# K3s Installation Standards
## Rule
All K3s installations MUST use secure tokens, explicit TLS SANs, and appropriate component configuration flags.
## Format
```bash
curl -sfL https://get.k3s.io | K3S_TOKEN="<strong-random-token>" sh -s - server \
--tls-san=<load-balancer-dns> \
--tls-san=<load-balancer-ip> \
--node-taint CriticalAddonsOnly=true:NoExecute \
--protect-kernel-defaults \
--write-kubeconfig-mode 644 \
--disable=<unused-components>
```
## Requirements
1. **Secure token** — use a strong random value, never default or simple strings
2. **TLS SANs** — add all DNS names and IPs used to access the API server
3. **Server taints** — taint server nodes in HA setups to prevent workload scheduling
4. **Kernel protection** — enable `--protect-kernel-defaults` in production
5. **Kubeconfig permissions** — set `--write-kubeconfig-mode 644` for non-root access
6. **Disable unused components** — remove traefik, servicelb when using alternatives
## Examples
### Good — Production HA Server
```bash
curl -sfL https://get.k3s.io | K3S_TOKEN="$(openssl rand -hex 32)" sh -s - server \
--cluster-init \
--tls-san=k3s.example.com \
--tls-san=10.0.0.100 \
--node-taint CriticalAddonsOnly=true:NoExecute \
--protect-kernel-defaults \
--write-kubeconfig-mode 644 \
--disable traefik \
--disable servicelb \
--kubelet-arg="system-reserved=cpu=250m,memory=256Mi" \
--etcd-snapshot-schedule-cron="0 */6 * * *" \
--etcd-snapshot-retention=10
```
### Bad
```bash
# Insecure: no explicit token, no TLS SANs, no taints, no kernel protection, all default components enabled
curl -sfL https://get.k3s.io | sh -
```
## Enforcement
Document installation commands in runbooks and GitOps bootstrap scripts. Review K3s startup flags with `systemctl cat k3s` during audits.
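As an added audit helper (example code, not part of the K3s project or of this standard), the script below checks the ExecStart flags of a k3s unit, as printed by `systemctl cat k3s`, against the requirements above. The two unit texts are constructed samples; on a real server the commented-out last line feeds in the live unit.

```shell
#!/bin/sh
# Constructed sample of `systemctl cat k3s` output for a compliant HA server.
GOOD_UNIT='[Service]
ExecStart=/usr/local/bin/k3s \
    server \
    --cluster-init \
    --tls-san=k3s.example.com \
    --tls-san=10.0.0.100 \
    --node-taint CriticalAddonsOnly=true:NoExecute \
    --protect-kernel-defaults \
    --write-kubeconfig-mode 644 \
    --disable traefik \
    --disable servicelb'

# Constructed sample of the unit a bare `curl | sh -` install produces.
BAD_UNIT='[Service]
ExecStart=/usr/local/bin/k3s \
    server'

# Print the ExecStart command of a unit on one line (joins backslash continuations).
exec_args() {
  printf '%s\n' "$1" | sed -n '/^ExecStart=/,$p' | tr -d '\\' | tr '\n' ' '
}

# Return 0 when every required flag is present; print each missing flag on stdout.
check_k3s_flags() {
  args=$(exec_args "$1")
  missing=0
  for flag in --tls-san --node-taint --protect-kernel-defaults --disable; do
    case " $args " in
      *" $flag "*|*" $flag="*) ;;
      *) echo "missing: $flag"; missing=$((missing + 1)) ;;
    esac
  done
  # A load-balanced API server needs at least two SANs (DNS name and IP).
  san_count=$(printf '%s' "$args" | grep -o -- '--tls-san=' | wc -l | tr -d ' ')
  [ "$san_count" -ge 2 ] || { echo "missing: second --tls-san"; missing=$((missing + 1)); }
  [ "$missing" -eq 0 ]
}

# Audit the live host (uncomment on a K3s server):
# check_k3s_flags "$(systemctl cat k3s)"
```

The token itself is not visible in the unit; check the K3S_TOKEN source separately when auditing.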