Managed Kubernetes is wonderful — and for a small team shipping a handful of services, it can also be overkill that you pay for per hour, per cluster, forever. k3s is a fully conformant Kubernetes distribution that strips out the legacy bits and runs the control plane in a single binary. On GCP, with Rancher in front, it gives small teams a real platform without the managed-tier tax.

The topology

The shape that has served me well:

# install a k3s server, no traefik (we bring our own ingress).
# --write-kubeconfig-mode 644 leaves /etc/rancher/k3s/k3s.yaml (cluster-admin
# credentials) readable by every local user on the node; fine for a single-admin
# box, tighten it if anyone else can log in.
# --tls-san adds the node's primary IP to the API server certificate so a
# kubeconfig pointing at that IP validates without warnings.
curl -sfL https://get.k3s.io | sh -s - server \
  --disable traefik \
  --write-kubeconfig-mode 644 \
  --tls-san $(hostname -I | awk '{print $1}')

Disabling the bundled Traefik is a personal preference — I’d rather run an ingress I version-control alongside everything else than inherit one I didn’t choose.

Secrets that survive a public repo

The moment you commit to GitOps, you need an answer for secrets. Mine is SOPS encrypting with AGE keys. Secrets live in the repo, encrypted; the AGE private key lives only in the cluster and in a vault. A leaked repo is an inconvenience, not an incident.

# encrypt a manifest, writing the ciphertext to a new file;
# commit secret.enc.yaml and never the plaintext secret.yaml
sops --encrypt --age "$AGE_PUB" \
  --encrypted-regex '^(data|stringData)$' \
  secret.yaml > secret.enc.yaml

Note on AGE over PGP: no keyring archaeology, no expiry surprises, and one short public key you can paste into CI. SOPS treats it as a first-class backend.

TLS done properly, including for IoT

For an IoT platform, “TLS” isn’t enough — devices need to prove who they are. On the MQTT broker (EMQX) I ran mutual TLS with ECDSA certificates over TLS 1.3: the broker authenticates the device and the device authenticates the broker. ECDSA keeps the handshake light enough for constrained hardware, which matters when you have thousands of them.
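To make the two halves of that handshake concrete, here is an added example (my own, not code from the original post and not EMQX's configuration): a throwaway ECDSA P-256 PKI built with openssl, with the broker-side check (does this device certificate chain to the fleet CA?) and the device-side check (does the broker certificate?) run as plain `openssl verify` calls. The fleet CA, broker and device names, the rogue CA, and the working directory are all constructed for the demo; it assumes only that openssl 1.1.1 or 3.x is on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: build a tiny ECDSA P-256 PKI
# with openssl and run the two checks a mutual-TLS handshake performs, so the
# fleet-CA / broker / device roles are concrete. Assumes openssl (1.1.1 or 3.x)
# on PATH; every name and path here is constructed for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config: an empty DN section (subjects come from -subj) and a
# CA extension profile, so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$WORK/openssl.cnf"

# new_ec_key FILE : ECDSA key on P-256, the curve that keeps the handshake
# cheap enough for constrained devices
new_ec_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# make_ca NAME : self-signed CA certificate and key under $WORK
make_ca() {
  new_ec_key "$WORK/$1.key"
  openssl req -x509 -new -config "$WORK/openssl.cnf" -extensions v3_ca \
    -key "$WORK/$1.key" -sha256 -days 365 -subj "/CN=$1" -out "$WORK/$1.crt"
}

# issue CA NAME : leaf certificate for NAME signed by CA (90-day lifetime)
issue() {
  new_ec_key "$WORK/$2.key"
  openssl req -new -config "$WORK/openssl.cnf" -key "$WORK/$2.key" \
    -subj "/CN=$2" -out "$WORK/$2.csr"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 90 -sha256 -out "$WORK/$2.crt" 2>/dev/null
}

# verify_chain CA LEAF : succeeds only if LEAF chains to CA. This is what the
# broker does with a device cert (verify_peer) and what the device does with
# the broker cert; the curve does not matter to the check, the chain does.
verify_chain() { openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; }

# build_demo_pki : one fleet CA with a broker and a device, plus a rogue CA and
# a device it issued, to show an untrusted identity being refused
build_demo_pki() {
  make_ca fleet-ca
  issue fleet-ca broker.fleet.internal
  issue fleet-ca device-0001
  make_ca rogue-ca
  issue rogue-ca device-rogue
}

build_demo_pki
verify_chain fleet-ca device-0001 && echo "device-0001: accepted by fleet CA"
verify_chain fleet-ca device-rogue || echo "device-rogue: refused, not issued by fleet CA"
```

The same chain check is what `verify_peer` plus a `cacertfile` of the fleet CA gives you on the broker listener, and what pinning the fleet CA in device firmware gives you on the other side.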

When not to do this

This topology trades managed convenience for control and cost. If you have the budget and want node upgrades, etcd backups and the API server to be someone else’s pager — use the managed offering. Choose k3s when the team is small, the spend matters, and you actually want to understand the platform you operate.

The best cluster is the one your team can reason about at 3am. Sometimes that’s managed. Sometimes it’s a single binary you understand completely.