[Yandex Cloud documentation](../../index.md) > [Yandex Managed Service for Kubernetes](../index.md) > [Step-by-step guides](index.md) > Working with private Docker image registries

# Working with private Docker image registries

Managed Service for Kubernetes supports integration with private Docker image registries [Yandex Container Registry](../tutorials/container-registry.md) and [Yandex Cloud Registry](../../cloud-registry/concepts/index.md). Managed Service for Kubernetes authenticates with these registries using the [cloud service account](../concepts/index.md#service-accounts) assigned to the node group. This is the preferred and most secure method because authentication takes place automatically via short-lived [IAM tokens](../../iam/concepts/authorization/iam-token.md).

You can assign a service account to a node group when [creating](kubernetes-cluster/kubernetes-cluster-create.md) or [updating](kubernetes-cluster/kubernetes-cluster-update.md) a Managed Service for Kubernetes cluster.

For the service account to be able to access the registries, [assign](../../iam/operations/sa/assign-role-for-sa.md) to it the following roles for the registry folder:

* [container-registry.images.puller](../../container-registry/security/index.md#container-registry-images-puller) for Container Registry.
* [cloud-registry.artifacts.puller](../../cloud-registry/security/index.md#cloud-registry-artifacts-puller) for Cloud Registry.

With such an integration, you do not need to include any authentication data in the pod manifest, for example:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: cr.yandex/<registry_ID>/<Docker_image_name>:<tag>
```

If, for any reason, you cannot use a service account with the mentioned roles for authentication in Container Registry or Cloud Registry, use an [authorized key](../../iam/concepts/authorization/key.md) with an unlimited TTL.

{% note warning %}

A long-lived key is less secure than IAM tokens.

{% endnote %}

To authenticate with the registry using a key:

1. If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

   The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

1. [Install kubect](https://kubernetes.io/docs/tasks/tools/install-kubectl) and [configure it to work with the new cluster](connect/index.md#kubectl-connect).

1. Create an authorized key and save it to a file named `key.json`:

    ```bash
    yc iam key create \
      --service-account-name <service_account_name> \
      --output key.json
    ```

1. Create a secret with the key data:

    ```bash
    kubectl create secret docker-registry yc-registry-secret \
      --docker-server=cr.yandex \
      --docker-username=json_key \
      --docker-password="$(cat key.json)" \
      --namespace=<namespace>
    ```

1. Create a YAML file for the manifest with a link to the new secret:

    ```yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: private-reg
    spec:
      containers:
      - name: private-reg-container
        image: cr.yandex/<registry_ID>/<Docker_image_name>:<tag>
      imagePullSecrets:
      - name: yc-registry-secret
    ```

1. Apply the new configuration:

    ```bash
    kubectl apply -f <YAML_file_path>
    ```

1. Make sure the image is successfully pulled from the registry:

    ```bash
    kubectl get pods
    ```

    Result:

    ```text
    NAME           READY   STATUS             RESTARTS   AGE
    private-reg    1/1     Running            0          7s
    ```