Build a hermetically sealed k3s cluster.
The most secure one you can.
A complete, opinionated field guide to running Kubernetes on your own hardware with seven independent layers of hardening — from the host firmware all the way up to the workloads inside your pods. Written so that even a non-technical reader can follow it, copy the commands, and end up with a genuinely locked-down cluster.
The result: a single small computer (or a few) running a Kubernetes cluster you control with kubectl, where every workload is sandboxed, every byte on disk is encrypted, every packet between pods is encrypted, every action is logged, and an eBPF sensor screams the instant anything behaves unexpectedly. Object storage and volumes are served from an encrypted USB drive you can physically unplug.
The seven layers
Each layer is a standalone chapter with the reasoning, the exact commands, and a plain-English explanation of why. Start at the top and work down, or jump to what you need.
L0 · Host OS
Lock the machine itself: secure boot, kernel lockdown, encrypted disk, host firewall.
L1 · Immutable VM
Run k3s inside a read-only, self-updating OS that can't be tampered with.
L2 · k3s Hardening
Every CIS control: audit logs, restricted Pod Security, RBAC, encrypted secrets.
L3 · Sealed Runtime
Wrap each pod in a sandbox — gVisor or Kata — so a breakout hits a wall.
L4 · Zero-Trust Network
Cilium eBPF, default-deny policy, and an encrypted WireGuard mesh.
L5 · Encrypted Storage
An encrypted USB drive becomes S3 object storage plus container volumes.
L6 · Observability
See everything, always: metrics, logs, and a real-time eBPF threat sensor.
✦ Supply Chain & Secrets
Only signed, scanned images run — and secrets never touch Git in plaintext.
▶ The Build Runbook
The whole thing, start to finish, as copy-paste commands in order.
New to all of this? Read it in order.
This guide assumes nothing. The next three chapters explain what we're defending against and why the architecture looks the way it does, before any commands. If you just want to build, jump straight to the runbook — but the layer chapters are where the understanding lives.