Also see Runbooks

firewalld/fapolicyd

It is recommended to disable firewalld and fapolicyd:

Code Block
systemctl disable firewalld --now
systemctl disable fapolicyd.service

nm-cloud-setup

If enabled, it is required to disable nm-cloud-setup and reboot the node:

Code Block
systemctl disable nm-cloud-setup.service nm-cloud-setup.timer
reboot

make sure noexec is not used for dedicated rancher partition

If you are using a dedicated partition (/var/lib/rancher) to run K3s, make sure it is NOT mounted with the noexec flag in the /etc/fstab file.

...

check fips mode

If FIPS mode is enabled, it is necessary to disable it; otherwise some of our workloads running in K3s will crash at startup. To check whether FIPS is enabled, run:

Code Block
sysctl crypto.fips_enabled

...

A value of 1 means FIPS mode is enabled. To disable it, refer to the steps in the article below:

https://www.thegeekdiary.com/how-to-disable-fips-mode-on-centos-rhel-7/

...

How to disable FIPS in RHEL/CentOS

iptables

RHEL-like systems have a buggy version of iptables (1.8.4), which causes issues with the firewall, service routing and external network reachability, as well as performance issues. It is required to configure k3s to use the bundled version by modifying the k3s service file (the same applies to the k3s-agent service on worker nodes in HA deployments), adding the --prefer-bundled-bin option to the service’s command line, and restarting the service.

Code Block
~$ cat  /etc/systemd/system/k3s.service
ExecStart=/usr/local/bin/k3s \
    server \
	'--node-name=local-01' \
	'--prefer-bundled-bin' \


~$ sudo systemctl daemon-reload
~$ sudo systemctl stop k3s
~$ sudo systemctl start k3s
~$

If this change is made on an existing system, a reboot is recommended to clear duplicate iptables rules.

Code Block
~$ sudo reboot 

More details can be found here - https://docs.k3s.io/advanced#oldknown-iptables-versionsissues?_highlight=iptables&_highlight=bug#iptables
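
The file-based checks above (noexec on /var/lib/rancher, FIPS mode, and --prefer-bundled-bin in the k3s unit) can be scripted as a preflight before installing or upgrading. This is an added example, not part of the original runbook: the function names and sample inputs are constructed, and the state of the firewalld, fapolicyd and nm-cloud-setup services is not covered.

```bash
#!/usr/bin/env bash
# Added example: file-based checks for three of the prerequisites on this page.
# Function names and sample data are constructed for illustration.

# Succeeds if fstab file $1 mounts mount point $2 with the noexec option.
fstab_has_noexec() {
    awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "noexec") found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Succeeds if flag file $1 holds 1. On a live node pass
# /proc/sys/crypto/fips_enabled, the file behind `sysctl crypto.fips_enabled`.
fips_is_enabled() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Succeeds if unit file $1 passes --prefer-bundled-bin on a non-comment line.
unit_prefers_bundled_bin() {
    grep -v '^[[:space:]]*#' "$1" | grep -q -- '--prefer-bundled-bin'
}

# Runs all checks, prints one line per finding, returns the finding count.
preflight() {  # usage: preflight FSTAB FIPS_FLAG_FILE K3S_UNIT_FILE
    local findings=0
    if fstab_has_noexec "$1" /var/lib/rancher; then
        echo "FAIL: /var/lib/rancher has noexec in $1"; findings=$((findings + 1))
    fi
    if fips_is_enabled "$2"; then
        echo "FAIL: FIPS mode is enabled ($2)"; findings=$((findings + 1))
    fi
    if ! unit_prefers_bundled_bin "$3"; then
        echo "FAIL: --prefer-bundled-bin missing from $3"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample inputs so the script runs offline; on a node use
# /etc/fstab, /proc/sys/crypto/fips_enabled and /etc/systemd/system/k3s.service.
demo=$(mktemp -d)
printf '%s\n' '/dev/sdb1 /var/lib/rancher xfs defaults,noexec 0 0' > "$demo/fstab"
echo 1 > "$demo/fips_enabled"
printf '%s\n' 'ExecStart=/usr/local/bin/k3s \' '    server \' > "$demo/k3s.service"
preflight "$demo/fstab" "$demo/fips_enabled" "$demo/k3s.service" \
    || echo "findings: $?"
```

On worker nodes in HA deployments, pass the k3s-agent unit file as the third argument instead.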