/etc/rancher/k3s/k3s.yaml

Published by TechMarmot Editorail Staff on | Category K3s

The file located at /etc/rancher/k3s/k3s.yaml serves as the primary administrative gateway for any K3s Kubernetes cluster. It is not merely a configuration file but the master kubeconfig that grants unrestricted access to the cluster's API server. In the architecture of K3s, this file is automatically generated during the installation process on server nodes, encapsulating the necessary credentials, certificates, and server endpoints required for a user or an automated system to manage the cluster. Because it provides access as the system:admin user and the system:masters group, it represents the highest level of privilege possible within the Kubernetes RBAC (Role-Based Access Control) framework. These hardcoded identities are designed to ensure that the cluster administrator has total control over every resource, from pods and deployments to namespaces and secrets, without being restricted by any security policies.

For the operator, /etc/rancher/k3s/k3s.yaml is the bridge between the underlying infrastructure and the Kubernetes control plane. While K3s simplifies the deployment of Kubernetes, the management of this file is critical for cluster accessibility. The built-in kubectl command provided by the K3s installation is pre-configured to seek out this specific path by default, allowing for immediate cluster interaction. However, for those employing external toolsets such as upstream kubectl or Helm, the existence of this file is the prerequisite for connectivity. K3s ensures the longevity and validity of this access point by automatically updating the certificates embedded within the admin kubeconfig every time the service starts, preventing the common "expired certificate" failures that often plague manual Kubernetes installations.

Administrative Access and Privilege Levels

The /etc/rancher/k3s/k3s.yaml file is the definitive source of truth for administrative authentication. By utilizing this file, the user is mapped to the system:admin user and the system:masters group.

  • System:admin User
    The identity provided by this file allows the user to bypass standard RBAC restrictions. This is critical for initial cluster setup, troubleshooting, and emergency recovery. If a user accidentally deletes a critical namespace or misconfigures a ClusterRole, the system:admin privileges provided by this file are the only way to rectify the situation without rebuilding the cluster.

  • System:masters Group
    Belonging to the system:masters group means the user has absolute authority over all resources across all namespaces. In a production environment, this level of access is extremely powerful and potentially dangerous, as any command executed via this configuration can alter the fundamental state of the cluster.

  • Hardcoded Permissions
    Kubernetes hardcodes these specific identities to ensure that there is always a "break-glass" account available. This prevents a scenario where an administrator locks themselves out of the cluster due to an error in a custom RBAC policy.

Integrating External Tooling with Kubeconfig

While K3s includes a bundled version of kubectl, many engineers prefer using upstream versions of kubectl or the Helm package manager for more advanced orchestration. These tools do not inherently know about the K3s-specific path /etc/rancher/k3s/k3s.yaml.

To bridge this gap, the operator must explicitly tell the external tools where to find the administrative credentials. This can be achieved through two primary methods:

  • Environment Variable Export
    The most common method is exporting the KUBECONFIG environment variable. This tells the shell and any subsequent Kubernetes commands to look at the specified path for cluster access.
    export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
    Once this is exported, commands such as kubectl get pods --all-namespaces or helm ls --all-namespaces will function correctly because the tools now have a path to the credentials.

  • Command Line Flag Invocation
    For one-off commands or scripts where environment variables are not persistent, the --kubeconfig flag can be used. This explicitly defines the path for that specific execution.
    kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml get pods --all-namespaces
    helm --kubeconfig /etc/rancher/k3s/k3s.yaml ls --all-namespaces

Remote Cluster Management and Configuration

One of the most frequent requirements for K3s administrators is the ability to manage the cluster from a local workstation rather than SSHing into the server node. This requires transferring the contents of /etc/rancher/k3s/k3s.yaml to a remote machine.

The process for establishing remote access involves several precise steps:

  • File Migration
    The file /etc/rancher/k3s/k3s.yaml must be copied from the server node to the local machine. The standard convention for Kubernetes is to store this configuration at ~/.kube/config.

  • Server Endpoint Modification
    By default, the server field within the K3s kubeconfig is set to localhost because the file is generated for local use on the node. To enable remote access, the user must edit the file and replace localhost with the actual IP address or the DNS name of the K3s server.

  • Load Balancer Integration
    In high-availability environments, instead of pointing to a single node IP, the server directive should be configured to point to the DNS of a load balancer. This ensures that if one master node fails, the kubectl commands are automatically routed to a healthy node. The communication typically occurs over port 6443.

Cluster Health Verification and Validation

Once the /etc/rancher/k3s/k3s.yaml file is properly configured—whether locally or remotely—it is essential to verify the operational status of the cluster.

The following verification workflow is recommended:

  • Node Status Verification
    Run the following command to ensure that the nodes are joined and healthy.
    sudo k3s kubectl get nodes
    The expected output should show the nodes with a Ready status and the master role. For instance, in a dual-master setup, the output might show:
    NAME STATUS ROLES AGE VERSION
    ip-172-31-60-194 Ready master 44m v1.17.2+k3s1
    ip-172-31-63-88 Ready master 6m8s v1.17.2+k3s1

  • Pod Health Check
    To ensure the control plane and system components are functioning, check the pods across all namespaces.
    sudo k3s kubectl get pods --all-namespaces
    This command confirms that the K3s internal components (like CoreDNS, Flannel, and the Kube-API server) are running without errors.

Contrast with Configuration Management (/etc/rancher/k3s/config.yaml)

It is critical to distinguish between /etc/rancher/k3s/k3s.yaml (the access file) and /etc/rancher/k3s/config.yaml (the configuration file). While both reside in the same directory, they serve entirely different purposes.

Feature /etc/rancher/k3s/k3s.yaml /etc/rancher/k3s/config.yaml
Primary Purpose Cluster Access & Authentication Cluster Behavior & Settings
Content Certificates, Tokens, Server URL Feature Flags, Network CIDRs, Performance Tuning
Modification Modified for remote access (Server IP) Modified to change cluster functionality
Privilege Grants system:admin access Defines how the K3s binary runs
Generation Auto-generated by K3s Created/Modified by the administrator

Deep Dive into Cluster Configuration and Performance

While the k3s.yaml file grants access, the /etc/rancher/k3s/config.yaml file defines the environment the administrator is accessing. This file serves as the "digital command center," allowing for persistent settings that survive reboots and service restarts.

The Configuration Hierarchy and Precedence

K3s employs a specific hierarchy for loading settings. The configuration is loaded from /etc/rancher/k3s/config.yaml by default. Additionally, drop-in files located in /etc/rancher/k3s/config.yaml.d/*.yaml are loaded in alphabetical order.

The precedence of configuration is as follows:

  • CLI Arguments: Highest priority. If a flag is passed during the start of the k3s server command, it overrides any value in the YAML file.
  • Config File: Middle priority. Values in config.yaml are used if no CLI argument is present.
  • Default Settings: Lowest priority.

For repeatable arguments, such as --node-label, the CLI argument will completely overwrite any lists provided in the YAML configuration. However, K3s supports a merge behavior where appending a + to a key in the YAML file allows the value to be appended to an existing string or slice rather than replaced.

Performance Optimization and Resource Management

The /etc/rancher/k3s/config.yaml file allows administrators to tune the cluster for specific workloads, whether they are resource-constrained edge devices or high-throughput data centers.

  • Network Throughput
    To optimize network performance, the flannel-backend can be set to host-gw. This reduces overhead compared to VXLAN.
    flannel-backend: "host-gw"
    cluster-cidr: "10.244.0.0/16"
    service-cidr: "10.96.0.0/12"

  • Component Deactivation
    Administrators can disable unnecessary components to save CPU and RAM. For example, if Prometheus is used for monitoring, the metrics-server can be disabled. Similarly, if high-performance SAN storage is available, local-storage can be turned off.
    disable:
    - metrics-server
    - local-storage

  • Storage and I/O Tuning
    The data-dir can be shifted to a high-performance SSD to reduce storage latency.
    data-dir: "/fast-ssd/k3s-data"

  • Kubelet Tuning
    The kubelet-arg section allows for the adjustment of pod density and image pulling behavior.
    kubelet-arg:
    - "max-pods=110"
    - "pods-per-core=10"
    - "serialize-image-pulls=false"

Private Registry and Image Mirroring

For enterprise environments, pulling images from public registries like Docker Hub can be a security risk or a performance bottleneck. K3s supports comprehensive private registry configuration via /etc/rancher/k3s/registries.yaml.

This configuration allows for:

  • Registry Mirroring
    Redirecting Docker Hub pulls to an internal mirror to save bandwidth and ensure availability.
    mirrors:
    docker.io:
    endpoint:
    - "https://registry.company.com:5000"

  • Image Rewriting
    Transforming image names to match an internal organization structure.
    rewrite:
    "^library/(.*)": "company-mirrors/docker-official/$1"

  • Authentication and TLS
    Ensuring secure communication with the private registry using service accounts and certificates.
    configs:
    "registry.company.com:5000":
    auth:
    username: "k3s-service-account"
    password: "super-secret-registry-password"
    tls:
    cert_file: "/etc/k3s-certs/registry-client.crt"
    key_file: "/etc/k3s-certs/registry-client.key"
    ca_file: "/etc/k3s-certs/registry-ca.crt"
    insecure_skip_verify: false

Data Protection and etcd Backup Strategy

In clusters utilizing etcd for state management, data protection is paramount. K3s provides integrated backup capabilities within the configuration.

  • Automated Snapshots
    The etcdSnapshotScheduleCron allows for the definition of backup frequency.
    etcdSnapshotScheduleCron: "0 */6 * * *"
    This configuration ensures snapshots are taken every six hours, with etcdSnapshotRetention: 24 maintaining 24 copies locally.

  • S3 Integration for Disaster Recovery
    To prevent data loss in the event of total node failure, backups can be streamed to Amazon S3.
    etcdS3: true
    etcdS3Endpoint: "s3.amazonaws.com"
    etcdS3Region: "us-west-2"
    etcdS3Bucket: "company-k3s-backups"
    etcdS3Folder: "production-cluster"

Troubleshooting Configuration and Access

When the cluster does not behave as expected, or when kubectl commands fail despite having the /etc/rancher/k3s/k3s.yaml file, a systematic troubleshooting approach is required.

  • Configuration Overrides
    If settings in config.yaml are not taking effect, the first step is to check for environment variables (like K3S_CONFIG_FILE) or CLI flags that might be overriding the file. The hierarchy must be analyzed from highest priority (CLI) to lowest (defaults).

  • Validation Steps
    The operator should perform the following checks:

  1. YAML Syntax Validation: Ensure there are no indentation errors in the config files.
  2. Permission Checks: Verify that the K3s service has the necessary permissions to read /etc/rancher/k3s/config.yaml and /etc/rancher/k3s/registries.yaml.
  3. Network Connectivity: Verify that the server endpoint defined in k3s.yaml is reachable from the client machine.
  • Log Analysis
    To reduce noise in production, the debug flag should be set to false, but logs can be routed to a specific file for analysis.
    log: "/var/log/k3s.log"
    debug: false

Conclusion: The Criticality of Kubeconfig Management

The /etc/rancher/k3s/k3s.yaml file is the linchpin of K3s cluster administration. Its role extends beyond simple authentication; it is the mechanism that allows for the transition from a locally installed service to a remotely managed, enterprise-grade Kubernetes orchestration layer. By granting system:admin and system:masters privileges, it ensures that the operator maintains total control over the cluster's lifecycle.

However, this power necessitates strict security protocols. Because the file contains raw credentials and certificates, it must be handled with the same care as a root password. The ability to modify the server field allows for the implementation of load balancers, which is essential for scaling the control plane. When coupled with the performance and data protection configurations found in config.yaml, the k3s.yaml file enables a robust, manageable, and scalable environment. The synergy between the access credentials in k3s.yaml and the operational directives in config.yaml is what allows K3s to function as both a lightweight edge solution and a powerful production platform.

Sources

  1. AlphaBravo Blog
  2. K3s Installation Configuration
  3. K3s Cluster Access
  4. Rancher Manager Kubernetes Setup

Related Posts