Granting access to an application running in a Kubernetes cluster
To grant access to an application running in a Kubernetes cluster, you can use various types of public and internal services.
To publish an application, use a LoadBalancer type service. The following options are supported:
- Public access by IP address with a network load balancer.
- Access from internal networks by IP address with an internal network load balancer.
The application will be available:
- From Yandex Virtual Private Cloud subnets.
- From your corporate internal subnets connected to Yandex Cloud via Yandex Cloud Interconnect.
- Via VPN.
When using an external load balancer, you can specify a static public IP address in the loadBalancerIP field. You need to reserve such an address in advance. When reserving a public IP address, you can enable DDoS protection. If you do not specify a static public IP address, the network load balancer will get a dynamic public IP address.
Note
Unlike an IP address of a pod or node, which may change if node group resources are updated, the static public IP address of a LoadBalancer type service does not change.
When using an internal load balancer, you can specify an internal IP address. Make sure the specified internal IP address is not assigned to some other resource in the same cloud network.
Warning
Once removed from the specification, the internal IP address may be automatically assigned to a different resource in the same cloud network. We recommend selecting the address closer to the upper bound of your subnet's IP address range.
In your Kubernetes cluster, prepare and run the application you need to expose through a LoadBalancer type service. As an example, use an application that responds to HTTP requests on port 8080.
- Create a simple application.
- Create a LoadBalancer type service with a public IP address.
- Create a LoadBalancer type service with an internal IP address.
- Specify the advanced settings.
- Specify the node health check parameters.
- Optionally, create a NetworkPolicy object.
How to ensure access to an application via HTTPS
Check these tutorials:
If you no longer need the resources you created, delete them.
Getting started
Set up the required infrastructure:
- Create a cloud network and subnet.
- Create a service account with the k8s.clusters.agent, vpc.publicAdmin, and load-balancer.admin roles. It needs the load-balancer.admin role to create a network load balancer.
- Create security groups for the Managed Service for Kubernetes cluster and its node groups.
  Warning
  The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
- Create a Managed Service for Kubernetes cluster and node group with public internet access and preconfigured security groups.
- If you do not have Terraform yet, install it.
- Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.
- Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it.
- Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.
- Download the k8s-load-balancer.tf Managed Service for Kubernetes cluster configuration file to the same working directory. This file describes:
  - Managed Service for Kubernetes cluster.
  - Service account required for the Managed Service for Kubernetes cluster and node group.
  - Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.
  Warning
  The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.
- Specify the following in the configuration file:
  - Folder ID.
  - Kubernetes version for the Managed Service for Kubernetes cluster and node groups.
  - Name of the Managed Service for Kubernetes cluster service account.
- Make sure the Terraform configuration files are correct using this command:
  terraform validate
  Terraform will show any errors found in your configuration files.
- Create the required infrastructure:
  - Run this command to view the planned changes:
    terraform plan
    If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
  - If everything looks correct, apply the changes:
    - Run this command:
      terraform apply
    - Confirm updating the resources.
    - Wait for the operation to complete.
  All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.
Timeouts
The Terraform provider sets time limits for operations with Managed Service for Kubernetes cluster and node group:
- Creating and editing a cluster: 30 minutes.
- Creating and updating a node group: 60 minutes.
- Deleting a node group: 20 minutes.
Operations in excess of this time will be interrupted.
How do I modify these limits?
Add the timeouts sections to the cluster and node group descriptions (the yandex_kubernetes_cluster and yandex_kubernetes_node_group resources, respectively). Here is an example:
resource "yandex_kubernetes_node_group" "<node_group_name>" {
  ...
  timeouts {
    create = "1h30m"
    update = "1h30m"
    delete = "30m"
  }
}
Create a simple application
- Save the following application creation specification to a YAML file named hello.yaml. Deployment is a Kubernetes API object that manages the replicated application.
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: hello
  spec:
    replicas: 2
    selector:
      matchLabels:
        app: hello
    template:
      metadata:
        labels:
          app: hello
      spec:
        containers:
          - name: hello-app
            image: cr.yandex/crpjd37scfv653nl11i9/hello:1.1
- Create the application:
  CLI
  If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
  By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
  kubectl apply -f hello.yaml
  Result:
  deployment.apps/hello created
- View the information about the new application:
  CLI
  kubectl describe deployment hello
  Result:
  Name:                   hello
  Namespace:              default
  CreationTimestamp:      Wed, 28 Oct 2020 23:15:25 +0300
  Labels:                 <none>
  Annotations:            deployment.kubernetes.io/revision: 1
  Selector:               app=hello
  Replicas:               2 desired | 2 updated | 2 total | 1 available | 1 unavailable
  StrategyType:           RollingUpdate
  MinReadySeconds:        0
  RollingUpdateStrategy:  25% max unavailable, 25% max surge
  Pod Template:
    Labels:  app=hello
    Containers:
     hello-app:
      Image:        cr.yandex/crpjd37scfv653nl11i9/hello:1.1
      Port:         <none>
      Host Port:    <none>
      Environment:  <none>
      Mounts:       <none>
    Volumes:        <none>
  Conditions:
    Type           Status  Reason
    ----           ------  ------
    Available      False   MinimumReplicasUnavailable
    Progressing    True    ReplicaSetUpdated
  OldReplicaSets:  <none>
  NewReplicaSet:   hello-******** (2/2 replicas created)
  Events:
    Type    Reason             Age   From                   Message
    ----    ------             ----  ----                   -------
    Normal  ScalingReplicaSet  10s   deployment-controller  Scaled up replica set hello-******** to 2
Create a LoadBalancer type service with a public IP address
When you create a LoadBalancer type service, the Yandex Cloud controller creates and configures a network load balancer with a public IP address in your folder for you.
Warning
- You will be charged for the network load balancer you created based on the pricing policy.
- Do not modify or delete the network load balancer and the target groups that are automatically created in your folder after creating a LoadBalancer type service.
- Save the following specification for creating a LoadBalancer type service to a YAML file named load-balancer.yaml:
  apiVersion: v1
  kind: Service
  metadata:
    name: hello
  spec:
    type: LoadBalancer
    ports:
      - port: 80
        name: plaintext
        targetPort: 8080
    # Selector: Kubernetes labels used in the pod template when creating the Deployment object.
    selector:
      app: hello
  For more information, see the Service resource reference for Yandex Network Load Balancer.
- Create a network load balancer:
  CLI
  kubectl apply -f load-balancer.yaml
  Result:
  service/hello created
- View the information about the network load balancer you created:
  Management console
  - In the management console, select your default folder.
  - Select Network Load Balancer.
  - The Load balancers tab shows the network load balancer with the k8s prefix in the name and the unique ID of your Kubernetes cluster in the description.
  CLI
  kubectl describe service hello
  Result:
  Name:                     hello
  Namespace:                default
  Labels:                   <none>
  Annotations:              <none>
  Selector:                 app=hello
  Type:                     LoadBalancer
  IP:                       172.20.169.7
  LoadBalancer Ingress:     130.193.50.111
  Port:                     plaintext  80/TCP
  TargetPort:               8080/TCP
  NodePort:                 plaintext  32302/TCP
  Endpoints:                10.1.130.4:8080
  Session Affinity:         None
  External Traffic Policy:  Cluster
  Events:
    Type    Reason                Age    From                Message
    ----    ------                ----   ----                -------
    Normal  EnsuringLoadBalancer  2m43s  service-controller  Ensuring load balancer
    Normal  EnsuredLoadBalancer   2m17s  service-controller  Ensured load balancer
- Make sure the application is available from the internet:
  CLI
  curl http://130.193.50.111
  Where 130.193.50.111 is the public IP address from the LoadBalancer Ingress field.
  Result:
  Hello, world! Running in 'hello-********'
Create a LoadBalancer type service with an internal IP address
- Edit the specification in the load-balancer.yaml file:
  apiVersion: v1
  kind: Service
  metadata:
    name: hello
    annotations:
      # Load balancer type.
      yandex.cloud/load-balancer-type: internal
      # ID of the subnet for the internal network load balancer.
      yandex.cloud/subnet-id: e1b23q26ab1c********
  spec:
    type: LoadBalancer
    ports:
      - port: 80
        name: plaintext
        targetPort: 8080
    # Selector: Kubernetes labels used in the pod template when creating the Deployment object.
    selector:
      app: hello
  For more information, see the Service resource reference for Yandex Network Load Balancer.
- Delete the external network load balancer you created earlier:
  CLI
  kubectl delete service hello
  Result:
  service "hello" deleted
- Create an internal network load balancer:
  CLI
  kubectl apply -f load-balancer.yaml
  Result:
  service/hello created
Specify the advanced settings
In Managed Service for Kubernetes, you can specify the following additional parameters for your LoadBalancer type service:
- loadBalancerIP: Public (static) IP address you reserved in advance.
- externalTrafficPolicy: Traffic management policy.
Example
apiVersion: v1
kind: Service
metadata:
  name: hello
spec:
  type: LoadBalancer
  ports:
    - port: 80
      name: plaintext
      targetPort: 8080
  selector:
    app: hello
  loadBalancerIP: 159.161.32.22
  externalTrafficPolicy: Cluster
For more information, see the Service resource reference for Yandex Network Load Balancer.
Specify the node health check parameters
LoadBalancer type services in Managed Service for Kubernetes can run health check requests for a target group of Kubernetes nodes. Based on the metrics delivered to the service, Managed Service for Kubernetes decides if the nodes are available.
To enable node health check mode, specify the yandex.cloud/load-balancer-healthcheck-* annotations in the service specification, e.g.:
apiVersion: v1
kind: Service
metadata:
  name: hello
  annotations:
    # Node health check parameters
    yandex.cloud/load-balancer-healthcheck-healthy-threshold: "2"
    yandex.cloud/load-balancer-healthcheck-interval: "2s"
For more information, see the Service resource reference for Yandex Network Load Balancer.
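As an added example (not code from the original page or from Managed Service for Kubernetes), the following Python check applies the rules from the public, internal, advanced settings and health check sections above to a Service manifest before it is applied: LoadBalancer type, the subnet-id annotation for an internal load balancer, a private versus public loadBalancerIP, a known externalTrafficPolicy, and quoted health check annotation values. The manifest dict and the accepted duration format are assumptions.

```python
import ipaddress
import re

# Constructed example, not from the page: the internal Service as a dict, with the subnet-id annotation left out.
INTERNAL_SVC = {
    "metadata": {"name": "hello", "annotations": {
        "yandex.cloud/load-balancer-type": "internal",
        "yandex.cloud/load-balancer-healthcheck-healthy-threshold": "2",
        "yandex.cloud/load-balancer-healthcheck-interval": "2s"}},
    "spec": {"type": "LoadBalancer", "loadBalancerIP": "10.1.0.250",
             "ports": [{"port": 80, "name": "plaintext", "targetPort": 8080}],
             "selector": {"app": "hello"}},
}

DURATION = re.compile(r"^\d+(ms|s|m|h)$")  # assumed format of interval values such as "2s"

def lint_service(svc):
    """Return the problems found in a LoadBalancer type Service manifest."""
    problems = []
    spec = svc.get("spec", {})
    ann = svc.get("metadata", {}).get("annotations") or {}
    if spec.get("type") != "LoadBalancer":
        problems.append("spec.type must be LoadBalancer to get a network load balancer")
    internal = ann.get("yandex.cloud/load-balancer-type") == "internal"
    if internal and not ann.get("yandex.cloud/subnet-id"):
        problems.append("internal load balancer needs the yandex.cloud/subnet-id annotation")
    ip = spec.get("loadBalancerIP")
    if ip:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"loadBalancerIP {ip!r} is not an IP address")
        else:
            if internal and not addr.is_private:
                problems.append(f"internal load balancer given a public address {ip}")
            if not internal and not addr.is_global:
                problems.append(f"external load balancer needs a reserved public address, got {ip}")
    if spec.get("externalTrafficPolicy", "Cluster") not in ("Cluster", "Local"):
        problems.append(f"unknown externalTrafficPolicy {spec['externalTrafficPolicy']!r}")
    for key, value in ann.items():
        if not key.startswith("yandex.cloud/load-balancer-healthcheck-"):
            continue
        if not isinstance(value, str):  # unquoted YAML numbers arrive as int, not str
            problems.append(f"{key} must be a quoted string, got {type(value).__name__}")
        elif key.endswith("-interval") and not DURATION.match(value):
            problems.append(f"{key} is not a duration: {value!r}")
        elif key.endswith("-threshold") and not value.isdigit():
            problems.append(f"{key} is not an integer: {value!r}")
    return problems
```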
Create a NetworkPolicy object
To connect to services published via Network Load Balancer from particular IP addresses only, enable network policies in the cluster. To set up access via the load balancer, create an Ingress type NetworkPolicy.
NetworkPolicy object configuration example
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: whitelist-netpol
  namespace: ns-example
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Address ranges used by the load balancer to health check nodes.
        - ipBlock:
            cidr: 198.18.235.0/24
        - ipBlock:
            cidr: 198.18.248.0/24
        # Pod address ranges.
        - ipBlock:
            cidr: 172.16.1.0/12
        - ipBlock:
            cidr: 172.16.2.0/12
For more information, see the NetworkPolicy resource reference for Yandex Network Load Balancer.
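The following Python check, added here and not part of the original page, reads the ipBlock entries of an Ingress type NetworkPolicy and reports which of the health check source ranges listed above the policy would block, plus any CIDR whose host bits are set (172.16.1.0/12 is read as 172.16.0.0/12). The policy dict is constructed with one health check range deliberately left out; the helper names are assumptions.

```python
import ipaddress

# Source ranges this page lists for the load balancer's node health checks.
HEALTHCHECK_SOURCES = ("198.18.235.0/24", "198.18.248.0/24")

# Constructed example, not from the page: its NetworkPolicy as a dict, minus the second health check range.
NETPOL = {
    "metadata": {"name": "whitelist-netpol", "namespace": "ns-example"},
    "spec": {"podSelector": {"matchLabels": {"role": "db"}},
             "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"ipBlock": {"cidr": "198.18.235.0/24"}},
                                   {"ipBlock": {"cidr": "172.16.1.0/12"}}]}]},
}

def parse_cidr(cidr, warnings):
    """Parse an ipBlock CIDR; a CIDR with host bits set is accepted but reported."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        net = ipaddress.ip_network(cidr, strict=False)
        warnings.append(f"{cidr} has host bits set and is read as {net}")
        return net

def ingress_blocks(policy, warnings):
    """Return (allowed_network, excepted_networks) pairs from every ingress rule."""
    blocks = []
    for rule in policy["spec"].get("ingress") or []:
        for peer in rule.get("from") or []:
            block = peer.get("ipBlock")
            if block:
                allowed = parse_cidr(block["cidr"], warnings)
                excepts = [parse_cidr(e, warnings) for e in block.get("except") or []]
                blocks.append((allowed, excepts))
    return blocks

def blocked_healthcheck_sources(policy):
    """Return the health check ranges the policy would not admit in full, plus warnings."""
    warnings, blocked = [], []
    if "Ingress" not in policy["spec"].get("policyTypes", ["Ingress"]):
        return blocked, warnings  # the policy does not restrict ingress at all
    blocks = ingress_blocks(policy, warnings)
    for cidr in HEALTHCHECK_SOURCES:
        src = ipaddress.ip_network(cidr)
        admitted = any(allowed.version == src.version and src.subnet_of(allowed)
                       and not any(src.overlaps(e) for e in excepts)
                       for allowed, excepts in blocks)
        if not admitted:
            blocked.append(cidr)  # health checks from this range would be dropped
    return blocked, warnings
```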
Delete the resources you created
Delete the resources you no longer need to avoid paying for them:
- Delete the resources depending on how you created them:
  Manually
  Terraform
  - In the terminal window, go to the directory containing the infrastructure plan.
    Warning
    Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.
  - Delete resources:
    - Run this command:
      terraform destroy
    - Confirm deleting the resources and wait for the operation to complete.
    All the resources described in the Terraform manifests will be deleted.
- If you used static public IP addresses to access your Managed Service for Kubernetes cluster or nodes, release and delete them.