Removed cloud-controller flag during Kubernetes upgrade to v1.33.x

#talos #kubernetes
Profile image
Written by Vincent Van der Kussen
@vincentvdk
Sep 14, 2025

When updating the Kubernetes version of a Talos cluster from version 1.32.x -> 1.33.0 I ran into the following situation where the install would stop.

$ talosctl --nodes <<talos node>> upgrade-k8s --to 1.33.0
automatically detected the lowest Kubernetes version 1.32.0
discovered controlplane nodes ["10.0.0.3"]
discovered worker nodes ["10.0.0.4" "10.0.0.2"]
checking for removed Kubernetes component flags
checking for removed Kubernetes API resource versions

NODE        COMPONENT                 REMOVED FLAG
10.0.0.3    kube-apiserver            cloud-provider
10.0.0.3    kube-controller-manager   cloud-provider

Kubernetes v1.33 removes the --cloud-provider flag from core components (kube-apiserver, kube-controller-manager). If you’re using an external cloud controller manager (CCM), you need to remove this flag from your configuration before upgrading. Your CCM will continue to work - it doesn’t depend on these flags anymore.

Background: The Cloud Provider Migration

Kubernetes has been on a multi-year journey to externalize cloud provider integrations. What started as built-in cloud provider code (the “in-tree” providers) has evolved into separate, out-of-tree cloud controller managers.

The Timeline:

  • Pre-1.29: Cloud providers could be compiled into Kubernetes
  • 1.29: Only --cloud-provider=external was accepted by default
  • 1.33: The --cloud-provider flag is completely removed

How to fix and perform the upgrade

Step 1: Check Your Configuration First, verify if you have the deprecated flags:

NOTE: yq is used to parse the yaml output for clearer output

# For Talos Linux
 talosctl get machineconfig -n 10.88.0.3 -o yaml | yq .spec | grep -A 5 externalCloudProvider

# For kubeadm or other tools, check your config files

Look for:

cluster:
  externalCloudProvider:
    enabled: true

Step 2: Remove the Deprecated Configuration For Talos Linux:

cat > disable-external-cloud-provider.yaml <<EOF
cluster:
  externalCloudProvider:
    enabled: false
EOF

talosctl patch machineconfig --nodes <control-plane-ip> \
  --patch @disable-external-cloud-provider.yaml

This prevents the flag from being added. You should now be able to perform the upgrade.

Resources