How to Install k3s Lightweight Kubernetes on RHEL 7

How to Install k3s Lightweight Kubernetes on RHEL 7

k3s is a certified, production-ready Kubernetes distribution engineered for resource-constrained environments. Developed by Rancher Labs (now part of SUSE), it packages the entire Kubernetes control plane into a single binary under 100 MB, includes Traefik as a built-in ingress controller, and removes legacy or alpha features to reduce complexity. On RHEL 7 systems with limited memory — edge servers, development VMs, or small clusters — k3s is often a far better choice than a full kubeadm-based cluster. This tutorial covers installing a k3s server node, configuring kubectl, joining agent nodes, deploying a workload, and cleanly uninstalling k3s.

Prerequisites

• One or more RHEL 7 machines with at least 512 MB RAM (1 GB+ recommended)
• Root or sudo access on all nodes
• Outbound internet access (or a local mirror of the k3s install script and binary)
• curl installed: yum install -y curl
• Unique hostname on each node
• Ports 6443 (API), 8472/UDP (Flannel VXLAN), 10250 (kubelet metrics) open between nodes

Step 1: Prepare the System

k3s handles most kernel prerequisites automatically, but a few settings improve stability on RHEL 7.

# Update the system
yum update -y

# Disable swap (k3s warns if swap is on)
swapoff -a
sed -i '/ swap / s/^(.*)$/#1/g' /etc/fstab

# Disable firewalld for a lab setup
systemctl disable firewalld
systemctl stop firewalld

# If keeping firewalld, open required ports instead:
# firewall-cmd --permanent --add-port=6443/tcp
# firewall-cmd --permanent --add-port=8472/udp
# firewall-cmd --permanent --add-port=10250/tcp
# firewall-cmd --reload

# Set SELinux to permissive
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

Step 2: Install k3s Using the Official Curl Script

The k3s project provides an installation script that downloads the binary, installs a systemd service, and starts the server automatically. Run this on the server (control plane) node.

# Install the latest stable k3s release
curl -sfL https://get.k3s.io | sh -

# The installer:
# - Downloads /usr/local/bin/k3s
# - Creates /etc/systemd/system/k3s.service
# - Starts and enables the k3s service

# Verify the service is running
systemctl status k3s

To install a specific version, set the INSTALL_K3S_VERSION environment variable before running the script:

curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.28.5+k3s1 sh -

Step 3: Configure KUBECONFIG

k3s writes its kubeconfig file to /etc/rancher/k3s/k3s.yaml. Set the KUBECONFIG environment variable so that standard kubectl commands work.

# Set KUBECONFIG for the current session
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml

# Persist for root user
echo "export KUBECONFIG=/etc/rancher/k3s/k3s.yaml" >> /root/.bash_profile
source /root/.bash_profile

# Verify cluster access
kubectl get nodes

# Example output
NAME         STATUS   ROLES                  AGE   VERSION
k3s-server   Ready    control-plane,master   2m    v1.28.5+k3s1

Step 4: Retrieve the Node Token for Agent Registration

Before joining agent (worker) nodes, you need the server’s join token. k3s stores this automatically during installation.

# Display the node token
cat /var/lib/rancher/k3s/server/node-token

# The token looks like:
# K10abc123::server:xyz789...

Copy the full token string — you will pass it to each agent node during installation.

Step 5: Join Agent Nodes with K3S_URL and K3S_TOKEN

On each worker machine, run the k3s installer with the K3S_URL and K3S_TOKEN variables to register it as an agent. Replace the IP address and token with your actual values.

# Run on each agent node
curl -sfL https://get.k3s.io | 
  K3S_URL=https://192.168.1.10:6443 
  K3S_TOKEN=K10abc123::server:xyz789... 
  sh -

# Verify the agent service
systemctl status k3s-agent

Back on the server node, confirm all agents appear in the node list:

kubectl get nodes

# Expected output
NAME          STATUS   ROLES                  AGE   VERSION
k3s-server    Ready    control-plane,master   10m   v1.28.5+k3s1
k3s-agent1    Ready    <none>                 1m    v1.28.5+k3s1
k3s-agent2    Ready    <none>                 45s   v1.28.5+k3s1

Step 6: Explore the Built-in Traefik Ingress Controller

k3s ships with Traefik as its default ingress controller. It is deployed automatically in the kube-system namespace and listens on ports 80 and 443 of every node.

# Check Traefik deployment
kubectl get pods -n kube-system | grep traefik

# Check the Traefik service
kubectl get svc -n kube-system | grep traefik

# View Traefik's IngressClass
kubectl get ingressclass

To create an Ingress resource that routes traffic through Traefik, use ingressClassName: traefik in your manifest.

Step 7: Deploy Your First Workload

With the cluster running, deploy a simple Nginx web server to verify end-to-end functionality.

# Create a deployment
kubectl create deployment nginx --image=nginx:1.25 --replicas=2

# Expose it as a NodePort service
kubectl expose deployment nginx 
  --type=NodePort 
  --port=80 
  --name=nginx-svc

# Find the assigned NodePort
kubectl get svc nginx-svc

# Example output
NAME        TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
nginx-svc   NodePort   10.43.150.201   <none>        80:31234/TCP   10s

# Test with curl using any node IP and the NodePort
curl http://192.168.1.10:31234

Step 8: Use k3s kubectl Directly

k3s bundles its own kubectl binary accessible as k3s kubectl. This is useful if you have not set KUBECONFIG or installed a standalone kubectl.

# Use the embedded kubectl
k3s kubectl get nodes
k3s kubectl get pods --all-namespaces
k3s kubectl describe node k3s-server

Step 9: Managing the k3s Service with systemctl

# View service status
systemctl status k3s

# Restart the server
systemctl restart k3s

# Stop the server
systemctl stop k3s

# View k3s logs
journalctl -u k3s -f

# On agent nodes, the service is named k3s-agent
systemctl status k3s-agent
journalctl -u k3s-agent -f

Step 10: Uninstall k3s

k3s provides dedicated uninstall scripts that cleanly remove binaries, services, network interfaces, and iptables rules. This is important because k3s makes significant changes to the host network stack.

# Uninstall the k3s server node
/usr/local/bin/k3s-uninstall.sh

# Uninstall a k3s agent node
/usr/local/bin/k3s-agent-uninstall.sh

# Verify cleanup
systemctl status k3s
ls /usr/local/bin/k3s*

k3s is an excellent solution for running Kubernetes on RHEL 7 systems where resource efficiency matters. You have installed the k3s server using the official install script, configured KUBECONFIG, retrieved the node token, joined multiple agent nodes, and deployed a workload through the built-in Traefik ingress. The lightweight design does not sacrifice compatibility — k3s passes the full Kubernetes conformance tests, making it a reliable foundation for real workloads. Refer to the k3s documentation for advanced topics such as high availability, external datastores, and custom TLS certificates.