Pi4 Microk8s Cluster

Raspberry Pi Micro Kubernetes Cluster

Raspberry Pis are lots of fun. Here is another example - I've decided to make small Kubernetes cluster with my Raspberry Pi4s. Here is how it started.

When Pi4 came out first I've got two: 2GB version and 4GB version. 4GB version was supposed to be my Raspberry Pi (Linux) desktop computer while 2GB version was supposted to go in next robot - like this one. Unfortunately due to various circumstances, 2GB version stayed at shelf until I passed it to my son to host his Java based Discord Bots on it (as replacement to his old Orange Pi - Orange Pi had more memory to start with).

And then Pi4 with 8GB came and shifted all one step down: 8GB version become full desktop with 64bit Raspberry Pi OS, and 4GB was 'demoted' to potential server. And then the idea occurred to me:

Why not make small cluster of Raspberry Pis!

That would achieve several different things at the same time:

  • Promote Raspberry Pi
  • Learn about Kubernetes
  • Move all our 'server side' services to one, manageable place
  • Move all our 'server side' into DMZ

And by 'server side' services I mean - Inbound SMTP and IMAP servers (*) - Discord Bots - File server - Local Pi Camera aggregator web server - Why not adding home automation data collection (ingestion) into some small local data lake for further analysis?

(*) some 14-15 years ago I decided it is easier to make Java implementation of (inbound) IMAP and IMAP servers (on my Spring based app server) in Java than learn how to configure existing software to do the same.

Note: This blog post is not 'how to' recipe - more like (not complete) recording of the journey I've been through. And reminder if I need to do it again!


Since already have 2GB and 4GB versions of Pi4, adding another 4GB version would make a nice master/workers setup.

So, it ended up with:

1 x Raspberry Pi 4 with 2GB ~ £34.00
2 x Raspberry Pi 4 with 4GB ~ £104.00
3 x Fanshim ~ £30
1 x Intel 660p 512GB M.2 NVMe SSD ~ £70.00
1 x USB M.2 Enclosure M-Key (ebay) ~ £14.00
1 x Short USB3 Type A cable (ebay) ~ £ 4.50
1 x Anker Powerport 60W 6-Port USB Charger (ebay) ~ £19.00
5 x 20cm USBC to USBA power cable (ebay) ~ £9.00
1 x NETGEAR GS308 8 Port Smart Switch ~ £28.00
Total: ~ £315


SSD and enclosure I already had from my desktop pi (I've got another, 1TB for 8GB Pi4 version), short network cables I taught muy son how to crimp himself, 2GB and 4GB Raspberry Pi 4s were already at hand and power supply, switch and another Raspberry Pi 4 were that expensive on their own.

Plus, we had offcut of 12mm plywood in the shed - just asking for DIY projects.


I've put several constraints on myself - for no particular reason but because it seemed reasonable.

  • It should be on Raspberry Pi OS (why not - why not just promote Raspberry Pi in every sense)
  • I shouldn't pay for 3 SD cards if I can boot of SSD and network (*)
  • Master node should act as docker repository, maybe some other repos and a file server dedicated for the cluster
  • No extra DHCPs should be installed (if it can be avoided)
  • No per service changes on local router should be expected (except port forwarding and/or maybe local lan DNS) (**)

(*) SSD in the worse case scenario has throughput of 2000Mbit/s, gigabit ethernet has maximum of 1000Mbit/s, ordinary SD cards around 200-500Mbit/s (I know there are 1000Mbit/s or better SDs, too) - so, reasoning is that if everything is on network, there'll be contention of around 1/3 of 1 Gbit/s - which is still in range of most SD cards anyway.

(**) Nice to have is for master to proxy all network so services are seen on static IP or domain name, so no need for one to know which particular worker node service is running. Even nice would be for same constraint to say but handing of where is which service to be in router and all of that managed/orchestrated by the cluster itself.


There are a few options how to install Kubernetes to Raspberry Pi and Microk8s seemed the simplest: it is installed by snap and there are virtually no other need for any configuration and/or setup.

But, it works on 64bit OS only and most (if not all) online how-tos are deployed on 64bit Ubuntu or similar, but as I stated before - since 64bit Raspberry Pi OS is available (even though it is in beta at the time of this blog post) - so why not!

NFS, TFT and PXE (network) booting

First fail in all the setup was booting of SSD. JMicron's chipset (152d:0562) and Raspberry Pi booting didn't like each other and in order to move on I've just brushed it aside. Some old, semi broken SD which can hold vfat boot partition was enough to boot the rest from SSD. Not a big deal. JMicron chipset seemed like it needed quirk mode set and at the end provided with 2000Mbit/s throughput which was acceptable.


Setting up TFT was easier - there's tftpd-hpa package already in the repo and by default configuration it already points to /srv/tftp.

sudo apt install tftpd-hpa

Only thing I've changed in /etc/default/tftpd-hpa was to add --verbose (really good for debugging) in `TFTP_OPTIONS':

TFTP_OPTIONS="--secure --verbose"

Main issue with tftpd-hpa was the service being brought up at the start up. It has an entry in /etc/init.d/tftpd-hpa and no matter what I tried (as explained here) it just didn't work (probably my fault) until I caved in and did the dirtiest solution and added sleep 10s to /etc/init.d/tftpd-hpa in do_start() function just before:

start-stop-daemon --start --quiet --oknodo --exec $DAEMON -- \
        --listen --user $TFTP_USERNAME --address $TFTP_ADDRESS \

Also, as per Raspberry Pi Network Boot Documentation and Pi 4 Bootloader Configuration I've created directories under /srv/tftp/ with mac addresses of workers (which I have previously, just for a good measure and easier debug, assigned to static IPs on local router). For instance: /srv/tftp/dc-a6-32-09-21-c1. Warning: somewhere in documentation it showed that directory with mac address name should have upper case letters, but that was wrong.

Those directories would populated with content of /boot partition of 64bit Raspberry Pi OS image. Only change needed there was in cmdline.txt (as per above documentations):

console=serial0,115200 console=tty1 root=/dev/nfs nfsroot=<master-node-IP>:/srv/nfs/cluster-w<worker-number>,vers=3 rw ip=dhcp rootwait cgroup_enable=memory cgroup_memory=1 elevator=deadline

That way I can have as many worker nodes booting separately from the same server.


Luckily there's nfs-kernel-server package:

sudo apt install nfs-kernel-server

which needs /etc/exports updated. I've added following:

/srv/k8s/volumes,sync,no_subtree_check,no_root_squash) srv/nfs/cluster-w2 (rw,sync,no_subtree_check,no_root_squash) /srv/nfs/cluster-w3 (rw,sync,no_subtree_check,no_root_squash)

/srv/tftp/dc-a6-32-09-21-c1 (rw,sync,no_subtree_check,no_root_squash) /srv/tftp/dc-a6-32-7a-3b-c1 (rw,sync,no_subtree_check,no_root_squash)

Also, as you can see from the paths, I've created /srv/tfpt/cluster-w<worker number> directories where I copied root partition from OS image:

rsync -xa --progress --exclude /boot / /srv/nfs/cluster-w2

From there I had to update /srv/nfs/cluster-w2/etc/fstab to something like:

proc            /proc           proc    defaults          0       0
<master-node-ip>:/srv/tftp/dc-a6-32-09-21-c1 /boot nfs defaults,vers=3 0 0

and update /srv/nfs/cluster-w2/etc/hostname accordingly. Cannot remember if there was anything else needed at this point.

PXE boot and firmware EEPROM update

As per Pi 4 Bootloader Configuration, I've created separate SD card to configure existing Pis for network booting and followed their instructions. The only major difference was that I decided not to use DHCP server (yet, another one inside of network that already has one) but TFTP_IP config parameter. So I've amended bootconf.txt to look like this:


and that was enough for worker nodes to boot off master's TFTP and NFS. Of course I had to repeat the process with booting worker nodes with SD card, updating EEPROM before they booted off the server. Enabling --verbose to tftpd-hpa was helpful - each time I didn't do something right I was able check how far it has gone...

Micro Kubernetes

As I originally said - it was supposed to be zero conf, easy to install. So:

sudo apt install snapd
sudo snap install microk8s --classic

Next to microk8s I've installed docker and added pi user to both docker and microk8s groups:

apt install docker docker.io

sudo usermod -aG docker pi
sudo usermod -aG microk8s pi
sudo chown -f -R pi ~/.kube

On all three Raspberry Pis (master and workers) I've got Microk8s running. But, as separate, stand-alone node. Adding nodes to master (control plane) is really easy with microk8s too:

microk8s add-node

on master node and as per output of above instruction microk8s join xxx on workers.

Also, I've got down some gotchas as well. The worse was when I tried to exclude master node from scheduling and left cluster from it:

microk8s leave

from master node. Strangely enough - all continued to work well but logs were spammed with errros. See here.

To avoid master being used as node in the cluster (as it has only 2GB memory and is meant for other things) I've dropped down to only cordon it:

kubectl cordon <master node name>

(master node name was retrieved with kubectl get nodes)

But, that's not enough. containerd was failing due to some issues with snapshotting. After more research I've got to two conclusion:

  • containerd needs snapshot being set to native
  • kernel must support cgroup's cpu.cfs_period_us and cpu.cfs_quota_us

First is easy to be fixed. In /var/snap/microk8s/current/args/containerd-template.toml I've changed

snapshotter = "${SNAPSHOTTER}"


snapshotter = "native"

As for second problem...

64bit Raspberry Pi OS Kernel Support for CPU CFS_BANDWIDTH

I've discovered that original kernel doesn't have CONFIG_CFS_BANDWIDTH set. Error was:

Error: failed to create containerd task: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"process_linux.go:415: setting cgroup config for procHooks process caused \\\"failed to write \\\\\\\"100000\\\\\\\" to \\\\\\\"/sys/fs/cgroup/cpu,cpuacct/kubepods/besteffort/pod0eddb508-c21d-4e81-a744-2c37a7f0e4e1/nginx/cpu.cfs_period_us\\\\\\\": open /sys/fs/cgroup/cpu,cpuacct/kubepods/besteffort/pod0eddb508-c21d-4e81-a744-2c37a7f0e4e1/nginx/cpu.cfs_period_us: permission denied\\\"\"": unknown

This issue helped me to understand what is needed - CONFIG_CFS_BANDWIDTH=y in kernel config.

So, next was to recompile kernel so Kubernetes can work. I've followed original Pi documentation for [Kernel building] (https://www.raspberrypi.org/documentation/linux/kernel/building.md) and got it relatively painlessly done on my desktop pi (and master node - whichever is more convenient).

Things I've learned in the process:

  • run make bcm2711_defconfig before adding (uncommenting) CONFIG_CFS_BANDWIDTH=y in .config file
  • use ARCH=arm64 make -j4 Image.gz modules dtbs for make instruction (see ARCH=arm64)
  • result is in ./arch/arm64. For instance ./arch/arm64/boot/Image (64bit kernel image mustn't be compressed).

Installing kernel was as simple as copying ./arch/arm64/boot/Image to /boot/kernel8.img (and on my SD card on master node) and /srv/tftp/<mac-address>/kernel8.img, copying overlays to /boot/ and /srv/tftp/<mac-address>/ as per above documentation and copying modules. I've installed them copying whole built kernel source and result to master using sudo make modules_install and then copied them from /lib/modules/<new modules dir>-v8+ to /srv/nfs/cluster-w<worker-no>/lib/modules/.

I'm sure there are easier ways to do all of it. But in general - just installed newly built kernel to master node and all workers (by copying appropriate files to local SSD's root FS).

After booting all again, I've got /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us and /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us appearing, so containerd started running properly.

Now back to microk8s config...

Microk8s, again

Microk8s provides really nice diagnostics with:

microk8s inspect


One of the thing that came out of it is setting up iptables - output of the instruction is going to enough. But, those changes never persisted on Raspberry Pi (debian based) OS. In order to make them stay (FORWARD ACCEPT) /etc/sysctl.conf needs to have net.ipv4.ip_forward=1 uncommented.

Up to this stage I've got microk8s running and scheduling containers on worker nodes, but not master and all log files (/var/log/syslog) on master and workers are not spammed with errors constantly.

Metal Load Balancer

Next was to sort out other constraints. First was accessing services (deployments, pods) seamlessly. After some more research I've learnt in order to have LoadBalancer service working under Microk8s one needs to 'enable' metallb (and here).

But, for it to work, it needs to be configured in such way that local router (Draytek 2960 in my case) knows about it and metallb can access router's BGP (Broad Gateway Protocol), too. So, I've created metallb-conf.yaml:

apiVersion: v1
kind: ConfigMap
  namespace: metallb-system
  name: config
  config: |
    - peer-address:
      peer-asn: 100
      my-asn: 200
    - name: default
      protocol: layer2

In my router I've set neighbour with ASN '200' and configured it to have its own ASN as '100'. This config assigns range from to metallb to use.


Next was to 'install' Microk8s dashboard:

microk8s enable dashboard

and added new config dashboard-lb-service.yaml to expose it locally on 'static' IP (which I associated domain name in the router):

kind: Service
apiVersion: v1
  namespace: kube-system
  name: kubernetes-dashboard-lb-service
    - name: http
      protocol: TCP
      port: 443
      targetPort: 8443
    k8s-app: kubernetes-dashboard
  type: LoadBalancer
  externalTrafficPolicy: Cluster

It will expose HTTPS port on (invented IP address) on that lan.


Enabling storage was easy:

microk8s enable storage

After that I could easily create persistent volume on nfs just by (for example):

apiVersion: v1
kind: PersistentVolume
  name: cameras-website-nfs
    storage: 110Mi
    - ReadWriteMany
  storageClassName: nfs
    server: <master-node-ip>
    path: "/srv/k8s/volumes/cameras-website"

Remeber that I had


in /etc/exports file - exposing /srv/k8s/volumes directory (and all sub directorties) to (only) worker nodes and other machines in given IP range.

Local Registry

Microk8s has helper config for setting up docker repo on local nodes and can be easily added by:

microk8s enable registry

but, unfortunately, it uses hostPath to store persistent volume, which means it is only on local filesystem and is removed when pod is removed. I wanted something more persistent and to know where images are stored. So, I've copied /snap/microk8s/current/actions/registry.yaml to home dir and amended it a bit. First I've added registry-nfs-storage.yaml:

apiVersion: v1
kind: PersistentVolume
  name: registry-nfs
    storage: 50Gi
    - ReadWriteMany
  storageClassName: nfs
    server: <master-node-ip>
    path: "/srv/k8s/volumes/registry"

and amended registry.yaml:

kind: PersistentVolumeClaim
apiVersion: v1
  name: registry-claim
  namespace: container-registry
    - ReadWriteMany
  volumeMode: Filesystem
  volumeName: registry-nfs
  storageClassName: nfs
      storage: 40Gi

(see - added volumeName and changed storageClassName). When applied both:

kubectl apply -f registry-nfs-storage.yaml
kubectl apply -f registry.yaml

Now I was able to delete and re-install deployment for registry and play with all without need to push new image to that registry again and again. BTW as registry is deployed with nodePort service it is simultaneously available on all nodes including master node. So, to push the new docker image I've followed this:

docker build --tag test:1.0
docker images
docker tag 660ab765ee5c cluster-master:32000/test:1.0
docker push cluster-master:32000/test

where cluster-master is domain name associated with my master node.

Sundry setup

You might have noticed that I never typed:


as many tutorials suggest. I've created ~/.bash_kubectl_autocompletion.sh file by:

microk8s.kubectl completion bash > ~/.bash_kubectl_autocompletion.sh

and added

if [ -f ~/.bash_kubectl_autocompletion.sh ]; then
    . ~/.bash_kubectl_autocompletion.sh

to the end of ~/.bashrc

After that I can use kubectl only plus I have completion after using kubectl. Most noticeably namespaces and deployments.aps and pods are autocompleted, too.

More Gotchas And How To Fix Them

For some reason I've got many issues (mostly involving flanneld and etcd) and one particular error I fixed by starting microk8s as root (even though user pi is in microk8s group).

sudo microk8s start


microk8s.daemon-flanneld[7605]: Error:  dial tcp: lookup none on no such host
microk8s.daemon-flanneld[7605]: /coreos.com/network/config is not in etcd. Probably a first time run.
microk8s.daemon-flanneld[7605]: Error:  client: etcd cluster is unavailable or misconfigured; error #0: dial tcp: lookup none on no such host
microk8s.daemon-flanneld[7605]: error #0: dial tcp: lookup none on no such host

error (as seen in /var/log/syslog)...

Also, at some point workers developed:

microk8s.daemon-flanneld[2697]: E0802 17:49:17.214741    2697 main.go:289] Error registering network: failed to configure interface flannel.1: failed to ensure address of interface flannel.1: link has incompatible addresses. Remove additional addresses and try again

for some reason. After another research using favourite search engine I've got to:

sudo ip link delete flannel.1

which just fixed it. flanneld

Last error I wrestled with was with containerd on one of the worker nodes complaining that it cannot remove container:

Aug  3 21:05:28 cluster-w3 microk8s.daemon-containerd[25774]: time="2020-08-03T21:05:28.176028102+01:00" level=error msg="RemoveContainer for \"24fc0a559670740d79d6a9b9f5dcef5b44444b0fbb69fc7d7fe20324fdaa7e34\" failed" error="failed to 
remove volatile container root directory \"/var/snap/microk8s/common/run/containerd/io.containerd.grpc.v1.cri/containers/24fc0a559670740d79d6a9b9f5dcef5b44444b0fbb69fc7d7fe20324fdaa7e34\": unlinkat /var/snap/microk8s/common/run/containe
rd/io.containerd.grpc.v1.cri/containers/24fc0a559670740d79d6a9b9f5dcef5b44444b0fbb69fc7d7fe20324fdaa7e34/io/009844907/.nfs00000000018e17850000003e: device or resource busy"
Aug  3 21:05:28 cluster-w3 microk8s.daemon-kubelet[459]: E0803 21:05:28.176924     459 remote_runtime.go:261] RemoveContainer "24fc0a559670740d79d6a9b9f5dcef5b44444b0fbb69fc7d7fe20324fdaa7e34" from runtime service failed: rpc error: cod
e = Unknown desc = failed to remove volatile container root directory "/var/snap/microk8s/common/run/containerd/io.containerd.grpc.v1.cri/containers/24fc0a559670740d79d6a9b9f5dcef5b44444b0fbb69fc7d7fe20324fdaa7e34": unlinkat /var/snap/m
icrok8s/common/run/containerd/io.containerd.grpc.v1.cri/containers/24fc0a559670740d79d6a9b9f5dcef5b44444b0fbb69fc7d7fe20324fdaa7e34/io/009844907/.nfs00000000018e17850000003e: device or resource busy
Aug  3 21:05:28 cluster-w3 microk8s.daemon-kubelet[459]: E0803 21:05:28.177137     459 kuberuntime_gc.go:143] Failed to remove container "24fc0a559670740d79d6a9b9f5dcef5b44444b0fbb69fc7d7fe20324fdaa7e34": rpc error: code = Unknown desc 
= failed to remove volatile container root directory "/var/snap/microk8s/common/run/containerd/io.containerd.grpc.v1.cri/containers/24fc0a559670740d79d6a9b9f5dcef5b44444b0fbb69fc7d7fe20324fdaa7e34": unlinkat /var/snap/microk8s/common/ru
n/containerd/io.containerd.grpc.v1.cri/containers/24fc0a559670740d79d6a9b9f5dcef5b44444b0fbb69fc7d7fe20324fdaa7e34/io/009844907/.nfs00000000018e17850000003e: device or resource busy

The rest of the cluster was fine and no issues were seen but the logs that were swamped with errors as above. Fix for it was to temporarily stop containerd and remove offending directories. Note: there was more than one that failed so I needed to pick them all from the logs and do:

sudo systemctl stop snap.microk8s.daemon-containerd.service
# there might be more than one failing container!
rm -rf /var/snap/microk8s/common/run/containerd/io.containerd.grpc.v1.cri/containers/24fc0a559670740d79d6a9b9f5dcef5b44444b0fbb69fc7d7fe20324fdaa7e34
rm -rf /var/snap/microk8s/common/run/containerd/io.containerd.grpc.v1.cri/containers/24fc0a559670740d79d6a9b9f5dcef5b44444b0fbb69fc7d7fe20324fdaa7e34
rm -rf /var/snap/microk8s/common/run/containerd/io.containerd.grpc.v1.cri/containers/24fc0a559670740d79d6a9b9f5dcef5b44444b0fbb69fc7d7fe20324fdaa7e34
sudo systemctl start snap.microk8s.daemon-containerd.service

Physical Realisation

As per my son's idea - we've mounted all on the board and hanged it on the wall:

Raspberry Pi Micro Kubernetes Cluster

Raspberry Pi Micro Kubernetes Cluster

Small USB3 extension cable is to be added to the picture. Also, as you can see there's speace for the 3rd worker and some spaces next to the switcha nd power adapter - for future expansions.

Extras - Network Configuration

As a bonus, I've decided to move whole cluster to 'dmz-lan'. I've dedicated whole port on the Draytek router for it, configured separate network (lan on with inside of it for 'static' IP dedicated to particular services) and set firewall filtering so my home network (lan) can access DMZ one but not otherway round. Except for carefully selected services and only when needed.


This exercise lasted slightly longer than a week and produced nice, small, manageable kubernetes cluster. Ideal for playtesting different solutions and such. It has scope for extension and aside of academic purpose will serve real life purpose - run various containers with services used daily.


Comments powered by Disqus