
K3s Kubernetes Deploy

by xuelin314-bot · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 281 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install k3s-deploy
Description
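Automates deployment of a K3s Kubernetes cluster to multiple Linux servers. Supports automatic image pulling, network configuration detection, and CNI plugin installation. Use cases: (1) deploying a K3s cluster from scratch, (2) repairing NotReady nodes, (3) batch-deploying multi-node clusters. Trigger conditions: the user mentions K3s, Kubernetes deployment, cluster installation, node joining, and so on.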
README (SKILL.md)

K3s Automated Deployment Skill

Quick Start

# Use the deployment script (recommended)
./scripts/deploy-k3s.sh \
  --master 10.1.9.177 \
  --masters-user root \
  --masters-pass 'your-password' \
  --worker 10.1.9.178,10.1.9.179 \
  --workers-user root \
  --workers-pass 'your-password'

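Workflow

1. Pre-deployment checks

  • Check server connectivity
  • Verify SSH credentials
  • Detect the operating system version (CentOS 7+/Ubuntu 18.04+ supported)

2. Install K3s

  • Master node: install the K3s server
  • Worker nodes: join the cluster

3. Deploy the network plugin

  • Automatically detect the network interface (ens192/eth0, etc.)
  • Pull flannel from a mainland China mirror registry
  • Create the CNI configuration file

4. Health checks

  • Verify that all nodes are Ready
  • Verify that CoreDNS is running
  • Test Pod scheduling

Available scripts

Script                      Purpose
scripts/deploy-k3s.sh       One-click deployment of a complete cluster
scripts/pull-images.sh      Pre-pull the required images
scripts/check-cluster.sh    Cluster health check

Troubleshooting

For common issues, see references/troubleshooting.md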

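Quick diagnosis

# Check node status
kubectl get nodes

# Check system Pods
kubectl get pods -n kube-system

# View Pod details
kubectl describe pod <pod-name> -n kube-system

# View kubelet logs (K3s embeds the kubelet in the k3s service; on worker nodes the unit is k3s-agent)
journalctl -u k3s -n 50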

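Configuration notes

Automatic network interface detection

The script automatically runs the following command to detect the default-route interface: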

ip route | grep default | awk '{print $5}'

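Image registries

Huawei Cloud mirrors are used by default:

  • Flannel: swr.cn-north-4.myhuaweicloud.com/ddn-k8s/quay.io/coreos/flannel:v0.15.1
  • Pause: registry.aliyuncs.com/google_containers/pause:3.9

CNI configuration

Flannel v0.15.1 requires the CNI configuration file to be created manually; the script does this automatically:

# Create /etc/cni/net.d/10-flannel.conflist on all nodes

Best practices

  1. Pull images in advance - use pull-images.sh to pre-pull on all nodes
  2. Synchronize time - make sure NTP is synchronized on all nodes
  3. Firewall - disable the firewall or open the required ports
  4. Swap - K3s requires swap to be disabled

Output

Generated after deployment completes:

  • cluster-info.md - cluster configuration summary
  • deployment-log.txt - detailed deployment log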
Usage Guidance
This skill appears to implement a working K3s deployment but is sloppy and potentially unsafe in places — treat it as suspicious until you review and harden it:

  • Don't pass plaintext passwords on the command line. Prefer SSH key-based auth or at least SSHPASS via secure environment variables, and avoid storing passwords in shell history or using unsecured process arguments.
  • Inspect the scripts locally before running. Pay attention to lines that write /tmp/k3s-token.txt, modify kubeconfigs, create /etc/cni files, and run curl https://get.k3s.io. These reveal or expose cluster credentials.
  • The package declares no required tools but the scripts require ssh/sshpass/scp, curl, docker/containerd, kubectl and systemctl — ensure those exist and that use of sshpass is acceptable in your environment.
  • The scripts change kubeconfig addresses (attempts to replace 127.0.0.1 with 0.0.0.0 and $host). Verify and correct that behavior so you don't accidentally expose the API server to all interfaces.
  • Run the deployment first in an isolated test environment (throwaway VMs) to validate behavior and to see exactly what files are created and what network connections are made (image registries, get.k3s.io).
  • After a successful run, rotate any tokens/credentials that were generated or exposed and remove temporary files like /tmp/k3s-token.txt. Limit access to generated kubeconfigs and store them securely.
  • Consider using a vetted deployment tool or implementing SSH key auth and vault-backed secrets in place of passing passwords.

If you need help auditing or hardening the scripts, review the exact lines that use sshpass, echo/piping of passwords, and kubeconfig edits.

Confidence note: the issues look like sloppy/insecure engineering rather than explicit malicious behavior, but the combination of undeclared credential use, plaintext passwords, and token exposure justifies caution.
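
A post-deployment check for two of the artifacts named above, the rewritten kubeconfig and the leftover token file. This is an added example, not code from the skill; the function name audit_k3s_artifacts is hypothetical, and it assumes GNU stat on the Linux host that holds the files.

```shell
# Added example: audit files a K3s deployment run may leave behind.
# Usage: audit_k3s_artifacts "$HOME/.kube/config" /tmp/k3s-token.txt
# Prints one finding per line; returns non-zero if anything was found.
audit_k3s_artifacts() {
  kubeconfig=$1 token_file=$2 findings=0

  if [ -f "$kubeconfig" ]; then
    # 0.0.0.0 is a bind address, not a meaningful client target; seeing it
    # in a 'server:' URL signals the 127.0.0.1 rewrite went wrong.
    servers=$(sed -n 's/^[[:space:]]*server:[[:space:]]*//p' "$kubeconfig")
    for s in $servers; do
      case $s in
        https://0.0.0.0|https://0.0.0.0:*)
          echo "kubeconfig: server points at 0.0.0.0 ($s)"
          findings=$((findings + 1)) ;;
      esac
    done
    # The kubeconfig carries client credentials: owner-only access expected.
    mode=$(stat -c '%a' "$kubeconfig")
    case $mode in
      *00) ;;
      *) echo "kubeconfig: mode $mode grants access beyond the owner"
         findings=$((findings + 1)) ;;
    esac
  fi

  # The node token lets any holder join the cluster; it should not persist.
  if [ -e "$token_file" ]; then
    echo "token: $token_file still present; remove it and rotate the token"
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ]
}
```
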
Capability Analysis
Type: OpenClaw Skill
Name: k3s-deploy
Version: 1.0.0

The skill bundle automates K3s cluster deployment but exhibits high-risk credential handling by requiring root passwords as plaintext command-line arguments for use with `sshpass` in `scripts/deploy-k3s.sh`. While these capabilities are functionally aligned with the stated purpose of remote multi-node installation, the insecure management of sensitive credentials and the execution of broad system-level modifications via SSH (e.g., disabling swap, modifying /etc/fstab) represent significant security risks. No evidence of intentional data exfiltration or hidden backdoors was identified.
Capability Assessment
Purpose & Capability
The skill's stated purpose (deploy K3s to multiple Linux hosts) matches what the scripts attempt to do, but the package declares no required binaries or credentials while the scripts clearly require ssh/sshpass/scp, docker/containerd, curl, systemctl and kubectl. The lack of declared runtime requirements is an inconsistency that could mislead users about what will be needed and what access the skill will use.
Instruction Scope
SKILL.md and included scripts instruct the agent/user to run remote operations that require SSH access and privileged actions on target machines: disabling swap, running get.k3s.io installer, writing CNI files under /etc, restarting services, pulling images from external registries, and creating kubeconfigs. The scripts store the cluster node-token and save kubeconfig, and modify kubeconfig to listen on 0.0.0.0 — actions that expose sensitive cluster credentials. The instructions also advise passing plaintext passwords on the command line, which risks credential leakage (shell history, process lists).
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded/installed by the registry. However, included scripts perform network downloads at runtime (curl https://get.k3s.io and pull container images from third-party registries). This runtime network activity is expected for the task but should be noted: it will fetch code and images from external hosts.
Credentials
The skill declares no required environment variables or credentials but the scripts demand SSH credentials (user/password) and effectively log/emit the k3s node-token to /tmp/k3s-token.txt and generate kubeconfig files. Requiring plaintext passwords as CLI arguments and writing cluster tokens to /tmp is disproportionate and risky; credentials are not limited or scoped and are not documented as required env vars despite being central to operation.
Persistence & Privilege
The skill does not request platform-level persistence, but the scripts create and modify sensitive files on target hosts (CNI config in /etc/cni/net.d, kubeconfig under ~/.kube/config on the remote user, /tmp/k3s-token.txt and /tmp/cluster-info.txt). The kubeconfig modification to change 127.0.0.1 to 0.0.0.0 (and attempt to replace with $host) can expose the API endpoint and broaden access if used as-is. These are legitimate deployment effects but increase the attack surface and require careful handling.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install k3s-deploy
  3. After installation, invoke the skill by name or use /k3s-deploy
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Automated K3s cluster deployment with domestic mirror support, automatic network interface detection, and comprehensive troubleshooting guide
Metadata
Slug k3s-deploy
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is K3s Kubernetes Deploy?

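Automates deployment of a K3s Kubernetes cluster to multiple Linux servers. Supports automatic image pulling, network configuration detection, and CNI plugin installation. Use cases: (1) deploying a K3s cluster from scratch, (2) repairing NotReady nodes, (3) batch-deploying multi-node clusters. Trigger conditions: the user mentions K3s, Kubernetes deployment, cluster installation, node joining, and so on. It is an AI Agent Skill for Claude Code / OpenClaw, with 281 downloads so far.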

How do I install K3s Kubernetes Deploy?

Run "/install k3s-deploy" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is K3s Kubernetes Deploy free?

Yes, K3s Kubernetes Deploy is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does K3s Kubernetes Deploy support?

K3s Kubernetes Deploy is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created K3s Kubernetes Deploy?

It is built and maintained by xuelin314-bot (@xuelin314-bot); the current version is v1.0.0.
