Host hardening on K3S-based integration

Each time you start K3S, a KUBECONFIG file is created. This file contains the credentials to access the K3S cluster as an administrator. By default, K3S writes it to /etc/rancher/k3s/k3s.yaml. For security reasons, we recommend hardening the host by making the KUBECONFIG file inaccessible to other users. While host hardening is applied to Edge, you cannot connect to the K3S cluster using kubectl or the Edge tools.

By following these steps, you can secure your Edge site to best meet your organization's needs.

Prerequisites

Enable host hardening

  1. Sign into the server that hosts your Edge site with root privileges.
  2. Open the file /etc/systemd/system/k3s.service.env for editing.
  3. Add the following lines to the k3s.service.env file:
    • K3S_KUBECONFIG_OUTPUT=/dev/null
    • K3S_KUBECONFIG_MODE=666

    Note: If the file contains other lines that set other environment variables, do not remove them.

  4. Restart the K3S service: systemctl restart k3s

  5. Check that the KUBECONFIG file is empty: cat /etc/rancher/k3s/k3s.yaml

    Note: K3S actually makes /etc/rancher/k3s/k3s.yaml a symlink to /dev/null.
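The steps above edited by hand can be scripted so that the two variables are added (or later removed) without duplicating them or touching the other lines in k3s.service.env, and so that the result of the restart can be checked. The following is an added example, not part of the product documentation: the functions take the file path as a parameter so they can be exercised on a scratch copy first, and the check accepts either the /dev/null symlink the note describes or an empty regular file.

```shell
#!/bin/sh
# Added example (not from the product docs): idempotently apply or remove the
# K3S hardening variables in a k3s.service.env-style file and verify the result.
# Assumptions: the file holds one KEY=VALUE per line, and the symlink-to-/dev/null
# behaviour described on the page is what K3S produces after the restart.

HARDEN_OUTPUT='K3S_KUBECONFIG_OUTPUT=/dev/null'
HARDEN_MODE='K3S_KUBECONFIG_MODE=666'

# Add the two hardening lines, keeping every other variable and never
# duplicating a line that is already present.
k3s_env_enable_hardening() {
    envfile="$1"
    [ -f "$envfile" ] || : > "$envfile"
    # Make sure the existing content ends with a newline, or the first line we
    # append would be glued onto the last existing variable.
    [ -z "$(tail -c1 "$envfile")" ] || echo >> "$envfile"
    for line in "$HARDEN_OUTPUT" "$HARDEN_MODE"; do
        grep -qxF "$line" "$envfile" || printf '%s\n' "$line" >> "$envfile"
    done
}

# Remove only the two hardening lines; other variables stay untouched.
# Written to a temp file and moved into place rather than using sed -i, which
# differs between GNU and BSD.
k3s_env_disable_hardening() {
    envfile="$1"
    tmp="$(mktemp)"
    grep -vxF -e "$HARDEN_OUTPUT" -e "$HARDEN_MODE" "$envfile" > "$tmp" || true
    mv "$tmp" "$envfile"
}

# Number of hardening lines present in the file (0, 1 or 2).
k3s_env_hardening_count() {
    grep -cxF -e "$HARDEN_OUTPUT" -e "$HARDEN_MODE" "$1" 2>/dev/null || true
}

# Return 0 when the admin KUBECONFIG has been neutralised: either the path is
# a symlink to /dev/null (what K3S does once K3S_KUBECONFIG_OUTPUT points there)
# or it is an empty regular file.
kubeconfig_is_disabled() {
    path="$1"
    if [ -L "$path" ] && [ "$(readlink "$path")" = "/dev/null" ]; then
        return 0
    elif [ -f "$path" ] && [ ! -s "$path" ]; then
        return 0
    else
        return 1
    fi
}

# On the Edge host, as root:
#   k3s_env_enable_hardening /etc/systemd/system/k3s.service.env
#   systemctl restart k3s
#   kubeconfig_is_disabled /etc/rancher/k3s/k3s.yaml && echo "KUBECONFIG disabled"
```

Run the enable function twice on the same file and it still leaves exactly two hardening lines, which is the property you want from a step that may be re-run by a configuration tool after every Edge upgrade.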

To further increase the security of your server, you can prevent connections to K3S from other sources than localhost.

Limit access to the following ports from anywhere other than localhost:

  Protocol   Port    Description
  TCP        6443    Kubernetes API Server
  TCP        10250   Kubelet metrics

The following iptables rule set prevents access to the ports listed in the table. Because the rules are kept in a saved iptables configuration rather than applied ad hoc, they persist across Edge upgrades and reboots. Before applying these rules, confirm with your security team that this process and the filtering tools meet your organization's compliance requirements.

# iptables-save format; load with: iptables-restore < <file>
# The user chain is named edge-hardening: iptables chain names may not contain spaces.
*filter
:INPUT ACCEPT [0:0]
:edge-hardening - [0:0]
-A INPUT -j edge-hardening
# keep replies to connections the host itself opened
-A edge-hardening -m state --state RELATED,ESTABLISHED -j ACCEPT
# keep SSH reachable
-A edge-hardening -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# API server and kubelet: allow loopback and the pod bridge, drop everything else
-A edge-hardening -j ACCEPT -i lo -p tcp -m multiport --dports 6443,10250
-A edge-hardening -j ACCEPT -i cni0 -p tcp -m multiport --dports 6443,10250
-A edge-hardening -j DROP -p tcp -m multiport --dports 6443,10250
COMMIT
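The rule set above only works if the chain name is a valid single token and if the two ACCEPT exceptions stay ahead of the DROP; a persisted file that gets these wrong either fails to load at boot (leaving the ports open) or locks local tooling and pods out of the API server. The following added example, which is not the product's own tooling, generates the rule set from parameters, validates the chain name, checks the ordering, and loads the file through iptables-restore's dry run before committing it. It assumes the chain is called edge-hardening, that the pod bridge is cni0 as on the page, and that the rules are persisted in /etc/iptables/rules.v4, the file the Debian/Ubuntu iptables-persistent package restores at boot; adjust RULES_FILE for other distributions.

```shell
#!/bin/sh
# Added example, not part of the product documentation: generate, validate and
# load the Edge hardening rule set. Assumptions: chain name edge-hardening, pod
# bridge cni0, persistence via /etc/iptables/rules.v4 (iptables-persistent).

EDGE_CHAIN="${EDGE_CHAIN:-edge-hardening}"
K3S_PORTS='6443,10250'
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# A chain name must be a single token of at most 28 characters, or
# iptables-restore rejects the whole file and nothing gets filtered.
valid_chain_name() {
    case "$1" in
        ''|*[[:space:]]*) return 1 ;;
    esac
    [ "${#1}" -le 28 ]
}

# Print the rule set in iptables-save format. Order matters: the loopback and
# cni0 ACCEPTs must precede the final DROP, otherwise kubectl on the host and
# the pods themselves lose the API server.
edge_hardening_rules() {
    valid_chain_name "$EDGE_CHAIN" || return 1
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:$EDGE_CHAIN - [0:0]
-A INPUT -j $EDGE_CHAIN
-A $EDGE_CHAIN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A $EDGE_CHAIN -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A $EDGE_CHAIN -i lo -p tcp -m multiport --dports $K3S_PORTS -j ACCEPT
-A $EDGE_CHAIN -i cni0 -p tcp -m multiport --dports $K3S_PORTS -j ACCEPT
-A $EDGE_CHAIN -p tcp -m multiport --dports $K3S_PORTS -j DROP
COMMIT
EOF
}

# 1-based line number of the first rule matching a pattern; used to confirm
# that the ACCEPT exceptions come before the DROP.
rule_line() {
    edge_hardening_rules | grep -n -- "$1" | head -n1 | cut -d: -f1
}

# Persist the rules, validate them with the kernel-side dry run
# (iptables-restore --test), then load them. Needs root and iptables.
apply_edge_hardening() {
    edge_hardening_rules > "$RULES_FILE" || return 1
    iptables-restore --test < "$RULES_FILE" || return 1
    iptables-restore < "$RULES_FILE"
}

# After loading: the packet counters on the DROP line show whether anything
# off-host is still reaching for the API server or kubelet ports.
show_edge_hardening() {
    iptables -L "$EDGE_CHAIN" -n -v
}
```

On the Edge host, as root, run apply_edge_hardening once and then show_edge_hardening; a rising counter on the DROP rule is the signal that a remote client is being filtered, which is what you would expect to see while confirming the hardening with your security team.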

Disable host hardening

  1. Sign into the server that hosts your Edge site with root privileges.
  2. Open the file /etc/systemd/system/k3s.service.env for editing.
  3. Remove the following lines from the k3s.service.env file:
    • K3S_KUBECONFIG_OUTPUT=/dev/null
    • K3S_KUBECONFIG_MODE=666
  4. Restart the K3S service: systemctl restart k3s
  5. Check if the KUBECONFIG file is empty: cat /etc/rancher/k3s/k3s.yaml
  6. Comment out any undesired restrictions in iptables.
  7. Restart iptables.
