K8s Learning: Step 01 — Initialize VM with k3s

01 — Initialize the VM with k3s

Script: 01_init_vm.sh · Installs k3s and configures the firewall

Installs Kubernetes (k3s) on your remote VM and configures the firewall so only you can manage the cluster, while the world can reach your web apps.

Required environment variables:

  • K3S_SSH_USER — your SSH username on the VM
  • K3S_SSH_HOSTNAME — the VM's hostname or IP address

1. Install k3s on the VM

ssh $K3S_SSH_USER@$K3S_SSH_HOSTNAME \
  'curl -sfL https://get.k3s.io | sudo sh -'

SSHes into the VM and runs the official k3s installer. It downloads a single binary that includes everything: API server, scheduler, controller, containerd, Traefik, and CoreDNS. After this one command, the VM is a fully functioning single-node Kubernetes cluster.


2. Get your public IP

MY_PUBLIC_IP=$(curl -s https://ipinfo.io/ip)

Fetches your current public IP address. Used next to create a firewall rule that allows only you to access the Kubernetes API.


3. Lock down the Kubernetes API (port 6443)

# Allow YOUR IP to access port 6443
ssh ... "sudo ufw allow from $MY_PUBLIC_IP/32 to any port 6443 proto tcp"

# Deny everyone else
ssh ... "sudo ufw deny 6443/tcp"

Port 6443 is where the Kubernetes API server listens. Anyone who can reach it can attempt to control your entire cluster. UFW processes rules in order and the first match wins — the "allow" for your IP comes first, then the "deny 6443/tcp" rule catches everyone else. The /32 means exactly one IP address.

⚠️ Heads up: If your home IP changes (common with residential ISPs), you'll lose kubectl access. You'd need to SSH into the VM and update the UFW rule.

4. Open web traffic ports

ssh ... "sudo ufw allow 80/tcp"
ssh ... "sudo ufw allow 443/tcp"

Port 80 (HTTP) — needed for Let's Encrypt HTTP-01 challenges and HTTP→HTTPS redirects.
Port 443 (HTTPS) — your actual encrypted web traffic. Both open to the world.


5. Verify firewall status

ssh ... "sudo ufw status verbose"
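
The five steps above as one script, added here as an example and not the page's own 01_init_vm.sh. It adds two things the page does not show: the public IP returned by ipinfo.io is validated before it is interpolated into a ufw rule, and the "home IP changed" case from the heads-up is handled by revoking the old allow and inserting the new one ahead of the existing deny. It assumes ufw may not be enabled yet on the VM (so it allows OpenSSH before enabling); the function names and the RUN_INIT and OLD_ADMIN_IP variables are this example's own.

```shell
#!/bin/sh
# Added example, not the page's 01_init_vm.sh: the same five
# steps as a script, plus checks the page does not show.
set -eu

# Return 0 only for a dotted-quad IPv4 address (octets 0..255).
# The public IP is an HTTP response body, so it is checked
# before it is interpolated into a firewall rule.
is_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# Print the ufw commands for admin IP $1. With a previous admin
# IP as $2 (the "home IP changed" case) that rule is revoked and
# the new allow is inserted at position 1 so it still precedes
# the deny already present for 6443; ufw's first match wins.
ufw_commands() {
  new_ip=$1; old_ip=${2:-}
  is_ipv4 "$new_ip" || { echo "not an IPv4 address: '$new_ip'" >&2; return 1; }
  [ -z "$old_ip" ] || is_ipv4 "$old_ip" || return 1
  echo "sudo ufw allow OpenSSH"   # keep SSH reachable before 'ufw enable'
  if [ -n "$old_ip" ]; then
    echo "sudo ufw delete allow from $old_ip/32 to any port 6443 proto tcp"
    echo "sudo ufw insert 1 allow from $new_ip/32 to any port 6443 proto tcp"
  else
    echo "sudo ufw allow from $new_ip/32 to any port 6443 proto tcp"
    echo "sudo ufw deny 6443/tcp"
  fi
  echo "sudo ufw allow 80/tcp"
  echo "sudo ufw allow 443/tcp"
  echo "sudo ufw --force enable"
  echo "sudo ufw status verbose"
}

# Steps 1-5 against the VM; runs only when RUN_INIT=1 is set.
init_vm() {
  target="$K3S_SSH_USER@$K3S_SSH_HOSTNAME"
  ssh "$target" 'curl -sfL https://get.k3s.io | sudo sh -'
  my_ip=$(curl -s https://ipinfo.io/ip)
  cmds=$(ufw_commands "$my_ip" "${OLD_ADMIN_IP:-}")  # exits on a bad IP
  printf '%s\n' "$cmds" | ssh "$target" sh -s
}
if [ "${RUN_INIT:-0}" = 1 ]; then init_vm; fi
```

To rotate a changed home address later, run it again with OLD_ADMIN_IP set to the address currently in the rule.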

What You End Up With

  • ✅ VM running a single-node k3s cluster
  • ✅ Traefik listening on ports 80 and 443
  • ✅ Firewall allows web traffic from anyone
  • ✅ Kubernetes API (6443) accessible only from your machine
  • ⏳ Can't manage the cluster from your laptop yet — that's step 03