Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Zones of control between the the Yandex Managed Service for Kubernetes users and Yandex Cloud

Written by
Updated at January 29, 2026

The shared responsibility model for Managed Service for Kubernetes in Yandex Cloud splits the zones of control between the cloud provider and the user.

Yandex Cloud control zone

The Yandex Cloud control zone covers:

Managed control plane

Yandex Cloud manages all control plane components in Kubernetes and ensures they work correctly. This enables the claimed functionality:

  • Fault-tolerant cluster or control plane components if selecting the Highly available master type with hosts across three availability zones.
  • Automatic or user-initiated updates of control plane components if new versions are out.
  • Monitoring of control plane components and response to Managed Service for Kubernetes cluster alerts related to control plane level issues.
  • Collection and storage of control plane logs when the Write logs setting is on.

Note

The user cannot modify the control plane component configuration directly. The extent of influence on configuration is limited to the options available when creating or updating a cluster. For example, the user can enable workload identity federation integration at the Managed Service for Kubernetes cluster level.

More on Kubernetes control plane components.

Backup and recovery

Yandex Cloud provides etcd monitoring, backup, and recovery.

Cluster maintenance

Yandex Cloud issues security updates for:

  • Control plane components.
  • Operating systems of master and node VMs when vulnerabilities are detected.
  • System components on nodes.

Cluster infrastructure

Yandex Cloud manages the following cluster infrastructure components:

  • Network: Yandex Cloud provides Yandex Network Load Balancer creation, configuration, and deletion using the LoadBalancer type Service object.

  • Storage: Yandex Cloud creates, configures, connects to pods, and deletes Yandex Cloud network disks using the PersistentVolume objects.

  • System components on nodes: Yandex Cloud installs the following components on nodes:

    • kubelet and, optionally, kube-proxy.
    • Container runtime.
    • CNI network plugins, such as Calico or Cilium.
    • CSI drivers for cloud storage integration.
    • Guest OS (Ubuntu).

  • Computing and network infrastructure of virtual machines: Yandex Cloud provides a VM infrastructure for the master and nodes.

  • Integration with other Yandex Cloud services: There is interaction with Yandex Identity and Access Management, Yandex Virtual Private Cloud, and Yandex Container Registry, with encryption via Yandex Key Management Service.

System plugins

Note

The user cannot modify or delete system plugins.

Managed Service for Kubernetes uses the following system plugins managed by Yandex Cloud:

  • csi-driver: A DaemonSet resource deployed on all cluster nodes to enable csi-driver.
  • kube-proxy: Maintains network rules on nodes. These rules allow network communication with pods both from inside and from outside the cluster.
  • coreDNS: Primary DNS server responsible for name resolution inside the Kubernetes cluster.
  • cilium: A network policy manager. It includes cilium-cni, cilium-agent, cilium-operator, and hubble. When deployed, replaces kube-proxy.
  • cluster-autoscaler: A node group autoscaling manager.
  • metrics-server: Collects resource (CPU, RAM) utilization metrics from nodes, pods, and, to a limited extent, masters.
  • node-problem-detector: Detects and reports cluster node issues.
  • nvidia-device-plugin: Enables cluster nodes to automatically allocate and manage GPUs for containerized applications.
  • ip-masq-agent: Manages IP masquerading in the cluster for containers to communicate with external services, and cluster nodes to access external IP addresses.
  • metadata-server: A DaemonSet resource you install on all cluster nodes for automatic exchange of the Kubernetes service account JWT for the IAM token of the cloud service account.
  • bindings: Roles for the system components of the cluster.

Note

The list of system plugins can be revised and expanded.

Yandex Cloud customer control zone

The Yandex Cloud customer control zone covers:

Cluster configuration

The user controls the cluster configuration, which comprises the following:

  • Master host arrangement, i.e., basic or highly available master (in the same or different availability zones).

  • Kubernetes version for the master and release channel.

  • Network configuration (network, subnets, public IP address, security groups, network policies, tunnel mode, etc.).

  • Service accounts with relevant permissions for resources and nodes.

  • Encryption keys.

  • Master computing resources (platform type, vCPUs, RAM).

  • Cluster update window setup.

  • Activation of control plane logging: audit logs, cluster autoscaler logs, event logs, Kubernetes API server logs.

    Note

    If the user does not activate the delivery of control plane cluster logs to Cloud Logging or Audit Trails, service-side log storage will be subject to the following time and size limits in case of incidents or other events:

    • Audit logs are kept for a maximum of five days or until they reach 5 GB.
    • Other system logs are kept for a maximum of one day or until they reach 7 GB.

Cluster resources

The user controls the configuration and content of the nodes:

  • Node computing resources (platform type, vCPUs, RAM, disk type and size, etc.).
  • Network configuration (public address, security groups, subnets, and availability zones).
  • Scaling settings for node groups.
  • Kubernetes version for node groups.
  • Installing additional packages or agents.
  • Setting up node access (SSH and OS Login).
  • Setting up metadata, sysctl variables, etc.
  • Setting up the node group update window.

Warning

Users have full access to the Managed Service for Kubernetes cluster nodes and can modify system components, packages, and their configurations. This may lead to unpredictable behavior and disrupt node operation. We do not recommend making such modifications for node groups.

Configurable resources

The user can manage the following resources:

  • Configuration of some plugins: Users can modify the ConfigMap resources in the ip-masq-agent and coreDNS plugins.

  • Applications:

    • Deployment of objects like Deployment, StatefulSet, DaemonSet, etc., in Kubernetes clusters.
    • Ingress controller management, e.g., NGINX Ingress.

  • Data:

Access management

The user can manage access using Kubernetes RBAC:

  • Configure ServiceAccounts, ClusterRoles, and other Kubernetes objects.
  • Manage cluster access permissions.

Cluster performance analysis

The user can use the monitoring and logging functionality to analyze cluster performance:

  • Configure alerts for application metrics.
  • Analyze pod logs using Fluent Bit or third-party tools.

Self-managed software version upgrades

The user can:

  • Upgrade node groups to new minor Kubernetes versions supported by Managed Service for Kubernetes, e.g., from 1.32 to 1.33.

  • Monitor application-level cluster vulnerabilities, including:

    • Scan and update container images of user applications.
    • Fix vulnerabilities in user code and dependencies.
    • Apply pod security policies or equivalents to limit pod privileges.
Previous
Zones of control in MDB
Next
Deleting user data