Air-Gap Install
This guide walks you through installing K3s in an air-gapped environment using a three-step process.
1. Load Images
Each image loading method has different requirements and is suited for different air-gapped scenarios. Choose the method that best fits your infrastructure and security requirements.
- Private Registry Method
- Manually Deploy Images
- Embedded Registry Mirror
These steps assume you have already created nodes in your air-gap environment, are using the bundled containerd as the container runtime, and have a OCI-compliant private registry available in your environment.
If you have not yet set up a private Docker registry, refer to the official Registry documentation.
Create the Registry YAML and Push Images
- Obtain the images archive for your architecture from the releases page for the version of K3s you will be running.
- Use
docker image load k3s-airgap-images-amd64.tar.zstto import images from the tar file into docker. - Use
docker taganddocker pushto retag and push the loaded images to your private registry. - Follow the Private Registry Configuration guide to create and configure the
registries.yamlfile. - Proceed to the Install K3s section below.
These steps assume you have already created nodes in your air-gap environment, are using the bundled containerd as the container runtime, and cannot or do not want to use a private registry.
This method requires you to manually deploy the necessary images to each node, and is appropriate for edge deployments where running a private registry is not practical.
Prepare the Images Directory and Airgap Image Tarball
- Obtain the images archive for your architecture from the releases page for the version of K3s you will be running.
- Download the images archive to the agent's images directory, for example:
sudo mkdir -p /var/lib/rancher/k3s/agent/images/
sudo curl -L -o /var/lib/rancher/k3s/agent/images/k3s-airgap-images-amd64.tar.zst "https://github.com/k3s-io/k3s/releases/download/v1.33.1%2Bk3s1/k3s-airgap-images-amd64.tar.zst"
- Proceed to the Install K3s section below.
Enable Conditional Image Imports
Conditional Image imports is available as of the May 2025 releases: v1.33.1+k3s1, v1.32.5+k3s1, v1.31.9+k3s1, v1.30.13+k3s1,
Image archives are imported every time k3s starts. This is done to ensure that all the images are consistently available, even if some images have been removed or pruned since last startup. However, this delays startup as the kubelet is not started until after all archives have been processed. To alleviate this delay there is an option to only import tarballs that have changed since they were last imported, even across restarts.
To enable this feature, create a .cache.json file in the images directory:
touch /var/lib/rancher/k3s/agent/images/.cache.json
The cache file will store archive metadata as files are processed. Subsequent restarts of K3s will not import the images, as long as the size and modification time of the archive remains the same.
When this feature is enabled, it will not be possible to ensure that all images are available every time k3s starts. If an image was removed or pruned since last startup, take manual action to reimport the image. Either:
- Manually import the archive with
ctr image import. - Use
touchto modify the timestamp of the archive containing the image. - Clear the contents of the
.cache.jsonfile, and restart k3s.
K3s includes an embedded distributed OCI-compliant registry mirror. When enabled and properly configured, images available in the containerd image store on any node can be pulled by other cluster members without access to an external image registry.
The mirrored images may be sourced from an upstream registry, registry mirror, or airgap image tarball. For more information on enabling the embedded distributed registry mirror, see the Embedded Registry Mirror documentation.
2. Install K3s
Prerequisites
Before installing K3s, choose one of the Load Images options above to prepopulate the images that K3s needs to install.
Binaries
- Download the K3s binary from the releases page, matching the same version used to get the airgap images. Place the binary in
/usr/local/binon each air-gapped node and ensure it is executable. - Download the K3s install script at get.k3s.io. Place the install script anywhere on each air-gapped node, and name it
install.sh.
Default Network Route
If your nodes do not have an interface with a default route, a default route must be configured; even a black-hole route via a dummy interface will suffice. K3s requires a default route in order to auto-detect the node's primary IP, and for kube-proxy ClusterIP routing to function properly. To add a dummy route, do the following:
ip link add dummy0 type dummy
ip link set dummy0 up
ip addr add 203.0.113.254/31 dev dummy0
ip route add default via 203.0.113.255 dev dummy0 metric 1000
When running the K3s script with the INSTALL_K3S_SKIP_DOWNLOAD environment variable, K3s will use the local version of the script and binary.
SELinux RPM
If running on an air-gapped node with SELinux enabled, you must manually install the k3s-selinux RPM before installing K3s. This RPM includes the necessary SELinux policies for K3s to run properly. The latest version of the RPM can be found here. For example, on CentOS 8:
# On internet accessible machine:
curl -LO https://github.com/k3s-io/k3s-selinux/releases/download/v1.6.stable.1/k3s-selinux-1.6-1.el8.noarch.rpm
# Transfer RPM to air-gapped machine
sudo yum install ./k3s-selinux-1.6-1.el8.noarch.rpm
The k3s-selinux RPM installation requires the following dependencies to be available in the OS:
- container-selinux
- policycoreutils
- selinux-policy
See the SELinux section for more information.
Running Install Script
You can install K3s on one or more servers as described below.
- Single Server Configuration
- High Availability Configuration
To install K3s on a single server, simply do the following on the server node:
INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh
To add additional agents, do the following on each agent node:
INSTALL_K3S_SKIP_DOWNLOAD=true K3S_URL=https://<SERVER_IP>:6443 K3S_TOKEN=<YOUR_TOKEN> ./install.sh
Reference the High Availability with an External DB or High Availability with Embedded DB guides. You will be tweaking install commands so you specify INSTALL_K3S_SKIP_DOWNLOAD=true and run your install script locally instead of via curl. You will also utilize INSTALL_K3S_EXEC='args' to supply any arguments to k3s.
For example, step two of the High Availability with an External DB guide mentions the following:
curl -sfL https://get.k3s.io | sh -s - server \
--token=SECRET \
--datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name"
Instead, you would modify such examples like below:
INSTALL_K3S_SKIP_DOWNLOAD=true INSTALL_K3S_EXEC='server --token=SECRET' \
K3S_DATASTORE_ENDPOINT='mysql://username:password@tcp(hostname:3306)/database-name' \
./install.sh
K3s's --resolv-conf flag is passed through to the kubelet, which may help with configuring pod DNS resolution in air-gap networks where the host does not have upstream nameservers configured.
3. Upgrading
- Manual Upgrade
- Automated Upgrade
Upgrading an air-gap environment can be accomplished in the following manner:
- Download the new air-gap images (tar file) from the releases page for the version of K3s you will be upgrading to. Place the tar in the
/var/lib/rancher/k3s/agent/images/directory on each node. Delete the old tar file. - Copy and replace the old K3s binary in
/usr/local/binon each node. Copy over the install script at https://get.k3s.io (as it is possible it has changed since the last release). Run the script again just as you had done in the past with the same environment variables. - Restart the K3s service (if not restarted automatically by installer).
K3s supports automated upgrades. To enable this in air-gapped environments, you must ensure the required images are available in your private registry.
You will need the version of rancher/k3s-upgrade that corresponds to the version of K3s you intend to upgrade to. Note, the image tag replaces the + in the K3s release with a - because Docker images do not support +.
You will also need the versions of system-upgrade-controller and kubectl that are specified in the system-upgrade-controller manifest YAML that you will deploy. Check for the latest release of the system-upgrade-controller here and download the system-upgrade-controller.yaml to determine the versions you need to push to your private registry. For example, in release v0.15.2 of the system-upgrade-controller, these images are specified in the manifest YAML:
rancher/system-upgrade-controller:v0.15.2
rancher/kubectl:v1.30.3
Once you have added the necessary rancher/k3s-upgrade, rancher/system-upgrade-controller, and rancher/kubectl images to your private registry, follow the automated upgrades guide.