v0.12.0-beta.1

[smira]

Talos 0.12.0-beta.1 (2021-08-23)

Welcome to the v0.12.0-beta.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/talos-systems/talos/issues.

Support for Self-hosted Control Plane Dropped

Note: This item only applies to clusters bootstrapped with Talos <= 0.8.

Talos 0.12 completely removes support for self-hosted Kubernetes control plane (bootkube-based).
Talos 0.9 introduced support for Talos-managed control plane and provided migration path to convert self-hosted control plane
to Talos-managed static pods.
Automated and manual conversion process is available in Talos from 0.9.x to 0.11.x.
For clusters bootstrapped with bootkube (Talos <= 0.8), please make sure control plane is converted to Talos-managed
before upgrading to Talos 0.12.
Current control plane status can be checked with talosctl get bootstrapstatus before performing upgrade to Talos 0.12.

Cluster API v0.3.x

Cluster API v0.3.x (v1alpha3) is not compatible with Kubernetes 1.22 used by default in Talos 0.12.
Talos can be configued to use Kubernetes 1.21 or CAPI v0.4.x components can be used instead.

Machine Config Validation

Unknown keys in the machine config now make the config invalid,
so any attempt to apply/edit the configuration with the unknown keys will lead into an error.

Sysctl Configuration

Sysctl Kernel Params configuration was completely rewritten to be based on controllers and resources,
which makes it possible to apply .machine.sysctls in immediate mode (without a reboot).
talosctl get kernelparams returns merged list of KSPP, Kubernetes and user defined params along with
the default values overwritten by Talos.

Equinix Metal

Added support for Equinix Metal IPs for the Talos virtual (shared) IP (option equnixMetal under vip in the machine configuration).
Talos automatically re-assigns IP using the Equinix Metal API when leadership changes.

etcd

New etcd cluster members are now joined in learner mode, which improves cluster resiliency
to member join issues.

Join Node Type

Node type join was renamed to worker for clarity. The old value is still accepted in the machine configuration but deprecated.
talosctl gen config now generates worker.yaml instead of join.yaml.

Networking

• multiple static addresses can be specified for the interface with new .addresses field (old .cidr field is deprecated now)
• static addresses can be set on interfaces configured with DHCP

Performance

• machined uses less memory and CPU time
• more disk encryption options are exposed via the machine configuration
• disk partitions are now aligned properly with minimum I/O size
• Talos system processes are moved under proper cgroups, resource metrics are now available via the kubelet
• OOM score is set on the system processes making sure they are killed last under memory pressure

Security

• etcd PKI moved to /system/secrets
• kubelet bootstrap CSR auto-signing scoped to kubelet bootstrap tokens only
• enforce default seccomp profile on all system containers
• run system services apid, trustd, and etcd as non-root users

Component Updates

• Linux: 5.10.58
• Kubernetes: 1.22.1
• containerd: 1.5.5
• runc: 1.0.1
• GRUB: 2.06
• Talos is built with Go 1.16.7

Kubernetes Upgrade

talosctl upgrade-k8s now checks if cluster has any resources which are going to be removed or migrated to the new version after upgrade
and shows that as a warning before the upgrade.
Additionally, upgrade-k8s command now has --dry-run flag that only prints out warnings and upgrade summary.

Contributors

• Andrey Smirnov
• Andrey Smirnov
• Alexey Palazhchenko
• Serge Logvinov
• Artem Chernyshev
• Spencer Smith
• Artem Chernyshev
• Alexey Palazhchenko
• dependabot[bot]
• Andrew Rynhard
• Noel Georgi
• Rui Lopes
• Caleb Woodbine
• Seán C McCord

Changes

127 commits

• 30e1ff614 release(v0.12.0-beta.1): prepare release
• 7630d998f chore: don't require single commit per PR
• 208ac9ac4 feat: update Kubernetes to 1.22.1
• e84e2902c fix: don't support cgroups nesting in process runner
• 2cf53fb34 fix: do not set KSPP kernel params in container mode
• 1908f57c6 test: adapt tests to the cgroupsv2
• 4bb84ea0c fix: extramount should have yaml:",inline" tag
• e948560be fix: don't panic if the machine config doesn't have network (EM)
• a5726f2e6 chore: do not check that go mod tidy gives empty output
• 67494923b fix: make sure file mode is same (reproducibility issue)
• 65292880a feat: check if cluster has deprecated resources versions
• 7a0eb5fa2 release(v0.12.0-beta.0): prepare release
• c601dc73f chore: update versions to final release tags
• 82731124b chore: run e2e-qemu test against Talos with race-detector enabled
• 37ea2c9ca feat: support for route source addresses in the configuration
• 0ef8f83ac chore: bump dependencies via dependabot
• 2108fd7b6 feat: update Linux to 5.10.58 and many pkgs updates
• 6ee690d9a release(v0.12.0-alpha.1): prepare release
• 1ed5e5453 feat: add ClusterID and ClusterSecret
• 228b37616 chore: run etcd as non-root user
• 3518219bf chore: drop deprecated --no-reboot param and KernelCurrentRoot const
• 33d1c3e42 chore: run apid and trustd services as non-root user
• dadaa65d5 feat: print uid/gid for the files in ls -l
• e6fa401b6 fix: enable seccomp default profile by default
• 8ddbcc964 feat: validate if extra fields present in the decoder
• 5b57a9800 chore: update Go to 1.16.7, Linux to 5.10.57
• eefe1c21c feat: add new etcd members in learner mode
• b1c66fbad feat: implement Equinix Metal support for virtual (shared) IP
• 62242f979 chore: require GPG signatures
• faecae44f feat: make ISO builds reproducible
• 887c2326a release(v0.12.0-alpha.0): prepare release
• a15f01844 fix: move etcd PKI under /system/secrets
• eb02afe18 fix: match correctly routes on the address family
• cb948accf feat: allow multiple addresses per interface
• e030b2e8b chore: use k8s 1.21.3 in CAPI tests for now
• e08b4f8f9 feat: implement sysctl controllers
• fdf6b2433 chore: revert "improve artifacts generation reproducibility"
• b68ed1eb8 fix: make route resources ID match closer routing table primary key
• 585f63371 fix: correctly handle nodoc for struct fields
• f2d394dc4 docs: add AMIs for v0.11.5
• d0970cbfd feat: bootstrap token limit
• 5285a46d7 fix: maintenance mode reason message
• 009d15e8d chore: use etcd client TryLock function on upgrade
• 4dae9ea55 chore: use vtprotobuf compiled marshaling in Talos API
• 7ca5749ad chore: bump dependencies via dependabot
• b2507b41d chore: improve artifacts generation reproducibility
• 1f7dad234 chore: update PKGS version (512 cpus, new ca-certficates)
• 1a2e78a24 fix: update go-blockdevice
• 6d6ed1170 chore: use parallel xz with higher compression level
• 571f7db1b chore: workaround GitHub new release notes limit
• 09d70b7ea feat: update Kubernetes to v1.22.0
• f25f10e73 feat: add an option to disable PSP
• 7c6e4cf23 feat: allow both DHCP and static addressing for the interface
• 3c566dbc3 fix: remove admission plugins enabled by default from the list
• 69ead3735 fix: preserve PMBR bootable flag correctly
• dee630517 fix: align partitions with minimal I/O size
• 628902297 feat: update GRUB to 2.06
• b9d04928d feat: move system processes to cgroups
• 0b8681b4b fix: resolve several issues with Wireguard link specs
• f8f4bf3ba docs: add disk encryptions examples
• 79b8fa64b feat: update containerd to 1.5.5
• 539f42090 chore: bump dependencies via dependabot
• 0c7ce1cd8 feat: remove remnants of bootkube support
• d4f9804f8 chore: fix typos
• 5f027615f feat: expose more encryption options to the machine config
• 585152a0b chore: bump dependencies
• fc66ec596 feat: set oom score for main processes
• df54584a3 fix: drop linux capabilities
• f65d0b739 docs: add 0.11.3 AMIs
• 7332d6369 fix: bump pkgs for new kernel 5.10.52
• 70d2505b7 fix: do not require ToVersion to be set when detecting version
• 0953b1998 chore: update extras to bring a new CNI bundle
• b6c47f866 fix: set the /etc/os-release HOME_URL parameter
• c780821d0 feat: update containerd to 1.5.3, runc to 1.0.1
• f8f1c83a7 feat: detect the lowest Kubernetes version in upgrade-k8s CLI command
• 55e17ccdd chore: bump dependencies
• da6f786ca fix: kuberentes => kubernetes typo
• 2e463348b fix: pass all logs through the options.Log method
• 4e9c5afb6 fix: make ethtool optional in link status controller
• bf61c2cc4 fix: write upgrade logs only to the LogOutput if it's defined
• 9c73257cb feat: update Go to 1.16.6
• 23ef1d40a chore: add ability to redirect talos upgrade module logs to io.Writer
• 33e9d6c98 chore: bump github.com/aws/aws-sdk-go in /hack/cloud-image-uploader
• 604434c43 chore: bump github.com/prometheus/procfs from 0.6.0 to 0.7.0
• 2ea28f62d chore: bump node from 16.3.0-alpine to 16.4.2-alpine
• b358a189b fix: correctly pick route scope for link-local destination
• 6848d4314 feat: can change clusterdns ip lists
• 72b76abfd fix: workaround issues when IPv6 is fully or partially disabled
• 679b08f4f docs: update docs for 0.12
• 6fbec9e0c fix: cache etcd client used for healthchecks
• eea750de2 chore: rename "join" type to "worker"
• 951493ac8 docs: update what's new for Talos 0.11
• b47d1098b docs: promote 0.11 docs to be the latest
• d930a2650 chore: implement DeepCopy for machine configuration
• fe4ed3c73 chore: ignore tags which don't look like semantic version
• b969e7720 chore: update references to old protobuf package
• 2ba8ac9ab docs: add documentation directory for 0.12
• 011e2885e fix: validate bond slaves addressing
• 10c28758a fix: ignore DeadlineExceeded error correctly on bootstrap
• 77fabacec chore: ignore future pkg/machinery/vX.Y.Z tags
• 6b661114d fix: make COSI runtime history depth smaller
• 9bf899bdd fix: make forfeit leadership connect to the right node
• 4708beaee feat: implement talosctl config info command
• 6d13d2cf9 fix: close Kubernetes API client
• aaa36f3b4 fix: ignore 'not a leader' error on forfeit leadership
• 22a419367 fix: workaround 'Unauthorized' errors when accessing Kubernetes API
• 71c6f7004 chore: bump go.mod dependencies
• 915cd8fe2 docs: add guide for RBAC
• f5721050d fix: controlplane keyusage
• 3d7726613 fix: fill uuid argument correctly in the config download URL
• d8602025c chore: update containerd config version 2
• 5949ec4e6 docs: describe the new network configuration subsystem
• 444d72b4d feat: update pkgs version
• e883c12b3 fix: make output of upgrade-k8s command less scary
• 7f8e50de4 fix: restart the merge controllers on conflict
• 60d736094 fix: ignore deadline exceeded errors on bootstrap
• ee06dd69f fix: don't print git sha of the release twice in the dashboard
• 07fb61e5d fix: issue worker apid certs properly on renewal
• 84817f733 chore: bump Talos version in upgrade tests
• 2fa54107b chore: fix tests for disabled RBAC
• 78583ba98 fix: don't set bond delay options if miimon is not enabled
• bbf1c091d feat: add RBAC to talosctl version output
• 5f6ec3ef6 fix: handle cases when merged resource re-appears before being destroyed
• 1e9a0e745 fix: documentation typos
• f228af406 chore: bump go.mod dependencies
• 2060ceaa0 chore: add CAPI version to CI setup
• ad047a7de chore: small RBAC improvements

Changes since v0.12.0-beta.0

11 commits

• 30e1ff614 release(v0.12.0-beta.1): prepare release
• 7630d998f chore: don't require single commit per PR
• 208ac9ac4 feat: update Kubernetes to 1.22.1
• e84e2902c fix: don't support cgroups nesting in process runner
• 2cf53fb34 fix: do not set KSPP kernel params in container mode
• 1908f57c6 test: adapt tests to the cgroupsv2
• 4bb84ea0c fix: extramount should have yaml:",inline" tag
• e948560be fix: don't panic if the machine config doesn't have network (EM)
• a5726f2e6 chore: do not check that go mod tidy gives empty output
• 67494923b fix: make sure file mode is same (reproducibility issue)
• 65292880a feat: check if cluster has deprecated resources versions

Changes from talos-systems/crypto

1 commit

• siderolabs/crypto@deec8d4 chore: implement DeepCopy methods for PEMEncoded* types

Changes from talos-systems/extras

4 commits

• siderolabs/extras@bdd1767 chore: update tools and pkgs to final 0.7.0
• siderolabs/extras@8ce17e5 chore: bump tools and packages for Go 1.16.7
• siderolabs/extras@4957f3c chore: update pkgs to use CNI plugins v0.9.1
• siderolabs/extras@233716a feat: update Go to 1.16.6

Changes from talos-systems/go-blockdevice

4 commits

• siderolabs/go-blockdevice@fe24303 fix: perform correct PMBR partition calculations
• siderolabs/go-blockdevice@2ec0c3c fix: preserve the PMBR bootable flag when opening GPT partition
• siderolabs/go-blockdevice@87816a8 feat: align partition to minimum I/O size
• siderolabs/go-blockdevice@c34b59f feat: expose more encryption options in the LUKS module

Changes from talos-systems/pkgs

26 commits

• siderolabs/pkgs@818761f chore: update tools to 0.7.0
• siderolabs/pkgs@35b7e68 feat: bump u-boot to 2021.07
• siderolabs/pkgs@c68b090 feat: bump raspberrypi-firmware to 1.20210805
• siderolabs/pkgs@f64023c feat: bump util-linux to 2.37
• siderolabs/pkgs@c0ef725 feat: update LibreSSL to 3.2.5
• siderolabs/pkgs@0d12460 feat: update linux-firmware to 20210716
• siderolabs/pkgs@7a29722 fix: set iPXE version properly
• siderolabs/pkgs@958023c feat: update eudev to 3.2.10
• siderolabs/pkgs@dc1008d feat: update Linux to 5.10.58
• siderolabs/pkgs@da4ac04 chore: bump tools for Go 1.16.7
• siderolabs/pkgs@10275fb feat: update Linux to 5.10.57
• siderolabs/pkgs@875c7ec chore: patch grub with support for reproducible ISO builds
• siderolabs/pkgs@12856ce feat: increase number of CPUs supported by the kernel to 512
• siderolabs/pkgs@cbfabac chore: update ca-certificates to 2021-07-05
• siderolabs/pkgs@0c011c0 feat: update GRUB to 2.06
• siderolabs/pkgs@5090d14 chore: update containerd to v1.5.5
• siderolabs/pkgs@6653902 feat: add kernel drivers for fusion and scsi-isci
• siderolabs/pkgs@9b4041f chore: update containerd to v1.5.4
• siderolabs/pkgs@7b6cc05 feat: update kernel to latest 5.10.52
• siderolabs/pkgs@65159fb chore: update runc and CNI plugins
• siderolabs/pkgs@514ba34 feat: disable aufs, devmapper, zfs
• siderolabs/pkgs@6bc118f chore: update runc and containerd
• siderolabs/pkgs@b6fca88 feat: update Go to 1.16.6
• siderolabs/pkgs@fd56852 chore: update open-isns and open-iscsi
• siderolabs/pkgs@d779204 chore: update dosfstools to v4.2
• siderolabs/pkgs@bc7c0d7 feat: add support for hotplug of PCIE devices

Changes from talos-systems/tools

5 commits

• siderolabs/tools@2368154 feat: update Go and protoc-gen-go tools
• siderolabs/tools@7172a5d feat: update Go to 1.16.6
• siderolabs/tools@1de34d7 chore: update musl
• siderolabs/tools@76979a1 chore: update protobuf deps
• siderolabs/tools@0846c64 chore: update expat

Dependency Changes

• github.com/BurntSushi/toml v0.3.1 -> v0.4.1
• github.com/aws/aws-sdk-go v1.38.66 -> v1.40.2
• github.com/containerd/containerd v1.5.2 -> v1.5.5
• github.com/cosi-project/runtime 93ead370bf57 -> 25f235cd0682
• github.com/docker/docker v20.10.7 -> v20.10.8
• github.com/google/uuid v1.2.0 -> v1.3.0
• github.com/hashicorp/go-getter v1.5.4 -> v1.5.7
• github.com/opencontainers/runtime-spec e6143ca7d51d -> 1c3f411f0417
• github.com/packethost/packngo v0.19.0 new
• github.com/prometheus/procfs v0.6.0 -> v0.7.2
• github.com/rivo/tview d4fb0348227b -> 29d673af0ce2
• github.com/spf13/cobra v1.1.3 -> v1.2.1
• github.com/talos-systems/crypto v0.3.1 -> v0.3.2
• github.com/talos-systems/extras v0.4.0 -> v0.5.0
• github.com/talos-systems/go-blockdevice v0.2.1 -> v0.2.3
• github.com/talos-systems/pkgs v0.6.0-1-g7b2e126 -> v0.7.0
• github.com/talos-systems/tools v0.6.0 -> v0.7.0
• github.com/vmware-tanzu/sonobuoy v0.52.0 -> v0.53.1
• go.uber.org/zap v1.17.0 -> v1.19.0
• golang.org/x/net 04defd469f4e -> 853a461950ff
• golang.org/x/sys 59db8d763f22 -> 0f9fa26af87c
• golang.org/x/time 38a9dc6acbc6 -> 1f47c861a9ac
• google.golang.org/grpc v1.38.0 -> v1.40.0
• google.golang.org/protobuf v1.26.0 -> v1.27.1
• inet.af/netaddr bf05d8b52dda -> ce7a8ad02cc1
• k8s.io/api v0.21.2 -> v0.22.1
• k8s.io/apimachinery v0.21.2 -> v0.22.1
• k8s.io/apiserver v0.21.2 -> v0.22.1
• k8s.io/client-go v0.21.2 -> v0.22.1
• k8s.io/cri-api v0.21.2 -> v0.22.1
• k8s.io/kubectl v0.21.2 -> v0.22.1
• k8s.io/kubelet v0.21.2 -> v0.22.1

Previous release can be found at v0.11.0

Images

quay.io/coreos/flannel:v0.13.0
ghcr.io/talos-systems/install-cni:v0.5.0
docker.io/coredns/coredns:1.8.4
gcr.io/etcd-development/etcd:v3.4.16
k8s.gcr.io/kube-apiserver:v1.22.1
k8s.gcr.io/kube-controller-manager:v1.22.1
k8s.gcr.io/kube-scheduler:v1.22.1
k8s.gcr.io/kube-proxy:v1.22.1
ghcr.io/talos-systems/kubelet:v1.22.1
ghcr.io/talos-systems/installer:v0.12.0-beta.1
k8s.gcr.io/pause:3.2

---

This discussion was created from the release v0.12.0-beta.1.