# k3s
a
Hello, I am new and would like guidance. I am running k3s on my 4 Raspberry Pi 5 and 4 hosts: 2 servers, which are the Pi 5s, and 2 agents, which are Pi 4 Bs. I want to customize containerd to use kata-containers and run rootless. I also want this to work with the dual IPv4 and IPv6 networks enabled. I am trying to harden my k3s cluster because I will be giving random people access to it and want to secure it. Any tips would be appreciated; I am here to learn with open ears.
d
If they are just deploying apps there, maybe you can restrict the access more by using something like Argo or Flux, so that they can just push the code, but you should add some pipelines somewhere. Additionally, maybe create service accounts to restrict access by namespace and use RBAC.
both gitops tools support arm
a
Are you suggesting I not run rootless containers or kata-containers? Do you think I am doing too much? It's important if these methods I am trying to incorporate are not actually secure. They hint at it in the documentation but I am still unaware? Would really appreciate you letting me know. So far I can tell that GitOps tools and RBAC are what I am looking for if they are deploying apps. The goal is: I go to a DEF CON group and want to give someone SSH access so we can learn about C# authentication. So the system will work like this: they can SSH into the system and download, edit, build and run a C# application authentication server. We want to create CTFs. kc: https://blog.niflheim.cc/posts/kata_containers_raspberry/ rootless: https://rootlesscontaine.rs/getting-started/
d
ohhh got it, also add some service accounts at least 🙂
It will be interesting if you can use an RPi as a bastion host 🙂 it will be more secure
Also, it could be interesting if you can manage the access with Rancher, but I am not sure about the options available at the moment @numerous-animal-44937
n
• I would love to understand more on "I will be giving random people access to it and want to secure it." Why give access to your cluster to random people? You need a way to implement multi-tenancy.
• For sure enforce rootless containers.
• Give the users permission per namespace only, so you have to play a bit with RBAC. What do you use to provide them access to the cluster?
• kata-containers are not natively supported by k3s.
• Running k3s in rootless mode is currently experimental only: https://docs.k3s.io/known-issues?_highlight=rootless#rootless-mode
• You can use Pod Security Admission to prevent containers running as root, and use something like Kubewarden.
• Check this one as well: https://docs.k3s.io/security