You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This feature introduces a new custom resource definition, serviceaccounts.talos.dev.
Creating custom resources of this type will provide credentials to access Talos API from within Kubernetes.
The new CLI subcommand talosctl inject serviceaccount can be used to configure Kubernetes manifests with Talos service accounts as below:
The advertisedSubnets setting is used to control which subnet is used for etcd peer communication, it will be advertised
by each peer for other peers to connect to. If advertiseSubnets is set, listenSubnets defaults to the same value, so that etcd only listens on the same subnet as it advertises. Additional subnets can be configured in listenSubnets if needed.
Default behavior hasn't changed - if the advertisedSubnets is not set, Talos picks up the first available network address as
advertised address and etcd is configured to listen on all interfaces.
Note: most of the etcd configuration changes are accepted on the fly, but they are fully applied only after reboot.
Generating Talos secrets from PKI directory
It is now possible to generate a secrets bundle from a Kubernetes PKI directory (e.g. /etc/kubernetes/pki).
You can also specify a bootstrap token to be used in the secrets bundle.
This secrets bundle can then be used to generate a machine config.
This facilitates migrating clusters (e.g. created using kubeadm) to Talos.
talosctl gen secrets --kubernetes-bootstrap-token znzio1.1ifu15frz7jd59pv --from-kubernetes-pki /etc/kubernetes/pki
talosctl gen config --with-secrets secrets.yaml my-cluster https://172.20.0.1:6443
Kubernetes ControlPlane Components
Talos now run all Kubernetes Control Plane Components with the CRI default Seccomp Profile and other recommendations as described in KEP-2568.
Kubelet Default Runtime Seccomp Profile
Talos now runs Kubelet with the CRI default Seccomp Profile enabled.
This can be disabled by setting .machine.kubelet.defaultRuntimeSeccompProfileEnabled to false.
This is not enabled automatically on upgrades, so upgrading to Talos v1.2 needs this to be explicitly enabled.
Kubernetes Control Plane labels and taints
Talos now defaults to node-role.kubernetes.io/control-plane label/taint.
On upgrades Talos now removes the node-role.kubernetes.io/master label/taint on control-plane nodes and replaces it with the node-role.kubernetes.io/control-plane label/taint.
Workloads that tolerate the old taints or having node selectors with the old labels will need to be updated.
Kubernetes Discovery Backend
Kubernetes cluster discovery backend is now disabled by default for new clusters.
This backend doesn't provide any benefits over the Discovery Service based backend, while it
causes issues for KubeSpan enabled clusters when control plane endpoint is KubeSpan-routed.
For air-gapped installations when the Discovery Service is not enabled, Kubernetes Discovery Backend can be enabled by applying
the following machine configuration patch:
KubeSpan no longer by default advertises Kubernetes pod networks of the node over KubeSpan.
This means that CNI should handle encapsulation of pod-to-pod traffic into the node-to-node tunnel,
and node-to-node traffic will be handled by KubeSpan.
This provides better compatibility with popular CNIs like Calico and Cilium.
Old behavior can be restored by setting .machine.kubespan.advertiseKubernetesNetworks = true in the machine config.
The .cluster.allowSchedulingOnMasters is deprecated and replaced by .cluster.allowSchedulingOnControlPlanes.
The .cluster.allowSchedulingOnMasters will be removed in a future release of Talos.
If both .cluster.allowSchedulingOnMasters and .cluster.allowSchedulingOnControlPlanes are set to true, the .cluster.allowSchedulingOnControlPlanes will be used.
k8s.gcr.io mirror configuration
Talos now defaults to adding a registry mirror configuration in the machineconfig for k8s.gcr.io pointing to both registry.k8s.io and k8s.gcr.io unless overridden.
This is in line with the Kubernetes 1.25 release having the new registry.k8s.io registry endpoint.
This is only enabled by default on newly generated configurations and not on upgrades.
This can be enabled with a machine configuration as follows:
NVIDIA GPU support on Talos has been promoted to beta and SideroLabs now publishes the NVIDIA Open GPU Kernel Modules as a system extension making it easier to run GPU workloads on Talos. Refer to enabling NVIDIA GPU support docs here:
Talos now supports capturing packets on a network interface with talosctl pcap command:
talosctl pcap --interface eth0
Seccomp Profiles
Talos now supports creating custom seccomp profiles on the host machine which in turn can be used by Kubernetes workloads.
It can be configured in the machine config as below:
Talos now generates the default hostname (when there is no explicitly specified hostname) for the nodes based on the
node id (e.g. talos-2gd-76y) instead of using the DHCP assigned IP address (e.g. talos-172-20-0-2).
This ensures that the node hostname is not changed when DHCP assigns a new IP to a node.
Please note: the stable hostname generation algorithm changed between v1.2.0-beta.0 and v1.2.0-beta.1, please take care when upgrading
from versions >= 1.2.0-alpha.1 to versions >= 1.2.0-beta.1 when using stable default hostname feature.
For example, machine hostname can be set with the following patch:
machine:
network:
hostname: worker1
Patch format is detected automatically.
Variable substitution for URL query parameter in the talos.config kernel parameter
The kernel parameter talos.config can now substitute system information into placeholders inside its URL query values. This example shows all supported variables:
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
Talos 1.2.0-beta.1 (2022-08-23)
Welcome to the v1.2.0-beta.1 release of Talos!
This is a pre-release of Talos
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Talos API access from Kubernetes
Talos now supports access to its API from within Kubernetes. It can be configured in the machine config as below:
This feature introduces a new custom resource definition,
serviceaccounts.talos.dev
.Creating custom resources of this type will provide credentials to access Talos API from within Kubernetes.
The new CLI subcommand
talosctl inject serviceaccount
can be used to configure Kubernetes manifests with Talos service accounts as below:See documentation for more details.
Apply Config Patches
talosctl apply-config
now supports patching the machine config file in memory before submitting it to the node.Etcd Configuration
Configuration setting
cluster.etcd.subnet
is deprecated, but still supported.Two new configuration settings are introduce to control precisely which subnet is used for etcd peer communication:
The
advertisedSubnets
setting is used to control which subnet is used for etcd peer communication, it will be advertisedby each peer for other peers to connect to. If
advertiseSubnets
is set,listenSubnets
defaults to the same value, so thatetcd
only listens on the same subnet as it advertises. Additional subnets can be configured inlistenSubnets
if needed.Default behavior hasn't changed - if the
advertisedSubnets
is not set, Talos picks up the first available network address asadvertised address and
etcd
is configured to listen on all interfaces.Generating Talos secrets from PKI directory
It is now possible to generate a secrets bundle from a Kubernetes PKI directory (e.g.
/etc/kubernetes/pki
).You can also specify a bootstrap token to be used in the secrets bundle.
This secrets bundle can then be used to generate a machine config.
This facilitates migrating clusters (e.g. created using
kubeadm
) to Talos.Kubernetes ControlPlane Components
Talos now run all Kubernetes Control Plane Components with the CRI default Seccomp Profile and other recommendations as described in
KEP-2568.
Kubelet Default Runtime Seccomp Profile
Talos now runs Kubelet with the CRI default Seccomp Profile enabled.
This can be disabled by setting
.machine.kubelet.defaultRuntimeSeccompProfileEnabled
tofalse
.This is not enabled automatically on upgrades, so upgrading to Talos v1.2 needs this to be explicitly enabled.
Kubernetes Control Plane labels and taints
Talos now defaults to
node-role.kubernetes.io/control-plane
label/taint.On upgrades Talos now removes the
node-role.kubernetes.io/master
label/taint on control-plane nodes and replaces it with thenode-role.kubernetes.io/control-plane
label/taint.Workloads that tolerate the old taints or having node selectors with the old labels will need to be updated.
Kubernetes Discovery Backend
Kubernetes cluster discovery backend is now disabled by default for new clusters.
This backend doesn't provide any benefits over the Discovery Service based backend, while it
causes issues for KubeSpan enabled clusters when control plane endpoint is KubeSpan-routed.
For air-gapped installations when the Discovery Service is not enabled, Kubernetes Discovery Backend can be enabled by applying
the following machine configuration patch:
KubeSpan Kubernetes Network Advertisement
KubeSpan no longer by default advertises Kubernetes pod networks of the node over KubeSpan.
This means that CNI should handle encapsulation of pod-to-pod traffic into the node-to-node tunnel,
and node-to-node traffic will be handled by KubeSpan.
This provides better compatibility with popular CNIs like Calico and Cilium.
Old behavior can be restored by setting
.machine.kubespan.advertiseKubernetesNetworks = true
in the machine config.MachineConfig
.cluster.allowSchedulingOnMasters
deprecatedThe
.cluster.allowSchedulingOnMasters
is deprecated and replaced by.cluster.allowSchedulingOnControlPlanes
.The
.cluster.allowSchedulingOnMasters
will be removed in a future release of Talos.If both
.cluster.allowSchedulingOnMasters
and.cluster.allowSchedulingOnControlPlanes
are set totrue
, the.cluster.allowSchedulingOnControlPlanes
will be used.k8s.gcr.io
mirror configurationTalos now defaults to adding a registry mirror configuration in the machineconfig for
k8s.gcr.io
pointing to bothregistry.k8s.io
andk8s.gcr.io
unless overridden.This is in line with the Kubernetes 1.25 release having the new
registry.k8s.io
registry endpoint.This is only enabled by default on newly generated configurations and not on upgrades.
This can be enabled with a machine configuration as follows:
Network bridge support
Talos now supports configuring Linux bridges. It can be configured in the machine config like the following:
See documentation for more details.
VLAN support in cmdline arguments
Talos now supports dracut-style
vlan
kernel argument to allowinstalling Talos Linux in networks where ports are not tagged
with a default VLAN:
NVIDIA GPU support promoted to beta
NVIDIA GPU support on Talos has been promoted to beta and SideroLabs now publishes the NVIDIA Open GPU Kernel Modules as a system extension making it easier to run GPU workloads on Talos. Refer to enabling NVIDIA GPU support docs here:
Packet Capture
Talos now supports capturing packets on a network interface with
talosctl pcap
command:talosctl pcap --interface eth0
Seccomp Profiles
Talos now supports creating custom seccomp profiles on the host machine which in turn can be used by Kubernetes workloads.
It can be configured in the machine config as below:
This profile data can be either configured as a YAML definition or as a JSON string.
The profiles are created on the host under
/var/lib/kubelet/seccomp/profiles
.See documentation for more details.
Stable Default Hostname
Talos now generates the default hostname (when there is no explicitly specified hostname) for the nodes based on the
node id (e.g.
talos-2gd-76y
) instead of using the DHCP assigned IP address (e.g.talos-172-20-0-2
).This ensures that the node hostname is not changed when DHCP assigns a new IP to a node.
Please note: the stable hostname generation algorithm changed between v1.2.0-beta.0 and v1.2.0-beta.1, please take care when upgrading
from versions >= 1.2.0-alpha.1 to versions >= 1.2.0-beta.1 when using stable default hostname feature.
Strategic merge machine configuration patching
In addition to JSON (RFC6902) patches Talos now supports strategic merge patching.
For example, machine hostname can be set with the following patch:
Patch format is detected automatically.
Variable substitution for URL query parameter in the talos.config kernel parameter
The kernel parameter talos.config can now substitute system information into placeholders inside its URL query values. This example shows all supported variables:
http://example.com/metadata?h=${hostname}&m=${mac}&s=${serial}&u=${uuid}
talosctl
--masters
flag ontalosctl cluster create
is deprecated. Use--controlplanes
instead.Component Updates
Talos is built with Go 1.19.
Contributors
Changes
205 commits
Revert
functioncancelCtxMu
leftovers in PriorityLockcancelCtx
with the mutextalosctl
command return nonzero error codes if it had errorsapply-config
cmdapid
T.TempDir
to create temporary test directoryResetDuringBoot
test if theCluster
config is unknownpowercycle
talos.platform
kernel argumentkvm64
note/etc/ssl/certs/ca-certificates.crt
talosctl bootstrap
accept only single nodexfs_repair
on xfs filesystem returingEUCLEAN
/var
to be mounted in kubelet service controllerChanges since v1.2.0-beta.0
14 commits
Revert
functioncancelCtxMu
leftovers in PriorityLockcancelCtx
with the mutexChanges from siderolabs/extras
4 commits
Changes from siderolabs/pkgs
38 commits
RANDOM_TRUST_BOOTLOADER
by defaultChanges from siderolabs/tools
8 commits
Changes from talos-systems/crypto
1 commit
Changes from talos-systems/go-blockdevice
2 commits
Changes from talos-systems/go-loadbalancer
1 commit
Changes from talos-systems/grpc-proxy
1 commit
SetHeader
callsDependency Changes
Previous release can be found at v1.1.0
Images
This discussion was created from the release v1.2.0-beta.1.
Beta Was this translation helpful? Give feedback.
All reactions