Sovereign Serverless: Implementing FaaS Patterns on K3s Without the Vendor Lock-in
Let’s clear the air: "Serverless" is an operational model, not a product you buy from Seattle. For too long, developers have equated event-driven architecture with a credit card attached to AWS Lambda. The result? Unpredictable billing spikes, cold start latency that kills user experience, and—since July 2020—a massive legal headache regarding data transfer outside the EEA.
If you are a CTO or Lead Architect operating in Norway or the broader EU today, the Schrems II ruling isn't just legal noise; it is an infrastructure constraint. Relying purely on US-owned hyperscalers for processing personal data puts you in the crosshairs of Datatilsynet.
The solution isn't to abandon the agility of Function-as-a-Service (FaaS). The solution is to own the stack. By deploying a lightweight Kubernetes distribution like K3s combined with OpenFaaS on high-performance infrastructure, you gain the developer velocity of serverless with the fixed costs and data sovereignty of a VPS.
The Architecture: Why Bare-Metal Performance Matters
When you run your own FaaS platform, the underlying hardware becomes your bottleneck. In a public cloud, the provider abstracts the noisy neighbor effect (mostly). On your own VPS, you must ensure your I/O throughput can handle thousands of concurrent container spins.
This is where standard spinning rust or shared SATA SSDs fail. For a responsive FaaS architecture, NVMe storage is non-negotiable. When a function triggers, the container runtime needs to pull the image layer and start the process immediately. On CoolVDS NVMe instances, we typically see container start times under 300ms, compared to 1-2 seconds on standard SSD VPS.
Pro Tip: Avoid OpenVZ or LXC containers for this workload. You need genuine kernel isolation to run Kubernetes effectively. CoolVDS uses KVM virtualization, ensuring your K3s control plane has direct access to the kernel resources it needs without fighting the host node.
Step 1: Preparing the Node for High Concurrency
Before installing any orchestration tools, we must tune the Linux kernel. A default Ubuntu 20.04 installation is not optimized for the rapid creation and destruction of network namespaces required by FaaS.
Open /etc/sysctl.conf and add the following configurations. These settings increase the limits for open files and improve packet forwarding efficiency, critical when your ingress controller is hammered by webhooks.
# /etc/sysctl.conf
# Critical for K3s networking
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
# Increase connection tracking for high-load ingress
net.netfilter.nf_conntrack_max = 131072
# Optimize for short-lived connections (common in FaaS)
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 300
fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 1048576Apply these changes immediately:
sudo sysctl -p
Step 2: Lightweight Orchestration with K3s
We don't need the bloat of a full `kubeadm` setup. K3s is a production-ready, lightweight Kubernetes distribution that works perfectly on a single CoolVDS instance (though clustering is easy if you scale later).
Install K3s, disabling the default Traefik controller (we will install a custom ingress later for better control) and using the docker container runtime if you prefer it over containerd, though containerd is standard now.
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--no-deploy traefik" sh -Verify your node is ready. It should take less than 30 seconds to become 'Ready' on a decent connection.
sudo k3s kubectl get node
Step 3: Deploying OpenFaaS
OpenFaaS (Function as a Service) sits on top of Kubernetes. It provides the API gateway, the UI, and the watchdog system that scales your functions from zero. We will use `arkade`, a tool designed to simplify app installation on Kubernetes.
curl -sLS https://get.arkade.dev | sudo sh
Now, install OpenFaaS. This command sets up the gateway, queue worker, and Prometheus for auto-scaling metrics.
arkade install openfaas
Once installed, you need to retrieve your admin password to interact with the gateway. This secret management is built-in.
kubectl get secret -n openfaas basic-auth -o jsonpath="{.data.basic-auth-password}" | base64 --decode; echo
The "Meat": Defining a Function Stack
Here is where the magic happens. Instead of uploading a zip file to a proprietary cloud console, you define your infrastructure as code. Below is a `stack.yml` file for a Python function that processes GDPR deletion requests—a common use case for European businesses.
This stack defines a function that scales automatically based on CPU usage.
provider:
name: openfaas
gateway: http://127.0.0.1:8080
functions:
gdpr-processor:
lang: python3
handler: ./gdpr-processor
image: registry.yourdomain.com/gdpr-processor:latest
labels:
com.openfaas.scale.factor: 20
com.openfaas.scale.min: 1
com.openfaas.scale.max: 15
annotations:
# Essential for production reliability
com.openfaas.health.http.path: /_/health
prometheus.io.scrape: "true"
environment:
# Keep data local to Norway
DB_HOST: "10.42.0.5"
write_debug: true
read_timeout: 10
write_timeout: 10Inside your handler (./gdpr-processor/handler.py), you write standard Python code. No proprietary SDK imports required.
import json
import os
def handle(req):
"""handle a request to the function
Args:
req (str): request body
"""
payload = json.loads(req)
user_id = payload.get("user_id")
# Simulate connecting to a local secured database
# Logic to scrub user data goes here
result = {"status": "processed", "user": user_id, "region": "NO"}
return json.dumps(result)Cost & Performance Analysis
Why go through this trouble? Two reasons: Predictability and Latency.
In a public cloud environment, you pay per invocation. If a script kiddie decides to DDoS your endpoint, your bill explodes. On CoolVDS, you pay a flat monthly rate for the instance. If you hit capacity, you throttle—you don't go bankrupt.
| Feature | Public Cloud FaaS | CoolVDS + OpenFaaS |
|---|---|---|
| Billing Model | Per request / GB-second | Flat Monthly Rate |
| Cold Start | Variable (100ms - 2s) | Consistent (tunable via KeepAlive) |
| Data Location | Opaque (EU-West often implies replication) | Strictly Norway (CoolVDS DC) |
| Timeout Limits | Strict (usually 15m) | Unlimited |
Handling Persistence and State
Functions should be stateless, but your application isn't. Running a database alongside your K3s cluster requires careful I/O management. If you are running MySQL or PostgreSQL on the same node, ensure you bind it to the private network interface to avoid latency from loopback overhead.
Here is an example of optimizing the `my.cnf` for a VPS with 8GB RAM, ensuring the database doesn't get OOM-killed when functions spike:
[mysqld]
# Ensure we leave RAM for the K3s pods
innodb_buffer_pool_size = 4G
innodb_log_file_size = 512M
innodb_flush_log_at_trx_commit = 2 # Faster, slightly less durable
innodb_flush_method = O_DIRECT
max_connections = 200
# Network tuning
bind-address = 0.0.0.0
skip-name-resolveConclusion
Serverless architecture is a powerful paradigm for event-driven systems, but it should not cost you your data sovereignty or your budget stability. By leveraging modern tools like K3s and OpenFaaS on CoolVDS, you reclaim control. You get the developer experience of the cloud with the raw power and legal safety of Norwegian bare-metal.
The next time you architect a solution for a client in Oslo or Bergen, ask yourself: Do they need a bill from Seattle, or do they need a solution that works?
Ready to build? Deploy a high-performance NVMe instance on CoolVDS today and get your private FaaS cluster running in under 10 minutes.