Releases: vitobotta/hetzner-k3s

v2.4.6

28 Feb 18:11
7b26a91

Fixes

  • IMPORTANT: Fixed an issue that left password authentication enabled on all nodes of the cluster even though we use keys. See the note on upgrading below.
  • Fixed the format of the argument to force path style for bucket lookup in etcd backups to s3 - by @privatecoder
  • Post k3s commands now run as expected after k3s setup, by @privatecoder
  • Autoscaled nodes now obey the grow_root_partition_automatically setting, by @privatecoder

Improvements

  • When running a command or script on one or all nodes using the run command, we now print the total number of nodes affected together with the number successfully affected and the number of errors.
  • Added new embedded_registry_mirror.private_registry_config setting to configure registry mirrors for private registries in YAML format (see https://docs.k3s.io/installation/registry-mirror#enabling-registry-mirroring), by @sergioboi
  • ip-query-server: include the IP of the Kubernetes API load balancer so it can be added to the local firewall, by @leblancmeneses
  • Use a configmap for the autoscaler config so we can have many more node pools. Prior to this change, we were using an environment variable which limited the length of the config. By @leblancmeneses
  • Made NodePort range configurable and added ability to disable it altogether, by @privatecoder
  • Added a check to abort creating the cluster if an SSH key with the expected fingerprint already exists with a different name from the cluster name, as that would cause issues with autoscaled nodes (see #731 for details). By @privatecoder

New

  • Added option to create and set up a cluster through its private IPs using the skip-current-ip-validation option. See #727 for more details. By @privatecoder

Upgrading

In order to disable password authentication on all nodes, clone the repo locally then run:

hetzner-k3s run --config your-cluster.yaml --script scripts/2026-02-28-disable-ssh-password-auth.sh
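
To confirm the change took effect on a node, the effective sshd settings can be audited after running the script. The following is an added example, not part of hetzner-k3s and not the contents of the project's script; the function name and sample inputs are constructed, and it assumes `sshd -T` (OpenSSH's effective-configuration dump) is available on the nodes.

```shell
#!/bin/sh
# Added example, not part of hetzner-k3s: audit effective sshd settings.
# Input: `sshd -T` style output on stdin ("keyword value", one per line).
# Exit status: 0 = password logins off, 1 = on, 2 = setting not reported.
check_ssh_password_auth() {
  awk '
    { key = tolower($1); val = tolower($2) }
    key == "passwordauthentication"       { pw = val }
    key == "kbdinteractiveauthentication" { kbd = val }
    key == "usepam"                       { pam = val }
    END {
      if (pw == "") { print "UNKNOWN passwordauthentication not reported"; exit 2 }
      if (pw != "no") { print "FAIL passwordauthentication=" pw; exit 1 }
      # With PAM enabled, keyboard-interactive can still prompt for a password.
      if (kbd == "yes" && pam == "yes")
        print "WARN kbdinteractiveauthentication=yes with usepam=yes"
      print "PASS passwordauthentication=no"
    }'
}

# Constructed sample inputs (not captured from a real node).
SAMPLE_BEFORE='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
usepam yes'

SAMPLE_AFTER='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
usepam yes'

printf 'before: '; printf '%s\n' "$SAMPLE_BEFORE" | check_ssh_password_auth || true
printf 'after:  '; printf '%s\n' "$SAMPLE_AFTER" | check_ssh_password_auth || true

# On a node, as root:  sshd -T | check_ssh_password_auth
```
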

If hetzner-k3s is useful to you or your company, please consider sponsoring its development.
Sponsorship helps ensure continued maintenance and new features. Thank you to our current sponsors! 🙏

v2.4.5

09 Jan 09:49
888b8d9

Fixes

  • Fixed an issue in the GitHub Actions workflow that caused the binary for Intel-based Macs to be incorrectly built for ARM architecture instead of x86.

v2.4.4

27 Dec 03:45
b7ae358

Improvements

  • We no longer wait for a whole hour when the Hetzner API rate limit is reached, but only the amount of time actually necessary
  • Added proper retry mechanism for possible network errors and similar when calling the Hetzner API
  • Improved timeout handling when calling the Hetzner API
  • Improved handling of concurrency when creating and setting up nodes
  • Improved and simplified setup of the custom iptables firewall used for large clusters where the Hetzner firewall is not sufficient and thus is not used
  • When the custom firewall logic is updated, now we can apply the necessary configuration changes to existing clusters' nodes by rerunning the create command
  • The create command when run on an existing cluster will now update the lists of allowed networks automatically, without requiring manual updating
  • Various improvements to the codebase

Fixes

v2.4.3

06 Dec 14:26
ab99347

New

  • Added CI Workflow to build code on PRs. This allows contributors to get their code compiled on their PRs. - by @artem-zinnatullin

Fixes

  • Added pagination support for the Server Types API. This change fixes a problem that was stopping people from creating nodes with the new instance types that Hetzner recently introduced. - by @artem-zinnatullin

Improvements

  • Moved settings for the manifest URLs, cluster autoscaler, embedded registry mirror and local path storage class to the relevant addon sections in the configuration file. - by @KaulSe

Other updates

  • Upgraded default Hetzner CSI driver version to v2.18.3
  • Upgraded default Hetzner Cloud Controller Manager version to v1.28.0
  • Upgraded default Cluster Autoscaler version to v1.34.2
  • Upgraded default System Upgrade Controller version to v0.18.0

Upgrading

  • If you have specified some custom manifest URLs in the manifests section of the configuration file, you need to move each of them to the relevant addon section:
    • manifests.cloud_controller_manager_manifest_url -> addons.cloud_controller_manager.manifest_url
    • manifests.csi_driver_manifest_url -> addons.csi_driver.manifest_url
    • manifests.system_upgrade_controller_deployment_manifest_url -> addons.system_upgrade_controller.deployment_manifest_url
    • manifests.system_upgrade_controller_crd_manifest_url -> addons.system_upgrade_controller.crd_manifest_url
    • manifests.cluster_autoscaler_manifest_url -> addons.cluster_autoscaler.manifest_url
    • manifests.cluster_autoscaler_container_image_tag -> addons.cluster_autoscaler.container_image_tag
  • The cluster_autoscaler section has been moved from the root of the config file to addons.cluster_autoscaler. E.g.
    • cluster_autoscaler.scan_interval is now addons.cluster_autoscaler.scan_interval, and so on.
  • The embedded_registry_mirror section has been moved from the root of the configuration file to addons. E.g.
    • embedded_registry_mirror.enabled is now addons.embedded_registry_mirror.enabled
  • The local_path_storage_class section has been moved from the root of the config file to addons. E.g.
    • local_path_storage_class.enabled is now addons.local_path_storage_class.enabled
  • If you haven't specified the manifest URL for the Hetzner Cloud Controller Manager, you need to follow the instructions in this page to finalize the upgrade of CCM to v1.28.0. In particular, you'll need to delete an old ClusterRoleBinding that is no longer needed with the new CCM version.

v2.4.2

24 Oct 16:44
0214c15

Fixes

  • Added pagination support for the Server Types API. This change fixes a problem that was stopping people from creating nodes with the new instance types that Hetzner recently introduced. - by @artem-zinnatullin

v2.4.1

31 Aug 13:23
162fe01

New

  • It's now possible to configure custom firewall rules when using the Hetzner firewall. By KaulSe

Fixes

  • Create a temp file for the default Cilium Helm values file if no custom file is given. Before this change, we used stdin instead of a regular file - but that did not work correctly on some platforms. By clouedoc

v2.4.0

10 Aug 21:12
6a9ce9e

Fixes

  • Fixed a validation that required that all workers stay in the same network zone as the masters, even when the private network is turned off.
  • Fixed a validation that required that all masters stay in the same network zone even when using an external datastore for the Kubernetes control plane

Improvements

  • Fewer k3s server restarts when running the create command again after replacing one master.

v2.3.9

08 Aug 09:39
873fa7c

Fixes

  • Fixed a problem with labels and taints - it was caused by slashes in their names being escaped twice.
  • Fixed a problem that might have stopped master1 from being replaced in highly available control planes.

Improvements

  • Added a check to make sure the SSH key in the config file stays the same as the one already in Hetzner - if they do not match, it can cause issues when nodes use different keys.

Miscellaneous

  • Defaulted Hetzner CSI driver to version v2.17.0

v2.3.8

04 Aug 17:56
9b87387

New

  • It is now possible to toggle on/off the installation of
    • Hetzner Cloud Controller manager
    • Hetzner CSI driver
    • Traefik ingress controller
    • ServiceLB
    • metrics-server

See the addons section in the configuration example in this page. - by KaulSe

Improvements

  • The k3s token is now cached for the whole create command process - this helps speed up some steps. Before this update, it was fetched from the masters several times, which made the process a little slower.

v2.3.7

04 Aug 17:10
5992d4a

Improvements

  • We now stop early when running the create command to update the config on an existing cluster with a highly available control plane - if setting up the first master fails. This helps protect the other masters that may still be working fine from breaking changes.