init

.gitignore

@@ -0,0 +1 @@
+certs/

README.md

@@ -0,0 +1,64 @@
+# K3S
+
+## Raspberry Pi
+
+Enable cgroups
+
+```bash
+sudo vim /boot/cmdline.txt
+
+... cgroup_memory=1 cgroup_enable=memory
+```
+
+Enable legacy iptables
+
+```bash
+sudo iptables -F
+sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
+sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+sudo reboot
+```
+
+Install k3s on our sacrificial server
+
+```bash
+curl -sfL https://get.k3s.io | sh -s - server \
+    --datastore-endpoint=https://3.14.3.102:2379,https://3.14.3.107:2379,https://3.14.3.103:2379 \
+    --datastore-cafile=/certs/ca.pem \
+    --datastore-certfile=/certs/client.pem \
+    --datastore-keyfile=/certs/client-key.pem \
+```
+
+Join worker node (token located at /var/lib/rancher/k3s/server/node-token)
+
+```bash
+export token=<token>
+curl -sfL https://get.k3s.io | sh -s - server \
+    --datastore-endpoint=https://3.14.3.102:2379,https://3.14.3.107:2379,https://3.14.3.103:2379 \
+    --datastore-cafile=/certs/ca.pem \
+    --datastore-certfile=/certs/client.pem \
+    --datastore-keyfile=/certs/client-key.pem \
+    --token $token \
+    --server https://3.14.3.107
+```
+
+Test a bunch of deploys
+
+```bash
+for i in {1..100}; do kubectl create deploy test$i --image=nginx & done;
+for i in {1..100}; do kubectl delete deploy test$i & done;
+```
+
+Generate certs
+
+```bash
+export USER=<username>
+mkdir $USER
+cd $USER
+openssl genrsa -out $USER.key 2048
+openssl req -new -key $USER.key -out $USER.csr -subj "/CN=$USER/O=user"
+sudo openssl x509 -req -in $USER.csr -CA /var/lib/rancher/k3s/server/tls/client-ca.crt -CAkey /var/lib/rancher/k3s/server/tls/client-ca.key -CAcreateserial -out $USER.crt -days 5000
+sudo chown pi:pi $USER.crt
+sudo kubectl create role $USER --verb=* --resource=deployments,pods,pods/exec,pods/log,pods/attach,services,ingresses,ingressroutes,secrets,configmaps,persistentvolumeclaims
+sudo kubectl create rolebinding $USER --role=$USER --user=$USER
+```