Rancher Labs introduced k3OS, the industry’s first extremely lightweight operating system for Kubernetes. It has extremely low resource consumption, minimal operations, and boots in seconds, which greatly simplifies Kubernetes operation in low-resource computing environments, improves the security of Kubernetes operation and maintenance, and fully enables edge computing scenarios.
k3OS is a Linux distribution designed to remove as much OS maintenance as possible in a Kubernetes cluster. It is specifically designed to have only what is needed to run k3s. Additionally, the OS is designed to be managed by kubectl once a cluster is bootstrapped. Nodes only need to join a cluster, and then all aspects of the OS can be managed from Kubernetes. Both k3OS and k3s upgrades are handled by k3OS.
k3OS can be used for public clouds and virtualized clusters, but it is also of great value in environments where computing resources are extremely limited, such as edge computing. The main features include:
- supports multiple architectures: k3OS runs on x86 and ARM processors to give you maximum flexibility.
- runs only the minimum required services: Fewer services means a tiny attack surface, for greater security.
- doesn’t require a package manager: The required services are built into the distribution image.
- models infrastructure as code: This makes sure there are no surprises, and that systems come up the same way every time. You can manage system configuration with version control systems, and carry out reliable, repeatable cluster deployments.
- Bump LTS Kernel
- Disable Password Auth in SSH #321
This addresses a security concern, #262, brought to our attention by @majkrzak. If you need to override this secure default, a /var/lib/rancher/k3os/ssh/sshd_config should do the trick.
- HTTPS_PROXY Typo http_proxys what? #311
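One way to check that an SSH override file does not quietly bring password logins back, as an added example that is not k3OS project code. It assumes the override file is read as an ordinary sshd_config; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not k3OS project code): report whether an sshd_config file
# leaves password authentication enabled in its global section.

# Print the first global PasswordAuthentication value: "yes", "no" or "unset".
# sshd uses the first value it reads for a keyword and keywords are
# case-insensitive; settings after a "Match" line are conditional, so stop there.
effective_password_auth() {
    awk '
        /^[ \t]*#/ { next }                      # comment lines
        /^[ \t]*$/ { next }                      # blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)      # tolerate "Keyword=value"
            split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit
            if (key == "passwordauthentication") {
                val = tolower(f[2]); gsub(/"/, "", val)
                print val; found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when the file explicitly sets "PasswordAuthentication no".
# "unset" counts as a failure because OpenSSH defaults this keyword to "yes".
password_auth_disabled() {
    [ "$(effective_password_auth "$1")" = "no" ]
}

# Constructed sample files; on a node, pass the override path instead.
demo_dir=$(mktemp -d)
printf '%s\n' '# hardened' 'PermitRootLogin no' 'passwordauthentication no' \
    'PasswordAuthentication yes' > "$demo_dir/hardened"
printf '%s\n' 'PermitRootLogin no' 'Match User admin' \
    '    PasswordAuthentication no' > "$demo_dir/match_only"
printf '%s\n' 'PasswordAuthentication=yes' > "$demo_dir/reenabled"

for f in hardened match_only reenabled; do
    if password_auth_disabled "$demo_dir/$f"; then status=OK; else status=REVIEW; fi
    printf '%-11s %-6s %s\n' "$f" "$(effective_password_auth "$demo_dir/$f")" "$status"
done
```

This static check does not follow Include directives; on a live node, `sshd -T` prints the effective configuration.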
Features and Enhancements
- Updated Tooling #292
Additionally, the parametrizable toolbox script to pull down an arbitrary container to twiddle some bits, contributed by @bhale
The services for qemu-guest-agent are not enabled unless a corresponding entry in
- Refactored Usage of LinuxKit Bits #297
metadata is now built directly from LinuxKit source
- Refactored k3OS Commands Into Multi-call Binary #303
k3os rc with code from fork of LinuxKit rolled into the project (invoked early during boot, may be replaced eventually with bash scripts)
- Build with go 1.13 #312
- Publish Container Images #323
Yet another key bit of functionality supporting the forthcoming operator (upgrades).