After we closed `kubelet`, remove `/var/lib/kubelet/cpu_manager_state` if there are any changes in `cpuManagerPolicy`.
We do not add any other safeguards, so it's user responsibility to cordon/drain the node in advance.
Also minor fixes in other files.
Closes#7504
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
The Go modules were not tagged for alpha.4, so using alpha.3 tag.
Talos 1.5 will ship with Kubernetes 1.28.0.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This is controlled with a feature flag which gets enabled automatically
for Talos 1.5+.
Fixes#7181
If enabled, configures kubelet to use project quotas to track xfs volume
usage, which is much more efficient than doing `du` periodically.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Removed deprecated arg from the kubelet spec, as the arg is going to be
removed completely in v1.27 (kubelet defaults to remote CRI anyways).
Go modules not updated due to https://github.com/kubernetes/kubernetes/issues/113951
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
There's a cyclic dependency on siderolink library which imports talos
machinery back. We will fix that after we get talos pushed under a new
name.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Previously static pod manifests were written to and read from a folder
on the disk. We add a controller that cleans up the default static pod
manifests on the disk and serves them as a PodList manifest via HTTP.
The to the manifest is injected into the kubelet. File based static pod
manifests are still supported and may be enabled by setting the key
kubelet -> enableManifestsDirectory in the machine config.
Fixes#5494
Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
This PR supports skipping node registration from K8s.
This is an adavnced use case and only needs to be used in special cases.
In this mode Kubelet only runs the static pods.
Fixes: #5847
Operations that will be broken:
- `talosctl cluster create` would eventually timeout since it expects
nodes to be registered.
- `talosctl health` since it expects nodes to be registered.
- `talosctl upgrade-k8s` since it expects nodes to be registered. Static
pods can still be updated by editing the machine config..
Signed-off-by: Noel Georgi <git@frezbo.dev>
Clear the kubelet certificates and kubeconfig when hostname changes so that on next start, kubelet goes through the bootstrap process and new certificates are generated and the node is joined to the cluster with the new name.
Fixessiderolabs/talos#5834.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
With the advent of generics, redo pointer functionality and remove github.com/AlekSi/pointer dependency.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
The problem is that these values needs to be set to zero if the kubelet
feature gate is disabled, so we can't assume that we can override zero
value with the proper config, so we have to do an extra check on the
supplied configuration.
Also creates KB article on disabling this feature gate.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
We should skip the checks on container platforms, as Talos has no way to
enforce conditions on the host kernel.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Add a mock D-Bus daemon and a mock logind implementation over D-Bus.
Kubelet gets a handle to the D-Bus socket, connects over it to our
logind mock and negotiates shutdown activities.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Enforces more reasonable minimum TLS versions for Kubernetes components
(1.3 for everything except apiserver; 1.2 for API server for
interoperability).
Signed-off-by: Seán C McCord <ulexus@gmail.com>
The gist is that `kubelet` service code only manages the container
lifecycle, while `kubelet` configuration is managed now in the
controllers and resources.
New resources:
* `secrets.Kubelet` contains Kubelet PKI derived directly from the
machine configuration
* `k8s.KubeletConfig` contains Kubelet non-secret config derived
directly from the machine configuration
* `k8s.NodeIPConfig` contains configuration on picking up Node IP for
the kubelet (from machine configuration)
* `k8s.NodeIP` contains actual Node IPs picked from the node addresses
based on `NodeIPConfig`
* `k8s.KubeletSpec` contains final `kubelet` container configuration,
including merged arguments, KubeletConfig, etc. It is derived from
`KubeletConfig`, `Nodename` and `NodeIP`.
Final controller `KubeletServiceController` writes down configuration
and PKI to disk, and manages restart/start of the `kubelet` service
which is a pure wrapper around container lifecycle.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
