DEPLOY-2026-02-19 k3s Single-Node Cluster

1. Executive Summary

Deployment Type: Kubernetes Platform

Problem Statement: Need container orchestration platform for homelab workloads with enterprise-grade security (defense-in-depth).

Solution: Single-node k3s on Rocky Linux 9 with SELinux enforcing, Cilium CNI, Vault Agent for secrets injection.

Environment: Production (Home Lab)

Runbook: k3s Kubernetes Deployment

Risk Level: Medium (new platform, well-documented)

2. Deployment Information

Field             | Value
------------------|---------------------------------------------------------------
Deployment Date   | 2026-02-19
Previous State    | No container orchestration
Target State      | Single-node k3s cluster (extensible to the 6-node HA layout in section 8)
Deployment Window | 4 hours (planned), 3 hours (actual)
Rollback Plan     | VM deletion and cleanup
Affected Systems  | New deployment; no existing systems affected

3. Infrastructure Deployed

Component          | Specification               | Notes
-------------------|-----------------------------|--------------------------------------
Control Plane      | k3s-master-01 (10.50.1.100) | Rocky Linux 9, 4 vCPU, 8GB RAM
Container Runtime  | containerd                  | k3s embedded
CNI                | Cilium                      | eBPF-based, replaces Flannel
Network Policy     | Cilium L3-L7                | Identity-based microsegmentation
Ingress            | Traefik                     | k3s default ingress controller
Secrets Management | Vault Agent Injector        | Dynamic secrets from HashiCorp Vault
Host Firewall      | firewalld                   | RHEL standard, nftables backend
MAC                | SELinux Enforcing           | Mandatory access control

4. Architecture

Table 1. Defense-in-Depth Security Stack

Layer         | Component   | Function
--------------|-------------|------------------------------------
Host Security | firewalld   | OS-level port filtering
Pod Network   | Cilium      | Microsegmentation, L7 visibility
Secrets       | Vault Agent | No hardcoded credentials
Runtime       | SELinux     | Mandatory access control

5. Deployment Phases

Phase | Description             | Key Steps
------|-------------------------|--------------------------------------------
1     | VM Creation             | Cloud image resize, cloud-init, static IP
2     | Base Configuration      | SELinux, firewalld, NTP, package updates
3     | k3s Installation        | Cilium CNI, kubectl, kubeconfig
4     | Vault Agent Integration | Injector deployment, service account
5     | Test Deployment         | Vault secret injection test pod
6     | DNS Registration        | BIND nsupdate for A record
7     | Verification            | Health check script, all services
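The host-side steps of Phases 2, 3 and 6, written out as an added example script; it is not the runbook from domus-infra-ops. It assumes the k3s default pod and service CIDRs (10.42.0.0/16 and 10.43.0.0/16), that the cilium CLI is already on the host, and uses placeholders for the DNS zone, BIND server and TSIG key file. It also passes --disable-network-policy alongside --flannel-backend=none, which the k3s documentation recommends whenever another CNI enforces network policy.

```shell
#!/usr/bin/env bash
# Host-side steps of Phases 2, 3 and 6 for k3s-master-01. Added example, not
# the domus-infra-ops runbook. Run as root on the Rocky Linux 9 host.
# Assumptions: k3s default pod/service CIDRs, cilium CLI already installed,
# and placeholder values for the DNS zone, server and TSIG key file.
set -euo pipefail

POD_CIDR=${POD_CIDR:-10.42.0.0/16}            # k3s default (assumption: kept)
SVC_CIDR=${SVC_CIDR:-10.43.0.0/16}            # k3s default (assumption: kept)
NODE_IP=10.50.1.100
DNS_ZONE=${DNS_ZONE:-example.internal}        # placeholder zone
DNS_SERVER=${DNS_SERVER:-10.50.1.53}          # placeholder BIND server
TSIG_KEY=${TSIG_KEY:-/etc/k3s-nsupdate.key}   # placeholder TSIG key file

# k3s server flags: Flannel off so Cilium owns the CNI, and the k3s network
# policy controller off so it does not compete with Cilium's enforcement.
k3s_server_flags() {
  printf -- '--flannel-backend=none --disable-network-policy --cluster-cidr=%s --service-cidr=%s' \
    "$POD_CIDR" "$SVC_CIDR"
}

# firewalld rich rule that lets a source CIDR reach the host.
rich_rule_for() {
  printf 'rule family="ipv4" source address="%s" accept' "$1"
}

configure_firewalld() {
  firewall-cmd --permanent --add-port=6443/tcp    # kube-apiserver
  firewall-cmd --permanent --add-port=10250/tcp   # kubelet (logs/exec/metrics)
  firewall-cmd --permanent --add-port=8472/udp    # Cilium VXLAN, for the HA expansion
  # Pods and ClusterIP services must be able to reach the host (CoreDNS,
  # the API server via its service VIP, the kubelet). Without these rules
  # in-cluster traffic to the node is dropped by firewalld.
  firewall-cmd --permanent --add-rich-rule="$(rich_rule_for "$POD_CIDR")"
  firewall-cmd --permanent --add-rich-rule="$(rich_rule_for "$SVC_CIDR")"
  firewall-cmd --reload
}

install_k3s() {
  # On RHEL-family hosts the installer also installs k3s-selinux (which
  # depends on container-selinux), so SELinux stays Enforcing. The node
  # stays NotReady until a CNI is installed.
  curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server $(k3s_server_flags)" sh -
}

install_cilium() {
  export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
  cilium install --set ipam.operator.clusterPoolIPv4PodCIDRList="$POD_CIDR"
  cilium status --wait
  kubectl get nodes        # flips to Ready once the cilium agent is up
}

register_dns() {
  # Delete-then-add keeps the A record idempotent; the TSIG key limits who
  # may update the zone.
  nsupdate -k "$TSIG_KEY" <<EOF
server $DNS_SERVER
zone $DNS_ZONE
update delete k3s-master-01.$DNS_ZONE. A
update add k3s-master-01.$DNS_ZONE. 300 A $NODE_IP
send
EOF
}

case "${1:-}" in
  apply) configure_firewalld; install_k3s; install_cilium; register_dns ;;
  *) echo "usage: $0 apply    (k3s flags: $(k3s_server_flags))" ;;
esac
```

Run it as `./bootstrap.sh apply` on the node; without an argument it only prints the k3s server flags it would use, which is a cheap way to review them before the install.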

6. Validation Results

Test               | Result  | Evidence
-------------------|---------|-----------------------------------------------------------
k3s service active | ✅ PASS | systemctl is-active k3s → active
Node Ready status  | ✅ PASS | kubectl get nodes → Ready
SELinux Enforcing  | ✅ PASS | getenforce → Enforcing
firewalld active   | ✅ PASS | Required ports open (6443/tcp, 10250/tcp)
Cilium CNI         | ✅ PASS | cilium status → OK
Vault Injector     | ✅ PASS | Injector pod Running in vault namespace
DNS resolution     | ✅ PASS | BIND A record for k3s-master-01 resolves to 10.50.1.100
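The Phase 7 health check as an added example script, one function per row of the validation table; it is not the runbook's own script. Each check takes the raw command output as its argument and returns pass/fail, so the parsing can be exercised with canned text, while run_checks wires in the live commands. It assumes the injector Deployment is named vault-agent-injector (the Vault Helm chart default) and uses a placeholder FQDN for the BIND record.

```shell
#!/usr/bin/env bash
# Phase 7 health check for k3s-master-01, one function per row of the
# validation table. Added example, not the runbook's own script.
# Assumptions: the injector Deployment is named vault-agent-injector (the
# Vault Helm chart default) and DNS_NAME is a placeholder for the BIND record.
set -uo pipefail

DNS_NAME=${DNS_NAME:-k3s-master-01.example.internal}   # placeholder FQDN
NODE_IP=10.50.1.100
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml

# Every check_* takes the raw command output as $1 and returns 0 (PASS) or
# 1 (FAIL); run_checks feeds them the live command output.

check_k3s_active() { [ "$1" = "active" ]; }      # systemctl is-active k3s
check_selinux()    { [ "$1" = "Enforcing" ]; }   # getenforce
check_dns()        { [ "$1" = "$NODE_IP" ]; }    # dig +short A $DNS_NAME

# kubectl get nodes --no-headers: at least one node, and every STATUS
# exactly "Ready" (NotReady and Ready,SchedulingDisabled both fail).
check_nodes_ready() {
  local line status n=0
  while read -r line; do
    [ -z "$line" ] && continue
    n=$((n + 1))
    status=$(printf '%s\n' "$line" | awk '{print $2}')
    [ "$status" = "Ready" ] || return 1
  done <<< "$1"
  [ "$n" -ge 1 ]
}

# firewall-cmd --list-ports: both required ports present. If firewalld is
# not running the command fails, the output is empty and the check fails.
check_ports() {
  local p
  for p in 6443/tcp 10250/tcp; do
    case " $1 " in *" $p "*) ;; *) return 1 ;; esac
  done
}

# kubectl -n kube-system get ds cilium \
#   -o jsonpath='{.status.numberReady} {.status.desiredNumberScheduled}'
check_cilium() {
  local ready desired
  read -r ready desired <<< "$1"
  [ -n "${desired:-}" ] && [ "$desired" -gt 0 ] && [ "$ready" = "$desired" ]
}

# kubectl -n vault get deploy vault-agent-injector -o jsonpath='{.status.readyReplicas}'
check_injector() { [ "${1:-0}" -ge 1 ] 2>/dev/null; }

run_checks() {
  local rc=0
  report() {   # report <check> <command output> <label>
    if "$1" "$2"; then echo "PASS  $3"; else echo "FAIL  $3"; rc=1; fi
  }
  report check_k3s_active  "$(systemctl is-active k3s)"                    "k3s service active"
  report check_nodes_ready "$(kubectl get nodes --no-headers 2>/dev/null)" "node Ready"
  report check_selinux     "$(getenforce)"                                 "SELinux Enforcing"
  report check_ports       "$(firewall-cmd --list-ports 2>/dev/null)"      "firewalld ports 6443/10250"
  report check_cilium      "$(kubectl -n kube-system get ds cilium -o jsonpath='{.status.numberReady} {.status.desiredNumberScheduled}' 2>/dev/null)" "Cilium agents ready"
  report check_injector    "$(kubectl -n vault get deploy vault-agent-injector -o jsonpath='{.status.readyReplicas}' 2>/dev/null)" "Vault injector ready"
  report check_dns         "$(dig +short A "$DNS_NAME")"                   "DNS A record"
  return "$rc"
}

case "${1:-}" in
  run) run_checks ;;
  *)   echo "usage: $0 run" ;;
esac
```

`./healthcheck.sh run` exits non-zero if any row fails, so it can double as a cron or Wazuh command check; the node check deliberately rejects `Ready,SchedulingDisabled`, since a cordoned single node is not a healthy cluster.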

7. Lessons Learned

Category    | Lesson
------------|------------------------------------------------------------------------------
cloud-init  | #cloud-config must be the first line of the user-data, at column 0. Leading whitespace from an indented heredoc makes cloud-init treat the file as unknown user-data and ignore it.
SELinux     | k3s requires container-selinux (on RHEL-family hosts the installer pulls it in via k3s-selinux). Don't disable SELinux; fix contexts instead, starting from the denials in audit.log (ausearch -m avc).
Cilium      | Install k3s with --flannel-backend=none (and --disable-network-policy, so the k3s policy controller does not compete with Cilium) before installing Cilium. The node stays NotReady until Cilium is up.
Vault Agent | The injector keys on pod annotations, not on the service account: the pod template must carry vault.hashicorp.com/agent-inject: "true" and vault.hashicorp.com/role: <role>, and the pod's service account must be bound to that role in Vault's Kubernetes auth method.
firewalld   | Rich rules (or trusted-zone sources) are needed for pod CIDR (10.42.0.0/16 by default) and service CIDR (10.43.0.0/16) → host communication; without them pods cannot reach CoreDNS, the API server VIP or the kubelet.
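The Vault Agent lesson above, worked through as an added example (not the runbook's own test from Phase 5): a policy scoped to one KV path, a Kubernetes-auth role bound to one ServiceAccount in one namespace, and a test pod whose injector annotations sit on the pod rather than on the ServiceAccount. It assumes VAULT_ADDR and VAULT_TOKEN are exported for an admin session, that Vault's Kubernetes auth method is already configured against the k3s API server, and that the injector is installed; the namespace, ServiceAccount, role and KV path are placeholders.

```shell
#!/usr/bin/env bash
# Phases 4-5: bind a Vault Kubernetes-auth role to one ServiceAccount and
# prove injection with a test pod. Added example, not the runbook's test.
# Assumptions: VAULT_ADDR/VAULT_TOKEN point at an admin session, the
# Kubernetes auth method is already configured against the k3s API server,
# and the injector is installed. Namespace, ServiceAccount, role and KV
# path below are placeholders.
set -euo pipefail

NS=${NS:-demo}
SA=${SA:-demo-app}
ROLE=${ROLE:-k3s-demo}
KV_MOUNT=secret                       # KV v2 mount
KV_KEY=demo/config
DATA_PATH="$KV_MOUNT/data/$KV_KEY"    # KV v2 read path used by policy and agent

configure_vault() {
  # Least privilege: the policy reads exactly one path, and the role is
  # bound to exactly one ServiceAccount in exactly one namespace.
  vault policy write "$ROLE" - <<EOF
path "$DATA_PATH" {
  capabilities = ["read"]
}
EOF
  vault write "auth/kubernetes/role/$ROLE" \
    bound_service_account_names="$SA" \
    bound_service_account_namespaces="$NS" \
    policies="$ROLE" ttl=1h
  # Constructed test secret, nothing real.
  vault kv put "$KV_MOUNT/$KV_KEY" username=demo password="$(openssl rand -hex 16)"
}

# The injector keys on *pod* annotations. The ServiceAccount carries none;
# it matters only because the Vault role is bound to it and the agent
# sidecar logs in with the pod's projected ServiceAccount token.
test_pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SA
  namespace: $NS
---
apiVersion: v1
kind: Pod
metadata:
  name: vault-inject-test
  namespace: $NS
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "$ROLE"
    vault.hashicorp.com/agent-inject-secret-config: "$DATA_PATH"
    vault.hashicorp.com/agent-inject-template-config: |
      {{- with secret "$DATA_PATH" -}}
      username={{ .Data.data.username }}
      {{- end }}
spec:
  serviceAccountName: $SA
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: registry.access.redhat.com/ubi9/ubi-minimal
    command: ["sleep", "3600"]
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
EOF
}

verify_injection() {
  kubectl -n "$NS" wait --for=condition=Ready pod/vault-inject-test --timeout=120s
  # Expect the vault-agent sidecar next to app, and the rendered file.
  kubectl -n "$NS" get pod vault-inject-test -o jsonpath='{.spec.containers[*].name}{"\n"}'
  kubectl -n "$NS" exec vault-inject-test -c app -- cat /vault/secrets/config
}

case "${1:-}" in
  apply)
    kubectl get ns "$NS" >/dev/null 2>&1 || kubectl create ns "$NS"
    configure_vault
    test_pod_manifest | kubectl apply -f -
    verify_injection ;;
  manifest) test_pod_manifest ;;
  *) echo "usage: $0 apply|manifest" ;;
esac
```

`./vault-inject-test.sh apply` should print `app vault-agent` for the container list and `username=demo` from /vault/secrets/config; the template deliberately renders only the username, so the check proves injection works without echoing the password into a terminal or log. `manifest` prints the YAML for review without touching the cluster.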

8. Future Expansion

Phase            | Description
-----------------|------------------------------------------------------------
HA Control Plane | Add k3s-master-02, k3s-master-03 with embedded etcd
Worker Nodes     | Add k3s-worker-01/02/03 for workload distribution
MetalLB          | L2 load balancer for bare-metal services
Longhorn         | Distributed storage for PVCs

9. Post-Deployment Status

Item          | Status
--------------|----------------------------------------
k3s Cluster   | Operational, single-node
DNS Records   | k3s-master-01 A record in BIND
Monitoring    | Wazuh agent deployed
Documentation | 2340-line runbook in domus-infra-ops