Prerequisites
Before creating a Hetzner cluster, you need two credentials:Hetzner API Credential
A Hetzner Cloud API token with read/write permissions. See Hetzner Credentials.
SSH Key Credentials
One or more SSH public keys for server access. You can provide your own or let Ankra generate one. Multiple keys can be attached to a single cluster. See SSH Key Credentials.
Creating a Hetzner Cluster
Via the Platform UI
Configure Cluster
Fill in the cluster configuration:
- Name — a unique name for your cluster
- Hetzner Credential — select your Hetzner API credential
- SSH Keys — select one or more SSH key credentials
- Location — Hetzner datacenter (e.g.,
fsn1,nbg1,hel1) - Control Plane — count and server type (e.g.,
cx33) - Workers — count and server type
- Distribution — Kubernetes distribution (
k3s) - Include Ingress — optionally deploy an ingress stack (ingress-nginx, cert-manager, Let’s Encrypt)
Via the CLI
Via the API
The
worker_count and worker_server_type fields are still accepted for backward compatibility. If node_groups is provided, it takes precedence.
The singular ssh_key_credential_id field is also still accepted. If both fields are provided, they are merged.Access Settings
The Access tab in cluster settings provides SSH access commands and SSH key management for Hetzner clusters.SSH Access
The Access page displays copy-pasteable commands for connecting to your cluster: SSH to the control plane via the bastion host:kubectl access:
kubectl to use https://localhost:6443.
The Access page also shows the network topology with the bastion host and all control plane nodes.
Managing SSH Keys
You can add or remove SSH key credentials from a running cluster in Settings > Access. Changes are synced to all servers on the next reconciliation — SSH keys are registered with the Hetzner API andauthorized_keys is updated on all nodes.
SSH keys can also be managed via the SSH key API.
Node Groups
Node groups let you organize worker nodes into logical groups with independent instance types, counts, labels, and taints. Each group can be scaled, upgraded, and configured independently.Via the Platform UI
Navigate to cluster Settings > Nodes to manage node groups. From this tab you can:- View all node groups with their instance type, count, labels, and taints
- Add new node groups with a name, instance type, count, and optional labels/taints
- Scale individual groups up or down (0–100 nodes)
- Upgrade the instance type (upgrade only — see Instance Type Changes)
- Edit labels and taints per group
- Delete a node group and all its nodes
List Node Groups
Add a Node Group
Scale a Node Group
Instance Type Changes
Delete a Node Group
Update Labels and Taints
Node Group API Reference
All node-group operations are also available via the REST API — see the Node Group API.Scaling Up After Termination
When a cluster’s Kubernetes has been deleted, all infrastructure is destroyed but the cluster record remains in Ankra. You can bring the cluster back online by adding a new node group.How It Works
Add a Node Group
Use the UI, CLI, or API to add a node group to the terminated cluster (same as adding to a running cluster).
Ankra Restores Infrastructure
Ankra detects the cluster is stopped and automatically restores the full control plane:
- Private network and subnet
- SSH keys
- Bastion host
- Control plane servers (same count and type as before termination)
- Kubernetes (k3s) installation on all control plane nodes
Workers Join the Cluster
The new node group workers are created and join the restored Kubernetes cluster. The worker k8s jobs wait for the first control plane to be ready before attempting to join.
The restored cluster gets entirely fresh infrastructure — new Hetzner servers, new IP addresses, new k3s installation. Data from before the termination is not preserved on the servers. Persistent data stored in Hetzner Volumes (via the CSI driver) is preserved if the volumes were not deleted.
Only the control plane configuration from before termination is restored. Previously existing worker node groups are not restored — the node group you add is the only worker pool. Add additional node groups as needed.
Legacy Worker Scaling
The legacyscale-workers and worker-count endpoints still work for backward compatibility. They operate on all workers as a single pool.
For new clusters, prefer using Node Groups for more granular control.
Upgrading Kubernetes Version
You can upgrade the Kubernetes (k3s) version on all nodes in a Hetzner cluster. Upgrades are applied to control plane nodes first, then workers.Check Current Version
Upgrade Version
Cluster Lifecycle
Delete Kubernetes
Deleting the Kubernetes layer destroys all Hetzner infrastructure (servers, networks, SSH keys) but keeps the cluster registered in Ankra. The cluster moves to a stopped state and can be brought back online by adding a node group. This is useful for cost savings when a cluster is not needed temporarily — you stop paying for Hetzner servers while preserving the cluster configuration, credentials, and history in Ankra. What happens when you delete Kubernetes:- All Hetzner servers (control planes, workers, bastion) are deleted from Hetzner Cloud
- Network and SSH keys are deleted from Hetzner Cloud
- All cloud resources are marked as stopped in Ankra
- The cluster record, credentials, and stacks remain in Ankra
- You stop incurring Hetzner infrastructure charges
- Ankra automatically restores the control plane infrastructure (bastion, network, SSH keys, control plane servers)
- Kubernetes is installed on the restored control planes
- The new node group workers are created and join the cluster
- Stacks and addons begin reconciling once the cluster is online
Terminate Cluster
Terminating a cluster permanently deletes all Hetzner resources and removes the cluster from Ankra entirely. The cluster cannot be recovered.GitOps Integration
Hetzner clusters support optional GitOps integration with GitHub. When configured, Ankra pushes the cluster’s stack state to a Git repository, enabling version-controlled infrastructure. To enable GitOps during cluster creation, provide:| Parameter | Description |
|---|---|
gitops_credential_name | Name of a GitHub credential registered in Ankra |
gitops_repository | GitHub repository (e.g., my-org/my-cluster-config) |
gitops_branch | Branch to push to (default: master) |
Troubleshooting
Common Issues
| Issue | Solution |
|---|---|
| Cluster stuck in provisioning | Check Hetzner API token permissions and quota |
| Cannot scale workers | Ensure no operations are running |
| Invalid API token | Re-validate at Hetzner Console |
| Server type unavailable | Try a different location or server type |
| Cannot downgrade instance type | Hetzner disks cannot be shrunk. Create a new node group with the desired type and delete the old one |
412: error during placement | Hetzner capacity issue at that location. Retry later or try a different server type |
Node has uninitialized taint | The CCM removes this taint automatically after initializing the node. If it persists, check that the CCM pods are running in the hcloud namespace |
LoadBalancer service stuck in Pending | Verify the CCM is running: kubectl get pods -n hcloud. Check CCM logs for Hetzner API errors |
PVCs stuck in Pending | Verify the CSI driver is running: kubectl get pods -n hcloud. Check that the hcloud-volumes StorageClass exists |
CCM/CSI pods in CrashLoopBackOff | Check that the hcloud-token secret in the hcloud namespace contains a valid Hetzner API token: kubectl get secret -n hcloud hcloud-token -o yaml |
Ankra Agent pod Pending | Check node taints — the agent tolerates the uninitialized taint but if all nodes are unschedulable for other reasons, verify node status with kubectl describe nodes |
Hetzner API Quota
Hetzner Cloud has default resource limits per project. If provisioning fails, check your quotas in the Hetzner Console:- Servers
- Networks
- SSH Keys