Architecture

Detailed overview of the k3s cluster topology, networking model, and exposed ports.

Cluster Topology

┌─────────────────────────────────────────────────────────────┐
│                         Internet                            │
│                     (HTTP :80 / HTTPS :443)                 │
└─────────────────────┬───────────────────────────────────────┘
                      │  Public interface
                      │
┌─────────────────────────────────────────────────────────────┐
│  VPS2 — Worker Node                                         │
│                                                             │
│  • k3s agent (systemd service)                              │
│  • Traefik LoadBalancer pod          → :80 / :443           │
│  • Application pods (namespace: apps)                       │
│  • local-path storage provisioner                           │
│                                                             │
│  Node IP: <WORKER_IP>                                       │
└──────────────────────┬──────────────────────────────────────┘
                       │  Private network
                       │  Flannel VXLAN (UDP :8472)
                       │  kubelet API   (TCP :10250)

┌─────────────────────────────────────────────────────────────┐
│  VPS1 — Master / Control Plane                              │
│                                                             │
│  • k3s server (systemd service)                             │
│  • API server                        → TCP :6443            │
│  • etcd (embedded, single-node)                             │
│  • Controller Manager                                       │
│  • Scheduler                                                │
│                                                             │
│  Node IP / Public IP: <MASTER_IP>                           │
└─────────────────────────────────────────────────────────────┘

Node Roles

| Node | Role                  | Labels           | Workloads                 |
|------|-----------------------|------------------|---------------------------|
| VPS1 | control-plane, master | node-role=master | Control plane only        |
| VPS2 | worker                | node-role=worker | Application pods, Traefik |

Network Ranges

| Range        | Purpose                                 |
|--------------|-----------------------------------------|
| 10.42.0.0/16 | Pod CIDR (Flannel allocates per node)   |
| 10.43.0.0/16 | Service CIDR (ClusterIPs)               |

Flannel VXLAN Overlay

k3s uses Flannel with the vxlan backend by default. Each node gets a /24 subnet carved out of the pod CIDR:

VPS1 (master): 10.42.0.0/24
VPS2 (worker): 10.42.1.0/24

VXLAN encapsulates pod-to-pod traffic in UDP datagrams on port 8472, tunnelled over the nodes' private network interface. The encapsulation adds no encryption or authentication of its own, so the private network between the nodes is treated as trusted and port 8472 is exposed only to the peer node (see Port Reference).

Pod A (10.42.0.5) ──► VXLAN encap ──► UDP :8472 ──► VXLAN decap ──► Pod B (10.42.1.7)

Port Reference

Master (VPS1)

| Port  | Protocol | Service        | Exposed to     |
|-------|----------|----------------|----------------|
| 22    | TCP      | SSH            | Admin only     |
| 6443  | TCP      | k3s API server | Worker + local |
| 8472  | UDP      | Flannel VXLAN  | Worker         |
| 10250 | TCP      | kubelet API    | Worker         |

Worker (VPS2)

| Port  | Protocol | Service         | Exposed to |
|-------|----------|-----------------|------------|
| 22    | TCP      | SSH             | Admin only |
| 80    | TCP      | Traefik (HTTP)  | Internet   |
| 443   | TCP      | Traefik (HTTPS) | Internet   |
| 8472  | UDP      | Flannel VXLAN   | Master     |
| 10250 | TCP      | kubelet API     | Master     |
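The two port tables above, together with the Flannel section, define exactly who may reach each port. The script below is an added example (not part of the original page or of k3s itself) that turns those tables into host-firewall rules with ufw. It assumes ufw is the host firewall, that the nodes talk over a private interface, and uses placeholder addresses: 10.0.0.2 / 10.0.0.3 stand in for `<MASTER_IP>` / `<WORKER_IP>` on the private network and 203.0.113.10/32 for the admin's SSH source; none of these values come from the page.

```shell
#!/bin/sh
# Added example, not from the original page or the k3s project: emit ufw rules
# that expose each port only to the peer named in the "Exposed to" column of
# the port tables. Placeholder addresses (not values from the page):
#   10.0.0.2 / 10.0.0.3   private IPs standing in for <MASTER_IP> / <WORKER_IP>
#   203.0.113.10/32       admin source address for SSH
set -eu

# Usage: k3s_ufw_rules <master|worker> <peer-private-ip> <admin-cidr>
# Prints one ufw command per line so the rule set can be reviewed before use.
k3s_ufw_rules() {
  role=$1; peer=$2; admin=$3
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  echo "ufw allow from $admin to any port 22 proto tcp"     # SSH: admin only
  case "$role" in
    master)
      # API server: worker node only. Local kubectl talks to 127.0.0.1:6443,
      # and ufw accepts loopback traffic by default.
      echo "ufw allow from $peer to any port 6443 proto tcp"
      ;;
    worker)
      # Traefik entry points are the only ports open to the internet;
      # :80 also carries the ACME HTTP-01 challenge for cert-manager.
      echo "ufw allow 80/tcp"
      echo "ufw allow 443/tcp"
      ;;
    *)
      echo "unknown role: $role (expected master or worker)" >&2
      return 1
      ;;
  esac
  # Overlay and kubelet traffic is strictly node-to-node
  echo "ufw allow from $peer to any port 8472 proto udp"    # Flannel VXLAN
  echo "ufw allow from $peer to any port 10250 proto tcp"   # kubelet API
}

# Dry run by default: ./k3s-fw.sh master 10.0.0.3 203.0.113.10/32 prints the
# rules; APPLY=1 executes them (enable ufw afterwards with `ufw enable`).
if [ "$#" -eq 3 ]; then
  if [ "${APPLY:-0}" = 1 ]; then
    k3s_ufw_rules "$@" | sh -e
  else
    k3s_ufw_rules "$@"
  fi
fi
```

The rules follow the tables literally: 6443 is opened only to the worker, matching "Worker + local". If kubectl is also run remotely against the public IP (the reason for `--tls-san=<PUBLIC_IP>` in the flags table), a further rule for 6443 from the admin CIDR is needed.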

Ingress Flow

Client
  │  HTTPS :443
  ▼
Traefik (LoadBalancer Service, Worker node)
  │  TLS termination
  │  cert-manager / Let's Encrypt certificate
  ▼
IngressRoute / Ingress resource
  │
  ▼
ClusterIP Service  →  Pod(s) in namespace apps

TLS / Certificate Flow

Traefik detects IngressRoute with TLS →
cert-manager creates CertificateRequest →
ACME HTTP-01 challenge via Traefik →
Let's Encrypt issues certificate →
cert-manager stores cert in Secret →
Traefik serves HTTPS
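As an added example of the flow above (not from the original page, nor from the cert-manager or Traefik projects), the script below renders the three objects involved and includes a check of what Traefik actually serves once the certificate exists. It assumes placeholder values: `app.example.com` as hostname, `admin@example.com` as ACME contact, an application Service named `app` on port 80 in namespace `apps`, and a ClusterIssuer named `letsencrypt-prod`. One detail worth knowing: cert-manager's ingress-shim only watches Kubernetes Ingress objects, so with a Traefik IngressRoute the Certificate is created explicitly and the IngressRoute references the Secret cert-manager writes.

```shell
#!/bin/sh
# Added example, not from the original page or the cert-manager/Traefik projects.
# Placeholders (not values from the page): app.example.com, admin@example.com,
# Service "app":80 in namespace apps, ClusterIssuer letsencrypt-prod.
set -eu

# Usage: render_tls_manifests <hostname> <acme-email>
# Prints ClusterIssuer + Certificate + IngressRoute as one multi-document YAML.
render_tls_manifests() {
  host=$1; email=$2
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: $email
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            class: traefik      # HTTP-01 challenge is answered through Traefik on :80
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-tls
  namespace: apps
spec:
  secretName: app-tls           # Secret cert-manager writes and Traefik reads
  dnsNames:
    - $host
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
---
apiVersion: traefik.io/v1alpha1   # Traefik v2 before 2.10 uses traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app
  namespace: apps
spec:
  entryPoints:
    - websecure                 # Traefik's :443 entry point
  routes:
    - match: Host(\`$host\`)
      kind: Rule
      services:
        - name: app
          port: 80
  tls:
    secretName: app-tls
EOF
}

# Usage: check_served_cert <hostname> [port]
# Shows subject, issuer and validity of the certificate Traefik presents for
# the SNI name, so an issued Let's Encrypt cert can be told from a default one.
check_served_cert() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Dry run prints the manifests; APPLY=1 pipes them to kubectl.
if [ "$#" -eq 2 ]; then
  if [ "${APPLY:-0}" = 1 ]; then
    render_tls_manifests "$@" | kubectl apply -f -
  else
    render_tls_manifests "$@"
  fi
fi
```

Because the solver is HTTP-01, port 80 on the worker must stay reachable from the internet (as the worker port table already states); the challenge request comes from Let's Encrypt, not from the client.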

Namespace Layout

| Namespace    | Content                                                   |
|--------------|-----------------------------------------------------------|
| kube-system  | k3s core components, Flannel, CoreDNS, Metrics Server     |
| ingress      | Traefik                                                   |
| cert-manager | cert-manager controller + webhook                         |
| apps         | Application workloads                                     |
| monitoring   | Prometheus, Grafana, Alertmanager (kube-prometheus-stack) |

k3s Key Flags (Master)

| Flag                         | Purpose                                                |
|------------------------------|--------------------------------------------------------|
| --disable=traefik            | Traefik managed via Helm instead                       |
| --disable=servicelb          | ServiceLB disabled (Traefik handles LoadBalancer)      |
| --flannel-backend=vxlan      | Explicit VXLAN overlay (stable, default)               |
| --tls-san=<PUBLIC_IP>        | Adds public IP to API server TLS SAN (remote kubectl)  |
| --secrets-encryption         | Encrypts Kubernetes Secrets at rest in etcd            |
| --protect-kernel-defaults    | Enforces required sysctl values at startup             |
| --write-kubeconfig-mode=600  | Restricts kubeconfig file permissions                  |
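The same flags can be kept in k3s's server configuration file instead of on the command line. The script below is an added example (not from the original page or the k3s project): it writes the flags above as `/etc/rancher/k3s/config.yaml`, where k3s uses each flag name without `--` as a key and repeated flags as lists, and it includes a check for the two settings that can be verified on a running node. It assumes 203.0.113.5 as a placeholder for `<PUBLIC_IP>` and the default kubeconfig path `/etc/rancher/k3s/k3s.yaml`.

```shell
#!/bin/sh
# Added example, not from the original page or the k3s project.
# Placeholder (not from the page): 203.0.113.5 stands in for <PUBLIC_IP>.
set -eu

# Usage: render_k3s_config <public-ip>
# Prints the server config equivalent to the flag table.
render_k3s_config() {
  public_ip=$1
  cat <<EOF
# /etc/rancher/k3s/config.yaml (server)
disable:
  - traefik                   # --disable=traefik: Traefik installed via Helm
  - servicelb                 # --disable=servicelb: Traefik's LoadBalancer replaces it
flannel-backend: vxlan        # --flannel-backend=vxlan
tls-san:
  - $public_ip                # --tls-san=<PUBLIC_IP>: remote kubectl
secrets-encryption: true      # --secrets-encryption
protect-kernel-defaults: true # --protect-kernel-defaults
write-kubeconfig-mode: "0600" # --write-kubeconfig-mode=600
EOF
}

# Usage: check_k3s_hardening [kubeconfig-path]
# Returns 0 when the kubeconfig is mode 0600 and Secrets encryption is enabled;
# runs on the master after k3s has started.
check_k3s_hardening() {
  kubeconfig=${1:-/etc/rancher/k3s/k3s.yaml}
  mode=$(stat -c %a "$kubeconfig")
  [ "$mode" = 600 ] || { echo "kubeconfig mode is $mode, expected 600" >&2; return 1; }
  k3s secrets-encrypt status | grep -q 'Encryption Status: Enabled' \
    || { echo "secrets encryption is not enabled" >&2; return 1; }
}

# ./k3s-config.sh 203.0.113.5 > /etc/rancher/k3s/config.yaml
if [ "$#" -eq 1 ]; then
  render_k3s_config "$1"
fi
```

`check_k3s_hardening` is the post-install counterpart of the last two rows: file mode 600 on the kubeconfig and `k3s secrets-encrypt status` reporting `Encryption Status: Enabled`.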