diff --git a/metal/main.yml b/metal/main.yml
index 4bc6a240..d0162afb 100644
--- a/metal/main.yml
+++ b/metal/main.yml
@@ -8,3 +8,8 @@
 gather_facts: no
 roles:
 - wake
+
+- name: Create Kubernetes cluster
+ hosts: metal
+ roles:
+ - k3s
diff --git a/metal/roles/k3s/defaults/main.yml b/metal/roles/k3s/defaults/main.yml
new file mode 100644
index 00000000..1d911c20
--- /dev/null
+++ b/metal/roles/k3s/defaults/main.yml
@@ -0,0 +1,4 @@
+k3s_version: v1.21.4+k3s1
+k3s_config_file: /etc/rancher/k3s/config.yaml
+k3s_token_file: /etc/rancher/node/password
+k3s_service_file: /etc/systemd/system/k3s.service
diff --git a/metal/roles/k3s/tasks/main.yml b/metal/roles/k3s/tasks/main.yml
new file mode 100644
index 00000000..04f9b474
--- /dev/null
+++ b/metal/roles/k3s/tasks/main.yml
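Review bot: `k3s_token_file` defaults to `/etc/rancher/node/password`, which, as far as I know, is the path k3s itself uses for each node's own registration password, so writing one shared value there mixes the per-node secret with the cluster join token. A separate file that k3s does not manage would keep the two apart, for example `k3s_token_file: /etc/rancher/k3s/cluster-token` (constructed path), passed to k3s through its `token-file` option. Whether k3s later overwrites or rejects the shared value cannot be told from this diff.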
@@ -0,0 +1,68 @@
+- name: Download k3s binary
+ get_url:
+ url: https://github.com/k3s-io/k3s/releases/download/{{ k3s_version }}/k3s
+ checksum: sha256:https://github.com/k3s-io/k3s/releases/download/{{ k3s_version }}/sha256sum-amd64.txt
+ dest: /usr/local/bin/k3s
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Ensure config directories exist
+ file:
+ path: "{{ item }}"
+ state: directory
+ loop:
+ - /etc/rancher/k3s
+ - /etc/rancher/node
+
+- name: Check if k3s token file exists on the first node
+ run_once: yes
+ stat:
+ path: "{{ k3s_token_file }}"
+ register: k3s_token_file_stat
+
+- name: Generate k3s token file on the first node if not exist yet
+ run_once: yes
+ when: not k3s_token_file_stat.stat.exists
+ copy:
+ content: lookup('community.general.random_string', length=32)
+ dest: "{{ k3s_token_file }}"
+
+- name: Get k3s token from the first node
+ run_once: yes
+ slurp:
+ src: "{{ k3s_token_file }}"
+ register: k3s_token_base64
+
+- name: Ensure all nodes has the same token
+ copy:
+ content: "{{ k3s_token_base64.content | b64decode }}"
+ dest: "{{ k3s_token_file }}"
+
+- name: Copy k3s config files to master nodes
+ when: "'masters' in group_names"
+ template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ vars:
+ node_role: server
+ loop:
+ - src: config.yaml.j2
+ dest: "{{ k3s_config_file }}"
+ - src: k3s.service.j2
+ dest: "{{ k3s_service_file }}"
+
+- name: Copy k3s config files to worker nodes
+ when: "'workers' in group_names"
+ template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ vars:
+ node_role: agent
+ loop:
+ - src: config.yaml.j2
+ dest: "{{ k3s_config_file }}"
+ - src: k3s.service.j2
+ dest: "{{ k3s_service_file }}"
+
+# Get kubeconfig /etc/rancher/k3s/k3s.yaml
diff --git a/metal/roles/k3s/templates/config.yaml.j2 b/metal/roles/k3s/templates/config.yaml.j2
new file mode 100644
index 00000000..eda6f511
--- /dev/null
+++ b/metal/roles/k3s/templates/config.yaml.j2
@@ -0,0 +1 @@
+{{ node_role }}
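Review bot: In "Generate k3s token file on the first node if not exist yet" the `content:` value is not a Jinja expression, so the literal text `lookup('community.general.random_string', length=32)` is written to the token file and every cluster built from this role shares the same publicly known secret; it should be `content: "{{ lookup('community.general.random_string', length=32) }}"`. Both `copy` tasks that write `{{ k3s_token_file }}` also leave ownership and permissions to the defaults, so add `owner: root`, `group: root` and `mode: "0600"`, and set `no_log: true` on them and on the `slurp` task so the token does not reach task output or diffs. On the download task, `mode: 0755` is safer quoted as `mode: "0755"`. The checksum is fetched from the same release URL as the binary, so it catches a corrupted download but not a replaced release asset; pinning the expected hash next to `k3s_version` would cover that.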
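Review bot: The template renders only `server` or `agent`, a bare scalar rather than the key/value mapping that k3s, as far as I know, expects in its config file, and the role is already passed on the `ExecStart` line of `k3s.service.j2`. Nothing in this diff hands the generated token or the server address to k3s either. The file would more usefully carry entries such as `token-file: {{ k3s_token_file }}` and, on agents, `server: <SERVER_URL>` (placeholder).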
diff --git a/metal/roles/k3s/templates/k3s.service.j2 b/metal/roles/k3s/templates/k3s.service.j2
new file mode 100644
index 00000000..9fb43616
--- /dev/null
+++ b/metal/roles/k3s/templates/k3s.service.j2
@@ -0,0 +1,24 @@
+[Unit]
+Description=Lightweight Kubernetes
+Documentation=https://k3s.io
+After=network-online.target
+
+[Service]
+Type=notify
+ExecStartPre=-/sbin/modprobe br_netfilter
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart=/usr/local/bin/k3s {{ node_role }}
+KillMode=process
+Delegate=yes
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=1048576
+LimitNPROC=infinity
+LimitCORE=infinity
+TasksMax=infinity
+TimeoutStartSec=0
+Restart=always
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
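Review bot: `After=network-online.target` only orders the unit and does not pull the target in, so on a host where nothing else wants that target k3s can start before the network is up; add `Wants=network-online.target` to `[Unit]`. No task in this diff reloads systemd or enables and starts the unit, so the rendered file has no effect until a step such as a `systemd` task with `daemon_reload: true`, `enabled: true` and `state: started` is added to the role.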