oracle cloud free tier k3s kagent

Oracle Cloud Infrastructure (OCI) Free Tier: K3s + Kagent Research

Date: 2026-02-10 Status: Complete deep research Purpose: Evaluate Oracle Cloud Always Free Tier for running K3s with Kagent (19 agents)

Oracle Cloud Always Free Tier Overview
ARM vs x86: Kagent Multi-Arch Support
Free Tier Exact Specifications
K3s on Oracle ARM: Proven Approach
Tailscale on Oracle Cloud
Networking and Firewall Configuration
Region Availability and Capacity Issues
Account Setup: Step by Step
Hetzner Fallback Plan
Risks and Warnings
Feasibility Assessment: 19 Kagent Agents
Recommendation
Sources

1. Oracle Cloud Always Free Tier Overview

What Is It?

Oracle Cloud Infrastructure offers two distinct free programs:

Free Trial (30 days): $300 in credits to use ANY Oracle Cloud service. Expires after 30 days or when credits run out, whichever comes first. After expiry, there is a 30-day grace period to upgrade, or non-free-tier resources are DELETED.
Always Free (forever): A permanent set of resources that never expire, available for the lifetime of the account. These persist even after the Free Trial ends.

What Is the Catch?

Credit card required at signup (verification hold of a few dollars, released in 3-5 days)
Home region is locked at signup and CANNOT be changed afterward
ARM instances are frequently out of capacity in popular regions
Idle instances can be reclaimed if CPU < 20% utilization over 7 days (free tier only)
Upgrading to Pay-As-You-Go removes guardrails -- you CAN be charged for non-free-tier resources if you accidentally provision them
No SLA on Always Free resources

Does It Really Stay Free?

YES, with caveats:

Always Free resources remain free indefinitely on free-tier accounts
If you upgrade to Pay-As-You-Go (PAYG), Always Free resources STILL remain free
HOWEVER, on PAYG the "guardrails" are removed, meaning you COULD accidentally provision paid resources and get charged
Oracle recommends setting a $0.01 budget alert immediately after upgrading to PAYG

Free Trial vs Always Free

Aspect	Free Trial	Always Free
Duration	30 days	Lifetime
Credits	$300	None (specific resources)
Resources	All OCI services	Limited set (see specs)
After expiry	Grace period, then deletion	Continues forever
SLA	No	No
Support	Community only	Community only (PAYG gets tickets)

2. ARM vs x86: Kagent Multi-Arch Support

Confirmed: Kagent Publishes ARM64 Images

The kagent project at ghcr.io/kagent-dev publishes multi-architecture container images supporting:

linux/amd64 (x86_64)
linux/arm64 (aarch64) -- this is what Oracle's Ampere A1 uses

Verified on the kagent/ui package (v0.7.13, latest as of 2026-02-02):

linux/amd64: sha256:9f9a75ae2209bd245589c57019e18ab00644df5a83939259ba4fbb3450ff6065
linux/arm64: sha256:daa3c062d720bb2a61343becf76601a61fee0e60925a7bc32dd7c425b32ac36d

The development docs confirm multi-arch builds using Docker Buildx:

docker buildx create --name kagent-builder-v0.23.0 --platform linux/amd64,linux/arm64

Total downloads across all versions: 1.15M (healthy project adoption).

K3s ARM64 Support

K3s has full ARM64 support and is specifically optimized for ARM architectures. It is a common choice for ARM deployments on Oracle Cloud free tier.

Verdict: ARM64 is fully supported for both K3s and Kagent.

3. Free Tier Exact Specifications

Compute Resources

AMD Micro Instances

Shape: VM.Standard.E2.1.Micro
OCPUs: 1/8 OCPU (burstable)
Memory: 1 GB
Quantity: Up to 2 instances
Networking: Up to 50 Mbps internet bandwidth
Boot Volume: 50 GB default

ARM Ampere A1 Flex Instances (THE GOOD STUFF)

Shape: VM.Standard.A1.Flex
OCPUs: 4 total (flexible allocation across instances)
Memory: 24 GB total (flexible allocation across instances)
Monthly Free: 3,000 OCPU hours + 18,000 GB-hours memory
Quantity: Up to 4 instances (configurable)
Available Images: Oracle Linux, Ubuntu
Processor: Ampere Neoverse-N1 cores (ARM64/aarch64)

You can split the 4 OCPUs and 24 GB across instances however you want:

1 instance: 4 OCPUs, 24 GB RAM
2 instances: 2 OCPUs + 12 GB each
4 instances: 1 OCPU + 6 GB each

Storage

Block Volume: 200 GB total (boot + block combined)
Volume Backups: 5 maximum
Minimum Boot Volume: 47 GB per instance
Object Storage: 20 GB combined (Standard + Infrequent + Archive)
Object Storage API: 50,000 requests/month

Networking

VCNs: Up to 2 Virtual Cloud Networks
Load Balancer: 1 Flexible (10 Mbps bandwidth)
Network Load Balancer: 1 (50 listeners, 512 backends per set)
Site-to-Site VPN: Up to 50 IPSec connections
Outbound Data Transfer: 10 TB/month (generous!)
Inbound: Unlimited and free

Database (Bonus)

2 Autonomous Databases (20 GB each)
1 MySQL HeatWave (50 GB)
3 NoSQL tables (25 GB each)

Observability

10 GB/month logging
500M monitoring ingestion datapoints
1B monitoring retrieval datapoints
1,000 APM tracing events/hour
100 custom dashboards

4. K3s on Oracle ARM: Proven Approach

Has Anyone Done This? YES -- Extensively

This is a well-documented, popular setup. Multiple comprehensive guides and even Terraform automation exist:

Multiple Medium articles with step-by-step guides
GitHub repos with Terraform automation (e.g., garutilorenzo/k3s-oci-cluster, GlorifiedTypist/k3s-oracle-cloud-free-tier)
Community blog posts dating from 2020 to 2025

Recommended Setup: Single Node K3s

For the free tier (4 OCPUs, 24 GB RAM, 200 GB storage), a single-node K3s cluster is the best approach:

# SSH into your ARM instance
ssh -i ~/.ssh/oracle_key ubuntu@<PUBLIC_IP>

# Install K3s (single node, no Traefik -- saves resources)
curl -sfL https://get.k3s.io | sh -s - \
  --disable traefik \
  --disable servicelb \
  --write-kubeconfig-mode 644

Key Gotchas (CRITICAL)

TWO FIREWALLS: Oracle Cloud has TWO layers of firewall:
- OCI Security Lists (cloud level, managed in console)
- iptables on the instance (OS level, managed via SSH) Both MUST allow traffic or connections fail.
Default iptables blocks everything except SSH: Ubuntu images on OCI come with iptables rules that REJECT all traffic except SSH (port 22), ICMP, and NTP. You MUST add rules for K3s ports.
UFW is disabled on purpose: Do NOT enable UFW on OCI Ubuntu instances. Use iptables directly.
Rule insertion order matters: New iptables rules must be inserted BEFORE the default REJECT rule, not appended after it.
NAT/Virtual IP: The public IP is NAT'd, not directly attached. This affects how K3s API server is exposed.
iptables version bugs: On RHEL-like systems, iptables 1.8.4 has bugs. Use --prefer-bundled-bin flag with K3s.

Required iptables Rules

# K3s API server
sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 6443 -j ACCEPT

# Kubelet metrics
sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 10250 -j ACCEPT

# Flannel VXLAN (if using Flannel)
sudo iptables -I INPUT 6 -m state --state NEW -p udp --dport 8472 -j ACCEPT

# NodePort range
sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 30000:32767 -j ACCEPT

# Save rules persistently
sudo apt install iptables-persistent -y
sudo netfilter-persistent save

Required OCI Security List Rules

In the OCI Console, navigate to: Networking > Virtual Cloud Networks > [Your VCN] > Security Lists

Add ingress rules:

TCP 6443 (K3s API) -- from your IP or 0.0.0.0/0
TCP 80, 443 (HTTP/HTTPS) -- if exposing services
TCP 8080, 8083 (kagent-ui, controller) -- from your IP or Tailscale CIDR
UDP 41641 (Tailscale) -- from 0.0.0.0/0

5. Tailscale on Oracle Cloud

Confirmed: Works Great

Tailscale on Oracle Cloud free tier is a well-documented, popular combination. Multiple guides and even Terraform automation exist for this exact setup.

Installation

# Add Tailscale repo and install
curl -fsSL https://tailscale.com/install.sh | sh

# Start Tailscale
sudo tailscale up

# Optional: Enable as exit node
sudo tailscale up --advertise-exit-node

# Optional: Enable subnet routing (for K3s pod/service CIDRs)
sudo tailscale up --advertise-routes=10.42.0.0/16,10.43.0.0/16

Firewall Considerations

OCI Security List: Allow UDP 41641 ingress (Tailscale direct connections)
iptables: Tailscale manages its own iptables rules via the tailscale0 interface
Exit Node caveat: On Ubuntu 24.04, there is a known issue with ip6tables MARK errors (tailscale/tailscale#15549). Use Ubuntu 22.04 if you need exit node functionality.

Benefits for This Setup

With Tailscale installed:

Access K3s API server via Tailscale IP (no need to expose 6443 publicly)
Access kagent-ui (8080) and controller (8083) via Tailscale IP (no public exposure needed)
SSH via Tailscale SSH (no password/key management)
Connect the Oracle instance to your existing Tailnet alongside your NAS

Recommended Approach

Use Tailscale as the ONLY way to access the cluster. Do NOT expose K3s API or kagent ports publicly:

# OCI Security List: Only allow SSH (22) and Tailscale (UDP 41641) from internet
# Everything else accessed via Tailscale IP (100.x.x.x)

6. Networking and Firewall Configuration

Oracle Cloud Network Architecture

Internet
    |
[Internet Gateway]
    |
[Virtual Cloud Network (VCN)]
    |
[Subnet + Security List]  <-- FIRST firewall (OCI level)
    |
[VM Instance]
    |
[iptables/nftables]       <-- SECOND firewall (OS level)
    |
[Your Application]

Default Ports (What Is Open Out of the Box)

OCI Security List defaults:

TCP 22 (SSH) from 0.0.0.0/0 -- ALLOWED
ICMP types 3,4 from 0.0.0.0/0 -- ALLOWED
Everything else -- BLOCKED

Instance iptables defaults (Ubuntu):

RELATED,ESTABLISHED connections -- ALLOWED
ICMP -- ALLOWED
Loopback -- ALLOWED
TCP 22 (SSH) -- ALLOWED
UDP 123 (NTP) -- ALLOWED
Everything else -- REJECTED

Ports You Need to Open

For K3s + Kagent + Tailscale, add these to BOTH Security List AND iptables:

Port	Protocol	Purpose	Open To
22	TCP	SSH	Your IP (or use Tailscale SSH)
6443	TCP	K3s API	Tailscale only (100.x.x.x/8)
8080	TCP	kagent-ui	Tailscale only
8083	TCP	kagent controller	Tailscale only
10250	TCP	Kubelet metrics	localhost / pod CIDR
8472	UDP	Flannel VXLAN	localhost / pod CIDR
41641	UDP	Tailscale	0.0.0.0/0

Blocked Ports

TCP 25 (SMTP): Blocked by default. Requires service request to Oracle to unblock.
All other ports blocked by default in both Security List and iptables.

Complete Firewall Setup Script

# iptables rules for K3s + Tailscale (run on the instance)

# Allow Tailscale UDP
sudo iptables -I INPUT 6 -m state --state NEW -p udp --dport 41641 -j ACCEPT

# Allow K3s API (from Tailscale subnet only)
sudo iptables -I INPUT 6 -m state --state NEW -s 100.64.0.0/10 -p tcp --dport 6443 -j ACCEPT

# Allow kagent-ui (from Tailscale subnet only)
sudo iptables -I INPUT 6 -m state --state NEW -s 100.64.0.0/10 -p tcp --dport 8080 -j ACCEPT

# Allow kagent controller (from Tailscale subnet only)
sudo iptables -I INPUT 6 -m state --state NEW -s 100.64.0.0/10 -p tcp --dport 8083 -j ACCEPT

# Allow K3s internal ports (flannel, kubelet)
sudo iptables -I INPUT 6 -m state --state NEW -p udp --dport 8472 -j ACCEPT
sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 10250 -j ACCEPT

# Allow NodePort range (optional, for services)
sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 30000:32767 -j ACCEPT

# Persist rules
sudo apt install iptables-persistent -y
sudo netfilter-persistent save

7. Region Availability and Capacity Issues

The Biggest Problem: ARM Instances Are Frequently Out of Stock

This is the #1 complaint about Oracle Cloud free tier. Many regions show "Out of host capacity" when trying to create ARM Ampere A1 instances.

Best Regions for ARM Availability (Community Reports)

Region	ARM Availability	Notes
US-East (Ashburn)	Poor-Medium	High demand, frequently out of stock
US-West (San Jose)	Very Poor	Avoid -- consistently worst availability
US-West (Phoenix)	Medium	Better than San Jose
UK South (London)	Good	Reliable for ARM
Australia Southeast (Sydney)	Good	Consistently available
Japan East (Tokyo)	Very Poor	Almost always out of stock
Germany Central (Frankfurt)	Medium	Mixed reports
Canada Southeast (Toronto)	Medium-Good	Reasonable availability

Workaround: The "Out of Capacity" Retry Script

A popular open-source tool (hitrov/oci-arm-host-capacity) automatically retries instance creation:

Polls every 60 seconds
Automatically creates the instance when capacity appears
Available in PHP, Python, Bash, and PowerShell variants
Can take hours, days, or even weeks depending on region

Best Strategy

Choose a less popular region at signup (London, Sydney, or Toronto recommended)
Sign up and immediately try to create the ARM instance
If "out of capacity": use the retry script or try at off-peak hours (early morning UTC)
Upgrading to PAYG reportedly improves instance availability (priority over free-tier-only accounts)

CRITICAL: Home Region Is Permanent

You CANNOT change your home region after account creation. Always Free resources are ONLY available in your home region. Choose wisely.

8. Account Setup: Step by Step

Prerequisites

Valid email address (not previously used for Oracle Cloud)
Credit card or debit card (Visa, Mastercard, Discover, American Express)
Virtual, single-use, and PIN-required debit cards are NOT accepted
Government-issued ID (may be required for identity verification)
Phone number for verification

Step-by-Step Process

Go to: https://www.oracle.com/cloud/free/
Click "Start for Free"
Enter your email and complete CAPTCHA
Verify your email: Oracle sends a verification link (valid 30 minutes)
Set your password: Minimum 8 characters, 1 lowercase, 1 uppercase, 1 numeric, 1 special character
Enter personal information: Name, address, phone number
SELECT YOUR HOME REGION CAREFULLY:
- This is PERMANENT and cannot be changed
- Choose based on ARM availability (see Section 7)
- Recommended: London, Sydney, or Toronto
- Avoid: San Jose, Tokyo
Add payment verification:
- Enter credit/debit card information
- A temporary authorization hold ($1-5) will appear and be released in 3-5 days
- You will NOT be charged unless you explicitly upgrade to PAYG
Accept terms and conditions
Click "Start my free trial"
Wait for provisioning: Your tenancy is created (can take a few minutes)
Access the console: You are redirected to the OCI Console

Immediately After Account Creation

Create the ARM Ampere A1 instance (before capacity runs out)
Generate SSH keys if you have not already
Set up a budget alert ($0.01 threshold) under Cost Management
Do NOT upgrade to PAYG yet unless you need it for ARM availability

9. Hetzner Fallback Plan

If Oracle Does Not Work Out

Hetzner Cloud is the recommended fallback. They offer ARM servers (CAX series) with excellent pricing and guaranteed availability (no capacity issues).

Hetzner ARM (CAX) Pricing

Plan	vCPUs	RAM	Storage	Price/month	Hourly
CAX11	2	4 GB	40 GB	EUR 3.79	EUR 0.0053
CAX21	4	8 GB	80 GB	EUR 6.49	EUR 0.0096
CAX31	8	16 GB	160 GB	EUR 12.49	EUR 0.0192
CAX41	16	32 GB	320 GB	EUR 22.49	EUR 0.0336

All plans include 20 TB traffic.

Comparison: Oracle Free vs Hetzner Paid

Feature	Oracle Free Tier	Hetzner CAX21	Hetzner CAX31
Cost	$0/month	~$7/month	~$13.50/month
vCPUs/OCPUs	4 ARM	4 ARM	8 ARM
RAM	24 GB	8 GB	16 GB
Storage	200 GB	80 GB	160 GB
Bandwidth	10 TB out	20 TB	20 TB
Availability	Uncertain (capacity)	Guaranteed	Guaranteed
SLA	None	Yes	Yes
Support	Community	Ticket system	Ticket system
Idle reclaim	Yes (< 20% CPU)	No	No
Account risk	See Section 10	None	None

Hetzner K3s Ecosystem

Hetzner has excellent K3s tooling:

hetzner-k3s (github.com/vitobotta/hetzner-k3s): Production-ready K3s clusters with one command
Native Hetzner Cloud Controller Manager
CSI driver for Hetzner volumes
Excellent community documentation

Recommendation

Best value if free works: Oracle (24 GB RAM for $0)
Best value if paying: Hetzner CAX31 at EUR 12.49/month (8 vCPU, 16 GB)
Best reliability: Hetzner (guaranteed capacity, no reclamation, proper SLA)

Hetzner Availability

ARM servers available in: Germany (Falkenstein, Nuremberg) and Finland (Helsinki)
No capacity issues reported
Servers provision in under 30 seconds

10. Risks and Warnings

Risk 1: Account Termination (MODERATE)

Multiple users have reported Oracle terminating free tier accounts without warning:

Accounts terminated with all data deleted (reported as recently as May 2025)
Emails state "Cloud Services were purged and all data deleted"
No recovery possible -- data is permanently gone
Reasons often unclear; Oracle support unresponsive for free tier accounts

Mitigation: Keep backups external to Oracle. Never store critical data solely on Oracle free tier.

Risk 2: Idle Instance Reclamation (HIGH for Free Tier)

Oracle WILL reclaim instances if any of these are true during a 7-day period:

CPU utilization (95th percentile) < 20%
Network utilization < 20%
Memory utilization < 20% (A1 shapes only)

Running K3s + Kagent with active agents should naturally keep CPU above 20%. However, if the cluster is idle (no agent tasks running), it could be reclaimed.

Workarounds:

Upgrade to PAYG (recommended): Reclamation policy does NOT apply to PAYG accounts. Always Free resources remain free.
NeverIdle tool: Keeps artificial CPU load above threshold (hacky but works)
lookbusy tool: Simulates 5-20% CPU usage on a curve
stress-ng: Command-line stress tool managed via supervisord

Recommended: Upgrade to PAYG with a $0.01 budget alert. This eliminates reclamation risk entirely.

Risk 3: Unexpected Charges (MODERATE if on PAYG)

Documented cases:

Users charged after changing payment methods on free tier
Compute instances selected that were NOT free tier shapes, resulting in ~EUR 60/month charges
Block storage charges for resources created outside home region
Charges continuing months after stopping (not terminating) instances

Mitigation:

Set up a $0.01 budget alert IMMEDIATELY after upgrading to PAYG
Only provision VM.Standard.A1.Flex and VM.Standard.E2.1.Micro shapes
Only create resources in your HOME REGION
TERMINATE (not stop) instances you do not need
Review billing dashboard weekly

Risk 4: ARM Capacity Unavailable (HIGH)

Popular regions frequently have zero ARM capacity
Can take days or weeks to get an ARM instance
No guarantee you will ever get one in some regions
Home region cannot be changed

Mitigation: Choose less popular region at signup. Use retry script. Upgrade to PAYG for priority.

Risk 5: Oracle Free Tier Policy Changes (LOW)

Oracle has maintained the Always Free tier since 2019. However:

Terms of service allow Oracle to modify or discontinue free services
No contractual obligation to maintain free tier
Past changes include adding idle reclamation policy (2022-2023)

11. Feasibility Assessment: 19 Kagent Agents

Kagent Resource Requirements (Per Component)

From the kagent Helm chart values.yaml:

Component	CPU Request	CPU Limit	Memory Request	Memory Limit
Controller	100m	2000m	128 Mi	512 Mi
UI	100m	1000m	256 Mi	1 Gi
Each Agent	100m	1000m	256 Mi	1 Gi
Grafana MCP	100m	500m	128 Mi	512 Mi
QueryDoc	100m	500m	128 Mi	512 Mi

Resource Calculation for 19 Agents

Minimum (requests only):

Controller: 100m CPU, 128 Mi RAM
UI: 100m CPU, 256 Mi RAM
19 Agents: 19 x 100m = 1900m CPU, 19 x 256 Mi = 4864 Mi RAM
K3s system overhead: ~500m CPU, ~512 Mi RAM
Total minimum: ~2600m CPU (~2.6 cores), ~5760 Mi RAM (~5.6 GB)

Realistic (with some headroom):

Controller: 200m CPU, 256 Mi RAM
UI: 200m CPU, 512 Mi RAM
19 Agents: 19 x 200m = 3800m CPU, 19 x 512 Mi = 9728 Mi RAM
K3s system overhead: ~500m CPU, ~1 Gi RAM
Tailscale: ~50m CPU, ~128 Mi RAM
Total realistic: ~4750m CPU (~4.75 cores), ~11.6 GB RAM

Maximum (if all agents hit limits simultaneously):

This is unlikely but: 19 x 1000m + 2000m + 1000m = 22 cores CPU -- exceeds 4 OCPUs
Memory: 19 x 1 Gi + 512 Mi + 1 Gi + overhead = ~21.5 GB

Oracle Free Tier Capacity: 4 OCPUs, 24 GB RAM

Scenario	CPU Fit?	RAM Fit?	Verdict
Minimum requests	YES (2.6/4 cores)	YES (5.6/24 GB)	Fits easily
Realistic usage	TIGHT (4.75/4 cores)	YES (11.6/24 GB)	CPU constrained
All agents active	NO (22/4 cores)	YES (21.5/24 GB)	CPU way over

Verdict: FEASIBLE with Caveats

RAM is not the problem: 24 GB is generous. Even 19 agents fit comfortably.
CPU is the bottleneck: 4 OCPUs is tight if many agents run simultaneously.
Key insight: Kagent agents are not all active simultaneously. They respond to tasks/events. Most of the time, agents are idle (just watching CRDs). CPU spikes happen during task execution.
Reality: 19 agents DEPLOYED is fine. 19 agents EXECUTING TASKS SIMULTANEOUSLY would exceed CPU. This is acceptable for a development/staging environment.

Optimization Tips

Lower CPU requests to 50m per agent (agents are mostly idle)
Use --profile minimal to skip pre-loaded agents you do not need
Disable Traefik and ServiceLB in K3s (saves ~200m CPU, 256 Mi RAM)
Monitor with kubectl top pods and adjust limits based on actual usage

12. Recommendation

Primary Plan: Oracle Cloud Free Tier

Sign up with London (UK South) or Sydney (Australia Southeast) as home region
Create a single ARM A1 instance: 4 OCPUs, 24 GB RAM, 200 GB boot volume
Install Ubuntu 22.04 (NOT 24.04 due to Tailscale exit node bug)
Install K3s single-node with Traefik and ServiceLB disabled
Install Tailscale for secure access from your Tailnet
Install Kagent via Helm with reduced resource requests
Upgrade to PAYG immediately with a $0.01 budget alert (prevents idle reclamation)
Keep external backups of all cluster state (etcd snapshots, manifests)

Fallback Plan: Hetzner CAX31

If Oracle free tier does not work (capacity issues, account problems):

Provision a Hetzner CAX31 (8 vCPU ARM, 16 GB RAM, 160 GB SSD) for EUR 12.49/month
Same K3s + Tailscale + Kagent setup
More CPU (8 vs 4), less RAM (16 vs 24 GB), but still sufficient
Guaranteed availability, proper SLA, no reclamation risk

Timeline Estimate

Step	Time
Account signup	15 minutes
Wait for ARM capacity	0 minutes to 2+ weeks
VM provisioning	5 minutes
K3s installation	10 minutes
Tailscale setup	5 minutes
Firewall configuration	15 minutes
Kagent Helm install	10 minutes
Agent configuration	30-60 minutes
Total (if capacity available)	~2 hours