K8sCalc


k3s Install Script Generator

Generate a k3s server or agent install command with the right flags for your setup — embedded etcd HA, external datastore, custom CIDR, flannel backend, and Traefik control.

k3s: Lightweight Kubernetes

k3s is a CNCF-certified Kubernetes distribution packaged as a single binary under 100MB. It replaces the standard control plane components (etcd, kube-apiserver, etc.) with a lighter stack suitable for edge, ARM, and resource-constrained nodes.

What k3s removes/replaces

| Component | Standard K8s | k3s |
|---|---|---|
| Container runtime | dockershim (removed) | containerd (built-in) |
| Storage | etcd (separate) | sqlite (single) or embedded etcd |
| Cloud provider | External | None (bare metal first) |
| Ingress | None | Traefik (optional) |
| Load balancer | None | ServiceLB (optional) |

Single-node install

bash
curl -sfL https://get.k3s.io | sh -
# kubeconfig: /etc/rancher/k3s/k3s.yaml
kubectl get nodes

HA with embedded etcd (3 servers)

bash
# First server
curl -sfL https://get.k3s.io | \
  K3S_TOKEN=SECRET sh -s - server --cluster-init

# Second and third servers
curl -sfL https://get.k3s.io | \
  K3S_TOKEN=SECRET sh -s - server \
  --server https://FIRST_SERVER_IP:6443

Useful paths

/etc/rancher/k3s/k3s.yaml         — kubeconfig
/var/lib/rancher/k3s/server/       — server state
/var/lib/rancher/k3s/agent/        — agent state
/etc/rancher/k3s/config.yaml       — alternative config (vs env vars)

Frequently Asked Questions

What's the difference between k3s embedded etcd HA and external datastore HA?

Embedded etcd uses k3s's built-in etcd: it requires an odd number of server nodes (3, 5) and has no external dependency. External datastore uses Postgres or MySQL as the cluster state store: any number of servers can join and it is simpler to scale, but it requires a managed DB. For most self-hosted clusters, embedded etcd with 3 nodes is the right choice.

How do I add a worker node after installation?

On the server node, get the token: sudo cat /var/lib/rancher/k3s/server/node-token. Then on the worker: curl -sfL https://get.k3s.io | K3S_URL=https://SERVER_IP:6443 K3S_TOKEN=TOKEN sh -. The generated agent command handles this automatically.

Should I disable Traefik?

Disable Traefik if you already have another ingress controller (nginx, HAProxy) or if you use a Cloudflare Tunnel for all ingress. Keep Traefik if you want a working ingress out of the box — it handles Let's Encrypt automatically via cert-manager or its own ACME resolver.

What is the TLS SAN for?

The k3s API server certificate is only valid for the IPs/hostnames in its TLS SAN list. If you access the cluster via a load balancer IP or hostname that isn't in the cert, kubectl will get TLS errors. Add your LB IP and any external hostname here at install time. To add SANs after install, you need to rotate the certs.
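The HA commands above pass K3S_TOKEN inline, where it ends up in shell history; the token, the join URL and the TLS SANs can instead go in /etc/rancher/k3s/config.yaml, the alternative listed under Useful paths. The following is an added example, not output of this page's generator, that writes that file with mode 0600. The function names, the 203.0.113.10 address and the hostname are assumptions; the config keys mirror the k3s flags of the same name.

```bash
#!/bin/sh
# Added example: write a k3s server config.yaml readable by its owner only.
# Function names and all sample values are assumptions.

# gen_token: 32 bytes from the kernel CSPRNG, hex encoded (64 characters).
gen_token() {
  od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# write_server_config DIR TOKEN MODE [SAN...]
#   MODE is "init" (first server) or the https://HOST:6443 URL of a server to join.
#   The body runs in a subshell, so the umask change does not leak to the caller.
write_server_config() (
  dir=$1; token=$2; mode=$3; shift 3
  [ "${#token}" -ge 32 ] || { echo "token too short" >&2; exit 1; }
  case $mode in
    init)      join='cluster-init: true' ;;
    https://*) join="server: \"$mode\"" ;;
    *)         echo "mode must be 'init' or https://HOST:6443" >&2; exit 1 ;;
  esac
  umask 077                          # new files are created 0600, directories 0700
  mkdir -p "$dir" || exit 1
  {
    printf 'token: "%s"\n%s\n' "$token" "$join"
    [ "$#" -eq 0 ] || printf 'tls-san:\n'
    for san in "$@"; do printf '  - "%s"\n' "$san"; done
  } > "$dir/config.yaml"
  chmod 600 "$dir/config.yaml"       # also tighten a file that already existed
)

# Demo in a scratch directory with constructed values
# (on a real node DIR would be /etc/rancher/k3s).
demo_dir=$(mktemp -d)
write_server_config "$demo_dir" "$(gen_token)" init 203.0.113.10 k3s.example.internal
sed 's/^token: .*/token: "<redacted>"/' "$demo_dir/config.yaml"
```

With the file in place at /etc/rancher/k3s/config.yaml, the install command reduces to curl -sfL https://get.k3s.io | sh -s - server, with no token on the command line.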
