<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: prokshita nagarajan</title>
    <description>The latest articles on DEV Community by prokshita nagarajan (@prokshita_nagarajan_16a4d).</description>
    <link>https://dev.to/prokshita_nagarajan_16a4d</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3898901%2Fd352a09a-0a6c-48ee-95d5-ea99e63a43be.png</url>
      <title>DEV Community: prokshita nagarajan</title>
      <link>https://dev.to/prokshita_nagarajan_16a4d</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/prokshita_nagarajan_16a4d"/>
    <language>en</language>
    <item>
      <title>Create a Kubernetes service account and assign permissions</title>
      <dc:creator>prokshita nagarajan</dc:creator>
      <pubDate>Mon, 13 Jul 2026 07:26:50 +0000</pubDate>
      <link>https://dev.to/prokshita_nagarajan_16a4d/create-a-kubernetes-service-account-and-assign-permissions-69p</link>
      <guid>https://dev.to/prokshita_nagarajan_16a4d/create-a-kubernetes-service-account-and-assign-permissions-69p</guid>
      <description>&lt;p&gt;When deploying applications to Kubernetes, it's important to ensure they have only the permissions they actually need. This is where &lt;strong&gt;ServiceAccounts&lt;/strong&gt; and &lt;strong&gt;RBAC (Role-Based Access Control)&lt;/strong&gt; come into play.&lt;/p&gt;

&lt;p&gt;In our case, the &lt;strong&gt;ServiceAccount is required for the Agentic CLI to authenticate with the AKS cluster when running in cluster mode.&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  What is a ServiceAccount?
&lt;/h2&gt;

&lt;p&gt;A &lt;strong&gt;ServiceAccount&lt;/strong&gt; is an identity used by applications running inside a Kubernetes cluster. Unlike user accounts, which are intended for administrators and developers, ServiceAccounts allow pods to securely authenticate with the Kubernetes API.&lt;/p&gt;

&lt;p&gt;Applications commonly use a ServiceAccount to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Read Pods&lt;/li&gt;
&lt;li&gt;Create Jobs&lt;/li&gt;
&lt;li&gt;Access ConfigMaps and Secrets&lt;/li&gt;
&lt;li&gt;Watch Deployments&lt;/li&gt;
&lt;li&gt;Integrate with cloud identity providers (Azure Workload Identity, AWS IAM Roles for Service Accounts, OCI Workload Identity)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Rather than granting broad cluster-wide permissions, Kubernetes lets you assign only the permissions an application requires, following the &lt;strong&gt;Principle of Least Privilege&lt;/strong&gt;.&lt;/p&gt;




&lt;h1&gt;
  
  
  Default ServiceAccount
&lt;/h1&gt;

&lt;p&gt;Every Kubernetes namespace includes a default ServiceAccount.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;kubectl get sa
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Example output:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;NAME      SECRETS   AGE
default   0         10d
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If no ServiceAccount is specified in a Pod or Deployment, Kubernetes automatically uses the &lt;code&gt;default&lt;/code&gt; ServiceAccount.&lt;/p&gt;




&lt;h1&gt;
  
  
  Creating a ServiceAccount
&lt;/h1&gt;

&lt;p&gt;Create a file named &lt;code&gt;serviceaccount.yaml&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;v1&lt;/span&gt;
&lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;ServiceAccount&lt;/span&gt;
&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;my-app-sa&lt;/span&gt;
  &lt;span class="na"&gt;namespace&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;alpha&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Apply it:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;kubectl apply &lt;span class="nt"&gt;-f&lt;/span&gt; serviceaccount.yaml
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Verify it exists:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;kubectl get sa &lt;span class="nt"&gt;-n&lt;/span&gt; alpha
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h1&gt;
  
  
  Using a ServiceAccount in a Pod or Deployment
&lt;/h1&gt;

&lt;p&gt;Reference the ServiceAccount using the &lt;code&gt;serviceAccountName&lt;/code&gt; field.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;v1&lt;/span&gt;
&lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Pod&lt;/span&gt;
&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;nginx&lt;/span&gt;
&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;serviceAccountName&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;my-app-sa&lt;/span&gt;
  &lt;span class="na"&gt;containers&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;nginx&lt;/span&gt;
      &lt;span class="na"&gt;image&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;nginx&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Any pod using this ServiceAccount will authenticate to the Kubernetes API as &lt;code&gt;my-app-sa&lt;/code&gt;.&lt;/p&gt;




&lt;h1&gt;
  
  
  A ServiceAccount Has No Permissions by Default
&lt;/h1&gt;

&lt;p&gt;Creating a ServiceAccount &lt;strong&gt;does not automatically grant access&lt;/strong&gt; to Kubernetes resources.&lt;/p&gt;

&lt;p&gt;Permissions are assigned using &lt;strong&gt;RBAC&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Role + RoleBinding&lt;/strong&gt; → Namespace-scoped permissions&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;ClusterRole + ClusterRoleBinding&lt;/strong&gt; → Cluster-wide permissions&lt;/li&gt;
&lt;/ul&gt;




&lt;h1&gt;
  
  
  Creating a Role
&lt;/h1&gt;

&lt;p&gt;The following Role allows read-only access to Pods, Services, and Endpoints.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Role&lt;/span&gt;
&lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;rbac.authorization.k8s.io/v1&lt;/span&gt;

&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;namespace&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;dev&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;endpoints-reader&lt;/span&gt;

&lt;span class="na"&gt;rules&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
&lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;apiGroups&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
  &lt;span class="na"&gt;resources&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;pods&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;services&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;endpoints&lt;/span&gt;
  &lt;span class="na"&gt;verbs&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;get&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;list&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;watch&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h1&gt;
  
  
  Binding the Role to the ServiceAccount
&lt;/h1&gt;

&lt;p&gt;Next, bind the Role to the ServiceAccount.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;RoleBinding&lt;/span&gt;
&lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;rbac.authorization.k8s.io/v1&lt;/span&gt;

&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;read-access&lt;/span&gt;
  &lt;span class="na"&gt;namespace&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;dev&lt;/span&gt;

&lt;span class="na"&gt;subjects&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
&lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;ServiceAccount&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;my-app-sa&lt;/span&gt;
  &lt;span class="na"&gt;namespace&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;dev&lt;/span&gt;

&lt;span class="na"&gt;roleRef&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Role&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;endpoints-reader&lt;/span&gt;
  &lt;span class="na"&gt;apiGroup&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;rbac.authorization.k8s.io&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;After applying the Role and RoleBinding, the ServiceAccount can:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Get Pods&lt;/li&gt;
&lt;li&gt;List Pods&lt;/li&gt;
&lt;li&gt;Watch Pods&lt;/li&gt;
&lt;li&gt;Get Services&lt;/li&gt;
&lt;li&gt;List Services&lt;/li&gt;
&lt;li&gt;Watch Services&lt;/li&gt;
&lt;li&gt;Get Endpoints&lt;/li&gt;
&lt;li&gt;List Endpoints&lt;/li&gt;
&lt;li&gt;Watch Endpoints&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Nothing more.&lt;/p&gt;




&lt;h1&gt;
  
  
  Verifying the Role
&lt;/h1&gt;

&lt;p&gt;Describe the Role to verify its permissions.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;kubectl describe role endpoints-reader &lt;span class="nt"&gt;-n&lt;/span&gt; test-magik
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Example output:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Name:         endpoints-reader
PolicyRule:
  Resources   Verbs
  ---------   ----------------
  endpoints   get, list, watch
  pods        get, list, watch
  services    get, list, watch
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You can also verify what a ServiceAccount is allowed to do:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;kubectl auth can-i list pods &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--as&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;system:serviceaccount:dev:my-app-sa &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;-n&lt;/span&gt; dev
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If configured correctly, Kubernetes will return:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;yes
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h1&gt;
  
  
  Why This Matters
&lt;/h1&gt;

&lt;p&gt;Giving every application cluster-admin privileges is a significant security risk.&lt;/p&gt;

&lt;p&gt;Using &lt;strong&gt;ServiceAccounts&lt;/strong&gt; together with &lt;strong&gt;RBAC&lt;/strong&gt; enables you to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Grant only the permissions an application requires&lt;/li&gt;
&lt;li&gt;Reduce the impact of compromised workloads&lt;/li&gt;
&lt;li&gt;Improve Kubernetes security&lt;/li&gt;
&lt;li&gt;Follow the Principle of Least Privilege&lt;/li&gt;
&lt;li&gt;Support secure authentication for tools such as the Agentic CLI running in AKS cluster mode&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Properly configured ServiceAccounts are a foundational security practice for any production Kubernetes environment.&lt;/p&gt;

</description>
      <category>azure</category>
      <category>kubernetes</category>
      <category>security</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>Deploying a Single-Node Kubernetes Cluster on AWS EC2 with K3s</title>
      <dc:creator>prokshita nagarajan</dc:creator>
      <pubDate>Sun, 21 Jun 2026 13:38:52 +0000</pubDate>
      <link>https://dev.to/prokshita_nagarajan_16a4d/deploying-a-single-node-kubernetes-cluster-on-aws-ec2-with-k3s-25ma</link>
      <guid>https://dev.to/prokshita_nagarajan_16a4d/deploying-a-single-node-kubernetes-cluster-on-aws-ec2-with-k3s-25ma</guid>
      <description>&lt;p&gt;Running a full Kubernetes cluster doesn't always mean spinning up multiple nodes. If you're prototyping, running a small production workload, or just want a lightweight environment to learn on, a &lt;strong&gt;single EC2 instance&lt;/strong&gt; running Kubernetes is more than enough — and a lot cheaper.&lt;/p&gt;

&lt;p&gt;In this post, I'll walk through the options for running Kubernetes on a single EC2 instance, why I went with &lt;strong&gt;K3s&lt;/strong&gt;, and exactly how to get a working single-node cluster up in under five minutes.&lt;/p&gt;

&lt;h2&gt;
  
  
  Options for Running Kubernetes on EC2
&lt;/h2&gt;

&lt;p&gt;Before picking a tool, it's worth knowing what's out there:&lt;/p&gt;

&lt;p&gt;1] &lt;strong&gt;k3s&lt;/strong&gt;           : Single node, lightweight.&lt;br&gt;
 2] &lt;strong&gt;MicroK8s&lt;/strong&gt;     : Ubuntu-native, addons built-in.&lt;br&gt;
 3] &lt;strong&gt;Kubeadm&lt;/strong&gt;       : Full control, standard k8s.&lt;br&gt;
 4] &lt;strong&gt;Kind/Minikube&lt;/strong&gt; : Local dev only, not for EC2 prod.&lt;/p&gt;

&lt;p&gt;Each has a place. &lt;code&gt;kubeadm&lt;/code&gt; gives you the full vanilla Kubernetes experience and is the right call if you're planning to scale to multiple nodes later. &lt;code&gt;MicroK8s&lt;/code&gt; is a solid choice if you're already in the Ubuntu/Canonical ecosystem and want snap-based add-ons. &lt;code&gt;Kind&lt;/code&gt; and &lt;code&gt;Minikube&lt;/code&gt; are built for local development and aren't meant for EC2 production use at all.&lt;/p&gt;
&lt;h2&gt;
  
  
  Why K3s
&lt;/h2&gt;

&lt;p&gt;Since the goal here was a &lt;strong&gt;single EC2 instance&lt;/strong&gt; running a working cluster, K3s was the clear choice:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Single command install&lt;/strong&gt; — literally one line, no multi-step bootstrap process&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Half the memory footprint&lt;/strong&gt; of full Kubernetes, so it runs comfortably on smaller instances&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Production-grade&lt;/strong&gt; — it's not a toy; K3s is used widely in real-world deployments, including edge and IoT environments&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Batteries included&lt;/strong&gt; — containerd, Flannel (CNI), Traefik (ingress), and CoreDNS all ship built-in, so there's nothing extra to install&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;100% kubectl compatible&lt;/strong&gt; — every &lt;code&gt;kubectl&lt;/code&gt; command, every manifest, every Helm chart works exactly the same as it would on a "real" cluster&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;
  
  
  Prerequisites
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;An AWS account&lt;/li&gt;
&lt;li&gt;An EC2 instance with:

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;AMI:&lt;/strong&gt; Ubuntu 22.04 LTS&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Instance type:&lt;/strong&gt; &lt;code&gt;t3.medium&lt;/code&gt; (2 vCPU, 4GB RAM)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Storage:&lt;/strong&gt; 20GB gp3&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;
  
  
  Step 1: Install K3s
&lt;/h2&gt;

&lt;p&gt;SSH into your EC2 instance and run:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;curl &lt;span class="nt"&gt;-sfL&lt;/span&gt; https://get.k3s.io | sh -
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That's the entire installation. Behind the scenes, this single command:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Installs &lt;strong&gt;containerd&lt;/strong&gt; as the container runtime&lt;/li&gt;
&lt;li&gt;Installs the &lt;strong&gt;control plane components&lt;/strong&gt; (API server, controller manager, scheduler)&lt;/li&gt;
&lt;li&gt;Installs &lt;strong&gt;Flannel&lt;/strong&gt; for pod networking&lt;/li&gt;
&lt;li&gt;Installs &lt;strong&gt;Traefik&lt;/strong&gt; as the ingress controller&lt;/li&gt;
&lt;li&gt;Installs &lt;strong&gt;CoreDNS&lt;/strong&gt; for cluster DNS&lt;/li&gt;
&lt;li&gt;Configures the node to act as both &lt;strong&gt;control plane and worker&lt;/strong&gt;, since this is a single-node setup&lt;/li&gt;
&lt;li&gt;Registers itself as a &lt;strong&gt;systemd service&lt;/strong&gt;, so it survives reboots&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Step 2: Verify the Cluster
&lt;/h2&gt;

&lt;p&gt;Check that the node is up and ready:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;kubectl get nodes
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You should see a single node in &lt;code&gt;Ready&lt;/code&gt; state:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight console"&gt;&lt;code&gt;&lt;span class="go"&gt;NAME              STATUS   ROLES                  AGE   VERSION
ip-172-31-x-x     Ready    control-plane,master   1m    v1.29.x+k3s1
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That's it — you now have a fully functional, kubectl-compatible Kubernetes cluster running on a single EC2 instance, ready to take workloads.&lt;/p&gt;

&lt;h2&gt;
  
  
  What's Next
&lt;/h2&gt;

&lt;p&gt;From here, the cluster behaves like any other Kubernetes cluster: deploy with manifests, expose services via Traefik ingress, install Helm charts, or wire it into a CI/CD pipeline to pull and run container images from a registry like ECR.&lt;/p&gt;

&lt;p&gt;K3s strips away the operational overhead of running Kubernetes without compromising on compatibility — making it the simplest way to get a real cluster running on a single EC2 instance.&lt;/p&gt;

</description>
      <category>aws</category>
      <category>devops</category>
      <category>kubernetes</category>
      <category>tutorial</category>
    </item>
  </channel>
</rss>
