Kubernetes (k3s) Platform

1. Overview

Production-grade Kubernetes platform running k3s on Rocky Linux 9, featuring:

  • Cilium CNI with Hubble observability

  • Vault Agent for secrets injection

  • MetalLB for bare-metal load balancing

  • Traefik Ingress with TLS termination

  • Prometheus + Grafana + AlertManager monitoring stack

  • Wazuh SIEM integration

2. Architecture

Component       Implementation
Distribution    k3s on Rocky Linux 9
CNI             Cilium 1.16.5 (replaced Flannel)
Load Balancer   MetalLB L2 mode (10.50.1.130-140)
Ingress         Traefik with Vault PKI TLS
Secrets         Vault Agent Injector
Monitoring      Prometheus + Grafana + AlertManager
SIEM            Wazuh (k3s deployment)
Storage         NFS from NAS-01 (Synology)
GitOps          ArgoCD (planned)

3. Cluster Nodes

Node            IP            Hypervisor   Role
k3s-master-01   10.50.1.120   kvm-01       Control plane (active)
k3s-master-02   10.50.1.121   kvm-02       Control plane (planned)
k3s-master-03   10.50.1.122   kvm-02       Control plane (planned)
k3s-worker-01   10.50.1.123   kvm-01       Workloads (planned)
k3s-worker-02   10.50.1.124   kvm-02       Workloads (planned)
k3s-worker-03   10.50.1.125   kvm-02       Workloads (planned)

4. Technology Stack

Component       Description
CNI             Cilium 1.16.5 (replaces Flannel)
Ingress         Traefik (k3s default)
Secrets         Vault Agent Injector
Storage         NFS from NAS-01 (/k3s/*)
Observability   Prometheus + Grafana + Wazuh
GitOps          ArgoCD

5. Runbooks

Runbook                Description
k3s Deployment         Initial cluster deployment with Cilium
k3s Operations         Day-2 operations and maintenance
Prometheus + Grafana   Monitoring stack deployment
MetalLB                Load balancer configuration
Traefik Ingress        Ingress controller with TLS
ArgoCD                 GitOps deployment
Wazuh SIEM             Security monitoring
MinIO S3               Object storage

6. Current Status

Milestone                Status    Notes
k3s-master-01 deployed   Done      Rocky 9 + Cilium CNI
Prometheus + Grafana     Done      TLS via Vault PKI
MetalLB LoadBalancer     Done      VIP 10.50.1.130
k3s HA (3 masters)       Planned   Blocked on kvm-02
ArgoCD GitOps            Planned   After HA complete