Running Kubernetes on Hetzner: Practical Setup and Pitfalls

Deploying Kubernetes on Hetzner requires careful node configuration, network setup, and storage planning to avoid common pitfalls.

JR

2 minute read

Why Hetzner?

Hetzner offers inexpensive cloud VMs (hcloud) and dedicated servers in EU data centres, with good price/performance for stateful or latency-sensitive workloads. Avoid the "cheap cloud" trap: the hardware is solid, but you manage the entire stack yourself, from the OS and control plane through networking, storage and backups.

Actionable Workflow

  1. Provision nodes with Terraform
    Use the hcloud Terraform provider. It reads the API token from the HCLOUD_TOKEN environment variable; keep that token out of the repository. Example:

    resource "hcloud_server" "k8s_node" {
      name        = "k8s-worker-01"
      server_type = "cx22"          # use a type currently listed by `hcloud server-type list`
      location    = "fsn1"          # the provider takes `location` or `datacenter` (a name), not a numeric datacenter_id
      image       = "ubuntu-24.04"  # required; for Talos, reference an uploaded Talos snapshot instead
      ssh_keys    = ["k8s-admin"]   # names or IDs of hcloud_ssh_key resources
    }

    Review the diff with terraform plan before running terraform apply.

  2. Configure networking
    Use Calico for CNI. Attach the nodes to a Hetzner private network so that etcd (2379-2380/TCP, control-plane nodes only), the kubelet API (10250/TCP) and the Calico data plane (179/TCP for BGP, or 4789/UDP for VXLAN) travel only over that network. Hetzner Cloud Firewalls filter the public interface only, so on the firewall allow just ICMP and 6443/TCP for the API server, and restrict 6443 to your admin source CIDRs rather than 0.0.0.0/0. Check that every node has reached Ready (grepping for "Ready" would also match "NotReady"):

    kubectl get nodes --no-headers | awk '$2 != "Ready"'   # prints only nodes that are not Ready

    If nodes aren't joining, remember that calico-node runs as a DaemonSet, not a systemd unit: read its pod logs with kubectl logs -n calico-system ds/calico-node (use -n kube-system for a manifest-based install) and confirm the Calico IP pool does not overlap the Hetzner private network range.

  3. Set up storage
    Deploy Longhorn for replicated block storage. Longhorn needs open-iscsi on every node; on Talos that means the iscsi-tools (and util-linux-tools) system extensions. Longhorn ships a default StorageClass named longhorn, so give your own a different name and pin the replica count explicitly, since a single Hetzner disk is not redundant:

    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: longhorn-ha
    provisioner: driver.longhorn.io
    allowVolumeExpansion: true
    reclaimPolicy: Delete
    parameters:
      numberOfReplicas: "3"   # replicas are placed on different nodes
      fsType: "ext4"

    Validate with kubectl get storageclass, then bind a test PVC. If you only need simple per-node volumes, Hetzner's CSI driver (hcloud-csi) provisions Hetzner Cloud Volumes instead.

  4. Deploy Kubernetes
    Use Talos, an immutable OS managed entirely over its API with no SSH; the CNI and storage add-ons above are installed after this step, once the control plane is up. Hetzner Cloud offers no Talos image, so boot nodes from a Talos snapshot you uploaded beforehand (the Talos docs describe building one with Packer). Talos installs Flannel by default; set cluster.network.cni.name: none in the machine config when you intend to use Calico. Generate the config, apply it to the first control-plane node (still in maintenance mode, hence --insecure) and bootstrap etcd:

    talosctl gen config hetzner-k8s https://<control-plane-ip>:6443
    talosctl apply-config --insecure -n <control-plane-ip> --file controlplane.yaml
    talosctl --talosconfig ./talosconfig -e <control-plane-ip> -n <control-plane-ip> bootstrap

    Check status with talosctl --talosconfig ./talosconfig -e <control-plane-ip> -n <control-plane-ip> health, then fetch a kubeconfig with talosctl kubeconfig and confirm with kubectl get nodes.

  5. Monitor and alert
    Deploy Prometheus/Grafana into their own namespace with:

    helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
    helm repo update
    helm install prometheus prometheus-community/kube-prometheus-stack \
      --namespace monitoring --create-namespace
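
The infrastructure half of the workflow above (steps 1, 2 and 4) as one complete Terraform configuration: private network, a public firewall that exposes only the Kubernetes and Talos APIs to an admin range, and control-plane nodes booted from a Talos snapshot. This is an added example, not code from the original post or from Hetzner's or Talos's documentation; the admin CIDR, the snapshot label os=talos, the network ranges, server type and names are assumptions, and the Talos machine config is still applied with talosctl afterwards.

```hcl
terraform {
  required_providers {
    hcloud = {
      source  = "hetznercloud/hcloud"
      version = "~> 1.45"
    }
  }
}

# The provider reads the API token from HCLOUD_TOKEN; never put it in a .tf file.
provider "hcloud" {}

variable "admin_cidr" {
  description = "Source range allowed to reach the Kubernetes and Talos APIs (assumed value)"
  type        = string
  default     = "203.0.113.0/24" # placeholder from TEST-NET-3
}

# Hetzner has no Talos image. This selects a snapshot you built and labelled
# beforehand (e.g. with Packer); the label os=talos is an assumption.
data "hcloud_image" "talos" {
  with_selector     = "os=talos"
  with_architecture = "x86"
  most_recent       = true
}

# Private network for node-to-node traffic: etcd, kubelet and the Calico
# overlay stay here and are never exposed on the public interface.
resource "hcloud_network" "k8s" {
  name     = "k8s"
  ip_range = "10.0.0.0/16"
}

resource "hcloud_network_subnet" "nodes" {
  network_id   = hcloud_network.k8s.id
  type         = "cloud"
  network_zone = "eu-central"
  ip_range     = "10.0.1.0/24"
}

# Hetzner Cloud Firewalls filter the public interface only and drop inbound
# traffic that matches no rule, so only list what must be reachable.
resource "hcloud_firewall" "k8s_public" {
  name = "k8s-public"

  rule {
    direction  = "in"
    protocol   = "icmp"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  # 6443 = kube-apiserver, 50000 = Talos apid. Admin range only, never 0.0.0.0/0.
  dynamic "rule" {
    for_each = toset(["6443", "50000"])
    content {
      direction  = "in"
      protocol   = "tcp"
      port       = rule.value
      source_ips = [var.admin_cidr]
    }
  }
}

# Three control-plane nodes. Talos has no SSH, so no ssh_keys are attached;
# the machine config is applied afterwards with talosctl apply-config.
resource "hcloud_server" "cp" {
  count        = 3
  name         = "k8s-cp-${count.index + 1}"
  server_type  = "cx22"
  location     = "fsn1"
  image        = data.hcloud_image.talos.id
  firewall_ids = [hcloud_firewall.k8s_public.id]

  network {
    network_id = hcloud_network.k8s.id
    ip         = "10.0.1.${10 + count.index}"
  }

  depends_on = [hcloud_network_subnet.nodes]
}

output "control_plane_public_ips" {
  value = hcloud_server.cp[*].ipv4_address
}
```

Run terraform plan and apply, then continue with the talosctl steps against the printed IPs. Worker nodes get the same firewall and network; because the firewall does not touch private-network traffic, the etcd, kubelet and Calico ports need no rules at all, and anything you do not list stays closed.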
    

Policy Example: Network Isolation

Restrict pod-to-pod traffic by default and allow flows explicitly. NetworkPolicy objects are namespaced, so apply one per namespace, and they are only enforced by a CNI that supports them (Calico does; a plain overlay ignores them silently). Denying Egress also blocks DNS, so pair this with a policy that allows egress to kube-dns on 53/UDP and 53/TCP, or every pod in the namespace loses name resolution:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default   # policies are namespaced; repeat per namespace
spec:
  podSelector: {}      # empty selector = every pod in the namespace
  policyTypes:
  - Ingress
  - Egress

Tooling

  • Terraform: IaC for Hetzner resources (servers, private networks, firewalls).
  • Talos: immutable Kubernetes OS managed over its API, with no SSH; OS and Kubernetes upgrades via talosctl upgrade and talosctl upgrade-k8s.
  • Calico: CNI with NetworkPolicy enforcement.
  • Longhorn: distributed, replicated block storage.
  • Velero: backup/restore of cluster resources and persistent volumes. It does not back up etcd itself; take etcd snapshots separately (talosctl etcd snapshot).

Tradeoffs

  • Pros: full control over hardware and OS, substantially lower cost than the hyperscalers.
  • Cons: no managed control plane, so you own etcd backups, certificate rotation and Kubernetes/OS upgrades; budget a few hours a month for them. The Hetzner Cloud API is rate-limited per token (3,600 requests per hour), which large Terraform runs can hit.

Troubleshooting

  • Node not Ready: on a conventional OS, run systemctl status kubelet on the node; on Talos there is no shell, so use talosctl -n <node> services and talosctl -n <node> logs kubelet.
  • NetworkPolicy not working: confirm calico-node is running on every node (kubectl get ds -n calico-system calico-node, or -n kube-system for a manifest install) and that the policy sits in the same namespace as the pods it should cover.
  • Storage performance issues: watch disk IOPS in the Hetzner Cloud Console graphs and in Longhorn's own Prometheus metrics; Longhorn replication also consumes private-network bandwidth.
  • Talos boot loops: talosctl -n <node> dmesg for kernel messages and talosctl -n <node> logs <service> for a failing service.

Final Note

Hetzner works well for teams comfortable with self-service infrastructure. If you lack 24/7 ops capacity, consider managed Kubernetes elsewhere. For EU teams, Hetzner's German and Finnish locations keep data in the EU and Hetzner offers a GDPR data processing agreement, but choose those locations explicitly, since Hetzner also operates sites in the US and Singapore.

Source thread: Kubernetes on Hetzner. What’s your experience?
