This document explains how to upgrade the Kubernetes version of a Google Distributed Cloud (GDC) air-gapped Kubernetes cluster. You must plan routine upgrades for your clusters to ensure they incorporate the latest Kubernetes features and fixes.
This document is for audiences such as IT administrators, security engineers, and network administrators within the platform administrator group, who are responsible for managing Kubernetes resources within their organization. For more information, see Audiences for GDC air-gapped documentation .
Before you begin
-
Install the kubectl CLI. For more information, see Install components .
-
Generate a kubeconfig file for the management API server in your targeted zone. For more information, see Zonal Kubernetes cluster resources .
-
To get the permissions that you need to list available upgrade versions, ask your Organization IAM Admin to grant you the User Cluster Admin (
user-cluster-admin) role.If you manage a standard cluster and are unable to obtain the User Cluster Admin role from your platform administrator group, you must request they provide you with the list of available Kubernetes upgrade versions.
-
To get the permissions that you need to configure a cluster upgrade, ask your Organization IAM Admin to grant you the Standard Cluster Admin (
standard-cluster-admin) role.
Upgrade a Kubernetes cluster
Use the UserClusterUpgradeRequest
API to upgrade an existing Kubernetes cluster.
To upgrade a Kubernetes cluster using the API, follow these steps:
-
List the available Kubernetes upgrade versions by printing the
kubernetesVersionvalue of theUserClusterMetadataobjects:kubectl --kubeconfig MANAGEMENT_API_SERVER \ get userclustermetadata -o = custom-columns = 'TARGET_VERSION:.spec.kubernetesVersion'Replace
MANAGEMENT_API_SERVERwith the path to the kubeconfig file of the management API server.The command returns a list of available Kubernetes versions:
TARGET_VERSION 1.30.1000-gke.85 -
Note the Kubernetes version from the previous output that you want to upgrade your cluster to. The
targetVersionyou specify in the upgrade request in the next step must be one of these available versions. -
Request the cluster upgrade by creating a
UserClusterUpgradeRequestresource:kubectl --kubeconfig MANAGEMENT_API_SERVER apply -f - <<EOF apiVersion : cluster.gdc.goog/v1 kind : UserClusterUpgradeRequest metadata : name : CLUSTER_NAME namespace : CLUSTER_NAMESPACE spec : clusterRef : name : CLUSTER_NAME targetVersion : TARGET_VERSION EOFReplace the following:
-
MANAGEMENT_API_SERVER: the path to the kubeconfig file of the management API server. -
CLUSTER_NAME: the name of the Kubernetes cluster to upgrade, such asuser-vm-2. -
CLUSTER_NAMESPACE: the namespace of the Kubernetes cluster. For shared clusters, use theplatformnamespace. For standard clusters, use the project namespace of the cluster. -
TARGET_VERSION: the target version for the upgrade identified in the previous step, such as1.30.1000-gke.85.
The average upgrade time for a Kubernetes cluster takes approximately 20 minutes.
-
-
Verify the cluster upgrade by monitoring the
UserClusterUpgradeRequestresource:kubectl --kubeconfig MANAGEMENT_API_SERVER \ describe userclusterupgraderequest CLUSTER_NAME \ -n CLUSTER_NAMESPACEReplace the following:
-
MANAGEMENT_API_SERVER: the path to the kubeconfig file of the management API server. -
CLUSTER_NAME: the name of the Kubernetes cluster to upgrade, such asuser-vm-2. -
CLUSTER_NAMESPACE: the namespace of the Kubernetes cluster. For shared clusters, use theplatformnamespace. For standard clusters, use the project namespace of the cluster.
Inspect the
Specsection of the output. It containsCurrent VersionandTarget Version. The upgrade is still in progress if theCurrent Versionand theTarget Versiondiffer.Spec: ... Current Version: 1.29.500-gke.60 Target Version: 1.30.1000-gke.85 Status: Conditions: - Message: Upgrade is in progress Reason: UpgradeInProgress Status: "False" Type: SucceededThe upgrade is complete and successful when the
Succeededcondition has a status ofTrue, and theCurrent Versionmatches theTarget Version.If the
Succeededcondition has a status ofFalse, the upgrade failed. If you encounter errors related to your Kubernetes cluster upgrade, contact the infrastructure operator group for further assistance. -
Verify cluster subcomponents after upgrade
After your Kubernetes cluster is successfully upgraded, we recommend confirming that all subcomponents of the cluster are healthy.
Check for subcomponent failures in your cluster:
-
Verify that there are no subcomponents that show a
ReconciliationErrormessage:kubectl --kubeconfig MANAGEMENT_API_SERVER \ get subcomponent -n CLUSTER_NAME -o json | jq -r \ '.items[] | select(.status.conditions[]?.reason == "ReconciliationError") | select(.status.featureDisabled != true) | "Sub-Component: \(.metadata.name) - \(.status.conditions[]?.message)"'If the output returns any subcomponents, reach out to your infrastructure operator group for further assistance.
-
Verify that there are no subcomponents that show a
Reconcilingmessage:kubectl --kubeconfig MANAGEMENT_API_SERVER \ get subcomponent -n CLUSTER_NAME -o json | jq -r \ '.items[] | select(.status.conditions[]?.reason == "Reconciling") | select(.status.featureDisabled != true) | select( "\(.status)" | contains("PreinstallPending") | not) | "Sub-Component: \(.metadata.name) - \(.status.conditions[]?.message)"'For Kubernetes clusters with three control plane nodes and three worker nodes, the upgrade time takes approximately 20 minutes. If you still see subcomponents in a state of
Reconcilingafter 20 minutes, contact your infrastructure operator group for further assistance.
