Working with private Docker image registries
Managed Service for Kubernetes supports integration with private Docker image registries Yandex Container Registry and Yandex Cloud Registry. Managed Service for Kubernetes authenticates with these registries using the cloud service account assigned to the node group. This is the preferred and most secure method because authentication takes place automatically via short-lived IAM tokens.
You can assign a service account to a node group when creating or updating a Managed Service for Kubernetes cluster.
For the service account to be able to access the registries, assign to it the following roles for the registry folder:
- container-registry.images.puller for Container Registry.
- cloud-registry.artifacts.puller for Cloud Registry.
With such an integration, you do not need to include any authentication data in the pod manifest, for example:
apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: cr.yandex/<registry_ID>/<Docker_image_name>:<tag>
If, for any reason, you cannot use a service account with the mentioned roles for authentication in Container Registry or Cloud Registry, use an authorized key with an unlimited TTL.
Warning
A long-lived key is less secure than IAM tokens.
To authenticate with the registry using a key:
- If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
  By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.
- Install kubectl and configure it to work with the new cluster.
- Create an authorized key and save it to a file named key.json:
  yc iam key create \
    --service-account-name <service_account_name> \
    --output key.json
- Create a secret with the key data:
  kubectl create secret docker-registry yc-registry-secret \
    --docker-server=cr.yandex \
    --docker-username=json_key \
    --docker-password="$(cat key.json)" \
    --namespace=<namespace>
- Create a YAML file for the manifest with a link to the new secret:
  apiVersion: v1
  kind: Pod
  metadata:
    name: private-reg
  spec:
    containers:
    - name: private-reg-container
      image: cr.yandex/<registry_ID>/<Docker_image_name>:<tag>
    imagePullSecrets:
    - name: yc-registry-secret
- Apply the new configuration:
  kubectl apply -f <YAML_file_path>
- Make sure the image is successfully pulled from the registry:
  kubectl get pods
  Result:
  NAME          READY   STATUS    RESTARTS   AGE
  private-reg   1/1     Running   0          7s