docs: update docs for release 1.1

Update documentation, support matrix, current release, what's new, etc.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Andrey Smirnov 2022-06-22 18:19:19 +04:00
parent b816d0b600
commit cfb640222b
GPG Key ID: 7B26396447AB6DFD
10 changed files with 175 additions and 83 deletions


@ -108,7 +108,7 @@ version_menu = "Releases"
# A link to latest version of the docs. Used in the "version-banner" partial to
# point people to the main doc site.
url_latest_version = "/v1.0"
url_latest_version = "/v1.1"
# Repository configuration (URLs for in-page links to opening issues and suggesting changes)
# github_repo = "https://github.com/googley-example"
@ -141,11 +141,11 @@ version = "v1.2 (pre-release)"
[[params.versions]]
url = "/v1.1/"
version = "v1.1 (pre-release)"
version = "v1.1 (latest)"
[[params.versions]]
url = "/v1.0/"
version = "v1.0 (latest)"
version = "v1.0"
[[params.versions]]
url = "/v0.14/"


@ -8,7 +8,6 @@ preRelease: false
lastRelease: v1.0.6
kubernetesRelease: "1.23.5"
prevKubernetesRelease: "1.23.1"
menu: main
---
## Welcome
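Review bot: the hunk header shows the v1.0 front matter shrinking from 7 to 6 lines, so one key is dropped here; if that key is `prevKubernetesRelease: "1.23.1"`, please confirm that no v1.0 page or shortcode still reads that parameter, otherwise the rendered v1.0 docs will show an empty value where the previous Kubernetes version used to be. The v1.1 index in this same commit keeps `prevKubernetesRelease`, so the two trees now rely on different front-matter keys.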


@ -7,7 +7,7 @@ description: "Table of supported Talos Linux versions and respective platforms."
| Talos Version | 1.0 | 0.14 |
|----------------------------------------------------------------------------------------------------------------|------------------------------------|------------------------------------|
| Release Date | 2022-03-29 | 2021-12-21 (0.14.0) |
| End of Community Support | 1.1.0 release (2022-06-01, TBD) | 1.0.0 release (2022-03-27, TBD) |
| End of Community Support | 1.1.0 release (2022-06-22) | 1.0.0 release (2022-03-29) |
| Enterprise Support | [offered by Sidero Labs Inc.](https://www.siderolabs.com/support/) | [offered by Sidero Labs Inc.](https://www.siderolabs.com/support/) |
| Kubernetes | 1.23, 1.22, 1.21 | 1.23, 1.22, 1.21 |
| Architecture | amd64, arm64 | amd64, arm64 |
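Review bot: the End of Community Support row now states that 1.0 support ended on 2022-06-22, the day of this commit, and 0.14 support ended with the 1.0.0 release, but nothing on the page says what that means for 1.0.x patch releases (the v1.0 index in this commit still lists `lastRelease: v1.0.6`). A one-line definition of "End of Community Support" above the table (no further patch releases versus best-effort fixes only) would remove the ambiguity for readers still on 1.0.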


@ -4,11 +4,12 @@ no_list: true
linkTitle: "Documentation"
cascade:
type: docs
preRelease: true
lastRelease: v1.1.0-beta.2
kubernetesRelease: "1.24.1"
preRelease: false
lastRelease: v1.1.0
kubernetesRelease: "1.24.2"
prevKubernetesRelease: "1.23.5"
iscsiToolsRelease: "v0.1.1"
menu: main
---
## Welcome
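Review bot: the new `iscsiToolsRelease: "v0.1.1"` key carries a `v` prefix while `kubernetesRelease: "1.24.2"` and `prevKubernetesRelease: "1.23.5"` in the same block are bare versions; pick one convention so shortcodes that build image tags or download URLs from these values do not need per-key handling. Please also double-check that the page consuming `iscsiToolsRelease` is part of this commit, since the key is introduced here without a visible consumer.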


@ -6,29 +6,29 @@ description: "Table of supported Talos Linux versions and respective platforms."
| Talos Version | 1.1 | 1.0 |
|----------------------------------------------------------------------------------------------------------------|------------------------------------|------------------------------------|
| Release Date | 2022-06-24, TBD | 2022-03-29 (1.0.0) |
| End of Community Support | 1.2.0 release (2022-09-01, TBD) | 1.1.0 release (2022-06-24, TBD) |
| Release Date | 2022-06-22 | 2022-03-29 (1.0.0) |
| End of Community Support | 1.2.0 release (2022-09-01, TBD) | 1.1.0 release (2022-06-22) |
| Enterprise Support | [offered by Sidero Labs Inc.](https://www.siderolabs.com/support/) | [offered by Sidero Labs Inc.](https://www.siderolabs.com/support/) |
| Kubernetes | 1.24, 1.23, 1.22 | 1.23, 1.22, 1.21 |
| Architecture | amd64, arm64 | amd64, arm64 |
| **Platforms** | | |
| - cloud | AWS, GCP, Azure, Digital Ocean, Hetzner, OpenStack, Oracle Cloud, Scaleway, Vultr, Upcloud | AWS, GCP, Azure, Digital Ocean, Hetzner, OpenStack, Scaleway, Vultr, Upcloud |
| - cloud | AWS, GCP, Azure, Digital Ocean, Hetzner, OpenStack, Oracle Cloud, Scaleway, Vultr, Upcloud | AWS, GCP, Azure, Digital Ocean, Hetzner, OpenStack, Oracle Cloud, Scaleway, Vultr, Upcloud |
| - bare metal | x86: BIOS, UEFI; arm64: UEFI; boot: ISO, PXE, disk image | x86: BIOS, UEFI; arm64: UEFI; boot: ISO, PXE, disk image |
| - virtualized | VMware, Hyper-V, KVM, Proxmox, Xen | VMware, Hyper-V, KVM, Proxmox, Xen |
| - SBCs | Banana Pi M64, Jetson Nano, Libre Computer Board ALL-H3-CC, Pine64, Pine64 Rock64, Radxa ROCK Pi 4c, Raspberry Pi 4B | Raspberry Pi4, Banana Pi M64, Pine64, and other |
| - SBCs | Banana Pi M64, Jetson Nano, Libre Computer Board ALL-H3-CC, Pine64, Pine64 Rock64, Radxa ROCK Pi 4c, Raspberry Pi 4B | Banana Pi M64, Jetson Nano, Libre Computer Board ALL-H3-CC, Pine64, Pine64 Rock64, Radxa ROCK Pi 4c, Raspberry Pi 4B |
| - local | Docker, QEMU | Docker, QEMU |
| **Cluster API** | | |
| [CAPI Bootstrap Provider Talos](https://github.com/siderolabs/cluster-api-bootstrap-provider-talos) | >= 0.5.3 | >= 0.5.3 |
| [CAPI Control Plane Provider Talos](https://github.com/siderolabs/cluster-api-control-plane-provider-talos) | >= 0.4.5 | >= 0.4.5 |
| [Sidero](https://www.sidero.dev/) | >= 0.5.0 | >= 0.5.0 |
| [CAPI Bootstrap Provider Talos](https://github.com/siderolabs/cluster-api-bootstrap-provider-talos) | >= 0.5.4 | >= 0.5.3 |
| [CAPI Control Plane Provider Talos](https://github.com/siderolabs/cluster-api-control-plane-provider-talos) | >= 0.4.6 | >= 0.4.5 |
| [Sidero](https://www.sidero.dev/) | >= 0.5.1 | >= 0.5.0 |
| **UI** | | |
| [Theila](https://github.com/siderolabs/theila) | ✓ | ✓ |
## Platform Tiers
Tier 1: Automated tests, high-priority fixes.
Tier 2: Tested from time to time, medium-priority bugfixes.
Tier 3: Not tested by core Talos team, community tested.
* Tier 1: Automated tests, high-priority fixes.
* Tier 2: Tested from time to time, medium-priority bugfixes.
* Tier 3: Not tested by core Talos team, community tested.
### Tier 1
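Review bot: the 1.0 column in the cloud and SBCs rows is rewritten to list Oracle Cloud and the full seven-board SBC set, making it identical to the 1.1 column, but the v1.0 support matrix hunk in this commit only touches the Release Date and End of Community Support rows, so the two matrices may now disagree about what 1.0 supports. Please confirm against the v1.0 page (and the 1.0.x changelog) that Oracle Cloud, Jetson Nano, ALL-H3-CC, Rock64 and ROCK Pi 4c are actually shipped in 1.0 before promoting them here; the Cluster API rows are handled correctly, with only the 1.1 column bumped to 0.5.4 / 0.4.6 / 0.5.1.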


@ -4,4 +4,96 @@ weight: 50
description: "List of new and shiny features in Talos Linux."
---
TBD
## Kubernetes
### Pod Security Admission
[Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) controller is enabled by default with the following policy:
```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- configuration:
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
defaults:
audit: restricted
audit-version: latest
enforce: baseline
enforce-version: latest
warn: restricted
warn-version: latest
exemptions:
namespaces:
- kube-system
runtimeClasses: []
usernames: []
kind: PodSecurityConfiguration
name: PodSecurity
path: ""
```
The policy is part of the Talos machine configuration, and it can be modified to suite your needs.
### Kubernetes API Server Anonymous Auth
Anonymous authentication is now disabled by default for the `kube-apiserver` (CIS compliance).
To enable anonymous authentication, update the machine config with:
```yaml
cluster:
apiServer:
extraArgs:
anonymous-auth: true
```
## Machine Configuration
### Apply Config `--dry-run`
The commands `talosctl apply-config`, `talosctl patch mc` and `talosctl edit mc` now support `--dry-run` flag.
If enabled it just prints out the selected config application mode and the configuration diff.
### Apply Config `--mode=try`
The commands `talosctl apply-config`, `talosctl patch mc` and `talosctl edit mc` now support the new mode called `try`.
In this mode the config change is applied for a period of time and then reverted back to the state it was before the change.
`--timeout` parameter can be used to customize the config rollback timeout.
This new mode can be used only with the parts of the config that can be changed without a reboot and can help to check that
the new configuration doesn't break the node.
Can be especially useful to check network interfaces changes that may lead to the loss of connectivity to the node.
## Networking
### Network Device Selector
Talos machine configuration supports specifying network interfaces by selectors instead of interface name.
See [documentation]({{< relref "../talos-guides/network/device-selector" >}}) for more details.
## SBCs
### RockPi 4 variants A and B
Talos now supports RockPi variants A and B in addition to RockPi 4C
### Raspberry Pi PoE Hat Fan
Talos now enables the Raspberry Pi PoE fan control by pulling in the poe overlay that works with upstream kernel
## Miscellaneous
### IPv6 in Docker-based Talos Clusters
The command `talosctl cluster create` now enables IPv6 by default for the Docker containers
created for Talos nodes.
This allows to use IPv6 addresses in Kubernetes networking.
If `talosctl cluster create` fails to work on Linux due to the lack of IPv6 support,
please use the flag `--disable-docker-ipv6` to revert the change.
### `eudev` Default Rules
Drops some default eudev rules that doesn't make sense in the context of Talos OS.
Especially the ones around sound devices, cd-roms and renaming the network interfaces to be predictable.
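Review bot: a few wording issues in the new text: "modified to suite your needs" should be "suit", "rules that doesn't make sense" should be "don't", and the RockPi 4 and PoE Hat paragraphs are missing their final periods ("in addition to RockPi 4C", "works with upstream kernel"); the RockPi heading says "RockPi 4 variants A and B" while the body says "RockPi variants A and B". On substance, the same Pod Security Admission policy now appears in three places in this commit (here, the upgrade notes, and the pod-security guide) in three different forms (wrapped in `AdmissionConfiguration`, wrapped in `cluster.apiServer.admissionControl`, and bare `PodSecurityConfiguration`, with quoted values in one copy and unquoted in the others); consider linking to one canonical copy. For the anonymous-auth section, the snippet to re-enable it is given without stating the trade-off; one sentence on why a user would need it (and that the default now rejects unauthenticated requests to the API server) would help readers decide rather than copy the snippet.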


@ -14,27 +14,22 @@ In this guide we are going to enable and configure Pod Security Admission in Tal
## Configuration
Prepare the following machine configuration patch and store it in the `pod-security-patch.yaml`:
Talos provides default Pod Security Admission in the machine configuration:
```yaml
- op: add
path: /cluster/apiServer/admissionControl
value:
- name: PodSecurity
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
kind: PodSecurityConfiguration
defaults:
enforce: "baseline"
enforce-version: "latest"
audit: "restricted"
audit-version: "latest"
warn: "restricted"
warn-version: "latest"
exemptions:
usernames: []
runtimeClasses: []
namespaces: [kube-system]
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
kind: PodSecurityConfiguration
defaults:
enforce: "baseline"
enforce-version: "latest"
audit: "restricted"
audit-version: "latest"
warn: "restricted"
warn-version: "latest"
exemptions:
usernames: []
runtimeClasses: []
namespaces: [kube-system]
```
This is a cluster-wide configuration for the Pod Security Admission plugin:
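Review bot: the replacement snippet is a bare `PodSecurityConfiguration` document, but the sentence above it says the default lives "in the machine configuration" without showing where; the upgrade notes in this same commit show it under `cluster.apiServer.admissionControl` with `name: PodSecurity`, so either quote that full path here or add a sentence naming it, otherwise a reader of this guide cannot locate or patch the setting.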
@ -42,13 +37,7 @@ This is a cluster-wide configuration for the Pod Security Admission plugin:
* by default `baseline` [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/) profile is enforced
* more strict `restricted` profile is not enforced, but API server warns about found issues
Generate Talos machine configuration applying the patch above:
```shell
talosctl gen config cluster1 https://<IP>:6443/ --config-patch-control-plane @../pod-security-patch.yaml
```
Deploy Talos using the generated machine configuration.
This default policy can be modified by updating the generated machine configuration before the cluster is created or on the fly by using the `talosctl` CLI utility.
Verify current admission plugin configuration with:
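Review bot: "on the fly by using the `talosctl` CLI utility" is vague now that the concrete `talosctl gen config ... --config-patch-control-plane` example has been removed; name the commands that do this (`talosctl apply-config`, `talosctl patch mc`, `talosctl edit mc`) and mention the `--dry-run` and `--mode=try` options introduced in this release, since a mis-typed admission configuration is exactly the kind of change a user would want to preview or auto-revert. Keeping one short patch example for the common override (for instance tightening `enforce` to `restricted`) would preserve the guide's "how do I change it" value.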


@ -79,7 +79,29 @@ future.
## Machine Configuration Changes
TBD
Talos 1.1.0 provides a default configuration for [Pod Security Admission]({{< relref "../kubernetes-guides/configuration/pod-security" >}}):
```yaml
cluster:
apiServer:
admissionControl:
- name: PodSecurity
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
defaults:
audit: restricted
audit-version: latest
enforce: baseline
enforce-version: latest
warn: restricted
warn-version: latest
exemptions:
namespaces:
- kube-system
runtimeClasses: []
usernames: []
kind: PodSecurityConfiguration
```
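Review bot: this section is the upgrade notes, so it should say whether existing 1.0 machine configurations receive this default when nodes are upgraded to 1.1.0 or only configurations freshly generated with `talosctl gen config`; as written a reader cannot tell if Pod Security Admission will start enforcing `baseline` on their running cluster. The what's-new page in this commit also lists anonymous authentication for `kube-apiserver` being disabled by default, which is a behaviour change on upgrade and belongs in this section alongside the admission configuration.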
## Upgrade Sequence


@ -6,29 +6,29 @@ description: "Table of supported Talos Linux versions and respective platforms."
| Talos Version | 1.2 | 1.1 |
|----------------------------------------------------------------------------------------------------------------|------------------------------------|------------------------------------|
| Release Date | 2022-09-01, TBD | 2022-06-24 (1.1.0) |
| End of Community Support | 1.3.0 release (2022-12-01, TBD) | 1.2.0 release (2022-06-24, TBD) |
| Release Date | 2022-09-01, TBD | 2022-06-22 (1.1.0) |
| End of Community Support | 1.3.0 release (2022-12-01, TBD) | 1.2.0 release (2022-09-01, TBD) |
| Enterprise Support | [offered by Sidero Labs Inc.](https://www.siderolabs.com/support/) | [offered by Sidero Labs Inc.](https://www.siderolabs.com/support/) |
| Kubernetes | 1.24, 1.23, 1.22 |
| Kubernetes | 1.25, 1.24, 1.23 | 1.24, 1.23, 1.22 |
| Architecture | amd64, arm64 | amd64, arm64 |
| **Platforms** | | |
| - cloud | AWS, GCP, Azure, Digital Ocean, Hetzner, OpenStack, Oracle Cloud, Scaleway, Vultr, Upcloud | AWS, GCP, Azure, Digital Ocean, Hetzner, OpenStack, Scaleway, Vultr, Upcloud |
| - cloud | AWS, GCP, Azure, Digital Ocean, Hetzner, OpenStack, Oracle Cloud, Scaleway, Vultr, Upcloud | AWS, GCP, Azure, Digital Ocean, Hetzner, OpenStack, Oracle Cloud, Scaleway, Vultr, Upcloud |
| - bare metal | x86: BIOS, UEFI; arm64: UEFI; boot: ISO, PXE, disk image | x86: BIOS, UEFI; arm64: UEFI; boot: ISO, PXE, disk image |
| - virtualized | VMware, Hyper-V, KVM, Proxmox, Xen | VMware, Hyper-V, KVM, Proxmox, Xen |
| - SBCs | Banana Pi M64, Jetson Nano, Libre Computer Board ALL-H3-CC, Pine64, Pine64 Rock64, Radxa ROCK Pi 4c, Raspberry Pi 4B | Raspberry Pi4, Banana Pi M64, Pine64, and other |
| - SBCs | Banana Pi M64, Jetson Nano, Libre Computer Board ALL-H3-CC, Pine64, Pine64 Rock64, Radxa ROCK Pi 4c, Raspberry Pi 4B | Banana Pi M64, Jetson Nano, Libre Computer Board ALL-H3-CC, Pine64, Pine64 Rock64, Radxa ROCK Pi 4c, Raspberry Pi 4B |
| - local | Docker, QEMU | Docker, QEMU |
| **Cluster API** | | |
| [CAPI Bootstrap Provider Talos](https://github.com/siderolabs/cluster-api-bootstrap-provider-talos) | >= 0.5.3 | >= 0.5.3 |
| [CAPI Control Plane Provider Talos](https://github.com/siderolabs/cluster-api-control-plane-provider-talos) | >= 0.4.5 | >= 0.4.5 |
| [Sidero](https://www.sidero.dev/) | >= 0.5.0 | >= 0.5.0 |
| [CAPI Bootstrap Provider Talos](https://github.com/siderolabs/cluster-api-bootstrap-provider-talos) | >= 0.5.4 | >= 0.5.3 |
| [CAPI Control Plane Provider Talos](https://github.com/siderolabs/cluster-api-control-plane-provider-talos) | >= 0.4.6 | >= 0.4.6 |
| [Sidero](https://www.sidero.dev/) | >= 0.5.1 | >= 0.5.1 |
| **UI** | | |
| [Theila](https://github.com/siderolabs/theila) | ✓ | ✓ |
## Platform Tiers
Tier 1: Automated tests, high-priority fixes.
Tier 2: Tested from time to time, medium-priority bugfixes.
Tier 3: Not tested by core Talos team, community tested.
* Tier 1: Automated tests, high-priority fixes.
* Tier 2: Tested from time to time, medium-priority bugfixes.
* Tier 3: Not tested by core Talos team, community tested.
### Tier 1
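Review bot: the Cluster API rows disagree with the v1.1 support matrix in this same commit: here the 1.1 column requires CAPI Bootstrap Provider Talos `>= 0.5.3`, while the v1.1 matrix requires `>= 0.5.4` for 1.1 (the control-plane provider and Sidero rows do match at 0.4.6 and 0.5.1). Please align the 1.1 column with the v1.1 page. The End of Community Support date for 1.1 is also corrected here from the self-referential 2022-06-24 to the 1.2.0 release on 2022-09-01, which is right.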


@ -14,27 +14,22 @@ In this guide we are going to enable and configure Pod Security Admission in Tal
## Configuration
Prepare the following machine configuration patch and store it in the `pod-security-patch.yaml`:
Talos provides default Pod Security Admission in the machine configuration:
```yaml
- op: add
path: /cluster/apiServer/admissionControl
value:
- name: PodSecurity
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
kind: PodSecurityConfiguration
defaults:
enforce: "baseline"
enforce-version: "latest"
audit: "restricted"
audit-version: "latest"
warn: "restricted"
warn-version: "latest"
exemptions:
usernames: []
runtimeClasses: []
namespaces: [kube-system]
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
kind: PodSecurityConfiguration
defaults:
enforce: "baseline"
enforce-version: "latest"
audit: "restricted"
audit-version: "latest"
warn: "restricted"
warn-version: "latest"
exemptions:
usernames: []
runtimeClasses: []
namespaces: [kube-system]
```
This is a cluster-wide configuration for the Pod Security Admission plugin:
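Review bot: same issue as the v1.1 copy of this guide: the new snippet shows a bare `PodSecurityConfiguration` without the `cluster.apiServer.admissionControl` path under which it sits in the machine configuration, so the guide no longer tells the reader where to find or patch the policy; quote the full path or add a sentence naming it.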
@ -42,13 +37,7 @@ This is a cluster-wide configuration for the Pod Security Admission plugin:
* by default `baseline` [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/) profile is enforced
* more strict `restricted` profile is not enforced, but API server warns about found issues
Generate Talos machine configuration applying the patch above:
```shell
talosctl gen config cluster1 https://<IP>:6443/ --config-patch-control-plane @../pod-security-patch.yaml
```
Deploy Talos using the generated machine configuration.
This default policy can be modified by updating the generated machine configuration before the cluster is created or on the fly by using the `talosctl` CLI utility.
Verify current admission plugin configuration with:
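Review bot: with the `talosctl gen config ... --config-patch-control-plane` example gone, "on the fly by using the `talosctl` CLI utility" should name the actual commands (`talosctl apply-config`, `talosctl patch mc`, `talosctl edit mc`) and point at `--dry-run` and `--mode=try`, which this release adds precisely so that a change like an admission-controller policy can be previewed or automatically reverted; a single patch example for tightening `enforce` to `restricted` would keep the guide actionable.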