|
| 1 | +--- |
| 2 | +title: Accessing embedded etcd in K3s |
| 3 | +date: 2025-08-17 |
| 4 | +tags: ["kubernetes"] |
| 5 | +author: "Kapil Agrawal" |
| 6 | +comments: false |
| 7 | +--- |
| 8 | + |
| 9 | +**etcd** is the de-facto KV store for Kubernetes. **k3s** can be run with an embedded etcd as it's KV store which is a great option for running production grade and highly available Kubernetes while keeping overall architecture simple. |
| 10 | + |
| 11 | +There may be situations when you want to interact with it directly in situations like disaster recovery, troubleshooting cluster issues. etcd sync related issues, control leader election, predictability over quorum etc. Accessing the embedded **etcd** is quite trivial although k3s docs do not explain how to do so. All you really need is the `etcdctl` binary. |
| 12 | + |
| 13 | +Unlike RKE2, k3s does not provide with `etcdctl` client binary during installation so it needs to be installed separately. Below is a simple shell script which downloads the `etcdctl` binary. |
| 14 | + |
| 15 | +## 1. Download `etcdctl` |
| 16 | + |
| 17 | +Save the following shell script in a file called `get-etcdctl.sh` on the control plane nodes |
| 18 | + |
| 19 | +```sh |
| 20 | +#!/usr/bin/env bash |
| 21 | +set -euo pipefail |
| 22 | + |
| 23 | +# k3s etcd cert/key paths |
| 24 | +K3S_ETCD_CACERT="/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt" |
| 25 | +K3S_ETCD_CERT="/var/lib/rancher/k3s/server/tls/etcd/server-client.crt" |
| 26 | +K3S_ETCD_KEY="/var/lib/rancher/k3s/server/tls/etcd/server-client.key" |
| 27 | + |
| 28 | +# Check if certs exist |
| 29 | +if [[ ! -f "$K3S_ETCD_CACERT" || ! -f "$K3S_ETCD_CERT" || ! -f "$K3S_ETCD_KEY" ]]; then |
| 30 | + echo "❌ This host does not appear to be a k3s control plane node with embedded etcd." |
| 31 | + echo "Missing one or more of:" |
| 32 | + echo " $K3S_ETCD_CACERT" |
| 33 | + echo " $K3S_ETCD_CERT" |
| 34 | + echo " $K3S_ETCD_KEY" |
| 35 | + exit 1 |
| 36 | +fi |
| 37 | + |
| 38 | +# Get latest etcd version |
| 39 | +ETCD_VER=$(curl -s https://api.github.com/repos/etcd-io/etcd/releases/latest \ |
| 40 | + | grep tag_name \ |
| 41 | + | cut -d '"' -f4) |
| 42 | + |
| 43 | +DOWNLOAD_URL="https://storage.googleapis.com/etcd" |
| 44 | +TAR_FILE="/tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz" |
| 45 | + |
| 46 | +echo "📥 Downloading etcdctl ${ETCD_VER}..." |
| 47 | +curl -sSL "${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz" -o "${TAR_FILE}" |
| 48 | + |
| 49 | +echo "📦 Extracting etcdctl to ${PWD}..." |
| 50 | +tar xzf "${TAR_FILE}" --strip-components=1 -C "${PWD}" etcd-${ETCD_VER}-linux-amd64/etcdctl |
| 51 | +rm -f "${TAR_FILE}" |
| 52 | + |
| 53 | +chmod +x "${PWD}/etcdctl" |
| 54 | + |
| 55 | +# Export k3s etcd environment vars |
| 56 | +export ETCDCTL_ENDPOINTS="https://[::1]:2379" |
| 57 | +export ETCDCTL_CACERT="$K3S_ETCD_CACERT" |
| 58 | +export ETCDCTL_CERT="$K3S_ETCD_CERT" |
| 59 | +export ETCDCTL_KEY="$K3S_ETCD_KEY" |
| 60 | + |
| 61 | +echo "✅ etcdctl ${ETCD_VER} is ready in ${PWD}" |
| 62 | +echo "Example usage:" |
| 63 | +echo " ./etcdctl endpoint status --write-out=table" |
| 64 | +./etcdctl version |
| 65 | + |
| 66 | +``` |
| 67 | + |
| 68 | +## 2. Run the script |
| 69 | + |
| 70 | +sudo if necessary |
| 71 | + |
| 72 | +``` |
| 73 | +chmod +x get-etcdctl.sh && ./get-etcdctl.sh |
| 74 | +``` |
| 75 | + |
| 76 | +## 3. Export etcd connection vars |
| 77 | + |
| 78 | +```sh |
| 79 | +export ETCDCTL_ENDPOINTS='https://[::1]:2379' |
| 80 | +export ETCDCTL_CACERT='/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt' |
| 81 | +export ETCDCTL_CERT='/var/lib/rancher/k3s/server/tls/etcd/server-client.crt' |
| 82 | +export ETCDCTL_KEY='/var/lib/rancher/k3s/server/tls/etcd/server-client.key' |
| 83 | +``` |
| 84 | + |
| 85 | +## 4. Connect to etcd |
| 86 | + |
| 87 | +```sh |
| 88 | +./etcdctl member list |
| 89 | +./etcdctl endpoint status --cluster -w table |
| 90 | +``` |
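Review bot: The script in section 1 extracts and executes `etcdctl` from a downloaded tarball with no integrity check, on a control-plane node where it is likely run with sudo and alongside the etcd client key. Before the `tar xzf` line, the archive's SHA-256 should be compared with the checksum list published with the etcd release (a `SHA256SUMS` file, checked with `sha256sum -c`; confirm where it is served for this download mirror), and the script should stop on a mismatch. Pinning `ETCD_VER` to a reviewed version that matches the cluster's embedded etcd, instead of whatever `releases/latest` returns, would make the download reproducible and auditable. The archive is also written to a predictable name under `/tmp`; `TAR_FILE=$(mktemp)` avoids following a file or symlink pre-created at that path when the script runs as root. The download line should use `curl -fsSL` so that an HTTP error page is not saved as the tarball.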