overthinkos/k3s-agent
ov-foundation/skills/k3s-agent/SKILL.md
k3s worker (agent) node — joins an existing k3s-server via pre-shared token. Fully declarative: same ov secrets set once + env K3S_SERVER_URL per agent deploy.
devops
Updated May 7, 2026
$ install --global
skillsauthnpx skillsauth add overthinkos/overthink-plugins k3s-agentInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 7, 2026, 5:47 AM152.6s1 file scanned
SKILL.md
- name:
- k3s-agent
- description:
- |
- Fully declarative:
- same ov secrets set once + env K3S_SERVER_URL per agent deploy.
k3s-agent -- k3s worker node
Layer Properties
| Property | Value |
|----------|-------|
| Install files | layer.yml, tasks:, service:, secret_requires:, env_requires: |
| Depends on | /ov-foundation:k3s |
| Service | k3s-agent.service (system scope, enabled) |
What this layer does
- Reads
K3S_CLUSTER_TOKENfrom the credential store (same secret the server consumes — auto-generated on the first server-or-agent deploy viaensureLayerSecret; subsequent deploys read the persisted value, so agents and server automatically share the token without operator setup). - Requires
K3S_SERVER_URLfrom deploy.yml env (e.g.,https://k3s-srv.lan:6443). - Writes
/etc/rancher/k3s/config.yamlwithserver:andtoken:. - Emits
/etc/systemd/system/k3s-agent.servicerunningk3s agent.
No join-token handoff, no kubeconfig retrieval — agents only need the server URL (declarative, known at author time) and the pre-shared token (from the credential store).
Usage
# overthink.yml (assumes k3s-srv already up; see /ov-foundation:k3s-server)
vm:
k3s-ag1:
source: { kind: cloud_image, url: "…" }
disposable: true
ram: 4G
cpus: 2
deployments:
images:
"vm:k3s-ag1":
target: vm
vm_source: k3s-ag1
add_layers: [k3s-agent]
env:
- K3S_SERVER_URL=https://k3s-srv.lan:6443
# K3S_CLUSTER fed in for the agent-joined test below — must
# match the cluster profile name registered by the server.
- K3S_CLUSTER=k3s-srv
ov deploy add vm:k3s-ag1
# agent registers; ov eval k8s wait-nodes on server confirms the join.
ov eval k8s wait-nodes --cluster k3s-srv --count 2 --timeout 3m
Tests
Build-scope:
/etc/rancher/k3s/config.yamlexists, mode 0600./etc/systemd/system/k3s-agent.serviceexists.
Deploy-scope (uses /ov-advanced:eval-k8s):
k8s: wait-nodes name=${HOSTNAME}— this node reaches Ready on the server.
Related Layers
/ov-foundation:k3s— Base layer installing the k3s binary (required dep)/ov-foundation:k3s-server— Control-plane node this agent joins/ov-advanced:eval-k8s— Test verb used by the agent-joined check
Related Skills
overthinkos/agents
development
VerifiedTrustedCommunity
Claude Code multi-agent support in Overthink — sub-agents, dynamic workflows, and agent teams, and how each drives the existing `ov eval` disposable beds to test and verify. MUST be invoked before authoring or invoking an ov sub-agent / dynamic workflow / agent team, wiring agent-lifecycle hooks, or asking "which primitive should drive the R10 beds?".
SKILL.mdUpdated May 31, 2026
overthinkos/workspace-mount
tools
VerifiedTrustedCommunity
Mounts a virtiofs share tagged `workspace` at /workspace inside a VM guest via a systemd .mount unit. Use when a kind:vm entity shares a host directory into the guest and you need it auto-mounted (and re-mounted at every boot).
SKILL.mdUpdated May 30, 2026
overthinkos/android
development
VerifiedTrustedCommunity
MUST be invoked before any work involving: the `kind: android` schema kind, a `target: android` deploy, the `apk:` layer package format (installing Android apps declaratively), AndroidDeployTarget, an in-pod emulator OR a remote/physical adb-endpoint device, or nested `pod → android` deployment. The first-class Android device + app surface that sits above `ov eval adb`/`appium`.
SKILL.mdUpdated May 26, 2026
overthinkos/git-workflow
tools
VerifiedTrustedCommunity
Use when committing, branching, pushing, merging, tagging, creating PRs, or approving/merging PRs with gh — the feat/-branch, R10-gated, never-force-push landing workflow across the main repo + the plugins submodule + image/<distro> submodules. Covers sync-to-upstream, branch/worktree pruning, the fork+PR path for contributors without write access, and cross-repo @github landing order.
SKILL.mdUpdated May 25, 2026