Is Using Rootless k3s Worth the Extra Effort?

Asked By TechieNomad42 On

I'm setting up a home lab with k3s on Proxmox because I want to learn Kubernetes and improve my skills. I plan to scale my setup, even deploying some nodes at friends' and family's places. I'm also open-sourcing my Terraform, Ansible, and Helm charts to showcase my work for future job opportunities. I'm doing everything from scratch, relying only on documentation and online resources. My main question is: is it worth running k3s as a non-root user? I'm concerned about security since my nodes won't access other network resources. While I see the potential issue of container breakout attacks, my services aren't publicly accessible. What do you all think?

5 Answers

Answered By HomelabHustler23 On

For most homelab setups, rootless k3s creates way more headaches than it's worth. You can achieve better security and management through node isolation, network policies, and robust RBAC settings rather than going rootless. If your goal is to learn and boost your resume, you’ll gain much more by focusing on stable networking and security patterns than wrestling with rootless issues.

Answered By DevOpsDiva7 On

Rootless mode is typically used when you absolutely can't run as root. Unless it's your last resort, I wouldn't recommend it—it just complicates things unnecessarily.

Answered By CloudWizard1 On

Honestly, I don't think it's really worth it. You can easily restrict containers to non-root, but trying to make k3s run without root adds a lot of complexity for minimal advantages. It can be a hassle for limited gain.
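
The "restrict containers to non-root" approach mentioned in the answer above, as an added example that is not part of the original answer: a namespace that enforces the Kubernetes `restricted` Pod Security Standard, plus a workload that satisfies it. The namespace name, workload name, UID and image are placeholders.

```yaml
# Added example. All names, the UID and the image are constructed placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: homelab-apps                  # hypothetical namespace
  labels:
    # Pod Security Admission: reject pods that violate the "restricted" profile
    pod-security.kubernetes.io/enforce: restricted
    # Also surface a warning to the client at apply time
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-web                      # hypothetical workload
  namespace: homelab-apps
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-web
  template:
    metadata:
      labels:
        app: demo-web
    spec:
      # No API token in the pod unless the app actually talks to the API server
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true            # kubelet refuses to start a UID 0 container
        runAsUser: 10001
        runAsGroup: 10001
        seccompProfile:
          type: RuntimeDefault        # container runtime's default syscall filter
      containers:
        - name: web
          image: registry.example.com/demo-web:1.0   # placeholder image
          securityContext:
            allowPrivilegeEscalation: false          # blocks setuid-style escalation
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
```

With the `enforce` label in place, a pod in this namespace that asks for `privileged: true`, a host namespace, or a root UID is rejected at admission, so the control applies per namespace while k3s itself keeps running as root.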

Answered By HomeLabGuru88 On

From my experience, the rootless setup didn’t go as smoothly as I hoped. I ran into issues even with basic services like HomeAssistant and faced challenges with GPU support and other integrations. For my needs, regular k3s works perfectly. I think enterprises focus more on effective node isolation rather than running rootless configurations.

Answered By K8sExplorer99 On

Skip the rootless version if you can. It works, but only on a single node with lots of networking limitations due to strict isolation. Enterprises usually prioritize practical installations, often running multiple privileged pods for monitoring. It’s best to run k3s as it’s intended and just figure out your security policies from there.

K8sMaintainer44 -

As a maintainer, I'd say that 'normal' setups really depend on your use case. For on-prem clusters, something like Talos can be viable, but I think folks are still figuring out how dedicated distributions like that fit into broader deployments.
