
Commonly asked questions about Gardener

1 - Can I run privileged containers?

While it is possible, we highly recommend not using privileged containers in your production environment.

2 - Can Kubernetes upgrade automatically?

There is no automatic migration of major/minor versions of Kubernetes. You need to update your clusters manually or press the Upgrade button in the Dashboard.

Before updating a cluster you should be aware of the potential errors this might cause. The following video will dive into a Kubernetes outage in production that Monzo experienced, its causes and effects, and the architectural and operational lessons learned.

It is therefore recommended to update your test cluster first and validate it before performing changes on a production environment.

3 - Can you backup your Kubernetes cluster resources?

Backing up your Kubernetes cluster is possible through the use of specialized software like Velero. Velero consists of a server-side component and a client tool that allow you to back up or restore all objects in your cluster, as well as the cluster resources and persistent volumes.

4 - Can you migrate the content of one cluster to another cluster?

The migration of clusters or content from one cluster to another is out of scope for the Gardener project. For such scenarios you may consider using tools like Velero.

5 - How can you get the status of a shoot API server?

There are two ways to get the health information of a shoot API server.

  • Try to reach the public endpoint of the shoot API server via "https://api.<shoot-name>.<project-name>.shoot.<canary|office|live>"

The endpoint is secured, therefore you need to authenticate via basic auth or client cert. Both are available in the admin kubeconfig of the shoot cluster. Note that with those credentials you have full (admin) access to the cluster, therefore it is highly recommended to create custom credentials with some RBAC rules and bindings which only allow access to the /healthz endpoint.

  • Fetch the shoot resource of your cluster via the Gardener API and read the availability information from its status. You need a kubeconfig for the Garden cluster, which you can get via the Gardener dashboard. Then you can fetch your shoot resource and query the availability information via:

kubectl get shoot <shoot-name> -o json | jq -r '.status.conditions[] | select(.type=="APIServerAvailable")'

The availability information in the second scenario is collected by the Gardener. If you want to collect the information independently from Gardener, you should choose the first scenario.

If you want to achieve a simple pull monitor in the AvS for a shoot cluster, you also need to use the first scenario, because it gives you a stable endpoint for the API server which you can query.
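The two scenarios above, as an added example that is not part of the Gardener documentation or project: a least-privilege identity for the public /healthz endpoint (first scenario), a pull check using it, and the same condition lookup as the jq command (second scenario). The ServiceAccount name, namespace and sample shoot status are constructed; the example assumes a ServiceAccount token is used as the custom credential.

```python
"""Added example (not Gardener project code): shoot API-server health checks.
Constructed values: the ServiceAccount/namespace passed in and SAMPLE_SHOOT; a
ServiceAccount bearer token is assumed as the restricted credential."""
import json
import ssl
import urllib.error
import urllib.request

def healthz_only_rbac(sa_name: str, sa_namespace: str) -> dict:
    """A v1 List of manifests for an identity that may only GET the non-resource
    URL /healthz; no resource access is granted, so a leaked monitoring token
    cannot read the cluster. json.dumps(...) can be piped to `kubectl apply -f -`."""
    role = f"{sa_name}-healthz"
    return {"apiVersion": "v1", "kind": "List", "items": [
        {"apiVersion": "v1", "kind": "ServiceAccount",
         "metadata": {"name": sa_name, "namespace": sa_namespace}},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
         "metadata": {"name": role},
         "rules": [{"nonResourceURLs": ["/healthz"], "verbs": ["get"]}]},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
         "metadata": {"name": role},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role},
         "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_namespace}]},
    ]}

def probe_healthz(api_url: str, token: str, ca_file, timeout: float = 5.0) -> bool:
    """Scenario 1: pull-check the public endpoint with the restricted token.
    ca_file is the CA from the shoot kubeconfig; TLS verification stays on."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(f"{api_url.rstrip('/')}/healthz",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status == 200 and resp.read().strip() == b"ok"
    except (urllib.error.URLError, OSError):
        return False  # unreachable, refused, TLS failure or non-HTTP error

def apiserver_available(shoot: dict) -> tuple:
    """Scenario 2: same lookup as the jq command above, on a shoot object from
    the garden cluster. Returns (healthy, reason, message)."""
    for cond in shoot.get("status", {}).get("conditions", []):
        if cond.get("type") == "APIServerAvailable":
            return cond.get("status") == "True", cond.get("reason", ""), cond.get("message", "")
    return False, "ConditionMissing", "shoot reports no APIServerAvailable condition"

# Constructed shoot status, shaped like `kubectl get shoot <shoot-name> -o json`.
SAMPLE_SHOOT = json.loads('{"status": {"conditions": [{"type": "APIServerAvailable", '
                          '"status": "True", "reason": "HealthzRequestSucceeded", '
                          '"message": "API server /healthz endpoint responded with success status code."}]}}')
```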

6 - How do you configure Multi-AZ worker pools for different extensions?

Configuration of Multi-AZ worker pools depends on the infrastructure.

The zone distribution for the worker pools can be configured generically across all infrastructures. You can find provider-specific details in the InfrastructureConfig section of each extension provider repository:

7 - How do you rotate IaaS keys for a running cluster?

End-users must provide credentials such that Gardener and Kubernetes controllers can communicate with the respective cloud provider APIs in order to perform infrastructure operations. These credentials should be regularly rotated.

How to do so is explained in Shoot Credentials Rotation.

8 - How to add K8S feature gates to my shoot cluster?

Adding a Feature Gate

In order to add a feature gate, add it as enabled to the appropriate section of the shoot.yaml file:

    spec:
      kubernetes:
        kubeAPIServer:
          featureGates:
            SomeKubernetesFeature: true

The available sections are kubelet, kubernetes, kubeAPIServer, kubeControllerManager, kubeScheduler, and kubeProxy.

For more details, see the example shoot.yaml file.

What is the expected downtime when updating the shoot.yaml?

No downtime is expected after executing a shoot.yaml update.

9 - Reconciliation

What is impacted during a reconciliation?

Infrastructure and DNSRecord reconciliation are only done during usual reconciliation if there were relevant changes. Otherwise, they are only done during maintenance.

How do you steer a reconciliation?

Reconciliation is bound to the maintenance time window of a cluster. This means that your shoot will be reconciled regularly, without need for input.

Outside of the maintenance time window your shoot will only reconcile if you change the specification or if you explicitly trigger it. To learn how, see Trigger shoot operations.

10 - What are the meanings of different DNS configuration options?

Can you adapt a DNS configuration to be used by the workload on the cluster (CoreDNS configuration)?

Yes, you can. Information on that can be found in Custom DNS Configuration.

How to use custom domain names using a DNS provider?

Creating custom domain names for the Gardener infrastructure DNS records using DNSRecords resources

With DNSRecords internal and external domain names of the kube-apiserver are set, as well as the deprecated ingress domain name and an “owner” DNS record for the owning seed.

For this purpose, you need either a provider extension supporting the needed resource kind DNSRecord/<provider-type> or a special extension.

All main providers support their respective IaaS specific DNS servers:

  • AWS => DNSRecord/aws-route53
  • GCP => DNSRecord/google-clouddns
  • Azure => DNSRecord/azure-dns
  • OpenStack => DNSRecord/openstack-designate
  • AliCloud => DNSRecord/alicloud-dns

For Cloudflare, a community extension exists.

For other providers like Netlify and Infoblox there is currently no known supporting extension; they are, however, supported by the shoot-dns-service.

Creating domain names for cluster resources like ingresses or services of type LoadBalancer, and for TLS certificates

For this purpose, the shoot-dns-service extension is used (DNSProvider and DNSEntry resources).

You can read more on it in these documents: