
# Integrating Yandex Managed Service for Kubernetes with Crossplane

[Crossplane](https://crossplane.io/) is an open-source Kubernetes add-on that helps you bring solutions from different providers into a single infrastructure and provide application developers with access to this infrastructure via high-level APIs. With Crossplane, users can manage third-party services in the same way they manage Kubernetes resources.

To create a Yandex Compute Cloud [VM](../../compute/concepts/vm.md) using [Crossplane](https://yandex.cloud/en/marketplace/products/yc/crossplane) installed in a [Kubernetes cluster](../../managed-kubernetes/concepts/index.md#kubernetes-cluster):

1. [Get your cloud ready](#before-you-begin).
1. [Create Managed Service for Kubernetes resources](#k8s-create).
1. [Create Yandex Cloud resources using Crossplane](#create-crossplane-res).

If you no longer need the resources you created, [delete them](#clear-out).


## Required paid resources {#paid-resources}

The infrastructure support cost for this solution includes:

* Fee for using the master and outgoing traffic in a Managed Service for Kubernetes cluster (see [Managed Service for Kubernetes pricing](../../managed-kubernetes/pricing.md)).
* Fee for using computing resources, OS, and storage in cluster nodes (VMs) (see [Compute Cloud pricing](../../compute/pricing.md)).
* Fee for a public IP address assigned to cluster nodes (see [Virtual Private Cloud pricing](../../vpc/pricing.md#prices-public-ip)).
* Fee for a NAT gateway (see [Virtual Private Cloud pricing](../../vpc/pricing.md#nat-gateways)).


## Get your cloud ready {#before-you-begin}

1. If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

   The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

1. Install [jq](https://stedolan.github.io/jq/).

## Create Managed Service for Kubernetes resources {#k8s-create}

1. Create a Kubernetes cluster and [node group](../../managed-kubernetes/concepts/index.md#node-group).

   {% list tabs group=instructions %}

   - Manually {#manual}

     1. If you do not have a [network](../../vpc/concepts/network.md#network) yet, [create one](../../vpc/operations/network-create.md).
     1. If you do not have any [subnets](../../vpc/concepts/network.md#subnet) yet, [create them](../../vpc/operations/subnet-create.md) in the [availability zones](../../overview/concepts/geo-scope.md) where the new Kubernetes cluster and node group will reside.
     1. [Create these service accounts](../../iam/operations/sa/create.md):
        * Service account with the `k8s.clusters.agent` and `vpc.publicAdmin` [roles](../../managed-kubernetes/security/index.md#yc-api) for the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) where you want to create a Kubernetes cluster. This service account will be used to create resources for your Kubernetes cluster.
        * Service account with the [container-registry.images.puller](../../container-registry/security/index.md#container-registry-images-puller) [role](../../iam/concepts/access-control/roles.md). Nodes will use this account to pull the required [Docker images](../../container-registry/concepts/docker-image.md) from the [registry](../../container-registry/concepts/registry.md).

        {% note tip %}

        You can use the same [service account](../../iam/concepts/users/service-accounts.md) to manage your Kubernetes cluster and its node groups.

        {% endnote %}

     1. [Create security groups](../../managed-kubernetes/operations/connect/security-groups.md) for the Managed Service for Kubernetes cluster and its node groups.

        {% note warning %}
        
        The configuration of security groups determines performance and availability of the cluster and the services and applications running in it.
        
        {% endnote %}

     1. [Create a Kubernetes cluster](../../managed-kubernetes/operations/kubernetes-cluster/kubernetes-cluster-create.md) and [node group](../../managed-kubernetes/operations/node-group/node-group-create.md) with any suitable configuration. When creating, specify the preconfigured security groups.

   - Terraform {#tf}

     1. If you do not have Terraform yet, [install it](../infrastructure-management/terraform-quickstart.md#install-terraform).
     1. [Get the authentication credentials](../infrastructure-management/terraform-quickstart.md#get-credentials). You can add them to environment variables or specify them later in the provider configuration file.
     1. [Configure and initialize a provider](../infrastructure-management/terraform-quickstart.md#configure-provider). There is no need to create a provider configuration file manually, you can [download it](https://github.com/yandex-cloud-examples/yc-terraform-provider-settings/blob/main/provider.tf).
     1. Place the configuration file in a separate working directory and [specify the parameter values](../infrastructure-management/terraform-quickstart.md#configure-provider). If you did not add the authentication credentials to environment variables, specify them in the configuration file.

     1. Download the [k8s-cluster.tf](https://github.com/yandex-cloud-examples/yc-mk8s-cluster-infrastructure/blob/main/k8s-cluster.tf) cluster configuration file to the same working directory. This file describes:
        * [Network](../../vpc/concepts/network.md#network).
        * [Subnet](../../vpc/concepts/network.md#subnet).
        * Kubernetes cluster.
        * [Service account](../../iam/concepts/users/service-accounts.md) for the Managed Service for Kubernetes cluster and node group.
        * [Security groups](../../vpc/concepts/security-groups.md) which contain [rules](../../managed-kubernetes/operations/connect/security-groups.md) required for the Managed Service for Kubernetes cluster and its node groups.

            {% note warning %}
            
            The configuration of security groups determines performance and availability of the cluster and the services and applications running in it.
            
            {% endnote %}

     1. Specify the following in the configuration file:
        * [Folder ID](../../resource-manager/operations/folder/get-id.md).
        * Kubernetes version for the Kubernetes cluster and node groups.
        * Kubernetes cluster CIDR.
        * Name of the Managed Service for Kubernetes cluster service account.
     1. Validate your Terraform configuration files using this command:

        ```bash
        terraform validate
        ```

        Terraform will display any configuration errors detected in your files.
     1. Create the required infrastructure:

        1. Run this command to view the planned changes:
        
           ```bash
           terraform plan
           ```
        
           If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
        
        1. If everything looks correct, apply the changes:
           1. Run this command:
        
              ```bash
              terraform apply
              ```
        
           1. Confirm updating the resources.
           1. Wait for the operation to complete.

        All the required resources will be created in the specified folder. You can check resource availability and their settings in the [management console](https://console.yandex.cloud).

   {% endlist %}

   {% note warning %}
   
   Do not change or delete Virtual Private Cloud resources used by the Managed Service for Kubernetes cluster. This may cause cluster errors or make it impossible to delete later.
   
   {% endnote %}

1. [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) and [configure it to work with the new cluster](../../managed-kubernetes/operations/connect/index.md#kubectl-connect).

1. [Install Crossplane in the Kubernetes cluster](../../managed-kubernetes/operations/applications/crossplane.md). The Yandex Cloud provider authenticates with a service account whose credentials are stored in a secret inside the cluster, so grant that account only the permissions required for the resources you are going to manage.
1. [Set up a NAT gateway for the Kubernetes cluster node subnet](../../vpc/operations/create-nat-gateway.md) so that the Crossplane pods can reach the Yandex Cloud API from nodes that have no public IP address.

## Create Yandex Cloud resources using Crossplane {#create-crossplane-res}

1. Decide which resources you want to create with Crossplane. The Yandex Cloud provider installs one CRD per supported resource type; to list them, run:

   ```bash
   kubectl get crd | grep yandex-cloud.jet.crossplane.io
   ```

1. Determine the parameters for your resources. To view the schema of a specific resource type, run this command with the full CRD name from the previous command's output (plural resource name followed by the API group):

   ```bash
   kubectl describe crd <resource_name>
   ```

1. Create the `vm-instance-template.yml` manifest. It imports the network and subnet that already exist in the folder and describes the `crossplane-vm` VM you are going to create with Crossplane. For the imported resources, the `crossplane.io/external-name` annotation binds the Kubernetes object to the existing cloud resource by its ID, and `deletionPolicy: Orphan` makes sure that deleting the Kubernetes object does not delete the network or subnet in the folder:

   ```yaml
   # Adding an existing network to the configuration
   apiVersion: vpc.yandex-cloud.jet.crossplane.io/v1alpha1
   kind: Network
   metadata:
     name: <name_of_existing_network>
     annotations:
       # Point the provider to the existing network
       crossplane.io/external-name: <ID_of_existing_network>
   spec:
     # Prohibit deletion of the existing network
     deletionPolicy: Orphan
     forProvider:
       name: <name_of_existing_network>
     providerConfigRef:
       name: default
   ---
   # Adding an existing subnet to the configuration
   apiVersion: vpc.yandex-cloud.jet.crossplane.io/v1alpha1
   kind: Subnet
   metadata:
     name: <name_of_existing_subnet>
     annotations:
       # Point the provider to the existing subnet
       crossplane.io/external-name: <ID_of_existing_subnet>
   spec:
     # Prohibit deletion of the existing subnet
     deletionPolicy: Orphan
     forProvider:
       name: <name_of_existing_subnet>
       networkIdRef:
         name: <name_of_existing_network>
       v4CidrBlocks:
         - <IPv4_CIDR_of_existing_subnet>
     providerConfigRef:
       name: default
   ---
   # Creating a VM
   apiVersion: compute.yandex-cloud.jet.crossplane.io/v1alpha1
   kind: Instance
   metadata:
     name: crossplane-vm
   spec:
     forProvider:
       name: crossplane-vm
       platformId: standard-v1
       zone: ru-central1-a
       resources:
         - cores: 2
           memory: 4
       bootDisk:
         - initializeParams:
             - imageId: fd80bm0rh4rkepi5ksdi
       networkInterface:
         - subnetIdRef:
             name: <name_of_existing_subnet>
           # Automatically assign a public IP address to the VM
           nat: true
       metadata:
         # Yandex Cloud VM metadata expects "<username>:<public_key>" here
         ssh-keys: "<username>:<public_SSH_key>"
     providerConfigRef:
       name: default
     # Write the VM connection details into a secret
     writeConnectionSecretToRef:
       name: instance-conn
       namespace: default
   ```

   In the VM configuration section:
   * `zone: ru-central1-a`: [Availability zone](../../overview/concepts/geo-scope.md) to host the new VM.
   * `name: crossplane-vm`: Name of the VM to create with Crossplane.
   * `imageId: fd80bm0rh4rkepi5ksdi`: VM boot image ID. You can get it with the [list of images](../../compute/operations/image-control/get-list.md). This example uses the [Ubuntu 22.04 LTS](https://yandex.cloud/en/marketplace/products/yc/ubuntu-22-04-lts) image.
   * `nat: true`: Assigns a public IP address to the VM, which makes it reachable from the internet and is charged separately. Omit it if the VM only needs to be reached from inside the network.
   * `ssh-keys`: Public SSH key in the `<username>:<public_key>` format expected by Yandex Cloud VM metadata; the user is created on the VM with that key.
   * `writeConnectionSecretToRef`: Crossplane writes the VM's addresses to the `instance-conn` secret in the `default` namespace. Kubernetes secrets are only base64-encoded, so anyone allowed to read secrets in that namespace can read them.

   For examples of how to configure Yandex Cloud resources, see the [provider's GitHub repository](https://github.com/yandex-cloud/crossplane-provider-yc/tree/main/examples).

1. Apply the `vm-instance-template.yml` manifest:

   ```bash
   kubectl apply -f vm-instance-template.yml
   ```

1. Check the state of the new resources:

   ```bash
   kubectl get network
   kubectl get subnet
   kubectl get instance
   ```

   Wait until the `READY` and `SYNCED` columns show `True` for every resource. If they do not, `kubectl describe instance crossplane-vm` shows the error returned by the provider in the object's conditions.

1. Make sure `crossplane-vm` appeared in the folder:

   ```bash
   yc compute instance list
   ```

1. To read the VM connection details that Crossplane wrote to the `instance-conn` secret, run this command (`@base64d` requires jq 1.6 or later):
   
   ```bash
   kubectl get secret instance-conn -o json | jq -r '.data | map_values(@base64d)'
   ```

   Expected result:
   
   ```json
   {
     "external_ip": "<public_IP_address>",
     "fqdn": "<full_domain_name>",
     "internal_ip": "<internal_IP_address>"
   }
   ```
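
Before applying the manifest, it is worth checking it for two mistakes that are easy to make with this template: placeholders left unreplaced, and an imported network or subnet whose `deletionPolicy` is not `Orphan` (in that case `kubectl delete` on the Kubernetes object would delete the real cloud resource in the folder). The following shell script is an added example, not part of the Yandex Cloud documentation or the crossplane-provider-yc project. It assumes the manifest keeps the template's layout (one resource per `---`-separated document, `metadata.name` indented by two spaces) and that `grep` and `awk` are available; the file name `check-manifest.sh` is just a suggestion.

```shell
#!/usr/bin/env bash
# Pre-apply check for a Crossplane manifest such as vm-instance-template.yml.
# Added example; not part of the Yandex Cloud documentation or the
# crossplane-provider-yc project. Two findings are reported:
#   1. placeholders such as <ID_of_existing_network> left unreplaced;
#   2. a managed resource that imports an existing cloud object via the
#      crossplane.io/external-name annotation but does not set
#      deletionPolicy: Orphan, so `kubectl delete` on it would delete the
#      real network or subnet in the folder.
# Assumption: the manifest uses the template's layout (metadata.name
# indented by two spaces, one resource per '---'-separated document).
set -u

# check_manifest FILE: prints findings; returns 0 if clean, 1 otherwise.
check_manifest() {
  file="$1"
  rc=0

  # 1. Any <placeholder> left in the file means the template was not filled in.
  if grep -nE '<[A-Za-z0-9_]+>' "$file"; then
    echo "ERROR: unreplaced placeholders in $file"
    rc=1
  fi

  # 2. Line-oriented pass over each YAML document: remember kind and
  #    metadata.name, note whether the document imports an external object
  #    and whether deletionPolicy is Orphan; report at every document boundary.
  awk '
    function report() {
      if (imported && !orphan) {
        printf "ERROR: %s/%s imports an existing resource without deletionPolicy: Orphan\n", kind, name
        bad = 1
      }
      kind = ""; name = ""; imported = 0; orphan = 0
    }
    /^---/                            { report(); next }
    /^kind:/                          { kind = $2 }
    name == "" && /^  name:/          { name = $2 }
    /crossplane\.io\/external-name:/  { imported = 1 }
    /deletionPolicy: *Orphan/         { orphan = 1 }
    END                               { report(); exit bad + 0 }
  ' "$file" || rc=1

  return "$rc"
}

# Stand-alone use: ./check-manifest.sh vm-instance-template.yml
if [ "$#" -gt 0 ]; then
  check_manifest "$1"
fi
```

Apply the manifest only when the script exits 0. The check is deliberately textual and does not talk to the cluster; `kubectl apply --dry-run=server -f vm-instance-template.yml` afterwards validates the documents against the provider's CRD schemas without creating anything.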

## Delete the resources you created {#clear-out}

Some resources are not free of charge. Delete the resources you no longer need to avoid paying for them:

1. Delete `crossplane-vm` while the Kubernetes cluster and Crossplane are still running; once the cluster is gone, nothing will delete the VM in the folder for you. The `Network` and `Subnet` objects have `deletionPolicy: Orphan`, so removing them from the cluster does not affect the cloud resources:

   ```bash
   kubectl delete instance crossplane-vm
   ```

1. Delete the other resources:

   {% list tabs group=instructions %}

   - Manually {#manual}

     1. [Delete the Kubernetes cluster](../../managed-kubernetes/operations/kubernetes-cluster/kubernetes-cluster-delete.md).
     1. [Delete the created subnets](../../vpc/operations/subnet-delete.md).
     1. [Delete the route table](../../vpc/operations/delete-route-table.md).
     1. [Delete the NAT gateway](../../vpc/operations/delete-nat-gateway.md).
     1. [Delete the networks](../../vpc/operations/network-delete.md).
     1. [Delete the created service accounts](../../iam/operations/sa/delete.md).

   - Terraform {#tf}

     1. In the terminal window, go to the directory containing the infrastructure plan.
     
         {% note warning %}
     
         Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.
     
         {% endnote %}
     
     1. Delete resources:
     
         1. Run this command:
     
             ```bash
             terraform destroy
             ```
     
         1. Confirm deleting the resources and wait for the operation to complete.
     
         All the resources described in the Terraform manifests will be deleted.

   {% endlist %}