K3s Kubernetes Deploy
Author: xuelin314-bot · v1.0.0 · MIT-0
Total downloads: 281 · Favorites: 0 · Current installs: 0 · Versions: 1
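Install in OpenClaw
/install k3s-deploy
Description
Automated deployment of a K3s Kubernetes cluster to multiple Linux servers. Supports automatic image pulling, network configuration detection, and CNI plugin installation. Use cases: (1) deploying a K3s cluster from scratch, (2) repairing NotReady nodes, (3) batch deployment of multi-node clusters. Trigger conditions: the user mentions K3s, Kubernetes deployment, cluster installation, node joining, and similar topics.
Usage instructions (SKILL.md)
K3s automated deployment skill
Quick start
# Use the deployment script (recommended)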
./scripts/deploy-k3s.sh \
--master 10.1.9.177 \
--masters-user root \
--masters-pass 'your-password' \
--worker 10.1.9.178,10.1.9.179 \
--workers-user root \
--workers-pass 'your-password'
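Workflow
1. Pre-deployment checks
- Check server connectivity
- Verify SSH credentials
- Detect the operating system version (CentOS 7+ / Ubuntu 18.04+ supported)
2. Install K3s
- Master node: install the K3s server
- Worker nodes: join the cluster
3. Deploy the network plugin
- Automatically detect the network interface (ens192, eth0, etc.)
- Pull flannel from a domestic (China) mirror registry
- Create the CNI configuration file
4. Health checks
- Verify that all nodes are Ready
- Verify that CoreDNS is running
- Test Pod scheduling
Available scripts
| Script | Purpose |
|---|---|
| scripts/deploy-k3s.sh | One-command deployment of the complete cluster |
| scripts/pull-images.sh | Pre-pull the required images |
| scripts/check-cluster.sh | Cluster health check |
Troubleshooting
For common problems, see references/troubleshooting.md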
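Quick diagnosis
# Check node status
kubectl get nodes
# Check system Pods
kubectl get pods -n kube-system
# View Pod details
kubectl describe pod <pod-name> -n kube-system
# View kubelet logs (K3s runs the kubelet inside the k3s unit; use k3s-agent on worker nodes)
journalctl -u k3s -n 50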
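Configuration
Automatic network interface detection
The script runs the following command to detect the default-route interface:
ip route | grep default | awk '{print $5}'
Image sources
Huawei Cloud mirrors are used by default:
- Flannel: swr.cn-north-4.myhuaweicloud.com/ddn-k8s/quay.io/coreos/flannel:v0.15.1
- Pause: registry.aliyuncs.com/google_containers/pause:3.9
CNI configuration
Flannel v0.15.1 requires the CNI configuration file to be created manually; the script does this automatically:
# Create /etc/cni/net.d/10-flannel.conflist on all nodes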
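Best practices
- Pull images in advance - use pull-images.sh to pre-pull on all nodes
- Synchronize time - make sure NTP is synchronized on all nodes
- Firewall - disable the firewall or open the required ports
- Swap - K3s requires Swap to be disabled
Output
After deployment completes, the following are generated:
- cluster-info.md - cluster configuration summary
- deployment-log.txt - detailed deployment log
Security usage recommendations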
This skill appears to implement a working K3s deployment but is sloppy and potentially unsafe in places — treat it as suspicious until you review and harden it:
- Don't pass plaintext passwords on the command line. Prefer SSH key-based auth or at least SSHPASS via secure environment variables, and avoid storing passwords in shell history or using unsecured process arguments.
- Inspect the scripts locally before running. Pay attention to lines that write /tmp/k3s-token.txt, modify kubeconfigs, create /etc/cni files, and run curl https://get.k3s.io. These reveal or expose cluster credentials.
- The package declares no required tools but the scripts require ssh/sshpass/scp, curl, docker/containerd, kubectl and systemctl — ensure those exist and that use of sshpass is acceptable in your environment.
- The scripts change kubeconfig addresses (attempts to replace 127.0.0.1 with 0.0.0.0 and $host). Verify and correct that behavior so you don't accidentally expose the API server to all interfaces.
- Run the deployment first in an isolated test environment (throwaway VMs) to validate behavior and to see exactly what files are created and what network connections are made (image registries, get.k3s.io).
- After a successful run, rotate any tokens/credentials that were generated or exposed and remove temporary files like /tmp/k3s-token.txt. Limit access to generated kubeconfigs and store them securely.
- Consider using a vetted deployment tool or implementing SSH key auth and vault-backed secrets in place of passing passwords. If you need help auditing or hardening the scripts, review the exact lines that use sshpass, echo/piping of passwords, and kubeconfig edits.
Confidence note: the issues look like sloppy/insecure engineering rather than explicit malicious behavior, but the combination of undeclared credential use, plaintext passwords, and token exposure justifies caution.
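A post-deployment check for the exposures listed above (a leftover node-token file, a kubeconfig readable by other users, a kubeconfig server entry rewritten to 0.0.0.0), as an added example that is not part of the skill or of this review. The function names and the sample files are constructed for illustration, and the default paths are assumptions taken from the review text.

```shell
#!/bin/sh
# Added example, not from the k3s-deploy skill. Default paths are assumptions.

# Report kubeconfig "server:" entries that point at the wildcard address.
kubeconfig_findings() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*server:[[:space:]]*//p' "$1" | while read -r url; do
        case "$url" in
            *//0.0.0.0[/:]*|*//0.0.0.0)
                echo "FINDING: $1 server is $url (wildcard address)" ;;
        esac
    done
}

# Report a file that group or others can read, write or execute.
mode_findings() {
    [ -e "$1" ] || return 0
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || echo "FINDING: $1 is open to group/other ($perms)"
}

# Report a node-token file that is still on disk.
token_findings() {
    [ ! -e "$1" ] || echo "FINDING: $1 still exists; remove it and rotate the token"
}

# Run every check; exit status 1 means at least one finding was printed.
audit_artifacts() {
    kubeconfig=${1:-$HOME/.kube/config}
    token_file=${2:-/tmp/k3s-token.txt}
    report=$(kubeconfig_findings "$kubeconfig"; mode_findings "$kubeconfig"
             token_findings "$token_file"; mode_findings "$token_file")
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample: files as the review describes the scripts leaving them.
demo() {
    dir=$(mktemp -d)
    printf 'clusters:\n- cluster:\n    server: https://0.0.0.0:6443\n' > "$dir/config"
    echo 'K10constructed::server:constructed' > "$dir/k3s-token.txt"
    chmod 644 "$dir/config" "$dir/k3s-token.txt"
    status=0; audit_artifacts "$dir/config" "$dir/k3s-token.txt" || status=$?
    rm -rf "$dir"
    return "$status"
}

demo || echo "audit exit status: $?"
```

Run `audit_artifacts` with no arguments on each node after a deployment; a non-zero exit status can gate a pipeline step.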
Functional analysis
Type: OpenClaw Skill
Name: k3s-deploy
Version: 1.0.0
The skill bundle automates K3s cluster deployment but exhibits high-risk credential handling by requiring root passwords as plaintext command-line arguments for use with `sshpass` in `scripts/deploy-k3s.sh`. While these capabilities are functionally aligned with the stated purpose of remote multi-node installation, the insecure management of sensitive credentials and the execution of broad system-level modifications via SSH (e.g., disabling swap, modifying /etc/fstab) represent significant security risks. No evidence of intentional data exfiltration or hidden backdoors was identified.
Capability assessment
Purpose & Capability
The skill's stated purpose (deploy K3s to multiple Linux hosts) matches what the scripts attempt to do, but the package declares no required binaries or credentials while the scripts clearly require ssh/sshpass/scp, docker/containerd, curl, systemctl and kubectl. The lack of declared runtime requirements is an inconsistency that could mislead users about what will be needed and what access the skill will use.
Instruction Scope
SKILL.md and included scripts instruct the agent/user to run remote operations that require SSH access and privileged actions on target machines: disabling swap, running get.k3s.io installer, writing CNI files under /etc, restarting services, pulling images from external registries, and creating kubeconfigs. The scripts store the cluster node-token and save kubeconfig, and modify kubeconfig to listen on 0.0.0.0 — actions that expose sensitive cluster credentials. The instructions also advise passing plaintext passwords on the command line, which risks credential leakage (shell history, process lists).
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded/installed by the registry. However, included scripts perform network downloads at runtime (curl https://get.k3s.io and pull container images from third-party registries). This runtime network activity is expected for the task but should be noted: it will fetch code and images from external hosts.
Credentials
The skill declares no required environment variables or credentials but the scripts demand SSH credentials (user/password) and effectively log/emit the k3s node-token to /tmp/k3s-token.txt and generate kubeconfig files. Requiring plaintext passwords as CLI arguments and writing cluster tokens to /tmp is disproportionate and risky; credentials are not limited or scoped and are not documented as required env vars despite being central to operation.
Persistence & Privilege
The skill does not request platform-level persistence, but the scripts create and modify sensitive files on target hosts (CNI config in /etc/cni/net.d, kubeconfig under ~/.kube/config on the remote user, /tmp/k3s-token.txt and /tmp/cluster-info.txt). The kubeconfig modification to change 127.0.0.1 to 0.0.0.0 (and attempt to replace with $host) can expose the API endpoint and broaden access if used as-is. These are legitimate deployment effects but increase the attack surface and require careful handling.
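How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install k3s-deploy
- Once installed, call the Skill by name or use /k3s-deploy to trigger it
- Provide the necessary inputs according to the Skill's parameter description to get structured output
Version history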
v1.0.0
Initial release: Automated K3s cluster deployment with domestic mirror support, automatic network interface detection, and comprehensive troubleshooting guide
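Frequently asked questions
What is K3s Kubernetes Deploy?
Automated deployment of a K3s Kubernetes cluster to multiple Linux servers. Supports automatic image pulling, network configuration detection, and CNI plugin installation. Use cases: (1) deploying a K3s cluster from scratch, (2) repairing NotReady nodes, (3) batch deployment of multi-node clusters. Trigger conditions: the user mentions K3s, Kubernetes deployment, cluster installation, node joining, and similar topics. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 281 cumulative downloads to date.
How do I install K3s Kubernetes Deploy?
Run the command "/install k3s-deploy" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is K3s Kubernetes Deploy free?
Yes. K3s Kubernetes Deploy is completely free under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does K3s Kubernetes Deploy support?
K3s Kubernetes Deploy is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed K3s Kubernetes Deploy?
Developed and maintained by xuelin314-bot (@xuelin314-bot); the current version is v1.0.0.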