This section describes the recommended steps to be taken for every KKP upgrade,
including from patch release to patch release.
Create Backups
Even though regular backups should already be in place, it’s always good to be
on the safe side and ensure that backups are made prior to upgrades.
The Velero chart, if installed, includes a backup job that copies all resources
(Clusters, Seeds, Users, Projects, …) on a regular basis. Another option is
to simply use kubectl
to dump all KKP resources:
export KUBECONFIG=...
while IFS= read -r crd; do
echo "Dumping $crd ..."
kubectl get $crd -A -o yaml > $crd.yaml
done <<< "$(kubectl get crd | grep kubermatic | cut -f1 -d' ')"
Backups must be done on the master and should be done on all seed cluster as
well.
Upgrade Versioning Policy
KKP only supports upgrades from one minor version to the next (i.e. from 2.13 to 2.14).
You must not omit a minor version when doing an upgrade of your KKP installation
(i.e. 2.13 to 2.15 without upgrading to 2.14 in-between is not supported).
Prepare for Reconciliation Load
Whenever KKP is upgraded, changes that affect possibly many cluster control-planes
can be rolled out. For example when new settings on Deployments are set, Docker
image versions or registries change, etc.
These mass-upgrades can cause severe load on the seed clusters, depending on the
number of user clusters. To prevent overloads, KKP has a mechanism to limit the
number of parallel reconciliations that can be active at any time,
MaximumParallelReconciles
. This defaults to 10
and can be tweaked by editing
the KubermaticConfiguration
and setting spec.seedController.maximumParallelReconciles
accordingly. In the legacy kubermatic
Helm chart, the setting can be overridden
via kubermatic.maxParallelReconcile
.
It is generally good practice to lower the limit prior to performing an upgrade,
observing the seed cluster load afterwards and then resetting it again.
Manual Upgrade Procedure
Unless otherwise noted in the upgrade notes for the given KKP minor version, the
upgrade procedure is roughly as follows. The exact paths may vary slightly
in-between minor releases, but the procedure is the same.
For KKP releases prior to 2.14, refer to https://github.com/kubermatic/kubermatic-installer
to download the Helm charts and configuration files.
For KKP releases since 2.14, download the appropriate archive from
https://github.com/kubermatic/kubermatic/releases and extract it locally on your
computer.
It’s now time to perform any manual upgrade steps and update the Helm values.yaml
file used to install the charts (a single file for all charts is recommended, but
one values.yaml
per chart is also possible).
Before updating the Helm charts, update all CRDs:
kubectl apply -f charts/cert-manager/crd/
kubectl apply -f charts/backup/velero/crd/
kubectl apply -f charts/kubermatic/crd/
Unless noted otherwise, if the KubermaticConfiguration
or Seed
configurations
had to be changed, they should now be updated.
In general, charts can be upgraded in any order, as long as eventually all
charts have been upgraded. Depending on your installation method, install the
kubermatic
Helm chart for legacy setups or the kubermatic-installer
chart for
the new KKP Operator.
Helm 3
helm --namespace cert-manager upgrade --install --wait --values values.yaml cert-manager charts/cert-manager/
helm --namespace nginx-ingress-controller upgrade --install --wait --values values.yaml nginx-ingress-controller charts/nginx-ingress-controller/
helm --namespace oauth upgrade --install --wait --values values.yaml oauth charts/oauth/
# either
helm --namespace kubermatic upgrade --install --wait --values values.yaml kubermatic-operator charts/kubermatic-operator/
# or
helm --namespace kubermatic upgrade --install --wait --values values.yaml kubermatic charts/kubermatic/
Helm 2
helm upgrade --install --wait --values values.yaml --namespace cert-manager cert-manager charts/cert-manager/
helm upgrade --install --wait --values values.yaml --namespace nginx-ingress-controller nginx-ingress-controller charts/nginx-ingress-controller/
helm upgrade --install --wait --values values.yaml --namespace oauth oauth charts/oauth/
# either
helm upgrade --install --wait --values values.yaml --namespace kubermatic kubermatic-operator charts/kubermatic-operator/
# or
helm upgrade --install --wait --values values.yaml --namespace kubermatic kubermatic charts/kubermatic/