
K3s Server Configuration

In this section, you'll learn how to configure the K3s server.

Commonly Used Options

Database

Flag | Environment Variable | Description
--- | --- | ---
--datastore-endpoint value | K3S_DATASTORE_ENDPOINT | Specify etcd, MySQL, Postgres, or SQLite (default) data source name
--datastore-cafile value | K3S_DATASTORE_CAFILE | TLS Certificate Authority file used to secure datastore backend communication
--datastore-certfile value | K3S_DATASTORE_CERTFILE | TLS certificate file used to secure datastore backend communication
--datastore-keyfile value | K3S_DATASTORE_KEYFILE | TLS key file used to secure datastore backend communication
--etcd-expose-metrics | N/A | Expose etcd metrics to client interface (default: false)
--etcd-disable-snapshots | N/A | Disable automatic etcd snapshots
--etcd-snapshot-name value | N/A | Set the base name of etcd snapshots. Default: etcd-snapshot-<unix-timestamp> (default: "etcd-snapshot")
--etcd-snapshot-schedule-cron value | N/A | Snapshot interval time in cron spec, e.g. every 5 hours "0 */5 * * *" (default: "0 */12 * * *"). Note that "* */5 * * *", the example given in the CLI help, fires every minute of every fifth hour rather than once every five hours.
--etcd-snapshot-retention value | N/A | Number of snapshots to retain (default: 5)
--etcd-snapshot-dir value | N/A | Directory to save db snapshots (default: ${data-dir}/db/snapshots)
--etcd-s3 | N/A | Enable backup to S3
--etcd-s3-endpoint value | N/A | S3 endpoint url (default: "s3.amazonaws.com")
--etcd-s3-endpoint-ca value | N/A | S3 custom CA cert to connect to S3 endpoint
--etcd-s3-skip-ssl-verify | N/A | Disables S3 SSL certificate validation (snapshot uploads then accept any certificate; prefer --etcd-s3-endpoint-ca for private endpoints)
--etcd-s3-access-key value | AWS_ACCESS_KEY_ID | S3 access key
--etcd-s3-secret-key value | AWS_SECRET_ACCESS_KEY | S3 secret key
--etcd-s3-bucket value | N/A | S3 bucket name
--etcd-s3-region value | N/A | S3 region / bucket location (optional) (default: "us-east-1")
--etcd-s3-folder value | N/A | S3 folder
--etcd-s3-insecure | N/A | Disables S3 over HTTPS
--etcd-s3-timeout value | N/A | S3 timeout (default: 30s)
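The datastore options above compose into a scheduled, off-box etcd backup. The following is an added example, not a file from the K3s project: a shell function that writes a server config.yaml (the default `/etc/rancher/k3s/config.yaml` named in the CLI help further down) with embedded etcd, snapshots every six hours and upload to S3 with a pinned endpoint CA, plus two lint functions for the settings that most often go wrong, the `--etcd-s3-skip-ssl-verify` / `--etcd-s3-insecure` pair and a mangled cron schedule. The endpoint, bucket, folder and CA path are placeholders. The S3 keys are deliberately absent from the file so they can be supplied through the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables listed in the table instead of appearing on the command line.

```shell
#!/bin/sh
# Added example (not K3s project code). Writes a K3s server config.yaml that
# enables embedded etcd with scheduled snapshots shipped to S3 over TLS, then
# lints a config for the flags that disable transport security.
# Endpoint, bucket, folder and CA path below are placeholders (assumptions).

write_etcd_backup_config() {
  # $1 = path to write (default: the K3s config file location)
  cfg="${1:-/etc/rancher/k3s/config.yaml}"
  cat >"$cfg" <<'EOF'
# First server initialises embedded etcd; further servers use server: + the same token-file.
cluster-init: true
token-file: /etc/rancher/k3s/token              # keeps the join secret out of argv / ps output

# Snapshot once every 6 hours. Minute field is 0: "* */6 * * *" would fire every minute.
etcd-snapshot-schedule-cron: "0 */6 * * *"
etcd-snapshot-retention: 10
etcd-snapshot-compress: true

# Off-box copy. No access/secret key here: supply them through the
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment of the k3s service.
etcd-s3: true
etcd-s3-endpoint: "s3.example.internal:9000"     # assumption: private S3-compatible endpoint
etcd-s3-endpoint-ca: /etc/rancher/k3s/s3-ca.pem  # pin the endpoint CA instead of skipping validation
etcd-s3-bucket: "k3s-etcd-snapshots"             # assumption
etcd-s3-folder: "prod-cluster-a"                 # assumption
etcd-s3-region: "us-east-1"
etcd-s3-timeout: 60s
EOF
}

# Returns 0 if the config enables neither etcd-s3-skip-ssl-verify nor
# etcd-s3-insecure; otherwise prints the offending lines and returns 1.
lint_s3_transport() {
  cfg="$1"
  bad=$(grep -nE '^[[:space:]]*(etcd-s3-skip-ssl-verify|etcd-s3-insecure)[[:space:]]*:[[:space:]]*true' "$cfg" || true)
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Returns 0 if etcd-snapshot-schedule-cron is absent (k3s default "0 */12 * * *"
# applies) or has exactly five fields; 1 if a schedule lost fields, e.g. to a
# markdown renderer eating the asterisks.
lint_snapshot_cron() {
  cfg="$1"
  sched=$(sed -n 's/^[[:space:]]*etcd-snapshot-schedule-cron:[[:space:]]*"\{0,1\}\([^"#]*[^"# ]\)"\{0,1\}.*/\1/p' "$cfg")
  [ -z "$sched" ] && return 0
  # awk counts fields without the shell glob-expanding the asterisks
  n=$(printf '%s\n' "$sched" | awk '{print NF}')
  [ "$n" -eq 5 ]
}
```

A second server joins with `server: https://<first-server>:6443` and the same token file in place of `cluster-init: true`. Run both lint functions against the file before restarting the service: the transport check fails closed on either insecure flag set to true, and the cron check fails on anything other than five fields.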

Cluster Options

Flag | Environment Variable | Description
--- | --- | ---
--token value, -t value | K3S_TOKEN | Shared secret used to join a server or agent to a cluster
--token-file value | K3S_TOKEN_FILE | File containing the cluster-secret/token
--agent-token value | K3S_AGENT_TOKEN | Shared secret used to join agents to the cluster, but not servers
--agent-token-file value | K3S_AGENT_TOKEN_FILE | File containing the agent secret
--server value | K3S_URL | Server to connect to, used to join a cluster
--cluster-init | K3S_CLUSTER_INIT | Initialize a new cluster using embedded Etcd
--cluster-reset | K3S_CLUSTER_RESET | Forget all peers and become sole member of a new cluster

Client Options

Flag | Environment Variable | Description
--- | --- | ---
--write-kubeconfig value, -o value | K3S_KUBECONFIG_OUTPUT | Write kubeconfig for admin client to this file
--write-kubeconfig-mode value | K3S_KUBECONFIG_MODE | Write kubeconfig with this mode. K3s writes the file with mode 0600 by default; a more permissive mode such as 644 is useful for allowing a K3s cluster to be imported into Rancher, but it makes a cluster-admin credential readable by every local account on the node.
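The file `--write-kubeconfig` produces carries a cluster-admin credential, and `--token-file` / `--agent-token-file` hold the secrets that let a node join, so whoever can read them controls the cluster. Below is an added example, not K3s code, that checks such a file has no group or other permission bits and the expected owner, and shows the alternative to a world-readable kubeconfig: a private 0600 copy for the one user who needs it. It assumes GNU coreutils `stat` on Linux; the paths are K3s defaults or placeholders.

```shell
#!/bin/sh
# Added example (not K3s project code): verify that files holding K3s secrets
# (the admin kubeconfig from --write-kubeconfig, the join secrets from
# --token-file / --agent-token-file) are not readable by other local users.
# Assumes GNU coreutils `stat` (Linux).

# Returns 0 if $1 is a regular file owned by $2 (default root) whose mode grants
# nothing to group or others (0600, 0400, ...); prints the reason and returns 1 otherwise.
check_secret_file() {
  f="$1"; want_owner="${2:-root}"
  if [ ! -f "$f" ]; then
    echo "$f: missing or not a regular file" >&2; return 1
  fi
  mode=$(stat -c '%a' "$f")        # octal without leading zero, e.g. 600 or 644
  owner=$(stat -c '%U' "$f")
  # The last two octal digits are the group/other bits; anything non-zero there leaks the secret.
  go=$(printf '%s' "$mode" | sed 's/^.*\(..\)$/\1/')
  if [ "$go" != "00" ]; then
    echo "$f: mode $mode grants access to group/other" >&2; return 1
  fi
  if [ "$owner" != "$want_owner" ]; then
    echo "$f: owned by $owner, expected $want_owner" >&2; return 1
  fi
  return 0
}

# Check the default locations on a server node (paths are the K3s defaults;
# the token file location is an assumption matching a token-file: setting).
audit_k3s_secret_files() {
  rc=0
  for f in /etc/rancher/k3s/k3s.yaml /etc/rancher/k3s/token; do
    [ -e "$f" ] && { check_secret_file "$f" root || rc=1; }
  done
  return $rc
}

# Alternative to --write-kubeconfig-mode 644: give one unprivileged user a private
# 0600 copy of the admin kubeconfig. $1 = user, $2 = source (default K3s kubeconfig).
# Must run as root.
install_user_kubeconfig() {
  user="$1"; src="${2:-/etc/rancher/k3s/k3s.yaml}"
  home=$(getent passwd "$user" | cut -d: -f6)
  [ -n "$home" ] || { echo "no such user: $user" >&2; return 1; }
  grp=$(id -gn "$user")
  install -d -m 0700 -o "$user" -g "$grp" "$home/.kube"
  install -m 0600 -o "$user" -g "$grp" "$src" "$home/.kube/config"
}
```

`audit_k3s_secret_files` is the check to run after any change to `--write-kubeconfig-mode`; `install_user_kubeconfig alice` is what to do instead of loosening the mode when a non-root operator needs kubectl access on the node.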

Agent Options

K3s agent options are available as server options because the server has the agent process embedded within.

Agent Nodes

Flag | Environment Variable | Description
--- | --- | ---
--node-name value | K3S_NODE_NAME | Node name
--with-node-id | N/A | Append id to node name
--node-label value | N/A | Registering and starting kubelet with set of labels
--node-taint value | N/A | Registering kubelet with set of taints
--image-credential-provider-bin-dir value | N/A | The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")
--image-credential-provider-config value | N/A | The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")
--selinux | K3S_SELINUX | Enable SELinux in containerd
--lb-server-port value | K3S_LB_SERVER_PORT | Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444)

Agent Runtime

Flag | Default | Description
--- | --- | ---
--container-runtime-endpoint value | N/A (embedded containerd) | Disable embedded containerd and use alternative CRI implementation
--pause-image value | "rancher/mirrored-pause:3.6" (older releases: "docker.io/rancher/pause:3.1") | Customized pause image for containerd or Docker sandbox
--snapshotter value | "overlayfs" | Override default containerd snapshotter
--private-registry value | "/etc/rancher/k3s/registries.yaml" | Private registry configuration file

Agent Networking

As with the other agent options, these networking flags are accepted by k3s server because the server has the agent process embedded within.

Flag | Environment Variable | Description
--- | --- | ---
--node-ip value, -i value | N/A | IP address to advertise for node
--node-external-ip value | N/A | External IP address to advertise for node
--resolv-conf value | K3S_RESOLV_CONF | Kubelet resolv.conf file
--flannel-iface value | N/A | Override default flannel interface
--flannel-conf value | N/A | Override default flannel config file
--flannel-cni-conf value | N/A | Override default flannel cni config file

Advanced Options

Logging

Flag | Default | Description
--- | --- | ---
--debug | N/A | Turn on debug logs
-v value | 0 | Number for the log level verbosity
--vmodule value | N/A | Comma-separated list of pattern=N settings for file-filtered logging
--log value, -l value | N/A | Log to file
--alsologtostderr | N/A | Log to standard error as well as file (if set)

Listeners

Flag | Default | Description
--- | --- | ---
--bind-address value | 0.0.0.0 | k3s bind address. The default listens on every interface; set an explicit address to keep the supervisor and apiserver off networks that do not need to reach them.
--https-listen-port value | 6443 | HTTPS listen port
--advertise-address value | node-external-ip/node-ip | IPv4 address that apiserver uses to advertise to members of the cluster
--advertise-port value | listen-port | Port that apiserver uses to advertise to members of the cluster. The CLI help shows a literal default of 0, which means "use the --https-listen-port value".
--tls-san value | N/A | Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert. Include every name or address that clients, agents and load balancers dial (for example a load-balancer DNS name or VIP), or TLS verification of the apiserver fails for them.
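`--tls-san` only does its job if the certificate served on the HTTPS listen port really carries every name or address that clients dial. The helpers below are an added example, not K3s code: they list the SANs of a PEM certificate and assert that a required one is present, with a function that pulls the live certificate from a server (`openssl s_client` against port 6443) and a locally generated self-signed certificate, constructed test data, carrying the SANs a `--tls-san k3s.example.internal --tls-san 10.0.0.5` invocation would add. The hostname and IP are assumptions, and openssl 1.1.1 or newer is assumed for `-ext` and `-addext`.

```shell
#!/bin/sh
# Added example (not K3s project code). After starting a server with
#   k3s server --tls-san k3s.example.internal --tls-san 10.0.0.5
# the serving certificate must list those names, or clients dialing them fail TLS
# verification. These helpers print a PEM certificate's SANs and assert one of them.
# Assumes openssl >= 1.1.1. The hostname and address are assumptions.

# Print the certificate's SANs one per line, as "DNS:name" / "IP Address:addr".
# `-ext subjectAltName` prints a header line followed by the comma-separated list.
san_list() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | sed -n '2,$p' | tr ',' '\n' | sed 's/^[[:space:]]*//' | sed '/^$/d'
}

# Return 0 if the cert at $1 contains the exact SAN $2
# (e.g. "DNS:k3s.example.internal" or "IP Address:10.0.0.5"), 1 otherwise.
cert_has_san() {
  san_list "$1" | grep -qxF -- "$2"
}

# Save the certificate a running server presents as PEM.
# $1 = host, $2 = port (default 6443, the --https-listen-port default), $3 = output file.
fetch_server_cert() {
  host="$1"; port="${2:-6443}"; out="$3"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# Constructed test data: a self-signed cert with the SANs --tls-san would add,
# so the checks above can run without a cluster. $1 = output directory.
make_test_cert() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=k3s' \
    -addext 'subjectAltName=DNS:k3s.example.internal,IP:10.0.0.5,DNS:localhost' \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}
```

Against a real node the flow is `fetch_server_cert k3s.example.internal 6443 /tmp/k3s.pem` followed by `cert_has_san /tmp/k3s.pem 'DNS:k3s.example.internal'` for each name the cluster is reached through; a missing entry means the `--tls-san` list needs amending on every server.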

Data

Flag | Default | Description
--- | --- | ---
--data-dir value, -d value | /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root | Folder to hold state

Networking

Flag | Default | Description
--- | --- | ---
--cluster-cidr value | "10.42.0.0/16" | IPv4/IPv6 network CIDRs to use for pod IPs
--service-cidr value | "10.43.0.0/16" | IPv4/IPv6 network CIDRs to use for service IPs
--service-node-port-range value | "30000-32767" | Port range to reserve for services with NodePort visibility
--cluster-dns value | "10.43.0.10" | IPv4 Cluster IP for coredns service. Should be in your service-cidr range
--cluster-domain value | "cluster.local" | Cluster Domain
--flannel-backend value | "vxlan" | One of 'none', 'vxlan', 'ipsec', 'host-gw', 'wireguard-native', or 'wireguard' (deprecated)
--flannel-ipv6-masq | N/A | Enable IPv6 masquerading for pod
--servicelb-namespace value | "kube-system" | Namespace of the pods for the servicelb component
--egress-selector-mode value | "agent" | Must be one of the following:
  • disabled: The apiserver does not use agent tunnels to communicate with nodes. Requires that servers run agents, and have direct connectivity to the kubelet on agents, or the apiserver will not be able to access service endpoints or perform kubectl exec and kubectl logs.
  • agent: The apiserver uses agent tunnels to communicate with nodes. Nodes allow the tunnel connection from loopback addresses. Requires that servers also run agents, or the apiserver will not be able to access service endpoints. The historical default for k3s.
  • pod: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Nodes. Nodes allow the tunnel connection from loopback addresses, or a CIDR assigned to their node.
  • cluster: The apiserver uses agent tunnels to communicate with nodes and service endpoints, routing endpoint connections to the correct agent by watching Endpoints. Nodes allow the tunnel connection from loopback addresses, or the configured cluster CIDR range.

Storage Class

Flag | Description
--- | ---
--default-local-storage-path value | Default local storage path for local provisioner storage class

Kubernetes Components

Flag | Description
--- | ---
--disable value | Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server)
--disable-scheduler | Disable Kubernetes default scheduler
--disable-cloud-controller | Disable k3s default cloud controller manager
--disable-kube-proxy | Disable running kube-proxy
--disable-network-policy | Disable k3s default network policy controller
--disable-helm-controller | Disable Helm controller

Customized Flags for Kubernetes Processes

Flag | Description
--- | ---
--etcd-arg value | Customized flag for etcd process
--kube-apiserver-arg value | Customized flag for kube-apiserver process
--kube-scheduler-arg value | Customized flag for kube-scheduler process
--kube-controller-manager-arg value | Customized flag for kube-controller-manager process
--kube-cloud-controller-manager-arg value | Customized flag for kube-cloud-controller-manager process
--kubelet-arg value | Customized flag for kubelet process
--kube-proxy-arg value | Customized flag for kube-proxy process
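The `*-arg` options are the path by which CIS-style hardening reaches the embedded components: each value is `flag=value` with no leading dashes, and a repeated flag becomes a list in config.yaml. The example below is added here and is not a file shipped by K3s; it renders a config.yaml that turns on apiserver audit logging, a few apiserver, controller-manager and kubelet hardening values, `secrets-encryption` and `protect-kernel-defaults`, together with the minimal audit policy the apiserver needs and the sysctl settings without which `protect-kernel-defaults` stops the kubelet from starting. The audit log and policy paths under `/var/lib/rancher/k3s/server/` and the sysctl.d file name are assumptions.

```shell
#!/bin/sh
# Added example (not K3s project code). Renders the files a CIS-style hardening
# of a K3s server needs, using the customized-flag options from the table above:
# each entry is "flag=value" with no leading dashes; a repeated flag is a YAML list.
# Paths under /var/lib/rancher/k3s/server/ and the sysctl.d file name are assumptions.

# Minimal audit policy: record request metadata for everything. $1 = policy path.
write_audit_policy() {
  cat >"$1" <<'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Metadata
EOF
}

# Kernel tunables the kubelet expects once protect-kernel-defaults is on; with
# any of them different the kubelet exits at startup. $1 = sysctl.d file path.
write_kernel_sysctls() {
  cat >"$1" <<'EOF'
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
EOF
}

# Server config.yaml. $1 = path to write.
# CLI equivalent of a list entry: --kube-apiserver-arg audit-log-maxage=30 (one flag per entry).
write_hardening_config() {
  cat >"$1" <<'EOF'
protect-kernel-defaults: true        # kubelet refuses to start if the sysctls above differ
secrets-encryption: true             # encrypt Secrets at rest in the datastore
kube-apiserver-arg:
  - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"   # assumed path
  - "audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml"    # assumed path
  - "audit-log-maxage=30"
  - "audit-log-maxbackup=10"
  - "audit-log-maxsize=100"
  - "request-timeout=300s"
  - "service-account-lookup=true"
kube-controller-manager-arg:
  - "terminated-pod-gc-threshold=10"
kubelet-arg:
  - "streaming-connection-idle-timeout=5m"
  - "make-iptables-util-chains=true"
EOF
}

# Return 0 if config $1 carries every "flag=value" list entry given as further
# arguments and no entry mistakenly written with leading dashes; else print and return 1.
config_has_args() {
  cfg="$1"; shift; rc=0
  for want in "$@"; do
    grep -qF -- "- \"$want\"" "$cfg" || { echo "missing: $want" >&2; rc=1; }
  done
  if grep -q -- '- "--' "$cfg"; then
    echo "entries must be flag=value without leading dashes" >&2; rc=1
  fi
  return $rc
}
```

Apply the sysctl file with `sysctl --system` before restarting k3s, otherwise the kubelet exits on the mismatched kernel tunables, and create the audit log directory so the apiserver can open the log on first start.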

Experimental Options

Flag | Description
--- | ---
--rootless | Run rootless
--secrets-encryption | Enable Secret encryption at rest
--enable-pprof | Enable pprof endpoint on supervisor port
--docker | Use cri-dockerd instead of containerd

Deprecated Options

Flag | Environment Variable | Description
--- | --- | ---
--no-flannel | N/A | Use --flannel-backend=none
--no-deploy value | N/A | Do not deploy packaged components (valid items: coredns, servicelb, traefik, local-storage, metrics-server)
--cluster-secret value | K3S_CLUSTER_SECRET | Use --token
--flannel-backend wireguard | N/A | Use --flannel-backend=wireguard-native
--flannel-backend value=option1=value | N/A | Use --flannel-conf to specify the flannel config file with the backend config

K3s Server CLI Help

If an option appears in brackets below, for example [$K3S_TOKEN], it means that the option can be passed in as an environment variable of that name.

NAME:
k3s server - Run management server

USAGE:
k3s server [OPTIONS]

OPTIONS:
--config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]
--debug (logging) Turn on debug logs [$K3S_DEBUG]
-v value (logging) Number for the log level verbosity (default: 0)
--vmodule value (logging) Comma-separated list of pattern=N settings for file-filtered logging
--log value, -l value (logging) Log to file
--alsologtostderr (logging) Log to standard error as well as file (if set)
--bind-address value (listener) k3s bind address (default: 0.0.0.0)
--https-listen-port value (listener) HTTPS listen port (default: 6443)
--advertise-address value (listener) IPv4 address that apiserver uses to advertise to members of the cluster (default: node-external-ip/node-ip)
--advertise-port value (listener) Port that apiserver uses to advertise to members of the cluster (default: listen-port) (default: 0)
--tls-san value (listener) Add additional hostnames or IPv4/IPv6 addresses as Subject Alternative Names on the server TLS cert
--data-dir value, -d value (data) Folder to hold state (default: /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root)
--cluster-cidr value (networking) IPv4/IPv6 network CIDRs to use for pod IPs (default: 10.42.0.0/16)
--service-cidr value (networking) IPv4/IPv6 network CIDRs to use for service IPs (default: 10.43.0.0/16)
--service-node-port-range value (networking) Port range to reserve for services with NodePort visibility (default: "30000-32767")
--cluster-dns value (networking) IPv4 Cluster IP for coredns service. Should be in your service-cidr range (default: 10.43.0.10)
--cluster-domain value (networking) Cluster Domain (default: "cluster.local")
--flannel-backend value (networking) backend<=option1=val1,option2=val2> where backend is one of 'none', 'vxlan', 'ipsec', 'host-gw', 'wireguard-native', or 'wireguard' (deprecated) (default: "vxlan")
--flannel-ipv6-masq (networking) Enable IPv6 masquerading for pod
--egress-selector-mode value (networking) One of 'agent', 'cluster', 'pod', 'disabled' (default: "agent")
--servicelb-namespace value (networking) Namespace of the pods for the servicelb component (default: "kube-system")
--token value, -t value (cluster) Shared secret used to join a server or agent to a cluster [$K3S_TOKEN]
--token-file value (cluster) File containing the cluster-secret/token [$K3S_TOKEN_FILE]
--write-kubeconfig value, -o value (client) Write kubeconfig for admin client to this file [$K3S_KUBECONFIG_OUTPUT]
--write-kubeconfig-mode value (client) Write kubeconfig with this mode [$K3S_KUBECONFIG_MODE]
--enable-pprof (experimental) Enable pprof endpoint on supervisor port
--kube-apiserver-arg value (flags) Customized flag for kube-apiserver process
--etcd-arg value (flags) Customized flag for etcd process
--kube-controller-manager-arg value (flags) Customized flag for kube-controller-manager process
--kube-scheduler-arg value (flags) Customized flag for kube-scheduler process
--kube-cloud-controller-manager-arg value (flags) Customized flag for kube-cloud-controller-manager process
--datastore-endpoint value (db) Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$K3S_DATASTORE_ENDPOINT]
--datastore-cafile value (db) TLS Certificate Authority file used to secure datastore backend communication [$K3S_DATASTORE_CAFILE]
--datastore-certfile value (db) TLS certification file used to secure datastore backend communication [$K3S_DATASTORE_CERTFILE]
--datastore-keyfile value (db) TLS key file used to secure datastore backend communication [$K3S_DATASTORE_KEYFILE]
--etcd-expose-metrics (db) Expose etcd metrics to client interface. (default: false)
--etcd-disable-snapshots (db) Disable automatic etcd snapshots
--etcd-snapshot-name value (db) Set the base name of etcd snapshots. Default: etcd-snapshot-<unix-timestamp> (default: "etcd-snapshot")
--etcd-snapshot-schedule-cron value (db) Snapshot interval time in cron spec. eg. every 5 hours '* */5 * * *' (default: "0 */12 * * *")
--etcd-snapshot-retention value (db) Number of snapshots to retain (default: 5)
--etcd-snapshot-dir value (db) Directory to save db snapshots. (Default location: ${data-dir}/db/snapshots)
--etcd-snapshot-compress (db) Compress etcd snapshot
--etcd-s3 (db) Enable backup to S3
--etcd-s3-endpoint value (db) S3 endpoint url (default: "s3.amazonaws.com")
--etcd-s3-endpoint-ca value (db) S3 custom CA cert to connect to S3 endpoint
--etcd-s3-skip-ssl-verify (db) Disables S3 SSL certificate validation
--etcd-s3-access-key value (db) S3 access key [$AWS_ACCESS_KEY_ID]
--etcd-s3-secret-key value (db) S3 secret key [$AWS_SECRET_ACCESS_KEY]
--etcd-s3-bucket value (db) S3 bucket name
--etcd-s3-region value (db) S3 region / bucket location (optional) (default: "us-east-1")
--etcd-s3-folder value (db) S3 folder
--etcd-s3-insecure (db) Disables S3 over HTTPS
--etcd-s3-timeout value (db) S3 timeout (default: 30s)
--default-local-storage-path value (storage) Default local storage path for local provisioner storage class
--disable value (components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server)
--disable-scheduler (components) Disable Kubernetes default scheduler
--disable-cloud-controller (components) Disable k3s default cloud controller manager
--disable-kube-proxy (components) Disable running kube-proxy
--disable-network-policy (components) Disable k3s default network policy controller
--disable-helm-controller (components) Disable Helm controller
--node-name value (agent/node) Node name [$K3S_NODE_NAME]
--with-node-id (agent/node) Append id to node name
--node-label value (agent/node) Registering and starting kubelet with set of labels
--node-taint value (agent/node) Registering kubelet with set of taints
--image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")
--image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")
--docker (agent/runtime) Use docker instead of containerd
--container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use alternative CRI implementation
--pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")
--snapshotter value (agent/runtime) Override default containerd snapshotter (default: "overlayfs")
--private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")
--node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node
--node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node
--resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]
--flannel-iface value (agent/networking) Override default flannel interface
--flannel-conf value (agent/networking) Override default flannel config file
--flannel-cni-conf value (agent/networking) Override default flannel cni config file
--kubelet-arg value (agent/flags) Customized flag for kubelet process
--kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process
--protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.
--rootless (experimental) Run rootless
--agent-token value (cluster) Shared secret used to join agents to the cluster, but not servers [$K3S_AGENT_TOKEN]
--agent-token-file value (cluster) File containing the agent secret [$K3S_AGENT_TOKEN_FILE]
--server value, -s value (cluster) Server to connect to, used to join a cluster [$K3S_URL]
--cluster-init (cluster) Initialize a new cluster using embedded Etcd [$K3S_CLUSTER_INIT]
--cluster-reset (cluster) Forget all peers and become sole member of a new cluster [$K3S_CLUSTER_RESET]
--cluster-reset-restore-path value (db) Path to snapshot file to be restored
--secrets-encryption (experimental) Enable Secret encryption at rest
--system-default-registry value (image) Private registry to be used for all system images [$K3S_SYSTEM_DEFAULT_REGISTRY]
--selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX]
--lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]
--no-flannel (deprecated) use --flannel-backend=none
--no-deploy value (deprecated) Do not deploy packaged components (valid items: coredns, servicelb, traefik, local-storage, metrics-server)
--cluster-secret value (deprecated) use --token [$K3S_CLUSTER_SECRET]