Installing k0s
k0s ships everything Kubernetes needs — etcd, containerd, kube-router — as a single binary. You do not pre-install a container runtime or manage kubelet separately. Download the binary, run two commands, and you have a cluster.
Prerequisites
Section titled “Prerequisites”Hardware minimums:
| Role | RAM | CPU |
|---|---|---|
| Controller only | 1 GB | 1 vCPU |
| Worker only | 512 MB | 1 vCPU |
| Single node (controller + worker) | 1 GB | 1 vCPU |
A single-node setup needs roughly 2 GB of disk space. Workers must have at least 15% free disk space. An SSD is recommended.
Kernel requirements: Linux 4.3+ with cgroups v1 or v2. Fedora ships cgroups v2 by default. The kernel needs UTS, IPC, PID, and Net namespaces, plus netfilter and ext4 support. Every stock Fedora kernel has these.
Host binaries: Workers need mount and umount on the host. k0s bundles everything else.
Install the binary
Section titled “Install the binary”curl --proto '=https' --tlsv1.2 -sSf https://get.k0s.sh | sudo shThis places k0s in /usr/local/bin/. If you prefer not to pipe curl to sh, fetch the binary directly:
K0S_VERSION=$(curl -sSf https://docs.k0sproject.io/stable.txt)curl -sSfL "https://github.com/k0sproject/k0s/releases/download/${K0S_VERSION}/k0s-${K0S_VERSION}-amd64" \ -o /usr/local/bin/k0schmod +x /usr/local/bin/k0sVerify the install:
k0s versionOpen firewall ports
Section titled “Open firewall ports”Fedora uses firewalld by default. Open the ports k0s requires:
sudo firewall-cmd --permanent --add-port=6443/tcp # API serversudo firewall-cmd --permanent --add-port=2380/tcp # etcd peerssudo firewall-cmd --permanent --add-port=9443/tcp # k0s join APIsudo firewall-cmd --permanent --add-port=8132/tcp # konnectivitysudo firewall-cmd --permanent --add-port=10250/tcp # kubeletsudo firewall-cmd --permanent --add-port=179/tcp # kube-router BGP
# Trust the CNI bridge so pods can reach the hostsudo firewall-cmd --permanent --zone=trusted --add-interface=kube-bridge
# Enable masquerading for pod egresssudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --reloadOn a dedicated worker node (no control plane), you only need ports 10250 and 179.
Configure SELinux
Section titled “Configure SELinux”Fedora runs SELinux in enforcing mode. Install the container SELinux policy:
sudo dnf install -y container-selinuxThen create a containerd config snippet that enables SELinux labeling inside k0s’s embedded containerd:
sudo mkdir -p /etc/k0s/containerd.dcat <<'EOF' | sudo tee /etc/k0s/containerd.d/selinux.toml[plugins."io.containerd.grpc.v1.cri"] enable_selinux = trueEOFInstall and start the service
Section titled “Install and start the service”Single node (controller + worker on the same machine):
sudo k0s install controller --enable-worker --no-taintssudo k0s start--enable-worker runs a kubelet on the controller node. --no-taints lets workloads schedule there. To use a custom config, add -c /etc/k0s/k0s.yaml.
Dedicated controller (multi-node cluster):
sudo k0s install controller -c /etc/k0s/k0s.yamlsudo k0s startWorker node (joining an existing cluster):
Generate a join token on the controller first:
sudo k0s token create --role worker > join-tokenCopy the token file to the worker, then on the worker:
sudo mkdir -p /etc/k0ssudo cp join-token /etc/k0s/join-tokensudo k0s install worker --token-file /etc/k0s/join-tokensudo k0s startk0s install creates a systemd unit (k0scontroller.service or k0sworker.service) that starts on boot automatically.
Access the cluster
Section titled “Access the cluster”Export the admin kubeconfig to your home directory:
sudo k0s kubeconfig admin > ~/.kube/configchmod 600 ~/.kube/configNow kubectl works without sudo:
kubectl get nodesVerify cluster status
Section titled “Verify cluster status”Check the k0s process:
sudo k0s statusA healthy single-node cluster reports:
Version: v1.35.2+k0s.0Role: controllerWorkloads: trueKube-api probing successful: trueConfirm the node is ready:
kubectl get nodesNAME STATUS ROLES AGE VERSIONvale Ready control-plane 2d3h v1.35.2+k0sThe node reaches Ready within a minute or two of starting. If it stays NotReady, check port 10250 in the firewall and verify kube-bridge is in the trusted zone.
Manage the service
Section titled “Manage the service”Standard systemd commands control k0s:
sudo k0s stopsudo k0s startsudo systemctl status k0scontrollerUninstall
Section titled “Uninstall”sudo k0s stopsudo k0s resetsudo rebootk0s reset removes /var/lib/k0s/, the systemd units, and CNI state. The reboot clears residual firewall rules.