Skip to main content

ankra cluster

Commands for managing and operating on clusters. Flags
FlagDefaultDescription
--clusterTarget cluster name or ID for this command, overriding ankra cluster select

ankra cluster access

List, grant, and revoke per-user access to a cluster’s Kubernetes API through the Ankra gateway (the access used by ‘ankra cluster kubeconfig’ and ‘ankra cluster kube-token’). Managing access requires organisation admin rights. Grants apply to one cluster and one organisation member, identified by email. Examples: ankra cluster access list —cluster my-cluster ankra cluster access grant [email protected] —cluster my-cluster —role view ankra cluster access grant [email protected] —cluster my-cluster —role edit —namespace staging ankra cluster access revoke [email protected] —cluster my-cluster ankra cluster access revoke 6f1f9aca-2c3d-4e5f-8a9b-0c1d2e3f4a5b —cluster my-cluster

ankra cluster access grant

Grant an organisation member access to a cluster’s Kubernetes API through the Ankra gateway. The grant is cluster-wide by default; pass —namespace to limit it to one namespace. Roles map to the standard Kubernetes ClusterRoles: view, edit, admin, cluster-admin.
ankra cluster access grant <email> [flags]
Flags
FlagDefaultDescription
--clusterCluster name or ID (defaults to the selected cluster)
--namespaceLimit the grant to one namespace (default: cluster-wide)
-o, --outputOutput format: json or yaml (default: human-readable)
--roleviewKubernetes role for the grant: view, edit, admin, or cluster-admin

ankra cluster access list

List access grants for a cluster
ankra cluster access list [flags]
Flags
FlagDefaultDescription
--clusterCluster name or ID (defaults to the selected cluster)
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster access revoke

Revoke gateway access from a cluster. Pass a grant ID (from ‘ankra cluster access list’) to revoke a single grant, or an email address to revoke every grant that member has on the cluster.
ankra cluster access revoke <grant-id|email> [flags]
Flags
FlagDefaultDescription
--clusterCluster name or ID (defaults to the selected cluster)

ankra cluster addons

Commands to list, manage settings, and uninstall addons.

ankra cluster addons available

List addons available for installation
ankra cluster addons available [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster addons list

List addons for the active cluster; or show details for a single addon
ankra cluster addons list [addon name] [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster addons settings

Get settings for an addon
ankra cluster addons settings <addon_name> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster addons uninstall

Uninstall an addon from the cluster
ankra cluster addons uninstall <addon_name> [flags]
Flags
FlagDefaultDescription
--deletefalseAlso delete the addon permanently
--yesfalseSkip the confirmation prompt

ankra cluster addons update

Update addon settings by providing a JSON file that conforms to the settings schema. Example JSON file: { “retry_policy”: { “limit”: 3, “backoff”: { “duration”: “5s”, “factor”: 2, “max_duration”: “3m” } }, “sync_policy”: { “automated”: true, “self_heal”: true, “auto_prune”: false }, “revision_history_limit”: 10 } Usage: ankra cluster addons update my-addon -f settings.json
ankra cluster addons update <addon_name> [flags]
Flags
FlagDefaultDescription
-f, --filePath to JSON settings file (required)

ankra cluster addons upgrade

Upgrade an addon by patching just the fields you supply. At least one mutating flag is required. Examples:

Bump chart version

ankra cluster addons upgrade ankra-website —chart-version 1.0.146
—cluster website-demo

Tweak a single Helm values field with —set (mutates the existing values)

ankra cluster addons upgrade website —set image.tag=1.0.146
—cluster website-demo

Address a list item by a field instead of an index

ankra cluster addons upgrade website —set ‘env[name=LOG_LEVEL].value=debug’
—cluster website-demo

Replace the whole values document

ankra cluster addons upgrade website
—values-from-file ./values.yaml —cluster website-demo
—set* and —values-from-file are mutually exclusive: —set* mutates the existing values document while —values-from-file replaces it. Changing —namespace is destructive (Helm reinstall in the new namespace, leaves the old release orphaned). Use —yes to skip the confirmation prompt or interactively confirm.
ankra cluster addons upgrade <addon_name> [flags]
Flags
FlagDefaultDescription
--add-parent[]Add a dependency parent, e.g. —add-parent name=infisical-ns,kind=manifest (kind defaults to manifest; repeatable)
--chart-versionNew chart version to install
--clusterTarget cluster (name or ID); defaults to the active selection
--dry-runfalsePrint the proposed before/after spec without applying changes
--namespaceChange the addon’s namespace (destructive: Helm reinstall)
-o, --outputOutput format: json or yaml (default: human-readable)
--registry-credential-nameNew helm registry credential name
--registry-nameNew helm registry name
--registry-urlNew helm registry URL
--remove-parent[]Remove a dependency parent, e.g. —remove-parent name=infisical-ns,kind=manifest (repeatable)
--set[]Helm-style values mutation, e.g. —set image.tag=1.0.0 (MUTATES existing values; repeatable, comma-separated)
--set-file[]Like —set but reads the value from a file: key=path or key=@path
--set-parent[]Replace ALL dependency parents with the given set (repeatable); pass none with the others to clear
--set-string[]Like —set but always treats the value as a string
--stackStack name (required when the addon exists in multiple stacks)
--valuesUse - to read values YAML from stdin (REPLACES the entire values document)
--values-from-filePath to YAML values file (REPLACES the entire values document)
--yesfalseSkip the confirmation prompt for destructive changes (—namespace)

ankra cluster addons values

Print the current Helm values document for an addon. By default the decoded YAML is written to stdout, making it easy to pipe into a file or edit and re-apply with —values-from-file: ankra cluster addons values my-addon > values.yaml ankra cluster addons values my-addon -o raw # base64-encoded form
ankra cluster addons values <addon_name> [flags]
Flags
FlagDefaultDescription
--clusterTarget cluster (name or ID); defaults to the active selection
-o, --outputOutput format: yaml (decoded, default) or raw (base64)

ankra cluster agent

Commands to view agent status, get tokens, and upgrade agents.

ankra cluster agent status

Get agent status for the selected cluster
ankra cluster agent status [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster agent token

Get or generate agent token for the selected cluster
ankra cluster agent token [flags]
Flags
FlagDefaultDescription
--generatefalseGenerate a new agent token
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster agent upgrade

Upgrade the agent on the selected cluster
ankra cluster agent upgrade

ankra cluster apply

Apply an ImportCluster YAML to the Ankra API
ankra cluster apply [flags]
Flags
FlagDefaultDescription
--dry-runfalseValidate the ImportCluster YAML locally without calling the API
-f, --filePath to the ImportCluster YAML file to apply
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)

ankra cluster clear

Clear the active cluster selection
ankra cluster clear

ankra cluster clone

Clone stacks from an existing cluster ImportCluster YAML to a new cluster. The source can be either a local file path or a URL (http/https). Examples: ankra cluster clone cluster.yaml new-cluster.yaml ankra cluster clone https://github.com/user/repo/raw/main/cluster.yaml new-cluster.yaml ankra cluster clone cluster.yaml new-cluster.yaml —stack “monitoring” —stack “networking” Flags: —clean: Replace all stacks in the new cluster with those from the existing cluster —force: Force merge even when stack/addon/manifest names conflict —copy-missing: Copy missing files even for skipped stacks —stack: Clone only specific stacks by name (can be used multiple times) Without flags: Merge stacks, skipping any with conflicting names
ankra cluster clone <existing_cluster_file_or_url> <new_cluster_path> [flags]
Flags
FlagDefaultDescription
--cleanfalseReplace all stacks in the new cluster
--copy-missingfalseCopy missing files even for skipped stacks
--forcefalseForce merge even when names conflict
--stack[]Clone only specific stacks by name (can be used multiple times)

ankra cluster decrypt

Decrypt SOPS-encrypted values stored on a cluster or in a local cluster.yaml.

ankra cluster decrypt addon

Decrypt a SOPS-encrypted addon’s Helm values and print the result to stdout. Two modes: Cluster mode (default): fetch the addon values from a live cluster, decrypt, and print to stdout. File mode (-f cluster.yaml): read the addon values file referenced from a local cluster.yaml, decrypt, and print to stdout. Examples: ankra cluster decrypt addon —name grafana ankra cluster decrypt addon —name grafana —cluster prod —stack monitoring ankra cluster decrypt addon —name grafana -f cluster.yaml
ankra cluster decrypt addon [flags]
Flags
FlagDefaultDescription
--clusterTarget cluster (name or ID); defaults to the active selection (cluster mode)
-f, --filePath to a local cluster YAML (enables file mode)
--nameName of the addon (required)
--stackStack name (cluster mode; required when the addon exists in multiple stacks)

ankra cluster decrypt manifest

Decrypt a SOPS-encrypted manifest and print the result to stdout. Two modes: Cluster mode (default): fetch the manifest from a live cluster, decrypt it, and print to stdout. File mode (-f cluster.yaml): read the manifest file referenced from a local cluster.yaml, decrypt it, and print to stdout. Examples:

Cluster mode against the selected cluster

ankra cluster decrypt manifest db-secret

Cluster mode against a specific cluster

ankra cluster decrypt manifest db-secret —cluster prod

File mode

ankra cluster decrypt manifest db-secret -f cluster.yaml
ankra cluster decrypt manifest <manifest_name> [flags]
Flags
FlagDefaultDescription
--clusterTarget cluster (name or ID); defaults to the active selection (cluster mode)
-f, --filePath to a local cluster YAML (enables file mode)

ankra cluster deprovision

Stop a running managed cluster. This will shut down the cluster but not delete it. If no cluster name is provided, uses the currently selected cluster. For cloud clusters (hetzner, ovh, upcloud) this command routes to the provider-specific deprovision endpoint so cloud resources are released.
ankra cluster deprovision [cluster_name] [flags]
Flags
FlagDefaultDescription
--auto-deletefalseAutomatically delete the cluster after deprovisioning
--forcefalseForce deprovision even if cluster is in an unexpected state
-o, --outputOutput format: json or yaml (default: human-readable)
--yesfalseSkip the confirmation prompt

ankra cluster draft

Stage all changes in an ImportCluster YAML as drafts on the cluster without deploying anything. The local checks run first (the same ones as ‘ankra cluster apply —dry-run’), then each stack in the file is saved as a resource draft you can review, edit, and deploy from the Ankra stack builder. If the cluster does not exist yet it is imported first without its stacks, since drafts can only be attached to an existing cluster; every stack in the file is then staged as a draft. Stacks that already match the cluster’s desired state are reported as “no changes” rather than creating an empty draft.
ankra cluster draft [flags]
Flags
FlagDefaultDescription
-f, --filePath to the ImportCluster YAML file to stage as drafts
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster encrypt

Encrypt sensitive values in manifest or addon configuration files using SOPS.

ankra cluster encrypt addon

Encrypt a specific key in an addon’s Helm values using SOPS. —key takes the YAML key name whose values should be encrypted. SOPS matches key names anywhere in the document, not dotted paths; a dotted —key is normalised to its last segment. A key whose own name starts with a dot (such as “.dockerconfigjson”) is kept literally. After encrypting, the CLI verifies the value is actually ENC[…] ciphertext and fails if it is not. Two modes: Cluster mode (default): fetch the addon’s values from a live cluster, encrypt the key, and push the result back via the partial-stack PATCH endpoint. The owning stack is resolved automatically. File mode (-f cluster.yaml): rewrite the local addon values file referenced by the cluster.yaml in place, adding the key to encrypted_paths. Examples:

Cluster mode against the selected cluster

ankra cluster encrypt addon —name grafana —key adminPassword

Cluster mode against a specific cluster, disambiguating stack

ankra cluster encrypt addon —name grafana —key adminPassword —cluster prod —stack monitoring

File mode

ankra cluster encrypt addon —name grafana —key adminPassword -f cluster.yaml
ankra cluster encrypt addon [flags]
Flags
FlagDefaultDescription
--clusterTarget cluster (name or ID); defaults to the active selection (cluster mode)
-f, --filePath to a local cluster YAML (enables file mode)
--keyYAML key name to encrypt (required); dotted paths are normalised to the last segment, a leading-dot key like .dockerconfigjson is kept literally
--nameName of the addon (required)
--stackStack name (cluster mode; required when the addon exists in multiple stacks)

ankra cluster encrypt manifest

Encrypt a specific key in a manifest using SOPS. —key takes the YAML key name whose values should be encrypted (for a Secret’s data.password, that is “password”). SOPS matches key names anywhere in the document, not dotted paths; a dotted —key is normalised to its last segment. A key whose own name starts with a dot (such as “.dockerconfigjson” in a kubernetes.io/dockerconfigjson Secret) is kept literally. After encrypting, the CLI verifies the value is actually ENC[…] ciphertext and fails if it is not. Two modes: Cluster mode (default): fetch the manifest from a live cluster, encrypt the key, and push the result back via the partial-stack PATCH endpoint. The owning stack is resolved automatically. File mode (-f cluster.yaml): rewrite a local cluster.yaml’s referenced from_file in place, adding the key to encrypted_paths in the file. Used by GitOps workflows where the source of truth is on disk. Examples:

Cluster mode against the selected cluster

ankra cluster encrypt manifest db-secret —key password

Cluster mode against a specific cluster

ankra cluster encrypt manifest db-secret —key password —cluster prod

File mode

ankra cluster encrypt manifest db-secret —key password -f cluster.yaml
ankra cluster encrypt manifest <manifest_name> [flags]
Flags
FlagDefaultDescription
--clusterTarget cluster (name or ID); defaults to the active selection (cluster mode)
-f, --filePath to a local cluster YAML (enables file mode)
--keyYAML key name to encrypt (required); dotted paths are normalised to the last segment, a leading-dot key like .dockerconfigjson is kept literally

ankra cluster get

Get Kubernetes resources from the active cluster. Examples: ankra cluster get pods ankra cluster get deployments -n kube-system ankra cluster get nodes ankra cluster get services —all-namespaces

ankra cluster get configmaps

List configmaps in the cluster
ankra cluster get configmaps [name] [flags]
Flags
FlagDefaultDescription
-A, --all-namespacesfalseList across all namespaces
--nameFilter by resource name
-n, --namespaceKubernetes namespace
-o, --outputtableOutput format: table, json, yaml
-l, --selectorLabel selector

ankra cluster get cronjobs

List cronjobs in the cluster
ankra cluster get cronjobs [name] [flags]
Flags
FlagDefaultDescription
-A, --all-namespacesfalseList across all namespaces
--nameFilter by resource name
-n, --namespaceKubernetes namespace
-o, --outputtableOutput format: table, json, yaml
-l, --selectorLabel selector

ankra cluster get daemonsets

List daemonsets in the cluster
ankra cluster get daemonsets [name] [flags]
Flags
FlagDefaultDescription
-A, --all-namespacesfalseList across all namespaces
--nameFilter by resource name
-n, --namespaceKubernetes namespace
-o, --outputtableOutput format: table, json, yaml
-l, --selectorLabel selector

ankra cluster get deployments

List deployments in the cluster
ankra cluster get deployments [name] [flags]
Flags
FlagDefaultDescription
-A, --all-namespacesfalseList across all namespaces
--nameFilter by resource name
-n, --namespaceKubernetes namespace
-o, --outputtableOutput format: table, json, yaml
-l, --selectorLabel selector

ankra cluster get events

List events in the cluster
ankra cluster get events [name] [flags]
Flags
FlagDefaultDescription
-A, --all-namespacesfalseList across all namespaces
--nameFilter by resource name
-n, --namespaceKubernetes namespace
-o, --outputtableOutput format: table, json, yaml
-l, --selectorLabel selector

ankra cluster get ingresses

List ingresses in the cluster
ankra cluster get ingresses [name] [flags]
Flags
FlagDefaultDescription
-A, --all-namespacesfalseList across all namespaces
--nameFilter by resource name
-n, --namespaceKubernetes namespace
-o, --outputtableOutput format: table, json, yaml
-l, --selectorLabel selector

ankra cluster get k8s-jobs

List Kubernetes jobs in the cluster
ankra cluster get k8s-jobs [name] [flags]
Flags
FlagDefaultDescription
-A, --all-namespacesfalseList across all namespaces
--nameFilter by resource name
-n, --namespaceKubernetes namespace
-o, --outputtableOutput format: table, json, yaml
-l, --selectorLabel selector

ankra cluster get namespaces

List namespaces in the cluster
ankra cluster get namespaces [name] [flags]
Flags
FlagDefaultDescription
--nameFilter by resource name
-o, --outputtableOutput format: table, json, yaml
-l, --selectorLabel selector

ankra cluster get nodes

List nodes in the cluster
ankra cluster get nodes [name] [flags]
Flags
FlagDefaultDescription
--nameFilter by resource name
-o, --outputtableOutput format: table, json, yaml
-l, --selectorLabel selector

ankra cluster get pods

List pods or get a specific pod’s manifest
ankra cluster get pods [name] [flags]
Flags
FlagDefaultDescription
-A, --all-namespacesfalseList across all namespaces
--nameFilter by pod name (contains)
-n, --namespaceKubernetes namespace
--nodeFilter by node name
-o, --outputtableOutput format: table, json, yaml

ankra cluster get resources

Fetch any Kubernetes resource type. Use for kinds not covered by dedicated commands. Example: ankra cluster resources PersistentVolumeClaim -n default ankra cluster resources NetworkPolicy —all-namespaces
ankra cluster get resources <kind> [flags]
Flags
FlagDefaultDescription
-A, --all-namespacesfalseList across all namespaces
--api-versionv1API version (e.g. v1, v1beta1)
--groupAPI group (e.g. apps, networking.k8s.io)
--nameFilter by resource name
-n, --namespaceKubernetes namespace
-o, --outputtableOutput format: table, json, yaml
-l, --selectorLabel selector

ankra cluster get secrets

List secrets in the cluster
ankra cluster get secrets [name] [flags]
Flags
FlagDefaultDescription
-A, --all-namespacesfalseList across all namespaces
--nameFilter by resource name
-n, --namespaceKubernetes namespace
-o, --outputtableOutput format: table, json, yaml
-l, --selectorLabel selector

ankra cluster get services

List services in the cluster
ankra cluster get services [name] [flags]
Flags
FlagDefaultDescription
-A, --all-namespacesfalseList across all namespaces
--nameFilter by resource name
-n, --namespaceKubernetes namespace
-o, --outputtableOutput format: table, json, yaml
-l, --selectorLabel selector

ankra cluster get statefulsets

List statefulsets in the cluster
ankra cluster get statefulsets [name] [flags]
Flags
FlagDefaultDescription
-A, --all-namespacesfalseList across all namespaces
--nameFilter by resource name
-n, --namespaceKubernetes namespace
-o, --outputtableOutput format: table, json, yaml
-l, --selectorLabel selector

ankra cluster helm

Commands to list and uninstall Helm releases running in the cluster.

ankra cluster helm releases

List Helm releases in the cluster
ankra cluster helm releases [flags]
Flags
FlagDefaultDescription
-A, --all-namespacesfalseList across all namespaces (default)
-n, --namespaceKubernetes namespace
-o, --outputtableOutput format: table, json

ankra cluster helm uninstall

Uninstall a Helm release from the cluster
ankra cluster helm uninstall <release_name> [flags]
Flags
FlagDefaultDescription
-n, --namespaceKubernetes namespace (required)
--yesfalseSkip the confirmation prompt

ankra cluster hetzner

Commands to create, deprovision, and scale Hetzner clusters.

ankra cluster hetzner control-plane

Inspect and change the control plane configuration. The cluster must be stopped to change the controller count or instance type. Only 1 or 3 controllers are allowed (etcd needs an odd number of voting members for quorum). Changes apply the next time the cluster is started.

ankra cluster hetzner control-plane get

Show the current control plane configuration
ankra cluster hetzner control-plane get <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster hetzner control-plane set-count

Change the controller count (1 or 3)
ankra cluster hetzner control-plane set-count <cluster_id> <count> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster hetzner control-plane set-instance-type

Change the controller instance type
ankra cluster hetzner control-plane set-instance-type <cluster_id> <instance_type> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster hetzner create

Create a new Hetzner cluster
ankra cluster hetzner create [flags]
Flags
FlagDefaultDescription
--bastion-server-typecx23Bastion server type
--control-plane-count1Number of control plane nodes
--control-plane-server-typecx33Control plane server type
--credential-idHetzner API credential ID (required)
--distributionk3sKubernetes distribution
--external-cloud-providertrueInstall the Hetzner CCM and CSI (cloud-provider=external) for LoadBalancers and persistent volumes (default on; pass —external-cloud-provider=false to skip, which also disables —include-networking)
--gitops-branchmasterGitOps branch to commit to
--gitops-credential-nameGitOps GitHub credential name; when set with —gitops-repository, the generated hcloud stack is committed to Git (optional)
--gitops-repositoryGitOps repository (e.g. org/repo) to commit the generated stack to (optional)
--include-networkingtrueInstall Traefik + cert-manager for ingress (default on; pass —include-networking=false to skip). Requires —external-cloud-provider (the ingress LoadBalancer is provisioned by the cloud controller manager)
--kubernetes-versionKubernetes version (optional)
--locationHetzner location (required)
--nameCluster name (required)
--network-ip-range10.0.0.0/16Network IP range
-o, --outputOutput format: json or yaml (default: human-readable)
--ssh-key-credential-idSSH key credential ID (single key, use —ssh-key-credential-ids for multiple)
--ssh-key-credential-ids[]SSH key credential IDs (comma-separated or repeated)
--subnet-range10.0.1.0/24Subnet range
--worker-count1Number of worker nodes
--worker-server-typecx33Worker server type

ankra cluster hetzner deprovision

Initiate asynchronous deprovision of a Hetzner cluster. The platform schedules teardown jobs that delete cloud resources (servers, networks, SSH keys). Cloud resources are not deleted by the time this command returns; track progress via operations or the UI.
ankra cluster hetzner deprovision <cluster_id> [flags]
Flags
FlagDefaultDescription
--forcefalseForce deprovision without waiting for the cluster agent (use only when the cluster agent is permanently offline; cloud resources may leak)
-o, --outputOutput format: json or yaml (default: human-readable)
--yesfalseSkip the confirmation prompt

ankra cluster hetzner k8s-version

Get current Kubernetes version for a Hetzner cluster
ankra cluster hetzner k8s-version <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster hetzner locations

List the Hetzner Cloud locations the supplied credential can deploy in. Only these locations are valid for cluster creation.
ankra cluster hetzner locations [flags]
Flags
FlagDefaultDescription
--credential-idHetzner API credential ID (required)

ankra cluster hetzner node-group

List, add, scale, upgrade, and delete node groups.

ankra cluster hetzner node-group add

Add a node group
ankra cluster hetzner node-group add <cluster_id> [flags]
Flags
FlagDefaultDescription
--count1Number of nodes (0-100)
--instance-typecx33Server type for nodes
--nameNode group name (required)
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)

ankra cluster hetzner node-group delete

Delete a node group and all its nodes
ankra cluster hetzner node-group delete <cluster_id> <group_name> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)
--yesfalseSkip the confirmation prompt

ankra cluster hetzner node-group list

List node groups
ankra cluster hetzner node-group list <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster hetzner node-group scale

Scale a node group
ankra cluster hetzner node-group scale <cluster_id> <group_name> <count> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)

ankra cluster hetzner node-group upgrade

Upgrade instance type for a node group (cannot be reversed)
ankra cluster hetzner node-group upgrade <cluster_id> <group_name> <instance_type> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)

ankra cluster hetzner nodes

Inspect every server Ankra manages for the cluster (control plane, workers, and bastion or gateway). Soft-deleted entries from a stopped cluster are included so the saved topology is visible before re-provisioning.

ankra cluster hetzner nodes get

Show full spec and metadata for a single node
ankra cluster hetzner nodes get <cluster_id> <node_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster hetzner nodes list

List all nodes for the cluster
ankra cluster hetzner nodes list <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster hetzner scale

Scale the number of worker nodes up or down for a Hetzner cluster.
ankra cluster hetzner scale <cluster_id> <worker_count> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster hetzner server-types

List Hetzner Cloud server types. Pass —location to see which types are currently available for provisioning there, and —available-only to hide the rest.
ankra cluster hetzner server-types [flags]
Flags
FlagDefaultDescription
--available-onlyfalseOnly show server types available for provisioning (use with —location)
--credential-idHetzner API credential ID (required)
--locationFilter availability by location

ankra cluster hetzner upgrade

Upgrade the Kubernetes (k3s) version on all nodes in a Hetzner cluster.
ankra cluster hetzner upgrade <cluster_id> <target_version> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster hetzner workers

Get current worker count for a Hetzner cluster
ankra cluster hetzner workers <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster info

Show details of a specific cluster. If no name is provided, shows details for the currently selected cluster.
ankra cluster info [name] [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster k3s-versions

List the k3s versions the platform can provision or upgrade to. Use one of these values with ankra cluster upgrade &lt;cluster_id&gt; &lt;target_version&gt; (the provider is detected automatically).
ankra cluster k3s-versions

ankra cluster kube-token

Print a short-lived Kubernetes ExecCredential so kubectl can authenticate to the Ankra cluster gateway. This command is intended to be invoked by kubectl as a client-go credential plugin, for example in a kubeconfig: users:
  • name: ankra user: exec: apiVersion: client.authentication.k8s.io/v1 command: ankra args: [“cluster”, “kube-token”, “—cluster”, “<cluster-name-or-id>”, “—org”, “<organisation-id>”]
Pinning —org to the cluster’s organisation ID keeps the entry working when your selected organisation differs from the cluster’s (‘ankra cluster kubeconfig add’ writes it automatically). It prints JSON to stdout and never prompts; run ‘ankra login’ first.
ankra cluster kube-token [flags]
Flags
FlagDefaultDescription
--clusterCluster name or ID (defaults to the selected cluster)

ankra cluster kubeconfig

Add, remove, and list the Ankra cluster contexts in your kubeconfig. By default ‘add’ writes an exec-based context that fetches a short-lived token on demand via ‘ankra cluster kube-token’, so credentials stay ephemeral and SSO-backed (run ‘ankra login’ once). Other clusters/users/contexts already in your kubeconfig are left untouched. These commands read and write a single file: —kubeconfig if given, otherwise the first entry of $KUBECONFIG, otherwise ~/.kube/config. Examples: ankra cluster kubeconfig add —cluster my-cluster —use ankra cluster kubeconfig add —all ankra cluster kubeconfig add —cluster my-cluster —print > my-cluster.yaml ankra cluster kubeconfig list ankra cluster kubeconfig remove —cluster my-cluster ankra cluster kubeconfig remove —all

ankra cluster kubeconfig add

Add or update an Ankra context in your kubeconfig
ankra cluster kubeconfig add [flags]
Flags
FlagDefaultDescription
--allfalseAdd every cluster you can access
--clusterCluster name or ID (defaults to the selected cluster)
--embed-tokenfalseEmbed a short-lived token instead of the exec credential plugin
--exec-commandankraExecutable kubectl invokes for credentials in exec mode (use an absolute path if ‘ankra’ is not on PATH)
--insecure-skip-tls-verifyfalseSkip TLS verification for the cluster server (dev only)
--kubeconfigPath to the kubeconfig file (default: $KUBECONFIG or ~/.kube/config)
--namespaceDefault namespace for the context
--printfalsePrint a standalone kubeconfig to stdout instead of writing the file
--usefalseSet the added context as the active current-context

ankra cluster kubeconfig list

List Ankra-managed contexts in your kubeconfig
ankra cluster kubeconfig list [flags]
Flags
FlagDefaultDescription
--kubeconfigPath to the kubeconfig file (default: $KUBECONFIG or ~/.kube/config)

ankra cluster kubeconfig remove

Remove Ankra contexts from your kubeconfig
ankra cluster kubeconfig remove [flags]
Flags
FlagDefaultDescription
--allfalseRemove all Ankra-managed contexts
--clusterCluster name or ID
--kubeconfigPath to the kubeconfig file (default: $KUBECONFIG or ~/.kube/config)

ankra cluster list

List all clusters
ankra cluster list [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster logs

Stream log output from a pod in the active cluster. Example: ankra cluster logs my-pod -n default -c my-container —tail 100
ankra cluster logs <pod_name> [flags]
Flags
FlagDefaultDescription
-c, --containerContainer name (defaults to pod name)
-n, --namespaceKubernetes namespace (required)
--since0Seconds of logs to retrieve
--tail0Number of lines from the end of the logs

ankra cluster manifests

Commands to list, view, upgrade, and delete manifests.

ankra cluster manifests delete

Disconnect a manifest from its stack. The manifest’s resources are removed from the cluster and dependent resources are reconnected to the manifest’s own parents. The owning stack is discovered automatically (manifest names are unique per cluster). Use —dry-run to preview the target without making changes.
ankra cluster manifests delete <manifest_name> [flags]
Flags
FlagDefaultDescription
--clusterTarget cluster (name or ID); defaults to the active selection
--dry-runfalsePrint the manifest that would be disconnected without making changes
--yesfalseSkip the confirmation prompt

ankra cluster manifests get

Print the current YAML content of a manifest. By default the decoded YAML is written to stdout, making it easy to pipe into a file or edit and re-apply with —from-file: ankra cluster manifests get web > web.yaml ankra cluster manifests get web -o raw # base64-encoded form
ankra cluster manifests get <manifest_name> [flags]
Flags
FlagDefaultDescription
--clusterTarget cluster (name or ID); defaults to the active selection
-o, --outputOutput format: yaml (decoded, default) or raw (base64)

ankra cluster manifests list

List manifests for the active cluster; or show details for a single manifest
ankra cluster manifests list [manifest name] [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster manifests upgrade

Upgrade a manifest by patching just the fields you supply. At least one mutating flag is required. Examples:

Patch a single path in-place, e.g. bump a Deployment image tag

ankra cluster manifests upgrade web
—set ‘spec.template.spec.containers[name=app].image=nginx:1.27’
—cluster website-demo

When the manifest holds multiple documents, select which one to edit

ankra cluster manifests upgrade web —target-kind Deployment —target-name web
—set ‘spec.replicas=3’ —cluster website-demo

Replace the manifest content from a file

ankra cluster manifests upgrade demo-namespace
—from-file manifests/demo-namespace.yaml —cluster website-demo

Read the manifest from stdin

cat manifest.yaml | ankra cluster manifests upgrade demo-namespace
—manifest - —cluster website-demo
—set/—set-string/—set-file MUTATE the existing manifest YAML and address list items by a stable field (e.g. containers[name=app]) as well as by numeric index (containers[0]). —from-file / —manifest - REPLACE the whole manifest and are mutually exclusive with —set*. When no content or —set flag is supplied, the existing content is re-sent unchanged (only namespace is updated). This is required because the backend’s manifest validation rejects empty manifest_base64.
ankra cluster manifests upgrade <manifest_name> [flags]
Flags
FlagDefaultDescription
--add-parent[]Add a dependency parent, e.g. —add-parent name=infisical-ns,kind=manifest (kind defaults to manifest; repeatable)
--clusterTarget cluster (name or ID); defaults to the active selection
--dry-runfalsePrint the proposed before/after spec without applying changes
--from-filePath to manifest YAML file (REPLACES the entire manifest)
--manifestUse - to read manifest YAML from stdin (REPLACES the entire manifest)
--namespaceChange the manifest’s namespace
-o, --outputOutput format: json or yaml (default: human-readable)
--remove-parent[]Remove a dependency parent, e.g. —remove-parent name=infisical-ns,kind=manifest (repeatable)
--set[]In-place edit of the manifest YAML, e.g. —set ‘spec.template.spec.containers[name=app].image=nginx:1.27’ (MUTATES existing content; repeatable, comma-separated)
--set-file[]Like —set but reads the value from a file: key=path or key=@path
--set-parent[]Replace ALL dependency parents with the given set (repeatable)
--set-string[]Like —set but always treats the value as a string
--target-kindWith —set: select the document to edit by Kubernetes kind (e.g. Deployment) when the manifest holds multiple documents
--target-nameWith —set: select the document to edit by metadata.name when the manifest holds multiple documents
--yesfalseSkip confirmation prompts

ankra cluster metrics

Query the Prometheus metrics source configured for a cluster. The query is proxied through the Ankra agent to the in-cluster Prometheus endpoint configured in Cluster Settings > Metrics. Flags
FlagDefaultDescription
--clusterCluster name (defaults to the selected cluster)

ankra cluster metrics query

Run an instant PromQL query against the cluster’s Prometheus source. Examples: ankra cluster metrics query ‘up’ ankra cluster metrics query ‘sum(rate(container_cpu_usage_seconds_total[5m])) by (pod)’
ankra cluster metrics query [promql] [flags]
Flags
FlagDefaultDescription
-o, --outputtableOutput format: table, json, yaml
--timeout0Query timeout in seconds (default server-side)

ankra cluster metrics query-range

Run a range PromQL query against the cluster’s Prometheus source. Provide either —range (a duration relative to now) or both —start and —end (Unix seconds). When —step is omitted a sensible step is chosen automatically. Examples: ankra cluster metrics query-range ‘up’ —range 1h ankra cluster metrics query-range ‘rate(node_cpu_seconds_total[5m])’ —range 6h —step 5m ankra cluster metrics query-range ‘up’ —start 1717000000 —end 1717003600 —step 1m
ankra cluster metrics query-range [promql] [flags]
Flags
FlagDefaultDescription
--endRange end as Unix seconds (use with —start)
-o, --outputtableOutput format: table, json, yaml
--rangeDuration relative to now (e.g. 15m, 1h, 6h, 24h, 7d)
--startRange start as Unix seconds (use with —end)
--stepResolution step (e.g. 30s, 1m, 5m)
--timeout0Query timeout in seconds (default server-side)

ankra cluster node-group

List, add, scale, upgrade, and delete node groups on a cloud cluster. The cloud provider (Hetzner, OVH, or UpCloud) is detected automatically from the cluster.

ankra cluster node-group add

Add a node group
ankra cluster node-group add <cluster_id> [flags]
Flags
FlagDefaultDescription
--count1Number of nodes
--instance-typeServer type / flavor / plan for nodes (required)
--nameNode group name (required)
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)

ankra cluster node-group delete

Delete a node group and all its nodes
ankra cluster node-group delete <cluster_id> <group_name> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)
--yesfalseSkip the confirmation prompt

ankra cluster node-group list

List node groups
ankra cluster node-group list <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster node-group scale

Scale a node group
ankra cluster node-group scale <cluster_id> <group_name> <count> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)

ankra cluster node-group upgrade

Upgrade instance type for a node group (cannot be reversed)
ankra cluster node-group upgrade <cluster_id> <group_name> <instance_type> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)

ankra cluster operations

Commands to list, inspect, retry, and cancel executions and their steps.

ankra cluster operations cancel

Cancel one or more running executions
ankra cluster operations cancel <execution_id> [<execution_id>...] [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster operations cancel-step

Cancel a specific step within an execution
ankra cluster operations cancel-step <execution_id> <step_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster operations list

List executions for the active cluster; optionally, provide an ID for details
ankra cluster operations list [execution ID] [flags]
Flags
FlagDefaultDescription
--failedfalseShortcut for —status failed —status critical
--interval5sPolling interval used when —watch is set
--limit50Maximum number of executions to return (max 100)
-o, --outputOutput format: json or yaml (default: human-readable)
--status[]Filter by execution status (repeatable). Examples: failed, critical, running
-w, --watchfalseContinuously poll and refresh until all executions reach a terminal state

ankra cluster operations retry

Retry a terminal execution (failed/cancelled/timeout)
ankra cluster operations retry <execution_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster operations steps

List steps for a specific execution
ankra cluster operations steps <execution_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster ovh

Commands to create, deprovision, and scale OVH Cloud clusters.

ankra cluster ovh access-info

Show the gateway (bastion) and control plane IPs plus ready-to-use SSH jump and Kubernetes API port-forward commands.
ankra cluster ovh access-info <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster ovh control-plane

Inspect and change the control plane configuration. The cluster must be stopped to change the controller count or instance type. Only 1 or 3 controllers are allowed (etcd needs an odd number of voting members for quorum). Changes apply the next time the cluster is started.

ankra cluster ovh control-plane get

Show the current control plane configuration
ankra cluster ovh control-plane get <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster ovh control-plane set-count

Change the controller count (1 or 3)
ankra cluster ovh control-plane set-count <cluster_id> <count> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster ovh control-plane set-instance-type

Change the controller instance type
ankra cluster ovh control-plane set-instance-type <cluster_id> <instance_type> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster ovh create

Create a new OVH cluster
ankra cluster ovh create [flags]
Flags
FlagDefaultDescription
--control-plane-count1Number of control plane nodes
--control-plane-flavor-idb2-15Control plane instance flavor
--credential-idOVH API credential ID (required)
--dhcp-end10.0.1.200DHCP range end
--dhcp-start10.0.1.100DHCP range start
--distributionk3sKubernetes distribution
--external-cloud-providertrueInstall the OpenStack CCM and Cinder CSI (cloud-provider=external) for LoadBalancers and persistent volumes (default on; pass —external-cloud-provider=false to skip, which also disables —include-networking)
--gateway-flavor-idb2-7Gateway instance flavor
--gitops-branchmasterGitOps branch to commit to
--gitops-credential-nameGitOps GitHub credential name; when set with —gitops-repository, the generated ovh-cloud stack is committed to Git (optional)
--gitops-repositoryGitOps repository (e.g. org/repo) to commit the generated stack to (optional)
--include-networkingtrueInstall Traefik + cert-manager for ingress (default on; pass —include-networking=false to skip). Requires —external-cloud-provider (the ingress LoadBalancer is provisioned by the cloud controller manager)
--kubernetes-versionKubernetes version (optional)
--nameCluster name (required)
--network-vlan-id0Network VLAN ID
-o, --outputOutput format: json or yaml (default: human-readable)
--regionOVH Cloud region (required)
--ssh-key-credential-idSSH key credential ID (required)
--subnet-cidr10.0.1.0/24Subnet CIDR
--worker-count1Number of worker nodes
--worker-flavor-idb2-15Worker instance flavor

ankra cluster ovh deprovision

Deprovision an OVH cluster
ankra cluster ovh deprovision <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)
--yesfalseSkip the confirmation prompt

ankra cluster ovh k8s-version

Get current Kubernetes version for an OVH cluster
ankra cluster ovh k8s-version <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster ovh node-group

List, add, scale, upgrade, label, taint, and delete node groups.

ankra cluster ovh node-group add

Add a node group
ankra cluster ovh node-group add <cluster_id> [flags]
Flags
FlagDefaultDescription
--count1Number of nodes (0-100)
--instance-typeb2-15Instance flavor for nodes
--labelsComma-separated key=value labels to apply to the node group
--nameNode group name (required)
-o, --outputOutput format: json or yaml (default: human-readable)
--taintsComma-separated key=value:Effect taints to apply to the node group
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)

ankra cluster ovh node-group delete

Delete a node group and all its nodes
ankra cluster ovh node-group delete <cluster_id> <group_name> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)
--yesfalseSkip the confirmation prompt

ankra cluster ovh node-group labels

Replace the labels on every node in the group. Pass —labels as a comma-separated list of key=value pairs, or —clear to remove all labels.
ankra cluster ovh node-group labels <cluster_id> <group_name> [flags]
Flags
FlagDefaultDescription
--clearfalseRemove all labels from the node group
--labelsComma-separated key=value pairs to set on the group
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)

ankra cluster ovh node-group list

List node groups
ankra cluster ovh node-group list <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster ovh node-group scale

Scale a node group
ankra cluster ovh node-group scale <cluster_id> <group_name> <count> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)

ankra cluster ovh node-group taints

Replace the taints on every node in the group. Pass —taints as a comma-separated list of key=value:Effect (value optional, effect defaults to NoSchedule), or —clear to remove all taints.
ankra cluster ovh node-group taints <cluster_id> <group_name> [flags]
Flags
FlagDefaultDescription
--clearfalseRemove all taints from the node group
-o, --outputOutput format: json or yaml (default: human-readable)
--taintsComma-separated key=value:Effect taints to set on the group
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)

ankra cluster ovh node-group upgrade

Upgrade instance type for a node group (cannot be reversed)
ankra cluster ovh node-group upgrade <cluster_id> <group_name> <instance_type> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)

ankra cluster ovh nodes

Inspect every server Ankra manages for the cluster (control plane, workers, and bastion or gateway). Soft-deleted entries from a stopped cluster are included so the saved topology is visible before re-provisioning.

ankra cluster ovh nodes get

Show full spec and metadata for a single node
ankra cluster ovh nodes get <cluster_id> <node_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster ovh nodes list

List all nodes for the cluster
ankra cluster ovh nodes list <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster ovh regions

List the OVH Cloud regions the supplied credential’s project can deploy in. Only these regions are valid for cluster creation.
ankra cluster ovh regions [flags]
Flags
FlagDefaultDescription
--credential-idOVH API credential ID (required)
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster ovh scale

Scale the number of worker nodes up or down for an OVH cluster.
ankra cluster ovh scale <cluster_id> <worker_count> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster ovh ssh-keys

Get and set the SSH key credentials authorised to access an OVH cluster’s nodes.

ankra cluster ovh ssh-keys get

Show SSH keys attached to an OVH cluster
ankra cluster ovh ssh-keys get <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster ovh ssh-keys set

Replace the SSH key credentials attached to an OVH cluster. Changes take effect on the next reconciliation.
ankra cluster ovh ssh-keys set <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)
--ssh-key-credential-ids[]SSH key credential IDs to attach (comma-separated or repeated)

ankra cluster ovh start

Start (re-provision) a stopped OVH cluster. Use —scope control_plane to bring up only the control plane.
ankra cluster ovh start <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)
--scopeallProvisioning scope: ‘all’ or ‘control_plane’

ankra cluster ovh stop

Stop an OVH cluster’s compute while keeping its configuration so it can be started again later.
ankra cluster ovh stop <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster ovh upgrade

Upgrade the Kubernetes (k3s) version on all nodes in an OVH cluster.
ankra cluster ovh upgrade <cluster_id> <target_version> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster ovh workers

Get current worker count for an OVH cluster
ankra cluster ovh workers <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster provision

Start a managed cluster that was previously created but is not yet running. If no cluster name is provided, uses the currently selected cluster.
ankra cluster provision [cluster_name] [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster reconcile

Trigger a reconciliation for a cluster to sync desired state with actual state. If no cluster name is provided, uses the currently selected cluster. If a cluster name is provided, reconciles that specific cluster.
ankra cluster reconcile [cluster_name] [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster roll-to

Roll a cluster to a specific resource version. Uses the currently selected cluster unless —cluster is provided. Example: ankra cluster roll-to —version abc123
ankra cluster roll-to [flags]
Flags
FlagDefaultDescription
--versionResource version ID to roll to (required)

ankra cluster scale

Scale the number of default-pool worker nodes up or down for a cloud cluster. The cloud provider (Hetzner, OVH, or UpCloud) is detected automatically from the cluster, so you do not need to remember which provider it runs on. To scale a named node group instead, use ‘ankra cluster node-group scale’. Example: ankra cluster scale 62f4559a-a44d-46d7-aab3-a57c9dd6b4c6 3
ankra cluster scale <cluster_id> <worker_count> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster select

Select a cluster and save it as the active cluster for subsequent commands. If a cluster name is provided, it will be selected directly without prompting. If no name is provided, an interactive picker is shown. Examples: ankra cluster select ankra cluster select my-cluster
ankra cluster select [cluster_name]

ankra cluster sops-config

Show the SOPS encryption configuration including the public key used for encrypting secrets.
ankra cluster sops-config

ankra cluster ssh-keys

Get, set, and re-sync the SSH key credentials authorised to access a cloud cluster’s nodes. The cloud provider (Hetzner, OVH, or UpCloud) is detected automatically from the cluster.

ankra cluster ssh-keys get

Show SSH keys attached to a cluster
ankra cluster ssh-keys get <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster ssh-keys resync

Re-sync the cluster’s SSH key with the cloud provider. Use this to repair a stale provider-side SSH key reference (for example when the key was deleted and re-created in the provider console) that blocks new node creation, and to re-apply the authorised keys to running nodes.
ankra cluster ssh-keys resync <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster ssh-keys set

Replace the SSH key credentials attached to a cluster. Changes take effect on the next reconciliation and are applied to running nodes. Pass —clear to remove all user SSH keys (the Ankra-managed key always remains).
ankra cluster ssh-keys set <cluster_id> [flags]
Flags
FlagDefaultDescription
--clearfalseRemove all user SSH keys (the Ankra-managed key is retained)
-o, --outputOutput format: json or yaml (default: human-readable)
--ssh-key-credential-ids[]SSH key credential IDs (comma-separated or repeated)

ankra cluster stacks

Commands to list, create, delete, rename, and view history of stacks.

ankra cluster stacks clone

Clone a stack from the current cluster to a target cluster. The cloned stack will be created as a draft in the target cluster, allowing you to review and modify it before deployment. Encrypted values will be stripped during cloning for security reasons and will need to be reconfigured in the target cluster.
ankra cluster stacks clone <stack_name> --to <target_cluster> [flags]
Flags
FlagDefaultDescription
--include-configtrueInclude addon configurations
-n, --nameNew stack name (optional, defaults to original)
-o, --outputOutput format: json or yaml (default: human-readable)
-t, --toTarget cluster name or ID (required)

ankra cluster stacks delete

Delete a stack
ankra cluster stacks delete <name> [flags]
Flags
FlagDefaultDescription
--yesfalseSkip the confirmation prompt

ankra cluster stacks history

Show history of changes for a stack
ankra cluster stacks history <name> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster stacks list

List stacks for the active cluster; or show details for a single stack
ankra cluster stacks list [stack name] [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster stacks rename

Rename a stack
ankra cluster stacks rename <old_name> <new_name>

ankra cluster stacks variables

Manage variables on a specific stack. Stack variables are the most specific scope and shadow cluster and organisation variables of the same name when this stack’s manifests/addons are rendered. ankra cluster stacks variables list <stack> ankra cluster stacks variables get <stack> DB_HOST ankra cluster stacks variables set <stack> DB_HOST db.prod.example.com ankra cluster stacks variables delete <stack> DB_HOST Stack variables are stored on the stack spec itself; edits use the same partial-stack PATCH endpoint as manifests/addons upgrade.

ankra cluster stacks variables delete

Delete a variable from a stack
ankra cluster stacks variables delete <stack> <name> [flags]
Flags
FlagDefaultDescription
--clusterTarget cluster (name or ID); defaults to the active selection
--yesfalseSkip the confirmation prompt

ankra cluster stacks variables get

Get a single stack variable
ankra cluster stacks variables get <stack> <name> [flags]
Flags
FlagDefaultDescription
--clusterTarget cluster (name or ID); defaults to the active selection

ankra cluster stacks variables list

List variables on a stack
ankra cluster stacks variables list <stack> [flags]
Flags
FlagDefaultDescription
--clusterTarget cluster (name or ID); defaults to the active selection
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster stacks variables set

Create or update a stack variable. The value can be read from stdin by passing ”-”.
ankra cluster stacks variables set <stack> <name> <value> [flags]
Flags
FlagDefaultDescription
--clusterTarget cluster (name or ID); defaults to the active selection
--dry-runfalsePrint the proposed change without writing

ankra cluster upcloud

Commands to create, deprovision, and scale UpCloud clusters.

ankra cluster upcloud control-plane

Inspect and change the control plane configuration. The cluster must be stopped to change the controller count or instance type. Only 1 or 3 controllers are allowed (etcd needs an odd number of voting members for quorum). Changes apply the next time the cluster is started.

ankra cluster upcloud control-plane get

Show the current control plane configuration
ankra cluster upcloud control-plane get <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster upcloud control-plane set-count

Change the controller count (1 or 3)
ankra cluster upcloud control-plane set-count <cluster_id> <count> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster upcloud control-plane set-instance-type

Change the controller instance type
ankra cluster upcloud control-plane set-instance-type <cluster_id> <instance_type> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster upcloud create

Create a new UpCloud cluster
ankra cluster upcloud create [flags]
Flags
FlagDefaultDescription
--bastion-plan1xCPU-2GBBastion plan
--control-plane-count1Number of control plane nodes
--control-plane-plan2xCPU-4GBControl plane plan
--credential-idUpCloud API credential ID (required)
--distributionk3sKubernetes distribution
--external-cloud-providertrueInstall the UpCloud CCM and CSI (cloud-provider=external) for LoadBalancers and persistent volumes (default on; pass —external-cloud-provider=false to skip, which also disables —include-networking)
--gitops-branchmasterGitOps branch to commit to
--gitops-credential-nameGitOps GitHub credential name; when set with —gitops-repository, the generated upcloud-cloud-provider stack is committed to Git (optional)
--gitops-repositoryGitOps repository (e.g. org/repo) to commit the generated stack to (optional)
--include-networkingtrueInstall Traefik + cert-manager for ingress (default on; pass —include-networking=false to skip). Requires —external-cloud-provider (the ingress LoadBalancer is provisioned by the cloud controller manager)
--kubernetes-versionKubernetes version (optional)
--nameCluster name (required)
--network-ip-range10.0.0.0/16Network IP range
-o, --outputOutput format: json or yaml (default: human-readable)
--ssh-key-credential-idSSH key credential ID (required)
--worker-count1Number of worker nodes
--worker-plan2xCPU-4GBWorker plan
--zoneUpCloud zone (required)

ankra cluster upcloud deprovision

Deprovision an UpCloud cluster
ankra cluster upcloud deprovision <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)
--yesfalseSkip the confirmation prompt

ankra cluster upcloud k8s-version

Get current Kubernetes version for an UpCloud cluster
ankra cluster upcloud k8s-version <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster upcloud node-group

List, add, scale, upgrade, and delete node groups.

ankra cluster upcloud node-group add

Add a node group
ankra cluster upcloud node-group add <cluster_id> [flags]
Flags
FlagDefaultDescription
--count1Number of nodes (0-100)
--instance-type2xCPU-4GBServer plan for nodes
--nameNode group name (required)
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)

ankra cluster upcloud node-group delete

Delete a node group and all its nodes
ankra cluster upcloud node-group delete <cluster_id> <group_name> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)
--yesfalseSkip the confirmation prompt

ankra cluster upcloud node-group list

List node groups
ankra cluster upcloud node-group list <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster upcloud node-group scale

Scale a node group
ankra cluster upcloud node-group scale <cluster_id> <group_name> <count> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)

ankra cluster upcloud node-group upgrade

Upgrade server plan for a node group
ankra cluster upcloud node-group upgrade <cluster_id> <group_name> <plan> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)
--timeout10m0sMaximum time to wait when —wait is set
--waitfalseWait for the operation to finish and report success or failure (default: submit and return immediately)

ankra cluster upcloud nodes

Inspect every server Ankra manages for the cluster (control plane, workers, and bastion or gateway). Soft-deleted entries from a stopped cluster are included so the saved topology is visible before re-provisioning.

ankra cluster upcloud nodes get

Show full spec and metadata for a single node
ankra cluster upcloud nodes get <cluster_id> <node_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster upcloud nodes list

List all nodes for the cluster
ankra cluster upcloud nodes list <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster upcloud scale

Scale the number of worker nodes up or down for an UpCloud cluster.
ankra cluster upcloud scale <cluster_id> <worker_count> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster upcloud start

Start (re-provision) a stopped UpCloud cluster. Use —scope control_plane to bring up only the control plane.
ankra cluster upcloud start <cluster_id> [flags]
Flags
FlagDefaultDescription
--scopeallProvisioning scope: ‘all’ or ‘control_plane’

ankra cluster upcloud stop

Stop an UpCloud cluster’s compute while keeping its configuration so it can be started again later.
ankra cluster upcloud stop <cluster_id>

ankra cluster upcloud upgrade

Upgrade the Kubernetes (k3s) version on all nodes in an UpCloud cluster.
ankra cluster upcloud upgrade <cluster_id> <target_version> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster upcloud workers

Get current worker count for an UpCloud cluster
ankra cluster upcloud workers <cluster_id> [flags]
Flags
FlagDefaultDescription
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster upgrade

Upgrade the Kubernetes (k3s) version on all nodes in a cloud cluster. The cloud provider (Hetzner, OVH, or UpCloud) is detected automatically from the cluster, so you do not need to remember which provider it runs on. List the available target versions with ‘ankra cluster k3s-versions’. Example: ankra cluster upgrade 62f4559a-a44d-46d7-aab3-a57c9dd6b4c6 v1.36.1+k3s1
ankra cluster upgrade <cluster_id> <target_version>

ankra cluster validate

Validate an ImportCluster YAML file. The local structural, dependency, and YAML checks run first (the same ones as ‘ankra cluster apply —dry-run’), then the file is sent to the Ankra API for server-side validation that the offline checks cannot perform:
  • chart existence in the Helm registries connected to your organisation
  • plaintext Kubernetes Secret / unencrypted addon value detection
  • parent references resolved against a cluster’s existing resources
Nothing is applied. Use —cluster <id> to validate the spec against an existing cluster’s deployed resources, and —strict-secrets to treat plaintext secrets as errors instead of warnings.
ankra cluster validate [flags]
Flags
FlagDefaultDescription
--clusterValidate against an existing cluster’s resources (cluster ID)
-f, --filePath to the ImportCluster YAML file to validate
-o, --outputOutput format: json or yaml (default: human-readable)
--strict-secretsfalseTreat plaintext secrets as errors instead of warnings

ankra cluster variables

Manage cluster-scoped variables that are available to every stack on the cluster as template substitutions in manifests and addon values. Cluster variables shadow organisation variables of the same name on this cluster. ankra cluster variables list ankra cluster variables get DB_HOST —cluster prod ankra cluster variables set DB_HOST db.prod.example.com ankra cluster variables delete DB_HOST When —cluster is omitted, the active selection is used.

ankra cluster variables delete

Delete a cluster variable
ankra cluster variables delete <name> [flags]
Flags
FlagDefaultDescription
--clusterTarget cluster (name or ID); defaults to the active selection
--yesfalseSkip the confirmation prompt

ankra cluster variables get

Get a single cluster variable
ankra cluster variables get <name> [flags]
Flags
FlagDefaultDescription
--clusterTarget cluster (name or ID); defaults to the active selection
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster variables list

List variables for a cluster
ankra cluster variables list [flags]
Flags
FlagDefaultDescription
--clusterTarget cluster (name or ID); defaults to the active selection
-o, --outputOutput format: json or yaml (default: human-readable)

ankra cluster variables set

Create or update a cluster variable (upsert). The value can be read from stdin by passing ”-”.
ankra cluster variables set <name> <value> [flags]
Flags
FlagDefaultDescription
--clusterTarget cluster (name or ID); defaults to the active selection
--descriptionOptional human-readable description