overthinkos/k3s
ov-foundation/skills/k3s/SKILL.md
k3s binary installer (common base for k3s-server and k3s-agent). Use when building images that need the k3s binary but do NOT want a server/agent service started automatically.
development
Updated May 4, 2026
$ install --global
skillsauthnpx skillsauth add overthinkos/overthink-plugins k3sInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 4, 2026, 6:21 AM307.6s1 file scanned
SKILL.md
- name:
- k3s
- description:
- |
k3s -- k3s binary installer (base layer)
Layer Properties
| Property | Value |
|----------|-------|
| Install files | layer.yml, tasks: |
| Pinned version | v1.31.11+k3s1 (edit K3S_VERSION in layer.yml vars to cut over) |
What this layer does
Downloads the verified-checksum k3s binary (plus sha256sum from the
release manifest), installs it to /usr/local/bin/k3s, and creates
symlinks for kubectl, crictl, ctr (k3s is multi-call). Installs
runtime dependencies (iptables, conntrack, socat, ethtool,
ca-certificates) via the distro package manager — not via the
upstream curl | sh installer. Deliberate, per R9.
No service is started by this layer. Role selection happens in the
dependent layers /ov-foundation:k3s-server and /ov-foundation:k3s-agent,
which emit systemd units that wrap this binary with the right CLI verb
(k3s server vs k3s agent).
Usage
Typically not used directly — compose /ov-foundation:k3s-server or
/ov-foundation:k3s-agent (both depend on this layer).
# For a bare binary-only image (rare):
layers:
- k3s
Cross-distro coverage
rpm:(Fedora) —conntrack-tools,iptables,ethtool,socat,ca-certificatespac:(Arch) —conntrack-tools,iptables-nft,ethtool,socat,ca-certificatesdeb:(Debian/Ubuntu) —conntrack,iptables,ethtool,socat,ca-certificates
Tests
k3s --versionmatches pinned version./usr/local/bin/k3sis mode 0755./usr/local/bin/kubectlexists as a symlink.- Each runtime package is installed (per-distro
package_maphandles Debian'sconntrackrename).
Related Layers
/ov-foundation:k3s-server— Control-plane node (depends on this layer)/ov-foundation:k3s-agent— Worker node (depends on this layer)/ov-coder:kubernetes-layer— Distrokubectl/helmbinaries for the operator, not the cluster
Related Skills
overthinkos/agents
development
VerifiedTrustedCommunity
Claude Code multi-agent support in Overthink — sub-agents, dynamic workflows, and agent teams, and how each drives the existing `ov eval` disposable beds to test and verify. MUST be invoked before authoring or invoking an ov sub-agent / dynamic workflow / agent team, wiring agent-lifecycle hooks, or asking "which primitive should drive the R10 beds?".
SKILL.mdUpdated May 31, 2026
overthinkos/workspace-mount
tools
VerifiedTrustedCommunity
Mounts a virtiofs share tagged `workspace` at /workspace inside a VM guest via a systemd .mount unit. Use when a kind:vm entity shares a host directory into the guest and you need it auto-mounted (and re-mounted at every boot).
SKILL.mdUpdated May 30, 2026
overthinkos/android
development
VerifiedTrustedCommunity
MUST be invoked before any work involving: the `kind: android` schema kind, a `target: android` deploy, the `apk:` layer package format (installing Android apps declaratively), AndroidDeployTarget, an in-pod emulator OR a remote/physical adb-endpoint device, or nested `pod → android` deployment. The first-class Android device + app surface that sits above `ov eval adb`/`appium`.
SKILL.mdUpdated May 26, 2026
overthinkos/git-workflow
tools
VerifiedTrustedCommunity
Use when committing, branching, pushing, merging, tagging, creating PRs, or approving/merging PRs with gh — the feat/-branch, R10-gated, never-force-push landing workflow across the main repo + the plugins submodule + image/<distro> submodules. Covers sync-to-upstream, branch/worktree pruning, the fork+PR path for contributors without write access, and cross-repo @github landing order.
SKILL.mdUpdated May 25, 2026