k3s Operator Setup

Purpose

Configure the k3s kubeconfig file to be world-readable so kubectl works for non-root users (including operator on caneast-site1-node4). By default k3s writes /etc/rancher/k3s/k3s.yaml as mode 0600 (root-only).

Prerequisites

  • SSH access to caneast-site1-node4 (k3s control-plane, REDACTED)
  • sudo on caneast-site1-node4

Procedure

1. Set K3S_KUBECONFIG_MODE via systemd override

ssh REDACTED -p 2222
sudo systemctl edit k3s

Add the following content in the editor:

[Service]
Environment="K3S_KUBECONFIG_MODE=0644"

Save and exit (Ctrl+O, Ctrl+X for nano; :wq for vim).

2. Restart k3s

sudo systemctl restart k3s

Wait ~10 seconds for the service to come back up.

3. Verify kubeconfig permissions

ls -la /etc/rancher/k3s/k3s.yaml

Expected output:

-rw-r--r-- 1 root root ... /etc/rancher/k3s/k3s.yaml

Mode must be 0644 (-rw-r--r--).

4. Verify kubectl access as non-root

kubectl get nodes

All k3s nodes should appear in Ready state.
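
The checks from steps 1 and 3 as one script. This is an added example, not part of the original runbook: it confirms that the systemd drop-in sets K3S_KUBECONFIG_MODE and that the kubeconfig has the requested mode. The function names and the demo's temporary files are constructed for illustration. The drop-in path named in the comments is assumed to be the default file that systemctl edit writes.

```shell
#!/bin/sh
# Added example, not from the runbook. Function names are illustrative.

# Print the K3S_KUBECONFIG_MODE value set in a systemd drop-in (last one wins).
dropin_mode() {
    sed -n 's/^[[:space:]]*Environment="\{0,1\}K3S_KUBECONFIG_MODE=\([0-7]\{3,4\}\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Print a file's permission bits in octal (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the drop-in requests mode $3 and the kubeconfig has that mode.
check_kubeconfig() {
    kubeconfig=$1; dropin=$2; want=${3#0}
    configured=$(dropin_mode "$dropin"); configured=${configured#0}
    actual=$(file_mode "$kubeconfig")
    if [ "$configured" != "$want" ]; then
        echo "FAIL: drop-in sets '${configured:-nothing}', want $want; mode resets on restart" >&2
        return 1
    fi
    if [ "$actual" != "$want" ]; then
        echo "FAIL: $kubeconfig is $actual, want $want; restart k3s to apply" >&2
        return 1
    fi
    echo "OK: $kubeconfig is $actual and the drop-in keeps it that way"
}

# Demo on constructed temp files. On the node the real inputs would be
# /etc/rancher/k3s/k3s.yaml and /etc/systemd/system/k3s.service.d/override.conf
# (the default file that "systemctl edit k3s" writes).
demo() {
    d=$(mktemp -d) || return 1
    printf '[Service]\nEnvironment="K3S_KUBECONFIG_MODE=0644"\n' > "$d/override.conf"
    : > "$d/k3s.yaml"
    chmod 0600 "$d/k3s.yaml"    # k3s default, before the restart in step 2
    check_kubeconfig "$d/k3s.yaml" "$d/override.conf" 0644 2>/dev/null && return 1
    chmod 0644 "$d/k3s.yaml"    # what k3s writes after the restart
    check_kubeconfig "$d/k3s.yaml" "$d/override.conf" 0644 || return 1
    rm -rf "$d"
}
demo
```
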

Why This Is Needed

k3s defaults to 0600 on its kubeconfig. Without the K3S_KUBECONFIG_MODE environment variable set in the systemd unit, the file reverts to 0600 on every k3s restart, breaking non-root kubectl access. The systemd override via systemctl edit persists the setting across restarts and upgrades.

Verification on CanEast AI Node WSL

The CanEast AI Node WSL kubeconfig at ~/.kube/config is a copy fetched from caneast-site1-node4. If caneast-site1-node4's kubeconfig is regenerated (e.g. after a cluster reset), copy it again:

scp -P 2222 REDACTED:/etc/rancher/k3s/k3s.yaml ~/.kube/config

Then confirm the server address and update it to the cluster VIP if needed:

# confirm the server field points at REDACTED:[REDACTED]
grep server ~/.kube/config

References

  • ADR-0016: k3s namespace layout
  • WI-360: k3s kubeconfig runbook