8s-demo-ng `
     --cluster-name k8s-demo `
     --platform-id standard-v2 `
     --public-ip `
     --cores 2 `
     --memory 4 `
     --core-fraction 50 `
     --disk-type network-ssd `
     --fixed-size 2 `
     --location subnet-name=yc-auto-subnet-0,zone=ru-central1-a `
     --async
    

Prepare Container Registry resources

Create a registry

Create a container registry:

yc container registry create --name yc-auto-cr

Configure the Docker Credential helper

To facilitate authentication in Container Registry, configure the Docker Credential helper. It lets you use private Yandex.Cloud registries without running the docker login command.

To configure the Credential helper, run the following command:

yc container registry configure-docker

Prepare a Docker image

Build a Docker image and push it to the registry:

  1. Create a Dockerfile named hello.dockerfile and add the following lines to it:

    FROM ubuntu:latest
    CMD echo "Hi, I'm inside"
    
  2. Build a Docker image:

    1. Get the ID of the previously created registry and write it to the variable:

      Bash
      PowerShell
      $ REGISTRY_ID=$(yc container registry get --name yc-auto-cr  --format json | jq .id -r)
      
      > $REGISTRY_ID = (yc container registry get --name yc-auto-cr  --format json | ConvertFrom-Json).id
      
    2. Build a Docker image:

      docker build . -f hello.dockerfile -t cr.yandex/$REGISTRY_ID/ubuntu:hello
      
    3. Push the Docker image to the registry:

      docker push cr.yandex/${REGISTRY_ID}/ubuntu:hello
      
  3. Make sure the Docker image was pushed to the registry:

    yc container image list
    
    +----------------------+---------------------+-----------------------------+-------+-----------------+
    |          ID          |       CREATED       |            NAME             | TAGS  | COMPRESSED SIZE |
    +----------------------+---------------------+-----------------------------+-------+-----------------+
    | crpa2mf008mpjig73rp6 | 2019-11-20 11:52:17 | crp71hkgiolp6677hg9i/ubuntu | hello | 27.5 MB         |
    +----------------------+---------------------+-----------------------------+-------+-----------------+
    

Connect to the Kubernetes cluster

To work with your Kubernetes cluster using kubectl, add the Kubernetes cluster credentials to the kubectl configuration file.

  1. Run the command:

    yc managed-kubernetes cluster get-credentials --external --name k8s-demo
    
  2. Check the kubectl configuration:

    kubectl config view
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
    ...
    
    • By default, credentials are added to the $HOME/.kube/config directory.
    • If you need to change the configuration location, use the --kubeconfig <file path> flag.

Run the test app

Start the pod with the app from the Docker image and make sure that no additional authentication in Container Registry was required to push the Docker image.

  1. Run the pod with the app from the Docker image:

    kubectl run --attach hello-ubuntu --image cr.yandex/${REGISTRY_ID}/ubuntu:hello
    
  2. Find the running pod to see its full name:

    kubectl get po
    
    NAME                            READY   STATUS      RESTARTS   AGE
    hello-ubuntu-5847fb96b4-54g48   0/1     Completed   3          61s
    
  3. Check the logs of the container running on this pod:

    kubectl logs hello-ubuntu-5847fb96b4-54g48
    
    Hi, I'm inside
    

    The pod pushed the Docker image with no additional authentication on the Container Registry side.

Delete the created resources

  1. Delete the Kubernetes cluster:

    yc managed-kubernetes cluster delete --name k8s-demo
    
  2. Delete the service accounts:

    Warning

    Make sure you don't delete any service accounts before deleting the Kubernetes cluster.

    • Delete the service account created for resources:

      yc iam service-account delete --id $RES_SA_ID
      
    • Delete the service account created for nodes:

      yc iam service-account delete --id $NODE_SA_ID
      
  3. Delete the Container Registry resources:

    1. Find the name of the Docker image pushed to the registry:

      Bash
      PowerShell
      $ IMAGE_ID=$(yc container image list --format json | jq .[0].id -r)
      
      > $IMAGE_ID = (yc container image list --format json | ConvertFrom-Json).id
      
    2. Delete the Docker image:

      yc container image delete --id $IMAGE_ID
      
    3. Delete the registry:

      yc container registry delete --name yc-auto-cr
      

See also

  • Docker image
  • Authentication in Container Registry
  • Step-by-step instructions
In this article:
  • Before you start
  • Create service accounts
  • Create a service account for resources
  • Create a service account for nodes
  • Prepare Kubernetes resources
  • Create a Kubernetes cluster
  • Create a node group
  • Prepare Container Registry resources
  • Create a registry
  • Configure the Docker Credential helper
  • Prepare a Docker image
  • Connect to the Kubernetes cluster
  • Run the test app
  • Delete the created resources
Language
Careers
Privacy policy
Terms of use
© 2021 Yandex.Cloud LLC