Since `/var/lib/kubelet` was mounted with `rbind` and `rshared`, the
seccomp profile mount from the host at `/var/lib/seccomp/profiles` when
mounted at `/var/lib/kubelet/seccomp/profiles` would create a mount back
to the host creating an extra mount everytime kubelet starts/restarts.
Fix the issue by using the same path for the seccomp profiles on both
host and kubelet.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes: https://github.com/siderolabs/talos/issues/6045
`talosctl apply-config` now supports `--config-patch` flag that takes
machine config patches as the input.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
We add a new CRD, `serviceaccounts.talos.dev` (with `tsa` as short name), and its controller which allows users to get a `Secret` containing a short-lived Talosconfig in their namespaces with the roles they need. Additionally, we introduce the `talosctl inject serviceaccount` command to accept a YAML file with Kubernetes manifests and inject them with Talos service accounts so that they can be directly applied to Kubernetes afterwards. If Talos API access feature is enabled on Talos side, the injected workloads will be able to talk to Talos API.
Closessiderolabs/talos#4422.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
This is incompatible with Calico and Cilium in default configuration, as
it's not easy to figure out exact PodCIDRs of the node.
We change the default but provide the option to revert the old behavior.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This commit replaces `ioutil.TempDir` with `t.TempDir` in tests. The
directory created by `t.TempDir` is automatically removed when the test
and all its subtests complete.
Prior to this commit, temporary directory created using `ioutil.TempDir`
needs to be removed manually by calling `os.RemoveAll`, which is omitted
in some tests. The error handling boilerplate e.g.
defer func() {
if err := os.RemoveAll(dir); err != nil {
t.Fatal(err)
}
}
is also tedious, but `t.TempDir` handles this for us nicely.
Reference: https://pkg.go.dev/testing#T.TempDir
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This commit adds gotagsrewrite tool, which is used to add `protobuf:"<n>"` tags to structs with //gotagsrewrite:gen comment. This will be used in conjunction with github.com/siderolabs/protoenc.
Closes#5941
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Use machine-id as the source for the default hostname (e.g. `talos-2gd-76y`) instead of DHCP-assigned IP (e.g. `talos-172-20-0-2`). This way, DHCP IP changes won't impact the hostname. Defaults to true for Talos version >=1.2.
Closessiderolabs/talos#5896.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
This uses the `go-packet` library with native bindings for the packet
capture (without `libpcap`). This is not the most performant way, but it
allows us to avoid CGo.
There is a problem with converting network filter expressions (like
`tcp port 3222`) into BPF instructions, it's only available in C
libraries, but there's a workaround with `tcpdump`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This PR allows the ability to generate `secrets.yaml` (`talosctl gen secrets`) using a Kubernetes PKI directory path (e.g. `/etc/kubernetes/pki`) as input. Also introduces the flag `--kubernetes-bootstrap-token` to be able to set a static Kubernetes bootstrap token to the generated `secrets.yaml` file instead of a randomly-generated one. Closessiderolabs/talos#5894.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
The end result is that every Talos CLI accepts both JSON and strategic
patches to patch machine configuration.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This format is much easier to understand when compared to JSON patches,
it allows for more patch validation, and it should provide better user
experience.
This just implements the config merge, but it doesn't yet hook it up to
any CLI utility, so no user-facing docs.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
this commits adds dracut style vlan support to allow
installing talos in networks where ports is not tagged
with a default vlan.
Signed-off-by: Eirik Askheim <eirik@x13.no>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This PR fixes a mistake in the bridge support docs and the reference to its docs in changelog.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
The URL to fetch the configuration for a talos node is given by the
talos.config kernel parameter. We add support for 4 variables ${uuid},
${serial}, ${mac} and ${hostname} which substitute the device UUID,
DMI-sourced serial number, MAC address of the first network interface to
be up and the hostname respectively.
Fixes#3272
Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
With Pod Security, we need to allow privileged for rook-ceph.
This fix was lost when reverting day-two.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This allows to build a custom Talos image which comes with some system
extension bundled in. Sometimes we might need to have an extension in
the initial image, e.g. `vmtoolsd` for VMWare Talos image.
Syntax:
```
make image-aws \
IMAGER_SYSTEM_EXTENSIONS="ghcr.io/siderolabs/amd-ucode:..."
```
System extensions are not supported for now for ISO images, as they
don't go through the common installer flow (#5725).
Also it might be nice to add a simple way to generate just
`initramfs.xz` with system extensions bundled in (e.g. for PXE booting).
(#5726)
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
It wasn't used when building an endpoint to the local API server, so
Talos couldn't talk to the local API server when port was changed from
the default one.
Fixes#5706
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This is inline with CIS guidelines. Otherwise the kube-apiserver will pass along the request with the group
set to `system:unauthenticated`. This will expose anything that is allowed by the `system:public-info-viewer`
and `system:discovery` cluster roles.
Signed-off-by: Rio Kierkels <riokierkels@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
