
kldload 1.0.4 — Kubernetes on ZFS

Date: April 12, 2026  ·  Commits: 197  ·  License: BSD-3-Clause  ·  ISO: ~9.2 GB  ·  Arch: x86_64
Download: dl.kldload.com/kldload-free-latest.iso  ·  Source: github.com/kldload/kldload  ·  Demo: YouTube (20 min)

What if Cilium + eBPF had its own Linux distribution?

kldload 1.0.4 deploys production Kubernetes from a single command. The entire stack — Cilium eBPF networking, dual WireGuard encrypted backplanes, Hubble observability, MetalLB, Gateway API, ZFS CSI — runs on ZFS instant-cloned KVM nodes that provision in under 100 milliseconds each. No kube-proxy. No iptables. No sidecar mesh. The kernel is the network.

kube-cluster bootstrap --workers 5

A 6-node production cluster from bare metal in under 20 minutes; destroy and rebuild in 60 seconds. Everything ships on a 9 GB bootable ISO, so the base install needs no internet access (the Kubernetes bootstrap still fetches a few Helm charts and images; see Known issues).

Kubernetes on ZFS — The Full Demo

Every caption below comes from a screenshot of a live kube-demo session, an interactive 21-option demo that exercises every layer of the stack: 6 nodes, Cilium eBPF, dual WireGuard mesh, ZFS instant clones, all from one command.

kube-demo menu
kube-demo — 21 interactive options. Cluster, networking, storage, workloads, resilience.
Cluster Overview
4 nodes Ready before scale-out, all pods Running, Cilium eBPF replaces kube-proxy, Hubble ready.
ZFS Clone Proof
ZFS instant clones — ~100ms per node, ~0 bytes disk cost. Golden image 2.4G, clones use only deltas.
Add Workers
Live scale-out — 2 new workers cloned, WireGuard meshed, K8s joined. 6 nodes in under 90 seconds.
Cilium Status
Cilium eBPF — 6/6 pods, kube-proxy replaced by eBPF, no iptables rules. Pure kernel datapath.
Hubble eBPF
Hubble — every DNS query, HTTP request, TCP flow visible. Zero agents. eBPF hooks in the kernel.
Network Policy
Cilium network policy — kernel-level eBPF enforcement. Block all, then allow per-pod. No iptables.
MetalLB LoadBalancer
MetalLB — real LoadBalancer IPs on bare metal. L2 advertisement. No cloud required.
Gateway API
Gateway API — Cilium-native ingress. eBPF datapath. No nginx, no traefik, no HAProxy.
ZFS Snapshot Restore
ZFS CSI snapshot + restore — write data, corrupt it, restore from ZFS snapshot in under 1 second.
Scale Test
Scale test — 20 pods across all 6 nodes. Spread evenly. Add more nodes instantly with ZFS clones.
Rolling Update
Rolling update — nginx to httpd, zero downtime. Old pods terminated only after new pods ready.
Self Healing
Self-healing — kill a pod, Kubernetes replaces it automatically. Zero intervention.
Drain Worker
Drain a worker — pods migrate to remaining nodes automatically. Use case: maintenance, kernel upgrade.
ZFS Node Rollback
ZFS time travel — snapshot a node, rollback instantly. OS, packages, config, everything reverts.
Replace Workers
Nodes are cattle — drain, destroy, clone fresh replacements from golden in 122ms. Re-join cluster.
Installer
Web UI installer — 8 distros, 6 profiles. Point, click, deploy. Zero CLI required.

What's new in 1.0.4

One-Command Kubernetes

kube-cluster bootstrap --workers 5 — from bare metal to production cluster.

  • Golden image built once — cloud image + kubeadm + containerd + Cilium + Helm pre-installed
  • ZFS instant clones provision nodes in under 100ms each (copy-on-write, near-zero disk)
  • Cloud-init gives each clone unique identity — hostname, SSH keys, machine-id
  • 6-node cluster (1 CP + 5 workers) in under 20 minutes from USB boot
  • Destroy and rebuild entire cluster in 60 seconds — golden image preserved

Cilium eBPF — The Kernel IS the Network

No kube-proxy. No iptables. No sidecar mesh. Pure kernel datapath.

  • Cilium v1.16.5 as the only CNI — full kube-proxy replacement via eBPF
  • eBPF maps replace iptables chains — O(1) lookups, not O(n) rule walks
  • Network policy enforced at the kernel level, not in userspace
  • L7 policy and observability without sidecar containers
  • Gateway API backed by Cilium — ingress without nginx/traefik/HAProxy
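The "block all, then allow per-pod" policy the demo exercises and the kernel-level enforcement bullet above, as an added example that is not kldload's own code: shell functions render CiliumNetworkPolicy manifests so one template serves any namespace and any client/server pair. The namespace "shop", the app=frontend and app=api labels, TCP 8080 and the kube-dns label are assumptions, not taken from the page.

```shell
# Added example, not kldload's own code: "block all, then allow per-pod" as
# CiliumNetworkPolicy manifests rendered by shell functions.
# Assumptions not taken from the page: namespace "shop", pods labelled
# app=frontend and app=api, the API on TCP 8080, kube-dns in kube-system with
# the standard k8s-app=kube-dns label.
set -eu

# Stage 1: default deny. An empty endpointSelector matches every pod in the
# namespace; an empty rule ({}) under ingress/egress enables default-deny for
# that direction while allowing nothing.
render_default_deny() {
  local ns="$1"
  cat <<EOF
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny
  namespace: $ns
spec:
  endpointSelector: {}
  ingress:
  - {}
  egress:
  - {}
EOF
}

# Stage 1b: egress default-deny also blocks DNS, so every pod needs egress to
# kube-dns. The L7 dns rule keeps per-query visibility in Hubble and can be
# tightened from "*" to the names a workload really uses.
render_allow_dns() {
  local ns="$1"
  cat <<EOF
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-dns
  namespace: $ns
spec:
  endpointSelector: {}
  egress:
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
EOF
}

# Stage 2: one client pod to one server pod on one port. Both halves are
# needed, ingress on the server and egress on the client, because stage 1
# denied both directions for both pods.
render_allow_pair() {
  local ns="$1" client="$2" server="$3" port="$4"
  cat <<EOF
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: ${client}-to-${server}
  namespace: $ns
spec:
  endpointSelector:
    matchLabels:
      app: $server
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: $client
    toPorts:
    - ports:
      - port: "$port"
        protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: ${client}-egress-${server}
  namespace: $ns
spec:
  endpointSelector:
    matchLabels:
      app: $client
  egress:
  - toEndpoints:
    - matchLabels:
        app: $server
    toPorts:
    - ports:
      - port: "$port"
        protocol: TCP
EOF
}
```

Apply in that order (`render_default_deny shop | kubectl apply -f -`, then the DNS policy, then each pair) and keep `hubble observe --namespace shop --verdict DROPPED` running while you do it: the drops it shows after stage 1 are exactly the allow rules you still owe.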

Dual WireGuard Encrypted Backplanes

Every hop encrypted by default. Two separate planes for management and data.

  • wg-mgmt (10.250.0.0/24) — SSH, kubelet, API server, etcd
  • wg-k8s (10.251.0.0/24) — pod-to-pod traffic, Cilium eBPF datapath
  • Full-mesh topology — every node peers directly with every other node
  • Host joins mesh as node 100 — kubectl works over encrypted tunnel
  • nftables firewall per node — only WireGuard + K8s ports open
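The per-node firewall and the two tunnel planes above, as an added example that is not kldload's own code: a shell function renders the nftables ruleset ("only WireGuard + K8s ports open"), and two small helpers carry the MTU arithmetic the VXLAN-over-WireGuard fix in the bug list below relies on. The WireGuard listen ports (udp/51820 for wg-mgmt, udp/51821 for wg-k8s) and the Kubernetes/Cilium port numbers are assumptions, not taken from the page; the subnets are the page's own.

```shell
# Added example, not kldload's own code: per-node nftables ruleset for the
# dual WireGuard planes, plus the MTU arithmetic for Cilium VXLAN inside WireGuard.
# Assumptions not taken from the page: WireGuard listens on udp/51820 (wg-mgmt)
# and udp/51821 (wg-k8s) on the physical NIC; Kubernetes and Cilium use their
# default ports (6443 API, 2379-2380 etcd, 10250 kubelet, 4240 Cilium health,
# 4244 Hubble server, 8472 VXLAN).
set -eu

MGMT_NET="10.250.0.0/24"   # wg-mgmt: SSH, kubelet, API server, etcd
K8S_NET="10.251.0.0/24"    # wg-k8s: pod-to-pod traffic, Cilium datapath
WG_MGMT_PORT=51820         # assumption
WG_K8S_PORT=51821          # assumption

# Physical 1500 -> WireGuard (80 bytes of overhead) -> Cilium VXLAN inside the
# tunnel (50 more bytes): 1500 - 80 - 50 = 1370 for the pod network.
wg_mtu()     { echo $(( ${1:-1500} - 80 )); }
cilium_mtu() { echo $(( $(wg_mtu "${1:-1500}") - 50 )); }

# Input policy is drop. The physical NIC exposes only the two WireGuard
# endpoints; SSH and kubelet are reachable only through wg-mgmt from the
# management subnet, and etcd/API server only on the control-plane node;
# Cilium health, Hubble and VXLAN only through wg-k8s from the pod-plane subnet.
render_nft_ruleset() {
  local role="${1:-worker}"    # "cp" or "worker"
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state invalid drop
    ct state established,related accept
    iif lo accept
    icmp type { echo-request, destination-unreachable, time-exceeded } accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, packet-too-big } accept
    iifname != { "wg-mgmt", "wg-k8s" } udp dport { $WG_MGMT_PORT, $WG_K8S_PORT } accept
    iifname "wg-mgmt" ip saddr $MGMT_NET tcp dport { 22, 10250 } accept
EOF
  if [ "$role" = "cp" ]; then
    cat <<EOF
    iifname "wg-mgmt" ip saddr $MGMT_NET tcp dport { 6443, 2379, 2380 } accept
EOF
  fi
  cat <<EOF
    iifname "wg-k8s" ip saddr $K8S_NET tcp dport { 4240, 4244 } accept
    iifname "wg-k8s" ip saddr $K8S_NET udp dport 8472 accept
    limit rate 5/second log prefix "nft-drop: "
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
  }
}
EOF
}

# Syntax-check the rendered ruleset without loading it (skipped when nft is absent).
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    render_nft_ruleset "${1:-worker}" | nft -c -f -
  else
    echo "nft not installed; skipped syntax check" >&2
  fi
}
```

Render with `render_nft_ruleset cp` or `render_nft_ruleset worker` and load with `nft -f`; a worker never opens 6443 or the etcd ports, so a compromised workload on a worker cannot even reach them over the tunnel. Set the Cilium MTU to `cilium_mtu` (1370 on a 1500-byte NIC) or cross-node pod traffic is dropped silently, as the bug list records.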

Hubble eBPF Observability

See every flow, every DNS query, every HTTP request. No sidecars, no per-pod agents; the hooks run in the kernel.

  • Hubble relay + UI deployed from first boot
  • L3/L4/L7 flow visibility — DNS, TCP, HTTP, ICMP metrics
  • eBPF hooks in the kernel — Hubble runs inside the Cilium agent already on every node; no sidecars, no extra agents, no packet captures
  • Hubble UI accessible via port-forward for visual flow maps

ZFS-Backed KVM — The Foundation

Every K8s node is a KVM VM running on a ZFS zvol. ZFS superpowers flow up to Kubernetes.

  • Instant clones — new nodes in under 100ms via ZFS copy-on-write
  • Atomic snapshots — snapshot a node's entire disk, rollback instantly (ZFS time travel)
  • Nodes are cattle — drain, destroy, clone fresh replacement from golden in 122ms
  • Dedicated ZFS datasets — etcd on 8K recordsize, containerd and kubelet on separate datasets
  • Sanoid auto-snapshots — hourly/daily/weekly/monthly per node, automatic retention
  • Golden image workflow — build once, seal (clear machine-id, SSH keys), clone forever
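The seal step of the golden image workflow above (clear machine-id, SSH keys) and the per-clone identity cloud-init restores, as an added example that is not kldload's own code: `seal_guest_identity` strips host identity from a mounted guest root, `verify_sealed` checks nothing survived, and `clone_node` does the snapshot and clone on the zvol. The zvol name rpool/vm/golden, a guest root mounted read-write at the given path, and cloud-init being installed in the guest are assumptions, not taken from the page.

```shell
# Added example, not kldload's own code: seal a golden guest root so every ZFS
# clone boots with a fresh identity, then snapshot and clone the zvol.
# Assumptions not taken from the page: the golden zvol is rpool/vm/golden and
# clones live beside it; the guest root is mounted read-write at the path passed
# in; cloud-init in the guest regenerates what is removed here.
set -eu

GOLDEN_ZVOL="${GOLDEN_ZVOL:-rpool/vm/golden}"   # assumption

# Strip per-host identity from a mounted guest root. Anything left here is
# shared by every clone: identical SSH host keys make clones indistinguishable
# to clients (and one leaked key compromises all of them), an identical
# machine-id collides in journald and DHCP client IDs, and stale cloud-init
# state stops user-data from running again on the clone.
seal_guest_identity() {
  local root="$1"
  [ -d "$root/etc" ] || { echo "not a root filesystem: $root" >&2; return 1; }
  # Empty file, not a missing one: systemd generates a fresh id at first boot.
  : > "$root/etc/machine-id"
  rm -f "$root/var/lib/dbus/machine-id"
  # Host keys are regenerated by sshd-keygen / cloud-init on first boot.
  rm -f "$root"/etc/ssh/ssh_host_*_key "$root"/etc/ssh/ssh_host_*_key.pub
  # Forget the previous instance so cloud-init treats the clone as a new machine.
  rm -rf "$root/var/lib/cloud/instances" "$root/var/lib/cloud/instance" \
         "$root/var/lib/cloud/data"
  # Never bake node credentials into the golden image.
  rm -rf "$root/etc/kubernetes/pki" "$root/var/lib/kubelet/pki"
  rm -f "$root/etc/kubernetes/kubelet.conf"
  # Leases and the random seed are per host as well.
  rm -f "$root"/var/lib/dhcp/*.leases "$root/var/lib/systemd/random-seed"
}

# Report identity that survived sealing; returns non-zero if anything did.
verify_sealed() {
  local root="$1" rc=0
  [ -s "$root/etc/machine-id" ] && { echo "machine-id still populated" >&2; rc=1; }
  set -- "$root"/etc/ssh/ssh_host_*_key
  [ -e "$1" ] && { echo "ssh host keys remain" >&2; rc=1; }
  [ -d "$root/var/lib/cloud/instances" ] && { echo "cloud-init instance state remains" >&2; rc=1; }
  return $rc
}

# Snapshot the sealed golden once and clone a node from it (needs root and zfs;
# not invoked in this file). The clone shares blocks with the snapshot, which
# is where the ~100 ms / near-zero disk cost comes from.
clone_node() {
  local name="$1" snap="${2:-sealed}"
  zfs list -t snapshot "$GOLDEN_ZVOL@$snap" >/dev/null 2>&1 \
    || zfs snapshot "$GOLDEN_ZVOL@$snap"
  zfs clone "$GOLDEN_ZVOL@$snap" "${GOLDEN_ZVOL%/*}/$name"
}
```

Seal while the golden's root is mounted on the host (for example after `kube-cluster golden`), run `verify_sealed` before taking the `@sealed` snapshot, and never re-seal a clone that has already joined the cluster: a clone carries real kubelet credentials once it joins, which is exactly what must not end up in the golden image.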

Production Stack

Everything you need for production Kubernetes, installed from one command.

  • MetalLB v0.14.9 — real LoadBalancer IPs on bare metal (L2 advertisement)
  • Gateway API — Cilium-native ingress controller, eBPF datapath
  • OpenEBS ZFS CSI — Kubernetes persistent volumes on ZFS (zfs + zfs-db StorageClasses)
  • ZFS CSI snapshots — snapshot PVs, restore from snapshot, ZFS clone for instant recovery
  • Secure Boot — end-to-end chain: shim → signed GRUB → ZFSBootMenu → ZFS root
  • ZFSBootMenu — native ZFS boot environments; signed GRUB remains only as the Secure Boot chainloader into ZFSBootMenu, which selects and boots the ZFS root
  • NVIDIA GPU — auto-detected, driver ready from first boot
  • Offline install — RPM + APT darksites, core container images pre-pulled (Helm charts and a few images still fetch from the internet during Kubernetes bootstrap; see Known issues)

Bug fixes

| Fix | Details |
|---|---|
| CentOS SSH service name | SSH was not enabled on CentOS/RHEL/Rocky installs; the unit is sshd, not ssh |
| kldload-snapshot binary missing | The binary existed in source but was never copied into the live ISO during the build |
| Smoke test ANSI parse errors | grep -c on colored output produced multi-line values, crashing arithmetic expressions |
| Clone networking | Triple-layer DHCP fallback, per-clone machine-id and cloud-init identity for reliable clone boot |
| Secure Boot chain | End-to-end fix: shim → signed GRUB → ZFSBootMenu → ZFS root. CentOS GRUB config path added |
| SIGPIPE build failures | Trap SIGPIPE and drop pipefail around pip install; the failure had been killing builds for hours |
| VXLAN MTU over WireGuard | Cilium VXLAN adds 50 bytes and WireGuard 80, so the pod MTU must be 1370 (1500 - 80 - 50); cross-node pod traffic was silently dropping |
| kbe list | Removed the dependency on the column utility (not installed by default on Debian) |

Known issues

| Issue | Severity | Notes |
|---|---|---|
| Kubernetes best on Debian 13 | Info | The Kubernetes profile is tested and optimized for Debian 13 (Trixie). CentOS/Rocky work but have minor issues with MOK enrollment and GRUB config paths. |
| K8s not fully darksite | Medium | Helm charts and some container images (frr, busybox) still pull from the internet during bootstrap. Container images for the core stack are pre-pulled in the golden image. |
| Fedora darksite broken | Medium | Architecture detection issue in the Fedora RPM darksite builder. |
| CentOS MOK/GRUB on first boot | Medium | CentOS may drop to the GRUB menu instead of MokManager on first boot. Fixed in the latest build: the GRUB chainloader config is now written to distro-specific EFI paths. |
| kube-demo replace workers | Low | _get_vm_ip function reference missing in kube-demo replace-workers. Clones are created successfully but cannot auto-rejoin. |

Kubernetes Commands

| Command | What it does | Example |
|---|---|---|
| kube-cluster bootstrap | Deploy full K8s cluster from golden image | kube-cluster bootstrap --workers 5 |
| kube-cluster destroy | Tear down cluster, preserve golden | kube-cluster destroy |
| kube-cluster destroy --all | Tear down cluster + golden image | kube-cluster destroy --all |
| kube-cluster status | Show cluster health | kube-cluster status |
| kube-cluster golden | Build golden image only | kube-cluster golden |
| kube-init | Initialize control plane (Cilium, MetalLB, CSI) | kube-init |
| kube-join | Join worker to existing cluster | kube-join 192.168.122.10 |
| kube-setup | Install K8s packages on any node | kube-setup |
| kube-network init | Initialize WireGuard mesh for a node | kube-network init 1 |
| kube-network add-peer | Add WireGuard peer | kube-network add-peer 192.168.122.20 <pubkey> 2 |
| kube-network nft | Apply nftables firewall rules | kube-network nft |
| kube-network status | Show WireGuard mesh status | kube-network status |
| kube-demo | Interactive 21-option K8s demo | kube-demo |
| kube-status | Quick cluster health check | kube-status |
| kube-smoke-test | Comprehensive 38-check validation | kube-smoke-test |
| kube-reset | Reset kubeadm on a node | kube-reset |
| kube-load-images | Load container images from darksite tarballs | kube-load-images /root/darksite/k8s-images/ |

KVM Commands

| Command | What it does | Example |
|---|---|---|
| kvm-create | Create VM on ZFS zvol | kvm-create --name webserver --ram 4096 --cpus 2 --disk 40G |
| kvm-clone | ZFS instant clone (~100ms) | kvm-clone golden-image my-clone |
| kvm-snap | Atomic ZFS snapshot of a VM | kvm-snap webserver pre-upgrade |
| kvm-list | List all VMs with state and disk usage | kvm-list |
| kvm-delete | Destroy VM + zvol + orphan snapshots | kvm-delete my-clone |
| kvm-demo | Interactive KVM + container demo | kvm-demo |

ZFS Management

| Command | What it does | Example |
|---|---|---|
| kst | System health dashboard | kst |
| ksnap | Smart snapshot manager | ksnap create mysnap |
| kclone | Clone datasets or zvols | kclone rpool/data@snap rpool/data-copy |
| kbe | Boot environment manager | kbe create pre-upgrade |
| kdf | ZFS-aware disk usage | kdf |
| kpkg | Package manager with auto-snapshot | kpkg install nginx |
| kupgrade | Safe OS upgrade with rollback | kupgrade |
| kexport | Export golden images | kexport --format qcow2 --output /tmp/image.qcow2 |
| krecovery | Disaster recovery tools | krecovery |
| kldload-overview | Unified status — ZFS, VMs, K8s, GPU, eBPF | kldload-overview |

Supported distros (8)

| Distro | Status | Notes |
|---|---|---|
| CentOS Stream 9 | Supported | Primary target. RPM darksite. All profiles. |
| Debian 13 (Trixie) | Supported | APT darksite via debootstrap. |
| Ubuntu 24.04 | Supported | APT darksite. Universe component for ZFS. |
| Fedora 41 | Supported | RPM darksite. ZFS DKMS. |
| RHEL 9 | Supported | Shares CentOS RPM darksite. Red Hat CDN for subscription packages. |
| Rocky Linux 9 | Supported | Shares CentOS RPM darksite. |
| Arch Linux | Supported | Online install (rolling release). ZFS on root. |
| Alpine Linux | WIP | Bootstrap exists. End-to-end testing in progress. |
| FreeBSD | New | Native ZFS. WireGuard support. New in 1.0.3. |

Upgrade path

No in-place upgrade from 1.0.2. A fresh install is recommended; migrate data pools with zfs send / zfs receive.

Built by one person who just knows the primitives.

Learn the primitives — they'll outlast any product.