Good day K3S folk — question about install option; can I pass the

--tls-san

option more than once if I want to add both an IP and a DNS name as SANs, or does the

--tls-san

option accept multiple values (and, how to specify multiple values then?)

Docs don’t speak to this…

Hello k3s-community I have a single node k3s installation and noticed that ports 6443 and 10250 are open from the outside. How can I add iptables rules in order to close these ports from the outside? When I run iptables -L I see a plethora of rules but have no idea where and how these are configured and thus how to add a couple of them. I am using k3s-selinux-1.2-2.el8.noarch Regards Hans

Is there a way to troubleshoot entries (with verbose logging) in

/etc/rancher/k3s/registries.yaml

? I've entered several entries, but it looks like none of them are being honored. I have entries as follows:

mirrors:
  "<http://docker.io|docker.io>":
    endpoint:
      - "<https://registry>.<fqdn>"
    rewrite:
      "(.*)": "library/docker.io/$1"

However pods are not coming up with the following errors:

Failed to pull image "<http://docker.io/bitnami/sealed-secrets-controller:v0.18.1|docker.io/bitnami/sealed-secrets-controller:v0.18.1>": rpc error: code = Unknown desc = failed to pull and unpack image "<http://docker.io/bitnami/sealed-secrets-controller:v0.18.1|docker.io/bitnami/sealed-secrets-controller:v0.18.1>": failed to resolve reference "<http://docker.io/bitnami/sealed-secrets-controller:v0.18.1|docker.io/bitnami/sealed-secrets-controller:v0.18.1>": failed to do request: Head "<https://registry-1.docker.io/v2/library/docker.io/bitnami/sealed-secrets-controller/manifests/v0.18.1>": dial tcp 44.205.64.79:443: connect: no route to host

Similarly,

k3s ctr image pull <http://docker.io/bitnami/sealed-secrets-controller:v0.18.1|docker.io/bitnami/sealed-secrets-controller:v0.18.1>

returns the same error.

Hi Team, im pretty new with helm and k3s, I'm using jenkins pipeline to handle the deployment to 3 of my servers (dev, test, prod) based in some conditions inside the pipeline, i was making this with docker using its exposed api from each server, now im trying to do this with helm, install the chart in one of those servers, based on the same condition in my pipeline, is there any way to achieve this? hope i made myself clear 😅

Hi there. I'm having difficulty with getting Multus CNI working with k3s and Cilium, but I don't know if I should be asking about it here or Cilium slack or where?

Hello there 👋 How can one install a custom CNI if starting k3s without flannel (default CNI) don't let you start any pod because of a missing CNI (chiken and egg problem)?

Is there a decent guide on getting k3s set up on 2 hosts running multiple agents in docker?

HI team can someone please help me with the question i have in this to a thread

Hi, I’ve got a scenario where I need to authenticate with a repository to grab helm charts from using the

HelmChart

CRD. I came across a chat from this channel via google (link) which is pretty much my exact problem, I was interested to know if this ever went anywhere? Any info would be greatly appreciated!

When backing up k3s running against an external SQL DB, do you also need to back up files in the datadir? Certs or anything

Hi, I'm getting this error sometime and traefik won't be serving traffic resulting

502 bad gateway

. Has any faced this issue ?

k3s: v1.22.8

echo 'Installing helm_v3 chart'
helm_v3 install --set-string global.systemDefaultRegistry= traefik <https://10.43.0.1:443/static/charts/traefik-10.14.100.tgz> --values /config/values-01_HelmChart.yaml --values /config/values-10_HelmChartConfig.yaml
Error: INSTALLATION FAILED: cannot re-use a name that is still in use

Howdy, using the local-path-provisioner, is it possible to create an additional storageclass to write to other volumes/disk locations on the nodes? I have some auxiliary "fast" disks that could be useful for certain applications and wondering how to best use them in a k3s environment.

hi, i installed k3s with 1 server and 3 agent nodes. i noticed k3s is using containerd by default. how do i list the containers running on any given node (server or agents)? I had posted this same question on stackoverflow but not getting anywhere: https://stackoverflow.com/questions/73941545/where-are-my-container-images-when-running-kubernetes-with-containerd

Hi, to upgrade k3s, this page says I can just run

curl -sfL <https://get.k3s.io> | sh -

Do I run this on each k3s server (master)? on each agent (worker)? Does this upgrade the underlying version of k8s as well (and all of the underlying tools, i.e. containerd, runc, …)? https://docs.k3s.io/upgrades/manual#upgrade-k3s-using-the-installation-script

Hi, installation of k3s with selinux enabled does not seem to work, it seems to loop with logs showing "SELinux is preventing /pause from read access on the file /pause"

Hi all, I have k3s clusters (1.24.8) deployed via Rancher (2.6.9) on Openstack (via the openstack-cloud-controller-manager). Now on 3 clusters the Octavia based loadbalancer for the traefik ingress controller died and got deleted by k3s. The "traefik" service is gone and the traefik deployment (pod) says so in it's log... Is there a way to bring it back?

i guess internally it's based on some helm install job - not sure if it's possible to run that again?

ok, not sure if this is the "cleanest" way, but i downloaded the spec for the batch job "helm-install-traefik" deleted the old job, deleted the managedFiles, status and the UIDs and did "kubectl apply" - while this gave a few warnings / errors it created a fresh LB service (which in turn creates the octavia based LB in Openstack) - and for now everything seems to work ...

I am attempting to have pods with multiple network interfaces. For this I am using Multus and Flannel. The issue is that if I add multiple networks on the pod, they all come up in the same subnet. It looks like I should be able to create multiple flannel vxlans by running multiple flannel DS with a separate config. Is this the best way to accomplish multiple networks. Is there an example of this somewhere?

Anyone else experiencing disconnects/timeouts when applying new custom resource definitions to a k3s single node cluster? I just wonder if it is normal. I can get around it by probing the kubernetes api URL until it works again.

Installing the k3s agent machine here, but want to keep firewalld running. Based on documentation and a hunch, would this be enough? or too much? Would all communication be on the flannel interface or should i allow these ports on eth0 interface instead?

sudo firewall-cmd --zone=trusted --add-interface=flannel.1 --permanent
sudo firewall-cmd --zone=trusted --add-masquerade --permanent
sudo firewall-cmd --zone=trusted --add-port=6443/tcp --permanent
sudo firewall-cmd --zone=trusted --add-port=10250/tcp --permanent
sudo firewall-cmd --zone=trusted --add-port=8472/udp --permanent
sudo firewall-cmd --zone=trusted --add-port=51820/udp --permanent
sudo firewall-cmd --zone=trusted --add-port=51821/udp --permanent
sudo firewall-cmd --reload

Anyone successfully running longhorn with k3s in an etcd setup with multiple master nodes?

Hello, is there a way to edit HA stuff like ‘pod-eviction-timeout‘ or ‘node-monitor-grace-period‘ ?

Hi, sometimes there is a delay (about 1~10 minutes) in apply network policy to new Pods in my k3s cluster (they runs v1.25.4+k3s1). how can i fix/research this?

Hello, Background: 13 node bare-metal Raspberry Pi 4 based cluster, 1 master, 12 workers. Running K3s v1.24.8+k3s1 for compatibility with Rancher management UI. I’m doing this to learn Kubernetes. I’m trying to add 2 more master nodes. After working through various goofs of my own (failed to match K3s version and launching with the same flags as the original master), I believe I got all of that straightened out. The respective .service files indicate as such, anyway. However, when I attempt to add these 2 nodes as master, I get the following error in the logs:

2477 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, [invalid bearer token, square/go-jose: error in cryptographic primitive]]"

And, they never show up in the output of

kubectl get nodes

I’ve Googled that error and find many bug reports, posts, etc. but no definitive answer or solution. I’ve wiped out these new nodes and started fresh, but still get the same error. Any advice would be appreciated.

Is there something I need to do in order to allow the traefik ingress manager to function properly with a stock install? I've deployed several helm charts I've used before on cloud provided Kubernetes, and it always works properly. Now when I deploy it to my fresh k3s cluster with one node, it gives me

Bad Gateway

And nothing else. I deployed an Ubuntu pod to test things out, and the service it's trying to connect to functions properly and I get the output from the pod while curl'ing the service DNS. It really feels like an issue between the ingress and the service. When I deploy an ingress with Helm it gives me the following errors within the Traefik pod.

time="2022-12-28T03:08:21Z" level=error msg="Skipping service: no endpoints found" providerName=kubernetes serviceName=test servicePort="&ServiceBackendPort{Name:,Number:80,}" ingress=test namespace=default
time="2022-12-28T03:08:22Z" level=error msg="Skipping service: no endpoints found" servicePort="&ServiceBackendPort{Name:,Number:80,}" providerName=kubernetes namespace=default ingress=test serviceName=test

Hi, I have new k3s cluster and I'd like to proxy connections to the master servers through our lb. This currently fails with "Unable to connect to the server: x509: certificate is valid for <list of cluster server ip's> not <lb ip>". I guess I need to add the --tls-san option with lb IP, can this be set after cluster setup?

Hello, please I'm trying to install k3s on a windows 10 machine, I was wondering if there is any concrete guide on how to achieve this? Thanks alot

I’m experiencing https://github.com/cilium/cilium/issues/22585 so:

Error: EMFILE: too many open files, watch '/'
    at FSWatcher.<computed> (node:internal/fs/watchers:244:19)
    at Object.watch (node:fs:2303:34)
    at /usr/local/lib/node_modules/json-server/lib/cli/run.js:179:10 {
  errno: -24,
  syscall: 'watch',
  code: 'EMFILE',
  path: '/',
  filename: '/'
}