From c19cc4ccbc8c37b6dde49853dfc442a0f5404ab4 Mon Sep 17 00:00:00 2001 From: Steve Francis Date: Wed, 12 Jun 2024 11:41:03 -0700 Subject: [PATCH] docs: clarify direct access needed to nodes in insecure mode And some small updates. Signed-off-by: Andrey Smirnov --- website/content/_index.html | 2 +- .../v1.8/introduction/getting-started.md | 29 ++++++++++++------- 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/website/content/_index.html b/website/content/_index.html index 891fb1d90..13987e9a7 100644 --- a/website/content/_index.html +++ b/website/content/_index.html @@ -127,7 +127,7 @@ title = "Talos Linux"

Immutable

Talos improves security further by mounting the root filesystem as - read-only and removing any host-level such as a shell and SSH. + read-only and removing host-level access tools such as a shell and SSH.
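Review bot: the rewritten sentence still pairs a thing (a shell) with a protocol (SSH); for precision consider `removing host-level access tools such as a shell or an SSH server`. The fix to the dangling `removing any host-level such as` is otherwise correct.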

diff --git a/website/content/v1.8/introduction/getting-started.md b/website/content/v1.8/introduction/getting-started.md index ff4220be3..c36247e81 100644 --- a/website/content/v1.8/introduction/getting-started.md +++ b/website/content/v1.8/introduction/getting-started.md @@ -81,14 +81,6 @@ The endpoint should be formatted like: > NOTE: For a production cluster, you should have three control plane nodes, and have the endpoint allocate traffic to all three - see [Production Notes]({{< relref "prodnotes#control-plane-nodes" >}}). -## Accessing the Talos API - -Administrative tasks are performed by calling the Talos API (usually with `talosctl`) on Talos Linux control plane nodes - thus, ensure your control -plane node is directly reachable on TCP port 50000 from the workstation where you run the `talosctl` client. -This may require changing firewall rules or cloud provider access-lists. - -For production configurations, see [Production Notes]({{< relref "prodnotes#decide-the-kubernetes-endpoint" >}}). - ## Configure Talos Linux When Talos boots without a configuration, such as when booting off the Talos ISO, it 
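Review bot: deleting the `## Accessing the Talos API` section here is only safe because the same heading is re-added later in this patch with identical text, so the generated anchor (`#accessing-the-talos-api`) that other pages may relref to keeps resolving; it is still worth confirming that no page links to it expecting the guidance to appear before the Configure step, since readers following a link now land after the machine configuration has been generated. The relref to `prodnotes#decide-the-kubernetes-endpoint` is carried over unchanged.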
@@ -182,9 +174,24 @@ to reflect `vda` instead of `sda`. > For information on customizing your machine configurations (such as to specify the version of Kubernetes), using [machine configuration patches]({{< relref "../talos-guides/configuration/patching" >}}), or customizing configurations for individual machines (such as setting static IP addresses), see the [Production Notes]({{< relref "prodnotes#customizing-machine-configuration" >}}). -## Understand talosctl, endpoints and nodes +## Accessing the Talos API + +Administrative tasks are performed by calling the Talos API (usually with `talosctl`) on Talos Linux control plane nodes, who may forward the requests to other nodes. +Thus: + +- ensure your control plane node is directly reachable on TCP port 50000 from the workstation where you run the `talosctl` client. +- until a node is a member of the cluster, it does not have the PKI infrastructure set up, and so will not accept API requests that are proxied through a control plane node. + +Thus you will need direct access to the **worker** nodes on port 50000 from the workstation where you run `talosctl` in order to apply the initial configuration. +Once the cluster is established, you will no longer need port 50000 access to the workers. +(You can avoid requiring such access by passing in the initial configuration in one of other methods, such as by cloud `userdata` or via `talos.config=` kernel argument on a `metal` platform) + +This may require changing firewall rules or cloud provider access-lists. + +For production configurations, see [Production Notes]({{< relref "prodnotes#decide-the-kubernetes-endpoint" >}}). + +## Understand how talosctl treats endpoints and nodes -It is important to understand the concept of `endpoints` and `nodes`. In short: `endpoints` are where `talosctl` _sends_ commands to, but the command _operates_ on the specified `nodes`. The endpoint will forward the command to the nodes, if needed. 
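Review bot: the renamed heading `## Understand how talosctl treats endpoints and nodes` changes the generated anchor from the old `## Understand talosctl, endpoints and nodes`, so any existing relref or external link to that anchor will break; either keep the old heading text or grep the site for references before merging. Related: with the lead sentence `It is important to understand the concept of ...` deleted, the section now opens with `In short:`, which no longer has anything to summarise. In the added text, `control plane nodes, who may forward` should be `which may forward`; `Thus:` followed two sentences later by `Thus you will need` reads as a repetition (the second could be `You will therefore need`); `in one of other methods` is missing `the`; and the parenthetical about cloud `userdata` / `talos.config=` lacks a closing period. Finally, since the text states that port 50000 access to the workers is no longer needed once the cluster is established, add one sentence recommending that the temporary firewall or access-list opening be removed at that point rather than left in place.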
@@ -247,7 +254,7 @@ Apply the `controlplane.yaml` file to the control plane node, and the `worker.ya The `--insecure` flag is necessary because the PKI infrastructure has not yet been made available to the node. Note: the connection _will_ be encrypted, but not authenticated. -When using the `--insecure` flag, it is not necessary to specify an endpoint. +> When using the `--insecure` flag, you cannot specify an endpoint, and must directly access the node on port 50000. ### Default talosconfig configuration file
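Review bot: changing `it is not necessary to specify an endpoint` to `you cannot specify an endpoint` turns an advisory into a hard behaviour claim; please confirm that `talosctl` actually rejects the combination rather than silently ignoring the endpoint, otherwise keep the softer wording. Stylistically, the new line is a `>` blockquote while the preceding `Note: the connection _will_ be encrypted, but not authenticated.` is plain text; both notes should use the same form. That preceding line also deserves one more sentence: because the connection is unauthenticated, anyone who can reach the node on port 50000 during this window can apply a configuration to it, so the network exposure should be kept as short and narrow as possible.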