Hardware & Prerequisites

What you need to buy, plug in, and prepare before a single command is run.

This guide builds a real cluster on real hardware. You don’t need a data center — a single small computer and a USB drive is enough to follow every chapter. But the class of hardware you pick decides which security layers are physically possible, so read this page before you spend any money.

ATTACKER PROTECTED CORE L0 Hardened Host OS Ubuntu/Debian · Secure & measured boot · kernel lockdown · LUKS2 · nftables · auditd CIS L1/L2 L1 Immutable VM (KVM) Talos / Flatcar · read-only root · dm-verity · no shell · API-only · sVirt isolation VM SANDBOX L2 CIS-Hardened k3s Audit logging · PSA restricted · RBAC least-priv · secrets encryption · etcd kube-bench L3 Sealed Runtime gVisor / Kata sandbox · seccomp · drop ALL caps · userns · read-only rootfs · distroless PER-POD L4 Zero-Trust Network Cilium eBPF · default-deny · WireGuard encryption · Hubble · FQDN egress · L7 policy DEFAULT DENY L5 Encrypted Storage LUKS2 USB · Garage S3 object · Longhorn/TopoLVM persistent · encrypted ephemeral AT REST L6 Always-On Observability Prometheus · Loki · Tetragon/Falco eBPF detection & enforcement · Trivy · Kubescape WATCHING Your Workload — encrypted, sandboxed, watched
The seven-layer hardened architecture, from host hardware up to your workload.

The one rule that decides everything: can it nest a VM?

Layer 1 of this architecture runs k3s inside an immutable virtual machine, so that even a full compromise of Kubernetes is still trapped inside a throwaway VM. That extra wall only exists if your hardware can run a virtual machine that is itself trustworthy. This splits all hardware into two camps.

A Raspberry Pi cannot run a virtual machine inside a virtual machine. The Pi 5’s processor (Cortex-A76) lacks the ARM nested virtualization extension, which only exists on ARMv8.3 and newer. This isn’t a setting you can switch on — the silicon doesn’t have it. On a Pi we therefore drop the VM layer and run the immutable OS directly on the metal. You still get six of the seven layers.

Important

Think of the VM as a sealed glovebox you do risky work inside. A powerful Intel/AMD machine can put a glovebox inside another glovebox. A Raspberry Pi can only give you one glovebox — still good, just one wall fewer.

In plain English

Two supported hardware classes

Class A — Intel/AMD Class B — Raspberry Pi
Examples Mini-PC (Intel N100/NUC), old laptop, home server Raspberry Pi 5 (8 GB), Pi 4 (4 GB)
Architecture x86-64 ARM64 (aarch64)
Nested VM (Layer 1) Yes full VM isolation No bare-metal immutable OS instead
Hardware sandbox (Kata) Yes with nested=1 Pi 4/5 metal only
gVisor sandbox Yes (systrap) Needs Ubuntu, not Pi OS
TPM2 (sealed disk keys) Usually fTPM/dTPM No real TPM
UEFI Secure Boot Yes Limited / not trustworthy
Full-tier monitoring Yes Light-tier stack

gVisor needs a 48-bit address-space kernel. Raspberry Pi OS ships a 39-bit kernel and gVisor will refuse to start. On a Pi, install Ubuntu Server for ARM instead of Raspberry Pi OS if you want the gVisor sandbox in Layer 3. Plain 64-bit Raspberry Pi OS is fine for everything except gVisor.

Warning
Item Spec Why
Mini-PC 4+ cores, 16 GB RAM, x86-64 with VT-x/AMD-V + nested virt Runs host OS + VM + cluster + full monitoring with headroom
Internal disk 256 GB+ NVMe SSD Host OS + VM image; LUKS2 encrypted
USB drive USB 3.x SSD, 256 GB–1 TB (an SSD, not a flash stick) Encrypted object + volume storage; flash sticks die fast
TPM fTPM enabled in BIOS, or a dTPM module Seals the disk key to the hardware

Class B — the Raspberry Pi build (six layers, bare metal)

Item Spec Why
Raspberry Pi 5 8 GB model strongly preferred 4 GB cannot run Longhorn + full monitoring
Boot media NVMe HAT + NVMe SSD, or high-endurance A2 microSD SD cards wear out under etcd writes
USB drive USB 3.0 SSD Same role: encrypted storage
Cooling Active cooler Sustained crypto + eBPF load runs hot

Do not use a cheap USB flash stick for storage. etcd, container layers, and object storage all write constantly. Consumer flash sticks have no wear levelling for this load and will corrupt within weeks. Use a USB-attached SSD.

Caution

Software prerequisites

You will prepare a fresh OS install in Layer 0. Before that, on your admin machine (your laptop), install the client tools you’ll use to drive the cluster:

On your admin laptop (Linux/macOS)
# kubectl — talk to the cluster
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

# helm — install the security add-ons
curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

# wireguard — the encrypted tunnel you'll use to reach the cluster
sudo apt install -y wireguard            # Debian/Ubuntu

You will never expose the Kubernetes API to the internet. Every kubectl command in this guide travels through a WireGuard tunnel (Layer 4). The cluster’s control port (6443) stays firewalled to the VPN only. Set this expectation now — it shapes every later decision.

Hardened

Network prerequisites

  • A home router you control, ideally able to forward one UDP port for WireGuard.
  • A static internal IP (or DHCP reservation) for the host machine.
  • Optional: a domain name if you want TLS certificates for any service you expose.

What you’ll have when hardware is ready

A freshly wiped machine of either class, a USB SSD plugged in (still empty — we encrypt it in Layer 5), and an admin laptop with kubectl, helm, and wireguard installed. That’s the starting line. The next chapter covers Layer 0 / Host OS hardening — locking down the base operating system before any Kubernetes component touches it.