k3s Single-Node - Issues

Lessons Learned

Category Lesson

Category	Lesson
cloud-init	`#cloud-config` must start at column 0 - no leading whitespace in heredoc.
SELinux	k3s requires container-selinux package. Don’t disable SELinux - fix contexts instead.
Cilium	Must disable Flannel in k3s install (`--flannel-backend=none`) before Cilium.
Vault Agent	Service account must have `vault.hashicorp.com/agent-inject: "true"` annotation.
firewalld	Rich rules needed for pod CIDR → host communication.

cloud-init

#cloud-config must start at column 0 - no leading whitespace in heredoc.

SELinux

k3s requires container-selinux package. Don’t disable SELinux - fix contexts instead.

Cilium

Must disable Flannel in k3s install (--flannel-backend=none) before Cilium.

Vault Agent

Service account must have vault.hashicorp.com/agent-inject: "true" annotation.

firewalld

Rich rules needed for pod CIDR → host communication.

Item	Status
k3s Cluster	Operational, single-node
DNS Records	k3s-master-01 A record in BIND
Monitoring	Wazuh agent deployed
Documentation	2340-line runbook in domus-infra-ops

Item

Status

k3s Cluster

Operational, single-node

DNS Records

k3s-master-01 A record in BIND

Monitoring

Wazuh agent deployed

Documentation

2340-line runbook in domus-infra-ops