k3s agent

In this section, you’ll learn how to configure the K3s agent.

Note that servers also run an agent, so all flags listed on this page are also valid for use on servers.

Options are documented on this page as CLI flags, but can also be passed as configuration file options. See the Configuration File documentation for more information on using YAML configuration files.

Logging

FlagDefaultDescription
-v value0Number for the log level verbosity
—vmodule valueN/AComma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging
—log value, -l valueN/ALog to file
—alsologtostderrN/ALog to standard error as well as file (if set)

Cluster Options

FlagEnvironment VariableDescription
—token value, -t valueK3S_TOKENToken to use for authentication
—token-file valueK3S_TOKEN_FILEToken file to use for authentication
—server value, -s valueK3S_URLServer to connect to

Listener

FlagDefaultDescription
—bind-address0.0.0.0k3s bind address

Data

FlagDefaultDescription
—data-dir value, -d value“/var/lib/rancher/k3s”Folder to hold state

Node

FlagEnvironment VariableDescription
—node-name valueK3S_NODE_NAMENode name
—with-node-idN/AAppend id to node name
—node-label valueN/ARegistering and starting kubelet with set of labels
—node-taint valueN/ARegistering kubelet with set of taints
—protect-kernel-defaultsN/AKernel tuning behavior. If set, error if kernel tunables are different from kubelet defaults.
—selinuxK3S_SELINUXEnable SELinux in containerd
—lb-server-port valueK3S_LB_SERVER_PORTLocal port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444)

Runtime

FlagDefaultDescription
—container-runtime-endpointN/ADisable embedded containerd and use the CRI socket at the given path; when used with —docker this sets the docker socket path
—default-runtimeN/ASet the default runtime in containerd
—image-service-endpointN/ADisable embedded containerd image service and use remote image service socket at the given path. If not specified, defaults to —container-runtime-endpoint.
—pause-image value“docker.io/rancher/pause:3.1”Customized pause image for containerd or docker sandbox
—private-registry value“/etc/rancher/k3s/registries.yaml”Private registry configuration file

Networking

FlagEnvironment VariableDescription
—node-ip value, -i valueN/AIP address to advertise for node
—node-external-ip valueN/AExternal IP address to advertise for node
—node-internal-dnsN/Ainternal DNS addresses to advertise for node
—node-external-dnsN/Aexternal DNS addresses to advertise for node
—resolv-conf valueK3S_RESOLV_CONFKubelet resolv.conf file
—flannel-iface valueN/AOverride default flannel interface
—flannel-conf valueN/AOverride default flannel config file
—flannel-cni-conf valueN/AOverride default flannel cni config file

Customized Flags

FlagDescription
—kubelet-arg valueCustomized flag for kubelet process
—kube-proxy-arg valueCustomized flag for kube-proxy process

Experimental

FlagDescription
—rootlessRun rootless
—dockerUse cri-dockerd instead of containerd
—enable-pprofEnable pprof endpoint on supervisor port
—prefer-bundled-binPrefer bundled userspace binaries over host binaries
—disable-default-registry-endpointSee “Default Endpoint Fallback
—vpn-authSee “Integration with the Tailscale VPN provider
—vpn-auth-fileSee “Integration with the Tailscale VPN provider

Deprecated

FlagEnvironment VariableDescription
—no-flannelN/AUse —flannel-backend=none
—cluster-secret valueK3S_CLUSTER_SECRETUse —token

Node Labels and Taints for Agents

K3s agents can be configured with the options --node-label and --node-taint which adds a label and taint to the kubelet. The two options only add labels and/or taints at registration time, so they can only be added once and not changed after that again by running K3s commands.

Below is an example showing how to add labels and a taint:

  1. --node-label foo=bar \
  2. --node-label hello=world \
  3. --node-taint key1=value1:NoExecute

If you want to change node labels and taints after node registration you should use kubectl. Refer to the official Kubernetes documentation for details on how to add taints and node labels.

K3s Agent CLI Help

If an option appears in brackets below, for example [$K3S_URL], it means that the option can be passed in as an environment variable of that name.

  1. NAME:
  2. k3s agent - Run node agent
  3. USAGE:
  4. k3s agent [OPTIONS]
  5. OPTIONS:
  6. --config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]
  7. --debug (logging) Turn on debug logs [$K3S_DEBUG]
  8. -v value (logging) Number for the log level verbosity (default: 0)
  9. --vmodule value (logging) Comma-separated list of FILE_PATTERN=LOG_LEVEL settings for file-filtered logging
  10. --log value, -l value (logging) Log to file
  11. --alsologtostderr (logging) Log to standard error as well as file (if set)
  12. --token value, -t value (cluster) Token to use for authentication [$K3S_TOKEN]
  13. --token-file value (cluster) Token file to use for authentication [$K3S_TOKEN_FILE]
  14. --server value, -s value (cluster) Server to connect to [$K3S_URL]
  15. --data-dir value, -d value (agent/data) Folder to hold state (default: "/var/lib/rancher/k3s") [$K3S_DATA_DIR]
  16. --node-name value (agent/node) Node name [$K3S_NODE_NAME]
  17. --with-node-id (agent/node) Append id to node name
  18. --node-label value (agent/node) Registering and starting kubelet with set of labels
  19. --node-taint value (agent/node) Registering kubelet with set of taints
  20. --image-credential-provider-bin-dir value (agent/node) The path to the directory where credential provider plugin binaries are located (default: "/var/lib/rancher/credentialprovider/bin")
  21. --image-credential-provider-config value (agent/node) The path to the credential provider plugin config file (default: "/var/lib/rancher/credentialprovider/config.yaml")
  22. --selinux (agent/node) Enable SELinux in containerd [$K3S_SELINUX]
  23. --lb-server-port value (agent/node) Local port for supervisor client load-balancer. If the supervisor and apiserver are not colocated an additional port 1 less than this port will also be used for the apiserver client load-balancer. (default: 6444) [$K3S_LB_SERVER_PORT]
  24. --protect-kernel-defaults (agent/node) Kernel tuning behavior. If set, error if kernel tunables are different than kubelet defaults.
  25. --container-runtime-endpoint value (agent/runtime) Disable embedded containerd and use the CRI socket at the given path; when used with --docker this sets the docker socket path
  26. --default-runtime value (agent/runtime) Set the default runtime in containerd
  27. --image-service-endpoint value (agent/runtime) Disable embedded containerd image service and use remote image service socket at the given path. If not specified, defaults to --container-runtime-endpoint.
  28. --pause-image value (agent/runtime) Customized pause image for containerd or docker sandbox (default: "rancher/mirrored-pause:3.6")
  29. --snapshotter value (agent/runtime) Override default containerd snapshotter (default: "overlayfs")
  30. --private-registry value (agent/runtime) Private registry configuration file (default: "/etc/rancher/k3s/registries.yaml")
  31. --disable-default-registry-endpoint (agent/containerd) Disables containerd fallback default registry endpoint when a mirror is configured for that registry
  32. --nonroot-devices (agent/containerd) Allows non-root pods to access devices by setting device_ownership_from_security_context=true in the containerd CRI config
  33. --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node
  34. --bind-address value (listener) k3s bind address (default: 0.0.0.0)
  35. --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node
  36. --node-internal-dns value (agent/networking) internal DNS addresses to advertise for node
  37. --node-external-dns value (agent/networking) external DNS addresses to advertise for node
  38. --resolv-conf value (agent/networking) Kubelet resolv.conf file [$K3S_RESOLV_CONF]
  39. --flannel-iface value (agent/networking) Override default flannel interface
  40. --flannel-conf value (agent/networking) Override default flannel config file
  41. --flannel-cni-conf value (agent/networking) Override default flannel cni config file
  42. --kubelet-arg value (agent/flags) Customized flag for kubelet process
  43. --kube-proxy-arg value (agent/flags) Customized flag for kube-proxy process
  44. --enable-pprof (experimental) Enable pprof endpoint on supervisor port
  45. --rootless (experimental) Run rootless
  46. --prefer-bundled-bin (experimental) Prefer bundled userspace binaries over host binaries
  47. --docker (agent/runtime) (experimental) Use cri-dockerd instead of containerd
  48. --vpn-auth value (agent/networking) (experimental) Credentials for the VPN provider. It must include the provider name and join key in the format name=<vpn-provider>,joinKey=<key>[,controlServerURL=<url>][,extraArgs=<args>] [$K3S_VPN_AUTH]
  49. --vpn-auth-file value (agent/networking) (experimental) File containing credentials for the VPN provider. It must include the provider name and join key in the format name=<vpn-provider>,joinKey=<key>[,controlServerURL=<url>][,extraArgs=<args>] [$K3S_VPN_AUTH_FILE]
  50. --disable-apiserver-lb (agent/networking) (experimental) Disable the agent client-side load-balancer and connect directly to the configured server address