Guide for deploying and managing K3s lightweight Kubernetes clusters. Covers single-node and multi-node installation, HA with embedded etcd or external databases, networking (Flannel, ServiceLB, MetalLB, custom CNI), storage (local-path, Longhorn), HelmChart CRD and auto-deploy manifests, air-gap installation, edge/IoT patterns, CIS security hardening, secrets encryption, system-upgrade-controller, and Rancher multi-cluster management. Use for K3s-specific tasks; do not use for full upstream Kubernetes (kubeadm/kops), managed cloud Kubernetes (EKS/GKE/AKS), or alternative lightweight distros (K0s, MicroK8s).
K3s is a CNCF-certified Kubernetes distribution packaged as a single binary (<100 MB). It bundles:
K3s removes alpha APIs, legacy cloud providers, and non-essential storage drivers from upstream K8s. It retains full Kubernetes API conformance.
Server node runs: kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, kube-proxy (all in one process). Agent node runs: kubelet, kube-proxy, containerd.
/etc/rancher/k3s/config.yaml # Main config file
/etc/rancher/k3s/registries.yaml # Private registry mirrors
/etc/rancher/k3s/k3s.yaml # Generated kubeconfig (server only)
/var/lib/rancher/k3s/server/manifests/ # Auto-deploy manifests directory
/var/lib/rancher/k3s/server/node-token # Join token for agents
/var/lib/rancher/k3s/agent/images/ # Air-gap image tarballs
/var/lib/rancher/k3s/server/db/ # SQLite database
/var/lib/rancher/k3s/server/cred/ # Encryption config and credentials
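Several of the paths above hold cluster credentials: the admin kubeconfig, the agent join token, the encryption config and the datastore. The shell check below is an added example, not part of K3s or of the original guide, that flags any of them accessible to group or other; the `ROOT` argument and the `K3S_ROOT` variable are assumptions introduced so it can also be run against a copied tree.

```shell
#!/bin/sh
# Added example: flag K3s credential paths that group or other can access.
# Only mode bits are checked; ownership is not (assumption: files are root-owned).

# Credential-bearing paths from the list above, relative to the filesystem root.
K3S_SENSITIVE="etc/rancher/k3s/k3s.yaml
var/lib/rancher/k3s/server/node-token
var/lib/rancher/k3s/server/cred
var/lib/rancher/k3s/server/db"

# audit_k3s_perms ROOT
#   ROOT is a hypothetical prefix so a copied tree can be audited; "" is the live host.
#   Prints one FAIL line per finding and returns the number of findings (0 = clean).
audit_k3s_perms() {
    root="${1%/}"
    findings=0
    for rel in $K3S_SENSITIVE; do
        path="$root/$rel"
        [ -e "$path" ] || continue                # agent nodes have no server files
        mode=$(stat -c '%a' "$path") || continue  # GNU stat, octal mode such as 644
        go=$(( 0$mode & 077 ))                    # keep only the group and other bits
        if [ "$go" -ne 0 ]; then
            printf 'FAIL %s mode %s (group/other access)\n' "$path" "$mode"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Run as root on a server node; K3S_ROOT is an assumed override for testing.
audit_k3s_perms "${K3S_ROOT:-}"
```

A kubeconfig written with `write-kubeconfig-mode: "0644"` is reported by this check, since that mode grants read access to group and other.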
curl -sfL https://get.k3s.io | sh -
# Verify
sudo systemctl status k3s
sudo k3s kubectl get nodes
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server" sh -s - \
  --disable=traefik \
  --disable=servicelb \
  --tls-san=lb.example.com \
  --node-label=role=control-plane
Create /etc/rancher/k3s/config.yaml before running the install script:
write-kubeconfig-mode: "0644" # Makes the admin kubeconfig readable by every local user; the K3s default is 0600
tls-san:
- lb.example.com
- 10.0.0.100