Description
When using HCLOUD_CLUSTER_CONFIG with serverLabels in a nodeConfig, the cluster-autoscaler Hetzner cloud provider does not apply these as Hetzner Cloud server labels to newly provisioned servers. Only the implicit hcloud/node-group=<pool-name> label is set.
Environment
- cluster-autoscaler version:
registry.k8s.io/autoscaling/cluster-autoscaler:v1.32.0
- Cloud provider:
hetzner
- Kubernetes: k3s v1.34.6+k3s1
- HCLOUD_CLUSTER_CONFIG schema includes
serverLabels per nodeConfig
Steps to reproduce
-
Configure HCLOUD_CLUSTER_CONFIG as base64-encoded JSON:
{
"imagesForArch": {"amd64": "ubuntu-24.04"},
"nodeConfigs": {
"workers": {
"cloudInit": "<base64>",
"labels": {"role": "worker"},
"serverLabels": {"archie-cluster": "staging"}
}
}
}
-
Trigger a scale-up event by creating a pod with matching nodeSelector that cannot fit existing nodes.
-
Observe the new server in Hetzner Cloud:
hcloud server describe <new-server-id> --output=json | jq '.labels'
Expected
{
"hcloud/node-group": "workers",
"archie-cluster": "staging"
}Actual
{
"hcloud/node-group": "workers"
}The archie-cluster label from serverLabels is missing. The Kubernetes node labels (labels field) are applied correctly via --node-label=role=worker in the agent install command.
Impact
This breaks the apply_to.label_selector pattern for Hetzner Cloud Firewalls. The recommended way to attach a firewall to autoscaler-provisioned nodes is via label_selector, but if serverLabels are not applied, every new node lacks the label and is outside the firewall scope. Workaround requires manual hcloud server add-label after each scale-up, defeating autoscaling.
Workaround
Manually apply the label post-provisioning:
hcloud server add-label <server-id> archie-cluster=<env>
This is operationally painful for autoscaling workloads.
Related code
The provider's hetzner_node_group.go (search for serverLabels or ServerLabels). Possible that cloudInitDefinition.ServerLabels is parsed but not passed to client.Server.Create opts.
Acceptance criteria
- New servers created by the autoscaler carry all key-value pairs from
serverLabels of their nodeConfig as Hetzner Cloud labels.
- Existing
hcloud/node-group label continues to be set.
- Documented in the Hetzner provider README.
Happy to test a fix against a staging cluster if a PR is opened.
Description
When using
HCLOUD_CLUSTER_CONFIGwithserverLabelsin a nodeConfig, the cluster-autoscaler Hetzner cloud provider does not apply these as Hetzner Cloud server labels to newly provisioned servers. Only the implicithcloud/node-group=<pool-name>label is set.Environment
registry.k8s.io/autoscaling/cluster-autoscaler:v1.32.0hetznerserverLabelsper nodeConfigSteps to reproduce
Configure HCLOUD_CLUSTER_CONFIG as base64-encoded JSON:
{ "imagesForArch": {"amd64": "ubuntu-24.04"}, "nodeConfigs": { "workers": { "cloudInit": "<base64>", "labels": {"role": "worker"}, "serverLabels": {"archie-cluster": "staging"} } } }Trigger a scale-up event by creating a pod with matching nodeSelector that cannot fit existing nodes.
Observe the new server in Hetzner Cloud:
Expected
{ "hcloud/node-group": "workers", "archie-cluster": "staging" }Actual
{ "hcloud/node-group": "workers" }The
archie-clusterlabel fromserverLabelsis missing. The Kubernetes node labels (labelsfield) are applied correctly via--node-label=role=workerin the agent install command.Impact
This breaks the
apply_to.label_selectorpattern for Hetzner Cloud Firewalls. The recommended way to attach a firewall to autoscaler-provisioned nodes is vialabel_selector, but ifserverLabelsare not applied, every new node lacks the label and is outside the firewall scope. Workaround requires manualhcloud server add-labelafter each scale-up, defeating autoscaling.Workaround
Manually apply the label post-provisioning:
This is operationally painful for autoscaling workloads.
Related code
The provider's hetzner_node_group.go (search for
serverLabelsorServerLabels). Possible thatcloudInitDefinition.ServerLabelsis parsed but not passed toclient.Server.Createopts.Acceptance criteria
serverLabelsof their nodeConfig as Hetzner Cloud labels.hcloud/node-grouplabel continues to be set.Happy to test a fix against a staging cluster if a PR is opened.