DEPLOY-2026-02-19 k3s Single-Node Cluster

Executive Summary

Deployment Type: Kubernetes Platform

Problem Statement: Need container orchestration platform for homelab workloads with enterprise-grade security (defense-in-depth).

Solution: Single-node k3s on Rocky Linux 9 with SELinux enforcing, Cilium CNI, Vault Agent for secrets injection.

Environment: Production (Home Lab)

Runbook: k3s Kubernetes Deployment

Risk Level: Medium (new platform, well-documented)

Deployment Information

Field               Value
Deployment Date     2026-02-19
Previous State      No container orchestration
Target State        Single-node k3s cluster (extensible to 6-node HA)
Deployment Window   4 hours (planned), 3 hours (actual)
Rollback Plan       VM deletion and cleanup
Affected Systems    New deployment - no existing systems affected

Infrastructure Deployed

Component            Specification                  Notes
Control Plane        k3s-master-01 (10.50.1.100)    Rocky Linux 9, 4 vCPU, 8GB RAM
Container Runtime    containerd                     k3s embedded
CNI                  Cilium                         eBPF-based, replaces Flannel
Network Policy       Cilium L3-L7                   Identity-based microsegmentation
Ingress              Traefik                        k3s default ingress controller
Secrets Management   Vault Agent Injector           Dynamic secrets from HashiCorp Vault
Host Firewall        firewalld                      RHEL standard, nftables backend
MAC                  SELinux Enforcing              Mandatory access control
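The component table above implies a particular k3s server configuration: the built-in Flannel backend and network-policy controller have to be switched off so Cilium owns pod networking and policy, and SELinux support has to be turned on in containerd. The file below is an added example of that configuration, not a file taken from this deployment; the node IP and host name come from the table, while the tls-san DNS entry and the commented-out etcd setting are assumptions.

```yaml
# /etc/rancher/k3s/config.yaml (added example; assumed values are marked)
# Each key is a k3s server flag written without its leading "--".

# Kubeconfig readable by root only.
write-kubeconfig-mode: "0600"

# SELinux stays enforcing on Rocky Linux 9; this enables SELinux
# labelling inside k3s' embedded containerd. The k3s-selinux policy
# package must be installed alongside k3s for this to work.
selinux: true

# Hand pod networking to Cilium: no Flannel backend, and no built-in
# network-policy controller, so Cilium owns L3/L4 and L7 policy.
flannel-backend: "none"
disable-network-policy: true

# Traefik remains the ingress controller (k3s default), so nothing is
# disabled here.

# Node addressing from the deployment record.
node-ip: "10.50.1.100"
tls-san:
  - "10.50.1.100"
  - "k3s-master-01"   # assumed DNS name matching the host name

# Optional, for the planned HA extension: start embedded etcd now so
# further control-plane nodes can join later (assumption; a single node
# runs fine without it).
# cluster-init: true
```

With this file in place, the k3s install script reads it automatically. On the firewalld side the host still needs the API port opened (`firewall-cmd --permanent --add-port=6443/tcp`), and the k3s documentation recommends adding the pod and service CIDRs (10.42.0.0/16 and 10.43.0.0/16) to the trusted zone so the host firewall does not interfere with cluster traffic. Until Cilium is installed (the chart needs `k8sServiceHost` and `k8sServicePort` pointed at the API server when no kube-proxy-backed service exists yet), the node stays NotReady, which is expected.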

Architecture

Table 1. Defense-in-Depth Security Stack

Layer           Component     Function
Host Security   firewalld     OS-level port filtering
Pod Network     Cilium        Microsegmentation, L7 visibility
Secrets         Vault Agent   No hardcoded credentials
Runtime         SELinux       Mandatory access control
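Two of the layers in Table 1, the Cilium microsegmentation with L7 visibility and the Vault Agent secrets injection, are easiest to understand as manifests. The following is an added example that is not part of this deployment record: a namespace-wide default-deny policy, an identity-based allow rule with an HTTP L7 constraint, and a Deployment whose credentials are rendered by the Vault Agent sidecar instead of being stored in the manifest. The namespace, pod labels, Vault role, secret path and image are all assumed placeholder values.

```yaml
# Added example; namespace, labels, Vault role/path and image are assumptions.
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny
  namespace: homelab-app
spec:
  description: "Every pod in the namespace starts in default-deny, both directions"
  endpointSelector: {}     # all endpoints in the namespace
  ingress:
    - {}                   # empty rule: selects endpoints but allows nothing
  egress:
    - {}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-allow
  namespace: homelab-app
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
    # Only pods with app=frontend may reach the API, and only GET /api/*
    # on 8080. Identity comes from labels, not IP addresses.
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/api/.*"
  egress:
    # DNS through CoreDNS (k3s labels it k8s-app=kube-dns in kube-system);
    # the dns rule gives Hubble per-query visibility.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
          rules:
            dns:
              - matchPattern: "*"
    # The Vault Agent sidecar must reach Vault; these labels assume Vault
    # installed from its Helm chart into a "vault" namespace.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: vault
            app.kubernetes.io/name: vault
      toPorts:
        - ports:
            - port: "8200"
              protocol: TCP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: homelab-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
      annotations:
        # Vault Agent Injector: the sidecar authenticates with the pod's
        # service account and renders secrets under /vault/secrets/, so
        # nothing sensitive is in the manifest, the image or a Secret object.
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "homelab-api"                               # assumed Vault k8s-auth role
        vault.hashicorp.com/agent-inject-secret-db: "database/creds/homelab-api"  # assumed dynamic DB role
        vault.hashicorp.com/agent-inject-template-db: |
          {{- with secret "database/creds/homelab-api" -}}
          DB_USER={{ .Data.username }}
          DB_PASS={{ .Data.password }}
          {{- end }}
    spec:
      serviceAccountName: api     # bound to the Vault role above
      containers:
        - name: api
          image: registry.example.internal/api:1.0   # placeholder image
          ports:
            - containerPort: 8080
          securityContext:        # the app reads /vault/secrets/db at start-up
            runAsNonRoot: true
            allowPrivilegeEscalation: false
```

Applying this with `kubectl apply -f` gives a quick way to verify the layers behave as described: a pod without the `app: frontend` label cannot open port 8080 on the API pod at all, a frontend pod can but receives an HTTP 403 from the Cilium proxy for anything other than GET /api/*, and `hubble observe --namespace homelab-app` shows each verdict along with the DNS queries. Dynamic database credentials expire on Vault's lease schedule, so the agent re-renders the file and the application should re-read it rather than cache it for its lifetime.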