Update: Deprecation of public-only Kapsule clusters

Thibault Genaitay

On April 1, 2024, the public-only network interface for Kapsule worker nodes will be at end of service.

Tightening security everywhere has been and always will be our top priority, which is why Kapsule clusters can no longer have public IP addresses only. Public IPs are great and often very handy, and we’ll keep them as a default. But the best way forward is to leverage Scaleway’s free Private Networks to secure your infrastructure. They allow all your cloud resources (nodes, databases, bare metal) to communicate in an isolated and secure network, without using the public internet.

That’s why we have introduced a new default, “controlled isolation”, in which nodes have both public IPs and private IPs.

Timeline for removal

  • As of October 18, 2023, public-only clusters are deprecated (changelog). New Kapsule clusters are required to have a (free) Private Network attached.
  • On December 4, 2023, we’ll show a deprecation notice, with warnings to migrate, on all clusters without private endpoints.
  • On April 1, 2024, the legacy public-only network will be at end of service (notice).
  • Between April 1, 2024 and May 10, 2024, Kapsule clusters that still have public-only endpoints will be automatically migrated by Scaleway to Private Networks.

The migrations will happen region by region, in this order:

  1. PL-WAW: Apr 1, 2024 - Apr 5, 2024
  2. NL-AMS: Apr 15, 2024 - Apr 19, 2024
  3. FR-PAR: Apr 29, 2024 - May 10, 2024

How do I know if my cluster is only using public networks?

Prior to May 2023, before VPC became Generally Available at Scaleway, full public was the default network mode.

If you created your Kapsule cluster prior to that time, it’s very likely your cluster was not set up with a Private Network attached.

However, if you’re not sure whether your cluster uses this feature, you can check in a few places:

  • In your list of Kubernetes clusters, look for the Network column; a warning (!) “Public” will show.
  • For any cluster yet to migrate, a permanent yellow warning banner will show at the top of its overview.

What do I get out of this?

By migrating to a Private Network in early 2024, you are future-proofing your infrastructure.

  • Safer Kubernetes: Private Networks allow your cloud resources to communicate in an isolated and secure network without using the public Internet.
  • More resilient cluster: Private Networks enable you to set up multi-AZ clusters.
  • Super flexible isolation options: you can either keep public IPs on your nodes (protected behind security groups) or have only private IPs on nodes with a single egress IP. Or both!
  • Ready for more features: Control Planes will soon be brought into isolation with your worker nodes, all communicating in the same Private Network. You will even be able to restrict/allow a range of IPs or ports to control who can access the API server.

What’s the fee?

VPC and Private Networks are totally free of charge.

Will there be a downtime during the migration?

Yes, attaching a Private Network to a Kapsule cluster results in an unavoidable network loss of 1 to 10 minutes.

What will happen once the migration is started:

  1. Your control plane will restart a first time: the Kubernetes API of your cluster will be temporarily unavailable.
  2. Your pools will be upgraded to migrate the nodes into the Private Network. All of your nodes will be rebooted according to the specified Upgrade Policy of your pools.
  3. Once all your nodes have rebooted, your control plane will be configured to use the Private Network and restarted once more. Then, your Load Balancers will be reconfigured and migrated to the Private Network as well.
  4. Finally, the Container Network Interface (CNI) of your cluster will be reconfigured and restarted to use the Private Network.

Important: During step #4, the Pod network of your cluster will be temporarily unavailable for 1 to 10 minutes as all Pods of the CNI are restarted. This estimated duration depends on the size of your cluster and the CNI you are using. Your Pods will be unable to communicate with each other during this step.

How can I migrate my Kapsule clusters?

  • Either using the Scaleway console: in your cluster information, go to the Private Network tab to start the migration.
  • Or via Terraform: simply set a private_network_id on the scaleway_k8s_cluster resource to trigger the migration. Depending on the change to the Private Network ID (PNID):
      1. No PNID => PNID: migrates the cluster to private
      2. PNID a => PNID b: warning, then forcing new cluster

Please pick your Private Network carefully.

  • Once a cluster is attached to a Private Network, you cannot roll back this migration
  • The cluster can't be moved to another Private Network after migration.
  • A Private Network can't be detached.
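
The Terraform path and the irreversibility rules above, as an added example (not Scaleway's own configuration): it attaches a Private Network to an existing cluster and guards against the "PNID a => PNID b" case that forces a new cluster. Resource names, region, Kubernetes version, CNI and node type are sample values to be replaced with those of your cluster.

```hcl
# Added example. All names and values below are constructed samples.
resource "scaleway_vpc_private_network" "kapsule" {
  name   = "kapsule-pn" # hypothetical name
  region = "fr-par"     # must be the region of the cluster
}

resource "scaleway_k8s_cluster" "main" {
  name    = "my-cluster" # hypothetical name
  version = "1.28.2"     # placeholder: keep your cluster's current version
  cni     = "cilium"     # placeholder: keep your cluster's current CNI
  region  = "fr-par"

  delete_additional_resources = false

  # No PNID => PNID: adding this attribute to a public-only cluster
  # triggers the in-place migration (expect 1 to 10 minutes of Pod
  # network loss while the CNI restarts).
  private_network_id = scaleway_vpc_private_network.kapsule.id

  # PNID a => PNID b forces a new cluster. With prevent_destroy,
  # Terraform rejects any plan that would destroy (and therefore
  # replace) this cluster, so a changed ID fails at plan time.
  lifecycle {
    prevent_destroy = true
  }
}

resource "scaleway_k8s_pool" "default" {
  cluster_id = scaleway_k8s_cluster.main.id
  name       = "default" # hypothetical name
  node_type  = "DEV1-M"  # sample node type
  size       = 3
  region     = "fr-par"

  # During the migration, nodes are rebooted according to this policy:
  # one node at a time here, with no extra node created.
  upgrade_policy {
    max_unavailable = 1
    max_surge       = 0
  }
}
```

Run `terraform plan` before applying and confirm the cluster shows as updated in place rather than replaced.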

We provide you with an overview of the new isolation options, the migration strategies and much finer details in this dedicated documentation: Securing a cluster with a Private Network

Any questions? Just ask your Scaleway representative, or reach out on our Community Slack!
