Connecting a Yandex BareMetal server as an external node to a Yandex Managed Service for Kubernetes cluster

Written by

Updated at November 27, 2025

Required paid resources
Getting started
Creating an external node group
Installing system components on a BareMetal server
- Automated installation
- Semi-automated installation
External node status check
How to cancel a lease and delete resources
See also

Note

Connecting external nodes to a Managed Service for Kubernetes cluster is currently at the Preview stage and free of charge.

You can connect BareMetal servers to a Managed Service for Kubernetes cluster as external nodes using special Kubernetes API resources. The definitions of these resources (CustomResourceDefinitions) are automatically pre-installed to the Managed Service for Kubernetes cluster. These resources allow the cluster to manage connections of nodes located in other Yandex Cloud network segments, e.g., the BareMetal VRF network. Network connectivity between the VRF network of the BareMetal server and the Managed Service for Kubernetes cluster's virtual network is ensured via Yandex Cloud Interconnect.

Required paid resources

The support cost for this solution includes:

Fee for the Managed Service for Kubernetes master (see Yandex Managed Service for Kubernetes pricing).
Fee for Managed Service for Kubernetes standard cluster nodes (if any): use of computing resources and storage (see Yandex Compute Cloud pricing).
VM fee: use of computing resources and storage (see Yandex Compute Cloud pricing).

Note

Your operating system fee depends on its type (see Compute Cloud pricing).
Fee for using a public IP address for a VM (see Yandex Virtual Private Cloud pricing).
BareMetal server lease fee (see Yandex BareMetal pricing).

To connect a BareMetal server as an external node to a Managed Service for Kubernetes cluster:

Getting started

Create a service account with the k8s.clusters.agent, vpc.publicAdmin, and k8s.tunnelClusters.agent roles for the folder you are creating the Managed Service for Kubernetes cluster in.
Create a Managed Service for Kubernetes cluster of any suitable configuration, operating in tunnel mode. When doing so, specify the service account you created earlier.

Warning

Tunnel mode can only be activated at the step of creating a cluster.
Install kubect and configure it to work with the new cluster.
Create a VRF segment and a private BareMetal subnet.
Lease a BareMetal server with an Ubuntu 24.04 OS image and internet access.

You can also use BareMetal servers with other operating systems.
Create a VM.
Create a routing instance.
Create a private connection.

Creating an external node group

Management console

On the Managed Service for Kubernetes cluster page, go to the Node manager tab.
Click Create a node group and then External.
Enter a name for the Managed Service for Kubernetes node group.
In the Node IP addresses field, specify the private IP address of the BareMetal server you are connecting.
Click Add.

Installing system components on a BareMetal server

To connect servers to a Managed Service for Kubernetes cluster, you need to install their system components.

You can install system components in any of the following ways:

Automated installation

With automated installation, the Managed Service for Kubernetes cluster connects to the BareMetal server over SSH and installs all required system components all by itself.

To run an automated installation:

In your Managed Service for Kubernetes cluster, create a secret with a private SSH key for connection to the BareMetal server:
```
kubectl -n yandex-system create secret generic <secret_name> \
  --from-file=ssh-privatekey=<SSH_key_file_path> \
  --type=kubernetes.io/ssh-auth
```
Warning

If you have lost the private SSH key specified when leasing the server, you can add a new public SSH key to the server's root user account.
Specify the name of the secret in the node group specification:
Management console
1. On the Managed Service for Kubernetes cluster page, go to the Node manager tab.
2. Select the new Managed Service for Kubernetes node group from the list.
3. In the top-right corner, click Edit.
4. In the Secret with private SSH key field, select the new secret from the drop-down list.
5. Click Save.

Semi-automated installation

With semi-automated installation, you prepare the BareMetal server manually by installing the maintainer component and setting up access for the Managed Service for Kubernetes cluster. With that done, the maintainer component will automatically download and install the remaining system components.

To run a semi-automated installation:

Use kubectl to get a secret containing kubeconfig for the BareMetal server you are connecting and save it to a file:
```
kubectl -n yandex-system get secret <node_group_name>-maintainer-kube-config \
  -o json | jq -r '.data."kube-config"' | base64 -d > kube.config
```
This secret becomes available after the node group is created in the Managed Service for Kubernetes cluster.

Move the kube.config file to the BareMetal server:

scp kube.config root@<baremetal_server_public_IP>:/

Connect to the BareMetal server:
```
ssh root@<server_public_IP_address>
```

Create a folder named /etc/yandex-maintainer and move the kube.config file into it:

sudo mkdir -p /etc/yandex-maintainer
sudo mv /kube.config /etc/yandex-maintainer/

Run the following commands on the BareMetal server:

sudo mkdir -p /home/kubernetes/bin
sudo curl --output /home/kubernetes/bin/maintainer https://storage.yandexcloud.net/mk8s-maintainer/v1/maintainer
sudo chmod +x /home/kubernetes/bin/maintainer
sudo /home/kubernetes/bin/maintainer install

External node status check

Once the system components are installed, the BareMetal server will initiate the Managed Service for Kubernetes cluster connection.

To make sure the BareMetal server is successfully connected:

Management console

On the Managed Service for Kubernetes cluster page, go to the Node manager tab.
Click the name of the new Managed Service for Kubernetes node group.
Navigate to the Nodes tab.
Check that the new Managed Service for Kubernetes node is now Ready.
Open the new node and go to the Events tab.
Check that all server connection steps have been successful.

How to cancel a lease and delete resources

Some resources are not free of charge. Delete the resources you no longer need to avoid paying for them:

Delete the Managed Service for Kubernetes cluster.
Delete the service accounts you created.
Delete the VM.
Cancel your BareMetal server lease renewal. After canceling the lease, the server will remain active until the paid period ends, after which it will be automatically deleted.
Delete the private connection.

Connecting a Yandex BareMetal server as an external node to a Yandex Managed Service for Kubernetes cluster

Required paid resourcesRequired paid resources

Getting startedGetting started

Creating an external node groupCreating an external node group

Installing system components on a BareMetal serverInstalling system components on a BareMetal server

Automated installationAutomated installation

Semi-automated installationSemi-automated installation

External node status checkExternal node status check

How to cancel a lease and delete resourcesHow to cancel a lease and delete resources

See alsoSee also

Was the article helpful?