k3s over tailscale
k3s is the easiest and most lightweight way to run k8s. Since I am rebuilding it again (I have lost count of how many times I have done this), I wanted to make sure the node-to-node traffic stays encrypted.
So I just wanted to quickly document the commands you can use to keep k3s fully over tailscale.
k3s by default binds to all addresses, which is problematic on a VPS or dedicated server since every port would be exposed on the public interface. To bind your first master node while running with --cluster-init, use the following command,
assuming you want to disable the flannel CNI, kube-proxy, servicelb, traefik and network policy. Since I am going to be using cilium, nginx and metallb, I remove the built-in addons:
curl -sfL https://get.k3s.io | sh -s - --disable=traefik --disable=servicelb --flannel-backend=none --disable-kube-proxy --disable-network-policy --node-external-ip=<tailscale ip> --node-ip=<tailscale ip> --cluster-init --bind-address=<tailscale ip>
Replace the IP with the node's tailscale IP. Similarly for the other master nodes (the --server value is the full API URL, https://<ip>:6443, not a bare IP):
curl -sfL https://get.k3s.io | K3S_URL=https://<master tailscale ip>:6443 sh -s - server --token <token> --server https://<master tailscale ip>:6443 --disable=traefik --disable=servicelb --flannel-backend=none --disable-kube-proxy --disable-network-policy --node-external-ip=<tailscale ip> --node-ip=<tailscale ip> --bind-address=<tailscale ip>
For worker nodes:
curl -sfL https://get.k3s.io | sh -s - agent --token <token> --server https://<master tailscale ip>:6443 --node-external-ip <tailscale ip> --node-ip <tailscale ip> --bind-address <tailscale ip>
The important flags are --node-ip, --node-external-ip and --bind-address: --node-ip and --node-external-ip control the address the node advertises and that other nodes use to reach it, and --bind-address controls the address the server listens on. If you miss any of them, k3s will not run fully over tailscale.
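After the install, the thing worth checking is that the k3s ports actually ended up bound to the tailscale address and not to 0.0.0.0. The following script is an added example, not part of the original post: it parses `ss -ltn` output and flags any k3s listener on an address other than the tailscale IP. The port list, the tailscale IP 100.64.0.10 and the embedded ss sample are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `ss -H -ltn` output (not captured from a real node):
# 6443 and 2379 are bound to the tailscale IP, but 10250 (kubelet) leaked
# onto 0.0.0.0. Port 22 is not a k3s port and must be ignored.
SAMPLE_SS='LISTEN 0 4096 100.64.0.10:6443 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:10250 0.0.0.0:*
LISTEN 0 4096 100.64.0.10:2379 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Assumed list of k3s ports that must only be reachable over tailscale:
# API server, kubelet, etcd client/peer, supervisor.
K3S_PORTS="6443 10250 2379 2380 9345"

# Read `ss -H -ltn` lines on stdin and print every k3s-port listener whose
# local address is not $1 (the tailscale IP). Returns 1 if any were found.
# Handles IPv4 and bracketed IPv6 forms like [::]:6443.
find_exposed() {
  ts_ip="$1"
  bad=0
  while read -r state recvq sendq laddr peer rest; do
    [ "$state" = "LISTEN" ] || continue
    addr="${laddr%:*}"   # everything before the last colon
    port="${laddr##*:}"  # everything after the last colon
    for p in $K3S_PORTS; do
      if [ "$port" = "$p" ] && [ "$addr" != "$ts_ip" ]; then
        echo "EXPOSED $laddr"
        bad=1
      fi
    done
  done
  return $bad
}

# On a real node: ss -H -ltn | find_exposed "$(tailscale ip -4)"
# Against the constructed sample:
printf '%s\n' "$SAMPLE_SS" | find_exposed 100.64.0.10
```

A clean run prints nothing and exits 0; run it on every node, since agents bind the kubelet port too.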