Fedora (Server / Workstation)
This section covers standard, mutable Fedora installations: Fedora Server, Fedora Workstation, Fedora Cloud (AWS, GCP, etc.), and similar spins. If you run Silverblue or any Atomic variant, skip to the next section.
Install the binary
    curl --proto '=https' --tlsv1.2 -sSf https://get.k0s.sh | sudo sh

This drops the k0s binary into /usr/local/bin/. You can verify:

    k0s version

If you prefer not to pipe curl to sh, download the binary directly:

    K0S_VERSION=$(curl -sSf https://docs.k0sproject.io/stable.txt)
    # /usr/local/bin is root-owned, so the download and the chmod both need sudo
    sudo curl -sSfL "https://github.com/k0sproject/k0s/releases/download/${K0S_VERSION}/k0s-${K0S_VERSION}-amd64" \
      -o /usr/local/bin/k0s
    sudo chmod +x /usr/local/bin/k0s

Open firewall ports
Fedora ships firewalld by default. Open the ports k0s needs:

    sudo firewall-cmd --permanent --add-port=6443/tcp   # API server
    sudo firewall-cmd --permanent --add-port=2380/tcp   # etcd peers
    sudo firewall-cmd --permanent --add-port=9443/tcp   # k0s join API
    sudo firewall-cmd --permanent --add-port=8132/tcp   # konnectivity
    sudo firewall-cmd --permanent --add-port=10250/tcp  # kubelet
    sudo firewall-cmd --permanent --add-port=179/tcp    # kube-router BGP

    # Trust the CNI bridge interface so pods can reach the host
    sudo firewall-cmd --permanent --zone=trusted --add-interface=kube-bridge

    # Enable masquerading for pod egress
    sudo firewall-cmd --permanent --add-masquerade

    sudo firewall-cmd --reload

If you run a dedicated worker node (no control plane), you only need ports 10250 and 179.
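The port lists above, turned into a drift check that compares what firewalld has open with what the node's role needs. This is an added example, not part of the k0s documentation; the function name audit_ports and the sample input are made up for illustration.

```shell
#!/bin/sh
# Added example: compare the ports open in a firewalld zone with the
# ports this page lists for the node's role.

# Port sets taken from the page.
CONTROLLER_PORTS="6443/tcp 2380/tcp 9443/tcp 8132/tcp 10250/tcp 179/tcp"
WORKER_PORTS="10250/tcp 179/tcp"

# audit_ports ROLE "OPEN_PORTS"
#   ROLE        controller | worker
#   OPEN_PORTS  space-separated list, as printed by `firewall-cmd --list-ports`
# Prints one finding per line ("missing <port>" or "extra <port>").
# Returns 0 when the open set matches the role, 1 on drift, 2 on a bad role.
audit_ports() {
    local role="$1" open="$2" expected p rc
    rc=0
    case "$role" in
        controller) expected="$CONTROLLER_PORTS" ;;
        worker)     expected="$WORKER_PORTS" ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    # Ports the role needs that are not open.
    for p in $expected; do
        case " $open " in *" $p "*) ;; *) echo "missing $p"; rc=1 ;; esac
    done
    # Ports that are open but not needed by this role.
    for p in $open; do
        case " $expected " in *" $p "*) ;; *) echo "extra $p"; rc=1 ;; esac
    done
    return $rc
}

# Constructed sample: a dedicated worker that still exposes the API server port.
SAMPLE_WORKER_PORTS="10250/tcp 179/tcp 6443/tcp"
audit_ports worker "$SAMPLE_WORKER_PORTS" ||
    echo "worker firewall differs from the documented port set"

# On a live node, feed it the real list instead:
#   audit_ports worker "$(sudo firewall-cmd --list-ports)"
```

Ports you opened on purpose for other software on the same host show up as "extra" and need a manual review rather than automatic removal.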
Handle SELinux
Fedora enables SELinux in enforcing mode. Install the container SELinux policy:

    sudo dnf install -y container-selinux

Then create a containerd config snippet so k0s’s embedded containerd enables SELinux labeling:

    sudo mkdir -p /etc/k0s/containerd.d
    cat <<'EOF' | sudo tee /etc/k0s/containerd.d/selinux.toml
    [plugins."io.containerd.grpc.v1.cri"]
      enable_selinux = true
    EOF

Generate a config (optional)
K0s works without a config file. It applies sensible defaults: etcd for storage, kube-router for CNI, standard CIDRs. If you want to customize, generate the defaults and edit:

    sudo mkdir -p /etc/k0s
    k0s config create | sudo tee /etc/k0s/k0s.yaml

Install and start
Single node (controller + worker):

    sudo k0s install controller --enable-worker --no-taints
    sudo k0s start

The --enable-worker flag runs a kubelet on the same node as the control plane. The --no-taints flag lets workloads schedule on this node. If you pass a custom config, add -c /etc/k0s/k0s.yaml.

Dedicated controller (multi-node cluster):

    sudo k0s install controller -c /etc/k0s/k0s.yaml
    sudo k0s start

Worker node (joins an existing cluster):

First, generate a join token on the controller:

    sudo k0s token create --role worker > join-token

Copy that token to the worker node, then:

    sudo mkdir -p /etc/k0s
    sudo cp join-token /etc/k0s/join-token
    sudo k0s install worker --token-file /etc/k0s/join-token
    sudo k0s start

Verify

    sudo k0s status
    sudo k0s kubectl get nodes

The node should show Ready within a minute or two.

Manage the service
k0s install creates a systemd unit (k0scontroller.service or k0sworker.service). It starts on boot automatically. Standard systemd commands work:

    sudo k0s stop
    sudo k0s start
    sudo systemctl status k0scontroller

Access the cluster
Export the admin kubeconfig:

    # Create ~/.kube first; the redirect fails if the directory does not exist
    mkdir -p ~/.kube
    sudo k0s kubeconfig admin > ~/.kube/config
    chmod 600 ~/.kube/config
    kubectl get nodes