⚠️ Upgrade Notes
- This is a pure bug-fix patch: existing clusters should see a no-op `terraform plan` after upgrading (verified against v2.20.0 — no resource changes, no recreation). The agent-startup and kustomization fixes take effect on fresh applies and node replacements; the SELinux fix applies to newly provisioned/replaced nodes only.
🐛 Bug Fixes
- Traefik Gateway API CRDs - Install the Kubernetes Gateway API standard CRDs before Traefik when `traefik_provider_kubernetes_gateway_enabled` is enabled, preventing Helm install failures for `GatewayClass` and `Gateway` resources (#2211).
- Agent Startup Race on Fresh Deploys - Agent nodes now start only after the kustomization that deploys the Hetzner CCM, fixing consistent `exit 124` timeouts on fresh single-apply deployments. The agent start is also observable now: on failure it dumps `systemctl status` and journal output instead of failing silently (#2215, #2220).
- User Kustomization Failures No Longer Masked - A failed `kubectl apply -k` in the user kustomization deploy now fails the apply loudly instead of being masked by trailing `extra_kustomize_deployment_commands` (#2225).
- Packer Snapshot Build Overrides - The MicroOS snapshot template now exposes `x86_server_type`, `x86_location`, `arm_server_type`, and `arm_location` packer variables, so builds can be pointed at available server types/locations with `-var` instead of editing the template when Hetzner capacity shifts (#2214).
- SELinux: CSI Liveness Probes - Added `allow container_t kernel_t:tcp_socket { read write }` to the kube-hetzner SELinux policy, fixing hcloud-csi-driver (and similar CSI) crash-loops caused by liveness-probe denials under enforcing SELinux. Applies to newly provisioned/replaced nodes; on existing nodes either replace nodes or apply the module manually as described in #2203.
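To check whether an existing node is hitting the denial the SELinux fix addresses, this added example (not kube-hetzner's own code) parses AVC denial records and separates those the quoted `allow` rule would permit from those it would not. The sample audit lines, process names and function names are constructed for illustration.

```python
import re

# Rule quoted in the release notes: allow container_t kernel_t:tcp_socket { read write }
RULE = ("container_t", "kernel_t", "tcp_socket", {"read", "write"})

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?')

# Constructed sample records (assumption: not captured from a real node).
SAMPLE = [
    'type=AVC msg=audit(1700000000.101:311): avc:  denied  { read write } for  pid=4021 comm="livenessprobe" lport=9808 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:system_r:kernel_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1700000001.202:312): avc:  denied  { connect } for  pid=4100 comm="sidecar" scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:system_r:kernel_t:s0 tclass=tcp_socket permissive=0',
    'type=SYSCALL msg=audit(1700000001.202:312): arch=c000003e syscall=42 success=no exit=-13',
    'type=AVC msg=audit(1700000002.303:313): avc:  denied  { read } for  pid=4200 comm="app" name="data" dev="sda1" ino=42 scontext=system_u:system_r:container_t:s0:c5,c6 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1',
]

def selinux_type(context):
    """The type is the third field of user:role:type:level[:categories]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def parse_denial(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {"comm": m["comm"], "source": selinux_type(m["scon"]),
            "target": selinux_type(m["tcon"]), "tclass": m["tclass"],
            "perms": set(m["perms"].split()),
            "enforced": m["permissive"] != "1"}

def covered_by_rule(d, rule=RULE):
    """True only if every denied permission is granted by the rule."""
    src, tgt, tclass, perms = rule
    return (d["source"], d["target"], d["tclass"]) == (src, tgt, tclass) \
        and d["perms"] <= perms

def triage(lines):
    """Split denials into (covered by the rule, still denied after it)."""
    covered, remaining = [], []
    for d in filter(None, map(parse_denial, lines)):
        (covered if covered_by_rule(d) else remaining).append(d)
    return covered, remaining

if __name__ == "__main__":
    covered, remaining = triage(SAMPLE)
    print("covered:", [d["comm"] for d in covered])
    print("remaining:", [(d["comm"], d["tclass"], sorted(d["perms"])) for d in remaining])
```

Denials that land in `remaining` are unrelated to this fix and need their own review rather than a broader `allow` rule.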
👥 Contributors
Thanks to all contributors who made this release possible:
- @pgrig — diagnosed the SELinux CSI liveness-probe denial and authored the policy fix shipped in #2229
- @shyblower — root-caused the agent startup race (#2215) and verified the fix in production
- Claude Opus 4.8
- K. N.
- Karim Naufal
- Nikolaus Schuetz
- dependabot[bot]
- knuurr
- mysticaltech
What's Changed
📚 Documentation
- [AUTO] Update Terraform Documentation by @github-actions[bot] in #2209
Other Changes
- fix(agents): order agents after kustomization and surface start failures by @nikolauspschuetz in #2220
- fix(kustomize): don't mask a failed kubectl apply -k in user kustomization deploy by @knuurr in #2225
- fix: install Gateway API CRDs for Traefik by @mysticaltech in #2212
- fix(packer): expose server type/location overrides for snapshot builds by @mysticaltech in #2228
- fix(selinux): allow container liveness probes on kernel-labeled tcp sockets by @mysticaltech in #2229
New Contributors
- @nikolauspschuetz made their first contribution in #2220
- @knuurr made their first contribution in #2225
Full Changelog: v2.20.0...v2.20.1