Tools

Tools: Report: Why I Replaced Multipass with OrbStack — And Built a Better Kubernetes Lab on My Mac

2026-05-16 0 views admin
Tools: Report: Why I Replaced Multipass with OrbStack — And Built a Better Kubernetes Lab on My Mac

The Problem With My Old Setup

What is OrbStack?

The Architecture: Two Clusters, One Tool

Cluster 1 — OrbStack Native K8s (Daily Driver)

Cluster 2 — VM kubeadm Cluster (EKS Mirror + CKS Lab)

Apple Silicon Compatibility — M1 vs M4

What You'll Need

The Multipass → OrbStack Migration

What's Coming in This Series Part 1 of 7 — "The Mac Kubernetes Lab: A Production-Mirror Setup from Scratch" Series overview: This 7-part series walks through replacing Multipass with OrbStack on Apple Silicon and building a dual-cluster Kubernetes setup — a native daily driver cluster and a full VM-based EKS mirror with Vault PKI, Istio, and Crossplane. My local Kubernetes setup was embarrassing. At Arkila Systems, I manage EKS clusters with Istio, HashiCorp Vault for secrets, and Crossplane for infrastructure provisioning. My laptop was supposed to reflect some version of that. Instead I had a pile of Multipass VMs that took a full minute to boot, Docker Desktop fighting for memory in the background, and a list of kubectl port-forward commands I'd memorised because there was no other way to reach anything. The specific pain points: I spent a weekend trying OrbStack. I didn't go back. Image: Multipass vs OrbStack — boot time and memory comparison OrbStack is a macOS-native tool that runs Linux virtual machines and Docker containers, built specifically for Apple Silicon. It uses Apple's Virtualization Framework and is written in Swift, Go, Rust, and C — not a port of something designed for x86. The numbers that made me switch: OrbStack also ships a built-in Kubernetes cluster — one command and you have a working cluster with real LoadBalancer IPs and wildcard DNS. No configuration required. 💡 Pricing note: OrbStack is free for personal use — which covers everything in this series. If you're planning to roll it out across an engineering team or use it at work commercially, check orbstack.dev/pricing for current plans. The grey area worth knowing: using it on your personal machine for home labs and side projects is free; using it on a work machine to do your day job is commercial use. For this series — personal lab on your own Mac — it costs you nothing. After a few weeks with OrbStack, I settled on a dual-cluster setup. Two clusters, two purposes. Image: Dual-cluster architecture — OrbStack native K8s (daily driver) + VM kubeadm cluster (EKS mirror) The built-in cluster handles fast iteration work: Switch to it with kubectx orbstack. Services are reachable at *.k8s.orb.local from your browser immediately. Four OrbStack Linux VMs running a real kubeadm-bootstrapped cluster: This is also my CKS exam preparation environment — Pod Security Admission, audit policies, NetworkPolicy, short-lived admin certificates via Vault. I originally built this on an M4 Mac. Everything worked. Then I tried replicating the setup on an M1 Pro. The cluster came up fine, but the CNI never did — and the root cause was not obvious. OrbStack VMs run as unprivileged LXC containers. On M4, iptables NAT table manipulation works fine. On M1 it's restricted — kube-proxy can't write KUBE-SERVICES chains, which means ClusterIP services are unreachable and any CNI plugin that tries to call the API server via ClusterIP fails silently. Calico starts, looks healthy, and then just... doesn't work. Took a while to connect the dots. The fix is Cilium, which uses eBPF-based service routing and completely replaces kube-proxy. We'll cover this properly in Part 4. If you're coming from Multipass, the command mapping is straightforward: Install OrbStack and clean out Multipass: OrbStack auto-installs orb, docker, and kubectl on your PATH. Part 2: Cluster 1 — Your Daily K8s Driver in One Command → Noah Makau is a DevSecOps Engineer, Entrepreneur, and self-described Nerd. He holds CKA, CKAD, AWS Solutions Architect Professional, AWS Solutions Architect Associate, and AWS Cloud Practitioner certifications. He is the founder of Arkila Systems, a DevOps consultancy, where he designs and operates Kubernetes, HashiCorp Vault, Crossplane, and CI/CD pipelines at scale. He is currently preparing for CKS certification. Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Command

Copy

# 💻 Mac — check your chip system_profiler SPHardwareDataType | grep Chip # Check available disk df -h ~ # 💻 Mac — check your chip system_profiler SPHardwareDataType | grep Chip # Check available disk df -h ~ # 💻 Mac — check your chip system_profiler SPHardwareDataType | grep Chip # Check available disk df -h ~ # 💻 Mac -weight: 500;">brew -weight: 500;">install orbstack open -a OrbStack # required once for first-time GUI setup # Remove Multipass -weight: 500;">brew uninstall multipass -weight: 600;">sudo rm -rf /var/root/Library/Application\ Support/multipassd -weight: 600;">sudo rm -rf ~/Library/Application\ Support/multipass # 💻 Mac -weight: 500;">brew -weight: 500;">install orbstack open -a OrbStack # required once for first-time GUI setup # Remove Multipass -weight: 500;">brew uninstall multipass -weight: 600;">sudo rm -rf /var/root/Library/Application\ Support/multipassd -weight: 600;">sudo rm -rf ~/Library/Application\ Support/multipass # 💻 Mac -weight: 500;">brew -weight: 500;">install orbstack open -a OrbStack # required once for first-time GUI setup # Remove Multipass -weight: 500;">brew uninstall multipass -weight: 600;">sudo rm -rf /var/root/Library/Application\ Support/multipassd -weight: 600;">sudo rm -rf ~/Library/Application\ Support/multipass - Multipass VMs boot in 30–60 seconds and pre-allocate memory whether you use it or not - LoadBalancer services need MetalLB or port-forward hacks just to be reachable - Switching between a dev cluster and a production-mirror cluster meant juggling kubeconfigs and hoping nothing crashed overnight - On Apple Silicon, half the tooling had ARM64 quirks that needed a separate debugging session before I could even -weight: 500;">start the actual work - Crossplane compositions and provider development - HashiCorp Vault AppRole workflows - Helm chart testing - Istio Gateway and VirtualService experimentation — though I break this constantly, which is fine - K8s 1.34 — matching our upcoming EKS -weight: 500;">upgrade target at Arkila Systems - Vault PKI as the cluster Certificate Authority - Istio with revision-based upgrades, identical to our EKS approach - Crossplane with AWS provider - Multi-node topology (control plane + 2 workers) mirroring production - Apple Silicon Mac (M1, M2, M3, or M4) - Homebrew installed - At least 16 GB RAM — 8 GB will technically work but you'll feel it when all four VMs are running - About 20 GB free disk space - Part 1 (this article): Why OrbStack, architecture overview, M1 vs M4 - Part 2: Cluster 1 — Native K8s daily driver with Istio, Vault, Crossplane - Part 3: Cluster 2 — VM creation, networking, and Vault PKI bootstrap - Part 4: kubeadm 1.34 — M1 vs M4 CNI deep dive (Calico vs Cilium) - Part 5: Istio revision-based upgrades and MetalLB on the VM cluster - Part 6: Vault K8s auth and Crossplane — mirroring your EKS stack - Part 7: Day 2 operations, CKS lab scenarios, and making it all stick

🏷️ Tags

toolsutilitiessecurity toolsreportreplacedmultipassorbstackbuiltbetterkubernetes

More from Tools

Tools: The 30 Linux Commands I Use Every Day on My VPS (2026)

Tools: The 30 Linux Commands I Use Every Day on My VPS (2026)

2026-05-16 0
Tools: I Published My First npm Package: Here's Everything I Wish I Knew - 2025 Update

Tools: I Published My First npm Package: Here's Everything I Wish I Knew - 2025 Update

2026-05-16 0
Tools: I kept seeing people ask if OpenClaw is secure, but the real email risk is way more boring - Expert Insights

Tools: I kept seeing people ask if OpenClaw is secure, but the real email risk is way more boring - Expert Insights

2026-05-16 0
Tools: Update: Deploying a Node.js App to Production: The 2026 Guide

Tools: Update: Deploying a Node.js App to Production: The 2026 Guide

2026-05-16 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views