Contact UsGet started

Connecting to a node over SSH

Written by
Updated at May 5, 2025

To connect to a Managed Service for Kubernetes cluster node over SSH:

  • Add the public key to the metadata when creating a Managed Service for Kubernetes node group.

    Note

    SSH connection using a login and password is disabled by default on Linux images that are used on Managed Service for Kubernetes nodes.

  • Configure security groups for the Managed Service for Kubernetes cluster.

    Warning

    Security group settings may prevent connection to the Managed Service for Kubernetes cluster.

For more information, see Connecting to a VM via SSH.

Individual nodes in node groups are Yandex Compute Cloud virtual machines with automatically generated names. To configure nodes, follow the instructions below or other node group management guides.

Alert

Do not change node VM settings, including names, network interfaces, and SSH keys, using the Compute Cloud interfaces or SSH connections to the VM.

This can disrupt the operation of individual nodes, groups of nodes, and the whole Managed Service for Kubernetes cluster.

Create SSH key pairs

Prepare the keys for use with your Managed Service for Kubernetes cluster node. To do this:

  1. Open the terminal.

  2. Use the ssh-keygen command to create a new key:

    ssh-keygen -t ed25519

    After you run the command, you will be asked to specify the names of files where the keys will be saved and enter the password for the private key. The default name is id_ed25519. Keys are created in the ~/.ssh directory.

    The public part of the key will be saved to a file named <key name>.pub.

  1. Run cmd.exe or powershell.exe.

  2. Use the ssh-keygen command to create a new key. Run this command:

    ssh-keygen -t ed25519

    After you run the command, you will be asked to specify the names of files where the keys will be saved and enter the password for the private key. The default name is id_ed25519. Keys are created in the C:\Users\<username>\.ssh\ directory.

    The public part of the key will be saved to a file named <key name>.pub.

Create keys using the PuTTY app:

  1. Download and install PuTTY.

  2. Add the folder with PuTTY to the PATH variable:

    1. Click Start and type Change system environment variables in the Windows search bar.
    2. Click Environment Variables... at the bottom right.
    3. In the window that opens, find the PATH parameter and click Edit.
    4. Add your folder path to the list.
    5. Click OK.

  3. Launch the PuTTYgen app.

  4. Select Ed25519 as the pair type to generate. Click Generate and move the cursor in the field above it until key creation is complete.

    ssh_generate_key

  5. In Key passphrase, enter a strong password. Enter it again in the field below.

  6. Click Save private key and save the private key. Do not share its key phrase with anyone.

  7. Save the key in a text file in a single line. To do this, copy the public key from the text field to a text file named id_ed25519.pub.

Convert the public key to the metadata format

The credentials for connecting to the Managed Service for Kubernetes cluster nodes over SSH are the username and public key. These credentials are provided using metadata in a specific format.

The previously created public key has the following format:

<key_type> <public_key_body> <optional_comment>

Example:

ssh-ed25519 AAAAB3NzaC***********lP1ww ed25519-key-20190412

Create a file with credentials for connecting over SSH in the following format:

<username>:<key_type> <public_key_body> <username>

Example:

testuser:ssh-ed25519 AAAAB3NzaC***********lP1ww testuser

This format is suitable for creating and updating a Managed Service for Kubernetes node group using the CLI, Terraform, and API interfaces, and for updating a node group using the management console. When creating a node group, separate Login and SSH key fields are used in the management console.

You can provide credentials for multiple users in one file.

Example:

testuser1:ssh-ed25519 AAAAB3NzaC***********lP1ww testuser1
testuser2:ssh-ed25519 ONEMOREkey***********avEHw testuser2

Create a node group and add the public key

  1. In the management console, go to the folder page and select Managed Service for Kubernetes.
  2. Select the Managed Service for Kubernetes cluster.
  3. In the left-hand panel, select Node manager.
  4. Click Create a node group.
  5. Set the node group parameters.
  6. Under Access, specify the information required to access the Managed Service for Kubernetes node:
    • Under Login, enter the username.
    • In the SSH key field, paste the contents of the public key file.
  7. Click Create.

Metadata with credentials for connecting over SSH is provided to the Managed Service for Kubernetes node group as key=value pairs.

Warning

The user-data VM metadata key is not supported for user data transmission. Use the ssh-keys key to provide parameters for SSH connections.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

To create a Managed Service for Kubernetes node group and provide user credentials for connecting over SSH, run the following command:

yc managed-kubernetes node-group create \
  --name <node_group_name> \
  --cluster-name <cluster_name> \
  --fixed-size <node_number_in_group> \
  --network-interface security-group-ids=[<list_of_security_groups>],subnets=<subnet_name>,ipv4-address=nat \
  --metadata-from-file ssh-keys=<credentials_file_path>

Where --metadata-from-file is the parameter to transfer metadata to the node group as key=value pairs. In ssh-keys, specify the path to the file with credentials for connecting over SSH.

Metadata with credentials for connecting over SSH is provided to the Managed Service for Kubernetes node group as key=value pairs.

Warning

The user-data VM metadata key is not supported for user data transmission. Use the ssh-keys key to provide parameters for SSH connections.

  1. Create a Terraform configuration file describing the Managed Service for Kubernetes node group by following the steps described in Creating a node group.

  2. In the node group description, set the ssh-keys metadata key value for the instance_template.metadata parameter:

    resource "yandex_kubernetes_node_group" "<node_group_name>" {
  cluster_id = yandex_kubernetes_cluster.<cluster_name>.id
  ...
  instance_template {
    metadata = {
      "ssh-keys" = file("<credentials_file_path>")
      ...
    }
    ...
  }
  ...
}

  3. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see the Terraform provider documentation.

Metadata with credentials for connecting over SSH is provided to the Managed Service for Kubernetes node group as key=value pairs.

Warning

The user-data VM metadata key is not supported for user data transmission. Use the ssh-keys key to provide parameters for SSH connections.

To provide multiple credentials for connecting over SSH, convert the contents of the credentials file to a single line by separating the credentials from each other with a sequence of special CRLF characters (\r\n). You cannot use multiline messages in an API request with a JSON body.

Example of converted credentials:

testuser1:ssh-ed25519 AAAAB3NzaC***********lP1ww testuser1\r\ntestuser2:ssh-ed25519 ONEMOREkey***********avEHw testuser2

Use the create REST API method for the NodeGroup resource or the NodeGroupService/Create gRPC API call.

Credentials for connecting over SSH are provided in the nodeTemplate.metadata parameter in ssh-keys.

For more information about creating a Managed Service for Kubernetes node group and parameters to provide, see Creating a node group.

Update node group keys

To change the credentials for connecting over SSH to a Managed Service for Kubernetes node group, update its metadata.

Warning

The credentials for connecting over SSH will be completely overwritten. You will not be able to connect to the Managed Service for Kubernetes cluster nodes using the previous credentials.

Warning

After you change the metadata using the management console, the node group status will temporarily change to Reconciling: all the group's nodes will be recreated for the changes to take effect.

  1. In the management console, go to the folder page and select Managed Service for Kubernetes.
  2. Select the Managed Service for Kubernetes cluster.
  3. In the left-hand panel, select Node manager.
  4. On the Node group tab, select the node group in which you want to update the credentials.
  5. In the top panel, click Edit.
  6. Open Metadata.
  7. Replace the current value of ssh-keys with the contents of the credentials file.
  8. Click Save.

  1. View the description of the CLI command for adding and updating the Managed Service for Kubernetes node group metadata:

    yc managed-kubernetes node-group add-metadata --help

  2. Run this command:

    yc managed-kubernetes node-group add-metadata \
  --name <node_group_name> \
  --metadata-from-file ssh-keys=<credentials_file_path>

    You can request the name of a node group with the list of node groups in the folder.

  1. Open the Terraform configuration file describing the Managed Service for Kubernetes node group.

    For more information about creating this file, see Creating a node group.

  2. In the node group description, change the value of the ssh-keys metadata key for the instance_template.metadata parameter:

    resource "yandex_kubernetes_node_group" "<node_group_name>" {
  cluster_id = yandex_kubernetes_cluster.<cluster_name>.id
  ...
  instance_template {
    metadata = {
      "ssh-keys" = file("<credentials_file_path>")
      ...
    }
    ...
  }
  ...
}

  3. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see the Terraform provider documentation.

  1. To provide multiple credentials for connecting over SSH, convert the contents of the credentials file to a single line by separating the credentials from each other with a sequence of special CRLF characters (\r\n). You cannot use multiline messages in an API request with a JSON body.

    Example of converted credentials:

    testuser1:ssh-ed25519 AAAAB3NzaC***********lP1ww testuser1\r\ntestuser2:ssh-ed25519 ONEMOREkey***********avEHw testuser2

  2. Get all the existing metadata for the node group using the get REST API method for the NodeGroup resource, and provide the node group ID in the nodeGroupId request parameter.

    You can request the name of a node group with a list of node groups in the folder.

    The metadata will be listed as key=value pairs in the nodeTemplate.metadata field of the response.

  3. Use the update REST API method for the NodeGroup resource and include the following in the request:

    • Node group ID in the nodeGroupId parameter.

    • updateMask parameter set to nodeTemplate.metadata.

      Warning

      The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    • nodeTemplate.metadata listing all existing node group metadata as key=value pairs without modification.

      For ssh-keys, replace the current value with the created line with credentials.

      Example of listing metadata in a parameter

      • Existing metadata keys in a node group:

        "nodeTemplate": {
    "metadata": {
        "ssh-keys": "<existing_credentials_in_single_line>",
        "<existing_key_1>": "<existing_value_1>",
        "<existing_key_2>": "<existing_value_2>"
    },
    ...
}

      • Metadata keys to provide in an API request:

        "nodeTemplate": {
    "metadata": {
        "ssh-keys": "<new_credentials_in_single_line>",
        "<existing_key_1>": "<existing_value_1>",
        "<existing_key_2>": "<existing_value_2>"
    }
}

      Alert

      Any metadata not listed in the nodeTemplate.metadata parameter will be deleted.

      Then the node group status will temporarily change to Reconciling: all the nodes in the group will be recreated for the changes to apply.

Get the public IP address of the node

To connect to a Managed Service for Kubernetes cluster node, specify the public IP address of a Managed Service for Kubernetes node. You can find it using one of the following methods.

  1. Open the Compute Cloud section in the folder where you created your Managed Service for Kubernetes cluster.
  2. In the left-hand panel, select Instance groups.
  3. Click the instance group with the name that matches the Managed Service for Kubernetes node group ID.
  4. In the window that opens, go to the Virtual machines tab.
  5. Click the VM that you want to find the public address for.
  6. The public IP address is shown in the Network section in Public IPv4 address.

  1. Find out the ID of the instance group that corresponds to the Managed Service for Kubernetes node group.

    The ID is shown in the INSTANCE GROUP ID column.

    yc managed-kubernetes node-group list

    Result:

    +----------------------+----------------------+----------------+----------------------+---------------------+---------+------+
|          ID          |      CLUSTER ID      |      NAME      |  INSTANCE GROUP ID   |     CREATED AT      | STATUS  | SIZE |
+----------------------+----------------------+----------------+----------------------+---------------------+---------+------+
| cat684ojo3ir******** | cata9ertn6tc******** | test-nodegroup | cl17i6943n92******** | 2019-04-12 12:38:35 | RUNNING |    2 |
+----------------------+----------------------+----------------+----------------------+---------------------+---------+------+

  2. View the list of Managed Service for Kubernetes nodes that belong to this group.

    The public IP address of the Managed Service for Kubernetes node is shown in the IP column after ~.

    yc compute instance-group list-instances cl17i6943n92********

    Result:

    +----------------------+---------------------------+--------------------------+---------------+----------------+
|     INSTANCE ID      |           NAME            |            IP            |    STATUS     | STATUS MESSAGE |
+----------------------+---------------------------+--------------------------+---------------+----------------+
| ef31h24k03pg******** | cl17i6943n92********-itif | 10.0.0.27~84.201.145.251 | RUNNING [53m] |                |
| ef37ddhg9i7j******** | cl17i6943n92********-ovah | 10.0.0.22~84.201.149.184 | RUNNING [53m] |                |
+----------------------+---------------------------+--------------------------+---------------+----------------+

  1. Install kubect and configure it to work with the new cluster.

  2. Run this command:

    kubectl get nodes -o wide

    Result:

    NAME                       STATUS  ROLES   AGE  VERSION  INTERNAL-IP  EXTERNAL-IP     OS-IMAGE            KERNEL-VERSION     CONTAINER-RUNTIME
cl17i6943n92********-itif  Ready   <none>  31m  v1.13.3  10.0.0.27    84.201.145.251  Ubuntu 18.04.1 LTS  4.15.0-29-generic  docker://18.6.2
cl17i6943n92********-ovah  Ready   <none>  31m  v1.13.3  10.0.0.22    84.201.149.184  Ubuntu 18.04.1 LTS  4.15.0-29-generic  docker://18.6.2

    The public IP address is listed in the EXTERNAL-IP column.

Connect to the node

You can connect to a Managed Service for Kubernetes node over SSH once it is started (with the RUNNING status). To do this, use ssh in Linux or macOS, or PuTTY in Windows.

In the terminal, run the following command, specifying the username and public IP address of the node:

ssh <username>@<node_public_IP_address>

If you provided SSH connection credentials when you created the node group using the management console, use the username you specified in the Login field.

If you provided SSH connection credentials when you created the node group using the CLI, Terraform, API, or updated the credentials, use the username that you specified in the SSH connection credentials file.

If this is your first time connecting to a Managed Service for Kubernetes node, you may get an unknown host warning:

The authenticity of host '130.193.40.101 (130.193.40.101)' can't be established.
ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHk********.
Are you sure you want to continue connecting (yes/no)?

Type yes in the terminal and press Enter.

In Windows, a connection is established using the PuTTY application.

  1. Run Pageant.
    1. Right-click the Pageant icon in the task bar.
    2. In the context menu, select Add key.
    3. Select a PuTTY-generated private key in .ppk format. Enter the password for this key, if any.
  2. Run PuTTY.

    1. In the Host Name (or IP address) field, enter the public IP address of the VM you want to connect to. Set the port to 22 and connection type to SSH.

      ssh_add_ip

    2. In the tree on the left, select Connection - SSH - Auth.

    3. Enable Allow agent forwarding.

    4. In the Private key file for authentication field, select the private key file.

      ssh_choose_private_key

    5. Go back to the Sessions menu. In the Saved sessions field, enter any name for the session and click Save. This will save the session settings under the specified name. You can use this session profile to connect with Pageant.

      ssh_save_session

    6. Click Open. If connecting to the Managed Service for Kubernetes node for the first time, you may get an unknown host warning:

      ssh_unknown_host_warning

      Click Yes. This will open a terminal window prompting you to enter the username to use for connection.

      Enter the username:

      Click Enter. If everything is configured correctly, a connection to the server will be established.

      ssh_login

If you saved the session profile in PuTTY, you can use Pageant for future connections:

  1. Right-click the pageant icon in the task bar.
  2. Select Saved sessions.
  3. In the saved sessions list, select the session you need.
Previous
All guides
Next
Connecting to a node via OS Login