Skip to content
Switch branches/tags

Latest commit

Bumps []( from 1.18.3 to 1.18.19.
- [Release notes](
- [Commits](kubernetes/kubernetes@v1.18.3...v1.18.19)

- dependency-name:
  dependency-type: direct:production

Signed-off-by: dependabot[bot] <>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]>

Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Kubernetes Cloud Controller Manager for Hetzner Cloud

GitHub Actions status

The Hetzner Cloud cloud controller manager integrates your Kubernets cluster with the Hetzner Cloud API. Read more about kubernetes cloud controller managers in the kubernetes documentation.


  • instances interface: adds the server type to the label, sets the external ipv4 and ipv6 addresses and deletes nodes from Kubernetes that were deleted from the Hetzner Cloud.
  • zones interface: makes Kubernetes aware of the failure domain of the server by setting the and labels on the node.
  • Private Networks: allows to use Hetzner Cloud Private Networks for your pods traffic.
  • Load Balancers: allows to use Hetzner Cloud Load Balancers with Kubernetes Services


apiVersion: v1
kind: Node
  annotations: '{"VtepMAC":"06:b3:ee:88:92:36"}' vxlan "true" "0" "true"
  creationTimestamp: 2018-01-24T15:59:45Z
  labels: amd64 cx11 # <-- server type linux fsn1 # <-- location fsn1-dc8 # <-- datacenter master ""
  name: master
  resourceVersion: "183932"
  selfLink: /api/v1/nodes/master
  uid: 98acdedc-011f-11e8-9ed3-9600000780bf
  externalID: master
  providerID: hcloud://123456 # <-- Server ID
  - address: master
    type: Hostname
  - address: # <-- public ipv4
    type: ExternalIP


This deployment example uses kubeadm to bootstrap an Kubernetes cluster, with flannel as overlay network agent. Feel free to adapt the steps to your preferred method of installing Kubernetes.

These deployment instructions are designed to guide with the installation of the hcloud-cloud-controller-manager and are by no means an in depth tutorial of setting up Kubernetes clusters. Previous knowledge about the involved components is required.

Please refer to the kubeadm cluster creation guide, which these instructions are meant to argument and the kubeadm documentation.

  1. The cloud controller manager adds its labels when a node is added to the cluster. For Kubernetes versions prior to 1.23, this means we have to add the --cloud-provider=external flag to the kubelet before initializing the cluster master with kubeadm init. To do accomplish this we add this systemd drop-in unit /etc/systemd/system/kubelet.service.d/20-hcloud.conf:


    Note: the --cloud-provider flag is deprecated since K8S 1.19. You will see a log message regarding this.

  2. Now the cluster master can be initialized:

    sudo kubeadm init --pod-network-cidr=
  3. Configure kubectl to connect to the kube-apiserver:

    mkdir -p $HOME/.kube
    sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    sudo chown $(id -u):$(id -g) $HOME/.kube/config
  4. Deploy the flannel CNI plugin:

    kubectl apply -f
  5. Patch the flannel deployment to tolerate the uninitialized taint:

    kubectl -n kube-system patch ds kube-flannel-ds --type json -p '[{"op":"add","path":"/spec/template/spec/tolerations/-","value":{"key":"","value":"true","effect":"NoSchedule"}}]'
  6. Create a secret containing your Hetzner Cloud API token.

    kubectl -n kube-system create secret generic hcloud --from-literal=token=<hcloud API token>
  7. Deploy the hcloud-cloud-controller-manager:

    kubectl apply -f

Networks support

When you use the Cloud Controller Manager with networks support, the CCM is in favor of allocating the IPs (& setup the routing) (Docs: The CNI plugin you use needs to support this k8s native functionality (Cilium does it, I don't know about Calico & WeaveNet), so basically you use the Hetzner Cloud Networks as the underlying networking stack.

When you use the CCM without Networks support it just disables the RouteController part, all other parts work completely the same. Then just the CNI is in charge of making all the networking stack things. Using the CCM with Networks support has the benefit that your node is connected to a private network so the node doesn't need to encrypt the connections and you have a bit less operational overhead as you don't need to manage the Network.

If you want to use the Hetzner Cloud Networks Feature, head over to the Deployment with Networks support documentation.

If you manage the network yourself it might still be required to let the CCM know about private networks. You can do this by adding the environment variable with the network name/ID in the CCM deployment.

            - name: HCLOUD_NETWORK
                  name: hcloud
                  key: network

You also need to add the network name/ID to the secret: kubectl -n kube-system create secret generic hcloud --from-literal=token=<hcloud API token> --from-literal=network=<hcloud Network_ID_or_Name>.

Kube-proxy mode IPVS and HCloud LoadBalancer

If kube-proxy is run in IPVS mode, the Service manifest needs to have the annotation where the FQDN resolves to the HCloud LoadBalancer IP.


Versioning policy

We aim to support the latest three versions of Kubernetes. After a new Kubernetes version has been released we will stop supporting the oldest previously supported version. This does not necessarily mean that the Cloud Controller Manager does not still work with this version. However, it means that we do not test that version anymore. Additionally, we will not fix bugs related only to an unsupported version. We also try to keep compatibility with the respective k3s release for a specific Kubernetes release.

With Networks support

Kubernetes k3s cloud controller Manager Deployment File
1.21 - 1.12.0, master
1.20 v1.20.0+k3s2 1.12.0, master
1.19 v1.19.5+k3s2 1.8.1, master

Without Networks support

Kubernetes k3s cloud controller Manager Deployment File
1.21 - 1.12.0, master
1.20 v1.20.0+k3s2 1.12.0, master
1.19 v1.19.5+k3s2 1.8.1, master

E2E Tests

The Hetzner Cloud cloud controller manager was tested against all supported Kubernetes versions. We also test against the same k3s releases (Sample: When we support testing against Kubernetes 1.20.x we also try to support k3s 1.20.x). We try to keep compatibility with k3s but never guarantee this.

You can run the tests with the following commands. Keep in mind, that these tests run on real cloud servers and will create Load Balancers that will be billed.

Test Server Setup:

1x CPX21 (Ubuntu 18.04)

Requirements: Docker and Go 1.17

  1. Configure your environment correctly
export HCLOUD_TOKEN=<specifiy a project token>
export K8S_VERSION=k8s-1.21.0 # The specific (latest) version is needed here
export USE_SSH_KEYS=key1,key2 # Name or IDs of your SSH Keys within the Hetzner Cloud, the servers will be accessable with that keys
export USE_NETWORKS=yes # if `yes` this identidicates that the tests should provision the server with cilium as CNI and also enable the Network related tests
## Optional configuration env vars:
export TEST_DEBUG_MODE=yes # With this env you can toggle the output of the provision and test commands. With `yes` it will log the whole output to stdout
export KEEP_SERVER_ON_FAILURE=yes # Keep the test server after a test failure.
  1. Run the tests
go test $(go list ./... | grep e2etests) -v -timeout 60m

The tests will now run and cleanup themselves afterwards. Sometimes it might happen that you need to clean up the project manually via the Hetzner Cloud Console or the hcloud-cli .

For easier debugging on the server we always configure the latest version of the hcloud-cli with the given HCLOUD_TOKEN and a few bash aliases on the host:

alias k="kubectl"
alias ksy="kubectl -n kube-system"
alias kgp="kubectl get pods"
alias kgs="kubectl get services"


Apache License, Version 2.0