Migrate an admin cluster to HA

This document shows how to migrate to a high availability (HA) admin cluster from a non-HA admin cluster.

1.30: GA
1.29: Preview
1.28: Not available

A non-HA admin cluster has one control-plane node and two add-on nodes. An HA admin cluster has three control-plane nodes and no add-on nodes, so the number of VMs that an HA admin cluster requires hasn't changed, but availability is significantly improved.

Prepare for the migration

If your admin cluster version is 1.29.0-1.29.600 or 1.30.0-1.30.100, and if always-on secrets encryption was enabled in the admin cluster at version 1.14 or earlier, you must rotate the encryption key before starting the migration. Otherwise, the new HA admin cluster will be unable to decrypt secrets.

To check if the cluster could be using an old encryption key:

kubectl --kubeconfig ADMIN_CLUSTER_KUBECONFIG get secret -n kube-system admin-master-component-options -o jsonpath='{.data.data}' | base64 -d | grep -oP '"GeneratedKeys":\[.*?\]'

If the output shows an empty key like the following, then you must rotate the encryption key.


Rotate the encryption key if needed

If needed, do the following steps to rotate an existing encryption key:

  1. Increment the keyVersion in the admin cluster configuration file.

  2. Update the admin cluster:

    gkectl update admin --kubeconfig ADMIN_CLUSTER_KUBECONFIG \

    This creates a new key matching the new version number, re-encrypts each secret, and securely erases the old ones. All subsequent new secrets are encrypted using the new encryption key.

If you started the migration without rotating the encryption key, contact Google support.

Procedure overview

These are the primary steps involved in a migration:

  1. Edit the admin cluster configuration file.

  2. Run gkectl update admin. This command does the following:

    • Bring up an external cluster (Kind) and ensure the current non-HA admin cluster is in a healthy state.

    • Create a new admin cluster control plane using HA spec and a new control plane VIP.

    • Turn off the existing admin cluster control plane.

    • Take an etcd snapshot of the existing admin cluster.

    • Restore the old admin cluster data in the new HA control plane.

    • Reconcile the restored admin cluster to meet the end state of HA admin cluster.


  • During migration, there's no downtime for user cluster workload.

  • During migration, there is some downtime for the admin cluster control plane. (The downtime is <18 min based on our test, but the actual length depends on individual infra environments).

  • Requirements for HA admin clusters still hold for non-HA to HA migration. That is, If you are using the Seesaw load balancer for a non-HA admin cluster, you must first migrate to MetalLB, and then migrate to an HA admin cluster. This is because an HA admin cluster doesn't support Seesaw.

  • After the migration is successfully done, there will be left-over resources (e.g. the non-HA admin master VM) that we intentionally kept for the sake of failure recovery.

Before and after migration

These are the primary differences in the cluster before and after migration:

Before migrationAfter migration
Control-plane node replicas13
Add-on nodes20
Control-plane Pod replicas
(kube-apiserver, kube-etcd, etc.)
Data disk size100GB * 125GB * 3
Data disks path Set by vCenter.dataDisk in the admin cluster configuration file Auto generated under the directory: /anthos/[ADMIN_CLUSTER_NAME]/default/[MACHINE_NAME]-data.vmdk
Load balancer for the control-plane VIP Set by loadBalancer.kind in the admin cluster configuration file keepalived + haproxy
Allocation of IP addresses for admin cluster control-plane nodes DHCP or static, depending on network.ipMode.type 3 static IP addresses
Allocation of IP addresses for kubeception user cluster control-plane nodes DHCP or static, depending on network.ipMode.type DHCP or static, depending on network.ipMode.type
Checkpoint fileEnabled by defaultNot used

Edit the admin cluster configuration file

You need to specify four additional IP addresses:

  • Three IP addresses for the control-plane nodes of the admin cluster
  • A new control-plane VIP for the admin cluster load balancer

You also need to change a few other fields in your admin cluster configuration file.

Specify IP addresses

  1. In the admin cluster configuration file, fill in the network.controlPlaneIPBlock section. For example:

     netmask: ""
     gateway: ""
     – ip: ""
       hostname: "admin-cp-node-1"
     – ip: ""
       hostname: "admin-cp-node-2"
     – ip: ""
       hostname: "admin-cp-node-3"
  2. Fill in the hostconfig section. If your admin cluster uses static IP addresses, this section is already filled in. For example:

  3. Replace the value of loadBalancer.vips.controlPlaneVIP with a new VIP. For example:

       controlPlaneVIP: ""

Update additional configuration fields

  1. Set adminMaster.replicas to 3:

     replicas: 3
     cpus: 4
     memoryMB: 8192
  2. Remove the vCenter.dataDisk field. This is because for an HA admin cluster, the paths for the three data disks used by control-plane nodes are automatically generated under the root directory anthos in the datastore.

  3. If loadBalancer.manualLB.controlPlaneNodePort has a non-zero value, set it to 0.

Adjust manual load balancer configuration

If your admin cluster uses manual load balancing, do the step in this section. Otherwise skip this section.

For each of the three new control-plane node IP addresses that you specified in the network.controlPlaneIPBlock section, configure this mapping in your load balancer:

(old controlPlaneVIP:443) -> (NEW_NODE_IP_ADDRESS:old controlPlaneNodePort)

This is so that the old control-plane VIP will work during the migration.

Update the admin cluster

  1. Start the migration:

    gkectl update admin --kubeconfig ADMIN_CLUSTER_KUBECONFIG --config ADMIN_CLUSTER_CONFIG

    Replace the following:

    • ADMIN_CLUSTER_KUBECONFIG: the path of the admin cluster kubeconfig file.

    • ADMIN_CLUSTER_CONFIG: the path of the admin cluster configuration file

  2. The command displays the progress of the migration.

    When prompted, enter Y to continue.

  3. When the migration is done, the admin cluster kubeconfig file is automatically updated to use the new control-plane VIP. Meanwhile, the old control-plane VIP still functions, and can also be used to access the new HA admin cluster.