K3s with Tailscale
created: Mon, 29 Jul 2024 16:19:31 GMT, modified: Mon, 06 Jan 2025 00:07:38 GMT
K3s is a lightweight Kubernetes distribution. Here is how to configure it to run over Tailscale, so that a host with a public IP address can serve as the ingress node while the worker nodes stay on premises, with all cluster traffic carried over the tailnet.
Master node
# install tailscale
curl -fsSL https://tailscale.com/install.sh | sh
# configure tailscale
tailscale up --ssh
# install k3s and configure it to work with Tailscale:
# the flannel overlay, the API server and the node address are all bound to the
# tailscale0 interface, and --tls-san puts the Tailscale IP into the API server
# certificate so agents and kubectl can connect through it
export NODE_TAILSCALE_IP=$(tailscale ip --4)
curl -sfL https://get.k3s.io | sh -s - \
--flannel-iface tailscale0 \
--advertise-address $NODE_TAILSCALE_IP \
--node-external-ip $NODE_TAILSCALE_IP \
--node-ip $NODE_TAILSCALE_IP \
--tls-san $NODE_TAILSCALE_IP \
--disable traefik \
--disable servicelb
Obtain the K3s join token and the server's Tailscale IP address; agents need both. The token is a cluster secret, so treat it as one:
K3S_TOKEN=$(cat /var/lib/rancher/k3s/server/node-token)
MASTER_TAILSCALE_IP=$(tailscale ip --4)
Agents
# install tailscale
curl -fsSL https://tailscale.com/install.sh | sh
# configure tailscale (--advertise-exit-node offers this host as an internet
# exit node to the rest of the tailnet; it is not required for joining k3s)
tailscale up --ssh --advertise-exit-node
# install k3s agent and make it join the cluster over Tailscale
export K3S_URL=https://$MASTER_TAILSCALE_IP:6443
export K3S_TOKEN=...
# the node's public (NAT) IPv4 address as seen from the internet
export NODE_EXTERNAL_IP=$(curl -4 -s ifconfig.co)
export NODE_TAILSCALE_IP=$(tailscale ip --4)
curl -sfL https://get.k3s.io | sh -s - \
--flannel-iface tailscale0 \
--node-external-ip $NODE_EXTERNAL_IP \
--node-ip $NODE_TAILSCALE_IP
Follow up
Once the nodes have joined, set up an ingress service on the public node (the bundled traefik and servicelb were disabled during install).
K3s network over Tailscale VPN
When tailscaled is restarted, k3s stops listening on UDP port 8472 (the flannel VXLAN port, bound to tailscale0), which breaks the cluster's internal overlay network. The problem is that tailscale restarts itself on its own to apply updates, once a month. The solution is to restart k3s whenever tailscaled is restarted, by making k3s depend on it in systemd (run this on the server; on worker nodes the unit is k3s-agent):
systemctl edit k3s
[Unit]
# Requires= propagates tailscaled's stops and restarts to k3s;
# After= also makes k3s wait for tailscaled at boot, so tailscale0 exists when flannel starts
Requires=tailscaled.service
After=tailscaled.service
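As an added pre-flight check (example code written for this page, not code from the K3s or Tailscale projects), the script below validates the two things the procedure above depends on: that the address handed to --node-ip is really a Tailscale address, and that the flannel VXLAN listener on UDP 8472 is still present after a tailscaled restart. It assumes Tailscale assigns IPv4 addresses from the CGNAT range 100.64.0.0/10 and that flannel's VXLAN backend uses UDP 8472; the ss output embedded in it is constructed, not captured from a real host.

```sh
#!/bin/sh
# Pre-flight checks for a k3s node running over Tailscale.
# Added example for this page, not code from the K3s or Tailscale projects.
# Assumptions (not stated on the page): Tailscale assigns IPv4 addresses from
# 100.64.0.0/10, and flannel's VXLAN backend listens on UDP 8472.

# Succeeds when $1 is a dotted-quad IPv4 address inside 100.64.0.0/10,
# i.e. 100.64.0.0 through 100.127.255.255; rejects anything malformed.
is_tailscale_ip() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    {
      for (i = 1; i <= NF; i++)
        if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
      if ($1 == 100 && $2 >= 64 && $2 <= 127) exit 0
      exit 1
    }'
}

# Succeeds when the given `ss -lun` output (passed as one string) contains a
# UDP socket whose local port is 8472, the flannel VXLAN port.
vxlan_port_listening() {
  printf '%s\n' "$1" | awk '
    NR > 1 && $1 == "UNCONN" {
      n = split($4, parts, ":")      # port is the last field of "addr:port"
      if (parts[n] == "8472") found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# Runs both checks, prints a verdict per check, returns non-zero if any fails.
preflight() {
  node_ip=$1
  ss_output=$2
  rc=0
  if is_tailscale_ip "$node_ip"; then
    echo "ok: node IP $node_ip is a Tailscale address"
  else
    echo "FAIL: node IP $node_ip is not in 100.64.0.0/10; use \$(tailscale ip -4) for --node-ip"
    rc=1
  fi
  if vxlan_port_listening "$ss_output"; then
    echo "ok: flannel VXLAN listener on UDP 8472 is present"
  else
    echo "FAIL: no UDP 8472 listener; k3s needs a restart after tailscaled restarted"
    rc=1
  fi
  return $rc
}

# Constructed sample `ss -lun` output (not captured from a real host): a
# healthy node with the VXLAN socket, and one where it has disappeared.
SS_WITH_VXLAN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:8472      0.0.0.0:*
UNCONN 0      0      100.101.102.103:41641   0.0.0.0:*'
SS_WITHOUT_VXLAN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      100.101.102.103:41641   0.0.0.0:*'

# Stand-alone demo; on a live node use: preflight "$(tailscale ip -4)" "$(ss -lun)"
preflight "100.101.102.103" "$SS_WITH_VXLAN"
```

On a live node run preflight "$(tailscale ip -4)" "$(ss -lun)" after a Tailscale update; a failing 8472 check there is exactly the symptom the systemd dependency above is meant to prevent.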
VPN options
Ways to network cluster nodes over VPN: