K3S

Raspberry Pi

Enable cgroups

sudo vim /boot/cmdline.txt

... cgroup_memory=1 cgroup_enable=memory

Enable legacy iptables

sudo iptables -F
sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
sudo reboot

Install k3s on our sacrificial server

curl -sfL https://get.k3s.io | sh -s - server \
    --datastore-endpoint=https://3.14.3.102:2379,https://3.14.3.107:2379,https://3.14.3.103:2379 \
    --datastore-cafile=/certs/ca.pem \
    --datastore-certfile=/certs/client.pem \
    --datastore-keyfile=/certs/client-key.pem \

Join worker node (token located at /var/lib/rancher/k3s/server/node-token)

export token=<token>
curl -sfL https://get.k3s.io | sh -s - server \
    --datastore-endpoint=https://3.14.3.102:2379,https://3.14.3.107:2379,https://3.14.3.103:2379 \
    --datastore-cafile=/certs/ca.pem \
    --datastore-certfile=/certs/client.pem \
    --datastore-keyfile=/certs/client-key.pem \
    --token $token \
    --server https://3.14.3.107

Test a bunch of deploys

for i in {1..100}; do kubectl create deploy test$i --image=nginx & done;
for i in {1..100}; do kubectl delete deploy test$i & done;

Generate certs

export USER=<username>
mkdir $USER
cd $USER
openssl genrsa -out $USER.key 2048
openssl req -new -key $USER.key -out $USER.csr -subj "/CN=$USER/O=user"
sudo openssl x509 -req -in $USER.csr -CA /var/lib/rancher/k3s/server/tls/client-ca.crt -CAkey /var/lib/rancher/k3s/server/tls/client-ca.key -CAcreateserial -out $USER.crt -days 5000
sudo chown pi:pi $USER.crt
sudo kubectl create role $USER --verb=* --resource=deployments,pods,pods/exec,pods/log,pods/attach,services,ingresses,ingressroutes,secrets,configmaps,persistentvolumeclaims
sudo kubectl create rolebinding $USER --role=$USER --user=$USER