K3S

Raspberry Pi

Enable cgroups by adding the following to the end of /boot/cmdline.txt

cgroup_memory=1 cgroup_enable=memory

Enable legacy iptables

sudo iptables -F
sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
sudo reboot

Install k3s on our sacrificial server (assuming you have etcd configured)

curl -sfL https://get.k3s.io | sh -s - server \
    --datastore-endpoint=https://3.14.3.102:2379,https://3.14.3.107:2379,https://3.14.3.103:2379 \
    --datastore-cafile=/certs/ca.pem \
    --datastore-certfile=/certs/client.pem \
    --datastore-keyfile=/certs/client-key.pem \

Join worker node (token located at /var/lib/rancher/k3s/server/node-token)

export token=<token>
curl -sfL https://get.k3s.io | sh -s - server \
    --datastore-endpoint=https://3.14.3.102:2379,https://3.14.3.107:2379,https://3.14.3.103:2379 \
    --datastore-cafile=/certs/ca.pem \
    --datastore-certfile=/certs/client.pem \
    --datastore-keyfile=/certs/client-key.pem \
    --token $token \
    --server https://3.14.3.107

Generate certs for a new user

export USER=<username>
mkdir $USER
cd $USER
openssl genrsa -out $USER.key 2048
openssl req -new -key $USER.key -out $USER.csr -subj "/CN=$USER/O=user"
sudo openssl x509 -req -in $USER.csr -CA /var/lib/rancher/k3s/server/tls/client-ca.crt -CAkey /var/lib/rancher/k3s/server/tls/client-ca.key -CAcreateserial -out $USER.crt -days 5000
sudo chown pi:pi $USER.crt
sudo kubectl create namespace $USER
sudo kubectl -n $USER create role $USER --verb=get,list,create,update,patch,watch,delete,deletecollection --resource=deployments,pods,pods/exec,pods/log,pods/attach,services,ingresses,secrets,configmaps,persistentvolumeclaims
sudo kubectl -n $USER create rolebinding -n ducoterra $USER --role=$USER --user=$USER

Test a bunch of deploys

for i in {1..100}; do kubectl create deploy test$i --image=nginx; done;
for i in {1..100}; do kubectl delete deploy test$i; done;