Creating a Managed Service for Kubernetes cluster
Create a Managed Service for Kubernetes cluster and then create a node group.
To create a cluster with no internet access, see Creating and configuring a Managed Service for Kubernetes cluster with no internet access.
Getting started
-
Go to the management console. If not signed up yet, navigate to the management console and follow the instructions.
-
On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the
ACTIVEorTRIAL_ACTIVEstatus. If you do not have a billing account yet, create one. -
If you do not have a folder yet, create one.
-
Make sure that the account you are using to create the Managed Service for Kubernetes cluster has all the relevant roles.
-
Make sure you have enough resources available in the cloud.
-
If you do not have a network yet, create one.
-
If you do not have any subnets yet, create them in the availability zones where your Managed Service for Kubernetes cluster and node group will be created.
-
Create service accounts:
- Service account with the
k8s.clusters.agentrole for the folder where your Managed Service for Kubernetes cluster will reside. This service account will be used to create the resources required for the Managed Service for Kubernetes cluster. - Service account with the container-registry.images.puller role for the folder containing the Docker image registry. Nodes will pull the required Docker images from the registry on behalf of this account.
You can use the same service account for both operations.
Note
To create a cluster with tunnel mode, the cluster service account requires the
k8s.tunnelClusters.agentrole. - Service account with the
-
Review the recommendations for using Managed Service for Kubernetes.
Create a Managed Service for Kubernetes cluster
-
In the management console, select the folder where you want to create a Managed Service for Kubernetes cluster.
-
Select Managed Service for Kubernetes.
-
Click Create cluster.
-
Enter a name and description for the Managed Service for Kubernetes cluster. The Managed Service for Kubernetes cluster name must be unique within Yandex Cloud.
-
Specify a Service account for resources to be used to create your resources.
-
Specify a Service account for nodes to be used by the Managed Service for Kubernetes nodes to access the Yandex Container Registry Docker image registry.
-
(Optional) Specify the Encryption key that will be used for encrypting secrets.
Warning
You cannot edit this setting after you create a cluster.
-
Specify a release channel. You cannot edit this setting after you create a Managed Service for Kubernetes cluster.
-
Under Master configuration:
-
In the Kubernetes version field, select the Kubernetes version to be installed on the Managed Service for Kubernetes master.
-
In the Public address field, choose a method for IP address assignment:
Auto: Assign a random IP address from the Yandex Cloud IP pool.No address: Do not assign a public IP address.
-
In the Type of master field, select the Managed Service for Kubernetes master type:
-
Zonal: Master created in a subnet in one availability zone. -
Regional: Master created and distributed in three subnets in each availability zone. -
Select the availability zone to create a Managed Service for Kubernetes master in.
This step is only available for the Managed Service for Kubernetes zonal master.
-
-
In the Cloud network field, select the network to create a Managed Service for Kubernetes master in. If there are no networks available, create one.
Note
If you select a cloud network from another folder, assign the resource service account the following roles in this folder:
To use a public IP address, also assign the vpc.publicAdmin role.
-
In the Subnet field, select the subnet to create a Managed Service for Kubernetes master in. If there are no subnets available, create one.
For the Managed Service for Kubernetes regional master, specify a subnet in each availability zone.
-
Select security groups for the Managed Service for Kubernetes cluster's network traffic.
Warning
The configuration of security groups determines cluster performance, availability, and services running in the cluster.
-
-
Under Maintenance window settings:
- In the Maintenance frequency / Disable field, configure the maintenance window:
Disabled: Automatic updates disabled.Anytime: Updates allowed at any time.Daily: Updates will take place within the time interval specified in the Time (UTC) and duration field.On selected days: Updates will take place within the time interval specified in the Weekly schedule field.
- In the Maintenance frequency / Disable field, configure the maintenance window:
-
Under Cluster network settings:
- (Optional) Select the network policy controller:
- Enable network policy to use Calico.
- Enable tunnel mode to use Cilium.
- Specify the CIDR cluster, which is a range of IP addresses to allocate pod IPs from.
- Specify the CIDR services, which is a range of IP addresses to allocate service IPs from.
- Set the Managed Service for Kubernetes node subnet mask and the maximum number of pods per node.
- (Optional) Select the network policy controller:
-
Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To create a cluster:
-
Specify the Managed Service for Kubernetes cluster parameters in the create command (the example below does not list all possible parameters):
yc managed-kubernetes cluster create \ --name test-k8s \ --network-name default \ --zone ru-central1-a \ --subnet-name default-a \ --public-ip \ --release-channel regular \ --version 1.13 \ --cluster-ipv4-range 10.1.0.0/16 \ --service-ipv4-range 10.2.0.0/16 \ --security-group-ids enpe5sdn7vs5********,enpj6c5ifh75******** \ --service-account-name default-sa \ --node-service-account-name default-sa \ --daily-maintenance-window start=22:00,duration=10hWhere:
-
--name: Managed Service for Kubernetes cluster name. -
--network-name: Network name.Note
If you select a cloud network from another folder, assign the resource service account the following roles in this folder:
To use a public IP address, also assign the vpc.publicAdmin role.
-
--zone: Availability zone. -
--subnet-name: Subnet name. -
--public-ip: Flag indicating that the Managed Service for Kubernetes cluster needs a public IP address. -
--release-channel: Release channel. -
--version: Kubernetes version. -
--cluster-ipv4-range: Range of IP addresses for allocating pod addresses. -
--service-ipv4-range: Range of IP addresses for allocating service addresses. -
--security-group-ids: List of Managed Service for Kubernetes cluster security group IDs.Warning
The configuration of security groups determines cluster performance, availability, and services running in the cluster.
-
--service-account-id: Unique ID of the service account for the resources. This service account will be used to create the resources required for the Managed Service for Kubernetes cluster. -
--node-service-account-id: Unique ID of the service account for the nodes. Nodes will pull the required Docker images from the registry on behalf of this account. -
--daily-maintenance-window: Maintenance window settings.
Result:
done (5m47s) id: cathn0s6qobf******** folder_id: b1g66jflru0e******** ... service_account_id: aje3932acd0c******** node_service_account_id: aje3932acd0c******** release_channel: REGULAR -
-
To enable the Calico network policy controller, set the
--enable-network-policyflag in the Managed Service for Kubernetes cluster create command:yc managed-kubernetes cluster create \ ... --enable-network-policy -
To use the Yandex Key Management Service encryption key for protecting sensitive data, provide the key name or ID in the Managed Service for Kubernetes cluster creation command:
yc managed-kubernetes cluster create \ ... --kms-key-name <encryption_key_name> \ --kms-key-id <encryption_key_ID>Warning
You cannot edit this setting after you create a cluster.
-
To enable sending logs to Yandex Cloud Logging, provide the logging settings in the
--master-loggingproperty of the Managed Service for Kubernetes cluster create command:yc managed-kubernetes cluster create \ ... --master-logging enabled=<send_logs>,` `log-group-id=<log_group_ID>,` `folder-id=<folder_ID>,` `kube-apiserver-enabled=<send_kube-apiserver_logs>,` `cluster-autoscaler-enabled=<send_cluster-autoscaler_logs>,` `events-enabled=<send_Kubernetes_events>` `audit-enabled=<send_audit_events>Where:
enabled: Flag that enables log sending,trueorfalse.log-group-id: ID of the log group to send the logs to.folder-id: ID of the folder to send the logs to. The logs will be sent to the log group of the default folder.kube-apiserver-enabled: Flag that enables kube-apiserver log sending,trueorfalse.cluster-autoscaler-enabled: Flag that enablescluster-autoscalerlog sending,trueorfalse.events-enabled: Flag that enables Kubernetes event sending,trueorfalse.audit-enabled: Flag that enables audit event sending,trueorfalse.
If log sending is enabled but neither
log-group-idnorfolder-idis specified, the logs will be sent to the default log group of the folder with the Managed Service for Kubernetes cluster. You cannot set bothlog-group-idandfolder-idat the same time.
Terraform allows you to quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. Configuration files store the infrastructure description in the HashiCorp Configuration Language (HCL). Terraform and its providers are distributed under the Business Source License.
For more information about the provider resources, see the documentation on the Terraform website or the mirror.
If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
To create a Managed Service for Kubernetes cluster:
-
In the configuration file, describe the parameters of the resources you want to create:
-
Managed Service for Kubernetes cluster: Cluster description.
-
Network: Description of the cloud network to host the Managed Service for Kubernetes cluster. If you already have a suitable network, you do not need to describe it again.
Note
If you select a cloud network from another folder, assign the resource service account the following roles in this folder:
To use a public IP address, also assign the vpc.publicAdmin role.
-
Subnets: Description of the subnets to connect the Managed Service for Kubernetes cluster hosts to. If you already have suitable subnets, you do not need to describe them again.
-
Service account for the Managed Service for Kubernetes cluster and nodes and role settings for this account. Create separate service accounts for the Managed Service for Kubernetes cluster and nodes, as required. If you already have a suitable service account, you do not need to describe it again.
Here is an example of the configuration file structure:
resource "yandex_kubernetes_cluster" "<Managed_Service_for_Kubernetes_cluster_name>" { network_id = yandex_vpc_network.<network_name>.id master { master_location { zone = yandex_vpc_subnet.<subnet_name>.zone subnet_id = yandex_vpc_subnet.<subnet_name>.id } } service_account_id = yandex_iam_service_account.<service_account_name>.id node_service_account_id = yandex_iam_service_account.<service_account_name>.id depends_on = [ yandex_resourcemanager_folder_iam_member.editor, yandex_resourcemanager_folder_iam_member.images-puller ] } resource "yandex_vpc_network" "<network_name>" { name = "<network_name>" } resource "yandex_vpc_subnet" "<subnet_name>" { v4_cidr_blocks = ["<subnet_IP_address_range>"] zone = "<availability_zone>" network_id = yandex_vpc_network.<network_name>.id } resource "yandex_iam_service_account" "<service_account_name>" { name = "<service_account_name>" description = "<service_account_description>" } resource "yandex_resourcemanager_folder_iam_member" "editor" { # The service account gets the editor role. folder_id = "<folder_ID>" role = "editor" member = "serviceAccount:${yandex_iam_service_account.<service_account_name>.id}" } resource "yandex_resourcemanager_folder_iam_member" "images-puller" { # The service account gets the "container-registry.images.puller" role. folder_id = "<folder_ID>" role = "container-registry.images.puller" member = "serviceAccount:${yandex_iam_service_account.<service_account_name>.id}" }To enable sending logs to Yandex Cloud Logging, add the
master_loggingsection to the Managed Service for Kubernetes cluster description:resource "yandex_kubernetes_cluster" "<cluster_name>" { ... master { ... master_logging { enabled = <log_sending> log_group_id = "<log_group_ID>" folder_id = "<folder_ID>" kube_apiserver_enabled = <kube-apiserver_log_sending> cluster_autoscaler_enabled = <cluster-autoscaler_log_sending> events_enabled = <Kubernetes_event_sending> audit_enabled = <audit_event_sending> } } }Where:
enabled: Flag that enables log sending,trueorfalse.log_group_id: ID of the log group to send the logs to.folder_id: ID of the folder to send the logs to. The logs will be sent to the log group of the default folder.kube_apiserver_enabled: Flag that enables kube-apiserver log sending,trueorfalse.cluster_autoscaler_enabled: Flag that enablescluster-autoscalerlog sending,trueorfalse.events_enabled: Flag that enables Kubernetes event sending,trueorfalse.audit_enabled: Flag that enables audit event sending,trueorfalse.
If log sending is enabled but neither
log_group_idnorfolder_idis specified, the logs will be sent to the default log group of the folder with the Managed Service for Kubernetes cluster. You cannot set bothlog_group_idandfolder_idat the same time.For more information, see the Terraform provider documentation.
-
-
Make sure the configuration files are correct.
-
In the command line, go to the folder where you created the configuration file.
-
Run a check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out. This is a test step; no resources will be created.
-
-
Create a Managed Service for Kubernetes cluster.
-
If the configuration does not contain any errors, run this command:
terraform apply -
Confirm that you want to create the resources.
After this, all required resources will be created in the specified folder and the IP addresses of the VMs will be displayed in the terminal. You can check the new resources and their configuration using the management console.
-
To create a Managed Service for Kubernetes cluster, use the create method for the Cluster resource.
Note
If you select a cloud network from another folder, assign the resource service account the following roles in this folder:
To use a public IP address, also assign the vpc.publicAdmin role.
To use a Yandex Key Management Service encryption key to protect secrets, provide its ID in the kmsProvider.keyId parameter.
To enable sending logs to Yandex Cloud Logging, provide the logging settings in the masterSpec.masterLogging parameter.
Examples
Creating a zonal Managed Service for Kubernetes cluster
Create a Managed Service for Kubernetes cluster and a network for it with the following test specifications:
-
Name:
k8s-zonal. -
Folder ID:
b1gia87mbaomkfvsleds. -
Network:
mynet. -
Subnet:
mysubnet. Its network settings are as follows:- Availability zone:
ru-central1-a. - Range:
10.1.0.0/16.
- Availability zone:
-
Service account:
myaccount. -
Service account roles:
k8s.clusters.agent,vpc.publicAdmin,container-registry.images.puller, andkms.keys.encrypterDecrypter. -
Yandex Key Management Service encryption key:
kms-key. -
Security group:
k8s-public-services. It contains rules for connecting to services from the internet.
Install Terraform (unless you already have it), configure the provider according to this guide, and apply the configuration file:
locals {
folder_id = "b1gia87mbaomkfvsleds"
}
resource "yandex_kubernetes_cluster" "k8s-zonal" {
name = "k8s-zonal"
network_id = yandex_vpc_network.mynet.id
master {
master_location {
zone = yandex_vpc_subnet.mysubnet.zone
subnet_id = yandex_vpc_subnet.mysubnet.id
}
security_group_ids = [yandex_vpc_security_group.k8s-public-services.id]
}
service_account_id = yandex_iam_service_account.myaccount.id
node_service_account_id = yandex_iam_service_account.myaccount.id
depends_on = [
yandex_resourcemanager_folder_iam_member.k8s-clusters-agent,
yandex_resourcemanager_folder_iam_member.vpc-public-admin,
yandex_resourcemanager_folder_iam_member.images-puller,
yandex_resourcemanager_folder_iam_member.encrypterDecrypter
]
kms_provider {
key_id = yandex_kms_symmetric_key.kms-key.id
}
}
resource "yandex_vpc_network" "mynet" {
name = "mynet"
}
resource "yandex_vpc_subnet" "mysubnet" {
name = "mysubnet"
v4_cidr_blocks = ["10.1.0.0/16"]
zone = "ru-central1-a"
network_id = yandex_vpc_network.mynet.id
}
resource "yandex_iam_service_account" "myaccount" {
name = "zonal-k8s-account"
description = "K8S zonal service account"
}
resource "yandex_resourcemanager_folder_iam_member" "k8s-clusters-agent" {
# The service account gets the "k8s.clusters.agent" role.
folder_id = local.folder_id
role = "k8s.clusters.agent"
member = "serviceAccount:${yandex_iam_service_account.myaccount.id}"
}
resource "yandex_resourcemanager_folder_iam_member" "vpc-public-admin" {
# The service account gets the "vpc.publicAdmin" role.
folder_id = local.folder_id
role = "vpc.publicAdmin"
member = "serviceAccount:${yandex_iam_service_account.myaccount.id}"
}
resource "yandex_resourcemanager_folder_iam_member" "images-puller" {
# The service account gets the "container-registry.images.puller" role.
folder_id = local.folder_id
role = "container-registry.images.puller"
member = "serviceAccount:${yandex_iam_service_account.myaccount.id}"
}
resource "yandex_resourcemanager_folder_iam_member" "encrypterDecrypter" {
# The service account gets the "kms.keys.encrypterDecrypter" role.
folder_id = local.folder_id
role = "kms.keys.encrypterDecrypter"
member = "serviceAccount:${yandex_iam_service_account.myaccount.id}"
}
resource "yandex_kms_symmetric_key" "kms-key" {
# A Yandex Key Management Service key for encrypting critical information, including passwords, OAuth tokens, and SSH keys.
name = "kms-key"
default_algorithm = "AES_128"
rotation_period = "8760h" # 1 year.
}
resource "yandex_vpc_security_group" "k8s-public-services" {
name = "k8s-public-services"
description = "Group rules allow connections to services from the internet. Apply the rules for node groups only."
network_id = yandex_vpc_network.mynet.id
ingress {
protocol = "TCP"
description = "The rule allows availability checks from the load balancer's range of addresses. It is required for the operation of a fault-tolerant Managed Service for Kubernetes cluster and load balancer services."
predefined_target = "loadbalancer_healthchecks"
from_port = 0
to_port = 65535
}
ingress {
protocol = "ANY"
description = "The rule allows master-to-node and node-to-node communication inside a security group."
predefined_target = "self_security_group"
from_port = 0
to_port = 65535
}
ingress {
protocol = "ANY"
description = "The rule allows sub-sub and service-service interactions. Specify the subnets of your Managed Service for Kubernetes cluster and services."
v4_cidr_blocks = concat(yandex_vpc_subnet.mysubnet.v4_cidr_blocks)
from_port = 0
to_port = 65535
}
ingress {
protocol = "ICMP"
description = "The rule allows debug ICMP packets from internal subnets."
v4_cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
}
ingress {
protocol = "TCP"
description = "The rule allows incoming traffic from the internet to a range of NodePorts. Add ports or change existing ones to the required ports."
v4_cidr_blocks = ["0.0.0.0/0"]
from_port = 30000
to_port = 32767
}
egress {
protocol = "ANY"
description = "The rule allows all outgoing traffic. Nodes can connect to Yandex Container Registry, Yandex Object Storage, Docker Hub, etc."
v4_cidr_blocks = ["0.0.0.0/0"]
from_port = 0
to_port = 65535
}
}
Creating a regional Managed Service for Kubernetes cluster
Create a Managed Service for Kubernetes cluster and a network for it with the following test specifications:
-
Name:
k8s-regional. -
Folder ID:
b1gia87mbaomkfvsleds. -
Network:
my-regional-net. -
Subnet:
mysubnet-a. Its network settings are as follows:- Availability zone:
ru-central1-a. - Range:
10.5.0.0/16.
- Availability zone:
-
Subnet:
mysubnet-b. Its network settings are as follows:- Availability zone:
ru-central1-b. - Range:
10.6.0.0/16.
- Availability zone:
-
Subnet:
mysubnet-d. Its network settings are as follows:- Availability zone:
ru-central1-d. - Range:
10.7.0.0/16.
- Availability zone:
-
Service account:
regional-k8s-account. -
Service account roles:
k8s.clusters.agent,vpc.publicAdmin,container-registry.images.pullerandkms.keys.encrypterDecrypter. -
Yandex Key Management Service encryption key:
kms-key. -
Security group:
regional-k8s-sg. It contains rules for service traffic.
Install Terraform (unless you already have it), configure the provider according to this guide, and apply the configuration file:
locals {
folder_id = "b1gia87mbaomkfvsleds"
}
resource "yandex_kubernetes_cluster" "k8s-regional" {
name = "k8s-regional"
network_id = yandex_vpc_network.my-regional-net.id
master {
master_location {
zone = yandex_vpc_subnet.mysubnet-a.zone
subnet_id = yandex_vpc_subnet.mysubnet-a.id
}
master_location {
zone = yandex_vpc_subnet.mysubnet-b.zone
subnet_id = yandex_vpc_subnet.mysubnet-b.id
}
master_location {
zone = yandex_vpc_subnet.mysubnet-d.zone
subnet_id = yandex_vpc_subnet.mysubnet-d.id
}
security_group_ids = [yandex_vpc_security_group.regional-k8s-sg.id]
}
service_account_id = yandex_iam_service_account.my-regional-account.id
node_service_account_id = yandex_iam_service_account.my-regional-account.id
depends_on = [
yandex_resourcemanager_folder_iam_member.k8s-clusters-agent,
yandex_resourcemanager_folder_iam_member.vpc-public-admin,
yandex_resourcemanager_folder_iam_member.images-puller,
yandex_resourcemanager_folder_iam_member.encrypterDecrypter
]
kms_provider {
key_id = yandex_kms_symmetric_key.kms-key.id
}
}
resource "yandex_vpc_network" "my-regional-net" {
name = "my-regional-net"
}
resource "yandex_vpc_subnet" "mysubnet-a" {
name = "mysubnet-a"
v4_cidr_blocks = ["10.5.0.0/16"]
zone = "ru-central1-a"
network_id = yandex_vpc_network.my-regional-net.id
}
resource "yandex_vpc_subnet" "mysubnet-b" {
name = "mysubnet-b"
v4_cidr_blocks = ["10.6.0.0/16"]
zone = "ru-central1-b"
network_id = yandex_vpc_network.my-regional-net.id
}
resource "yandex_vpc_subnet" "mysubnet-d" {
name = "mysubnet-d"
v4_cidr_blocks = ["10.7.0.0/16"]
zone = "ru-central1-d"
network_id = yandex_vpc_network.my-regional-net.id
}
resource "yandex_iam_service_account" "my-regional-account" {
name = "regional-k8s-account"
description = "K8S regional service account"
}
resource "yandex_resourcemanager_folder_iam_member" "k8s-clusters-agent" {
# The service account gets the "k8s.clusters.agent" role.
folder_id = local.folder_id
role = "k8s.clusters.agent"
member = "serviceAccount:${yandex_iam_service_account.my-regional-account.id}"
}
resource "yandex_resourcemanager_folder_iam_member" "vpc-public-admin" {
# The service account gets the "vpc.publicAdmin" role.
folder_id = local.folder_id
role = "vpc.publicAdmin"
member = "serviceAccount:${yandex_iam_service_account.my-regional-account.id}"
}
resource "yandex_resourcemanager_folder_iam_member" "images-puller" {
# The service account gets the "container-registry.images.puller" role.
folder_id = local.folder_id
role = "container-registry.images.puller"
member = "serviceAccount:${yandex_iam_service_account.my-regional-account.id}"
}
resource "yandex_resourcemanager_folder_iam_member" "encrypterDecrypter" {
# The service account gets the "kms.keys.encrypterDecrypter" role.
folder_id = local.folder_id
role = "kms.keys.encrypterDecrypter"
member = "serviceAccount:${yandex_iam_service_account.my-regional-account.id}"
}
resource "yandex_kms_symmetric_key" "kms-key" {
# A Yandex Key Management Service key for encrypting critical information, including passwords, OAuth tokens, and SSH keys.
name = "kms-key"
default_algorithm = "AES_128"
rotation_period = "8760h" # 1 year.
}
resource "yandex_vpc_security_group" "regional-k8s-sg" {
name = "regional-k8s-sg"
description = "Group rules ensure the basic performance of the Managed Service for Kubernetes cluster. Apply it to the cluster and node groups."
network_id = yandex_vpc_network.my-regional-net.id
ingress {
protocol = "TCP"
description = "The rule allows availability checks from the load balancer's range of addresses. It is required for the operation of a fault-tolerant Managed Service for Kubernetes cluster and load balancer services."
predefined_target = "loadbalancer_healthchecks"
from_port = 0
to_port = 65535
}
ingress {
protocol = "ANY"
description = "The rule allows master-to-node and node-to-node communication inside a security group."
predefined_target = "self_security_group"
from_port = 0
to_port = 65535
}
ingress {
protocol = "ANY"
description = "The rule allows sub-sub and service-service interactions. Specify the subnets of your Managed Service for Kubernetes cluster and services."
v4_cidr_blocks = concat(yandex_vpc_subnet.mysubnet-a.v4_cidr_blocks, yandex_vpc_subnet.mysubnet-b.v4_cidr_blocks, yandex_vpc_subnet.mysubnet-d.v4_cidr_blocks)
from_port = 0
to_port = 65535
}
ingress {
protocol = "ICMP"
description = "The rule allows debug ICMP packets from internal subnets."
v4_cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
}
ingress {
protocol = "TCP"
description = "The rule allows incoming traffic from the internet to a range of NodePorts. Add ports or change existing ones to the required ports."
v4_cidr_blocks = ["0.0.0.0/0"]
from_port = 30000
to_port = 32767
}
egress {
protocol = "ANY"
description = "The rule allows all outgoing traffic. Nodes can connect to Yandex Container Registry, Yandex Object Storage, Docker Hub, etc."
v4_cidr_blocks = ["0.0.0.0/0"]
from_port = 0
to_port = 65535
}
}