Talos
https://talos.autonomy.io/
Recent content on Talos
Hugo -- gohugo.io
en-us
Sat, 03 Nov 2018 17:14:49 -0700

osd
https://talos.autonomy.io/configuration/osd/
Sat, 03 Nov 2018 17:14:49 -0700
The osd service enforces a high level of security by utilizing mutual TLS for authentication and authorization. In this section we will configure mutual TLS by generating the certificates for the servers (osd) and clients (osctl).
Cluster Owners
We recommend that the configuration of osd be performed by a cluster owner. A cluster owner should be a person of authority within an organization: perhaps a director, manager, or senior member of a team.

AWS
https://talos.autonomy.io/examples/aws/
Mon, 29 Oct 2018 19:40:55 -0700
First, create the AMI:

    docker run \
      --rm \
      --volume $HOME/.aws/credentials:/root/.aws/credentials \
      --env AWS_DEFAULT_PROFILE=${PROFILE} \
      --env AWS_DEFAULT_REGION=${REGION} \
      autonomy/talos:latest ami -var regions=${COMMA_SEPARATED_LIST_OF_REGIONS}

Once the AMI is created, you can start an EC2 instance using the AMI ID. Provide the proper configuration as the instance's user data. An official Terraform module is currently being developed, stay tuned!

kernel
https://talos.autonomy.io/components/kernel/
Mon, 29 Oct 2018 19:40:55 -0700
The kernel included with Talos is configured according to the recommendations outlined in the Kernel Self Protection Project (KSPP).

KVM
https://talos.autonomy.io/examples/kvm/
Mon, 29 Oct 2018 19:40:55 -0700
Creating a Master Node
On the KVM host, install a master node to an available block device:

    docker run \
      --rm \
      --privileged \
      --volume /dev:/dev \
      autonomy/talos:latest image -b /dev/sdb -f -p bare-metal -u http://${IP}:8080/master.yaml

Note: http://${IP}:8080/master.yaml should be reachable by the VM and contain a valid master configuration file.

Now, create the VM:

    virt-install \
      -n master \
      --description "Kubernetes master node." \
      --os-type=Linux \
      --os-variant=generic \
      --virt-type=kvm \
      --cpu=host \
      --vcpus=2 \
      --ram=4096 \
      --disk path=/dev/sdb \
      --network bridge=br0,model=e1000,mac=52:54:00:A8:4C:E1 \
      --graphics none \
      --boot hd \
      --rng /dev/random

Creating a Worker Node
On the KVM host, install a worker node to an available block device:

Masters
https://talos.autonomy.io/configuration/masters/
Mon, 29 Oct 2018 19:40:55 -0700
Configuring master nodes in a Talos Kubernetes cluster is a two-part process: configuring the Talos-specific options and configuring the Kubernetes-specific options. To get started, create a YAML file we will use in the following steps:

    touch <node-name>.yaml

Configuring Talos
Injecting the Talos PKI
Using osctl, and our output from the osd configuration documentation, inject the generated PKI into the configuration file:

    osctl inject os --crt <organization>.

init
https://talos.autonomy.io/components/init/
Mon, 29 Oct 2018 19:40:55 -0700
A common theme throughout the design of Talos is minimalism. We believe strongly in the UNIX philosophy that each program should do one job well. The init included in Talos is one example of this. We wanted to create a focused init that had one job: run Kubernetes. There simply is no mechanism in place to do anything else.
To accomplish this, we must address real world operations needs like:

Xen
https://talos.autonomy.io/examples/xen/
Tue, 06 Nov 2018 06:25:46 -0800
Creating a Master Node
On Dom0, install Talos to an available block device:

    docker run \
      --rm \
      --privileged \
      --volume /dev:/dev \
      autonomy/talos:latest image -b /dev/sdb

Save the following as /etc/xen/master.cfg:

    name = "master"
    builder='hvm'
    bootloader = "/bin/pygrub"
    firmware_override = "/usr/lib64/xen/boot/hvmloader"
    vcpus=2
    memory = 4096
    serial = "pty"
    kernel = "/var/lib/xen/talos/vmlinuz"
    ramdisk = "/var/lib/xen/talos/initramfs.xz"
    disk = [ 'phy:/dev/sdb,xvda,w', ]
    vif = [ 'mac=52:54:00:A8:4C:E1,bridge=xenbr0,model=e1000', ]
    extra = "ip=dhcp consoleblank=0 console=hvc0 console=tty0 console=ttyS0,9600 talos.

Workers
https://talos.autonomy.io/configuration/workers/
Mon, 29 Oct 2018 19:40:55 -0700
Configuring the worker nodes is much simpler than configuring the master nodes. Using the trustd API, worker nodes submit a CSR and, if authenticated, receive a valid osd certificate. Similarly, using a kubeadm token, the node joins an existing cluster. We need to specify:
- the osd public certificate
- trustd credentials and endpoints
- a kubeadm JoinConfiguration

    version: ""
    security:
      os:
        ca:
          crt: <base 64 encoded root public certificate>
    services:
      kubeadm:
        configuration: |
          apiVersion: kubeadm.

kubeadm
https://talos.autonomy.io/components/kubeadm/
Mon, 29 Oct 2018 19:40:55 -0700
At the heart of Talos is kubeadm, allowing it to harness the power of the official upstream bootstrap tool. By integrating with kubeadm natively, Talos stands to gain a strong community of users and developers already familiar with kubeadm.

trustd
https://talos.autonomy.io/components/trustd/
Mon, 29 Oct 2018 19:40:55 -0700
Security is one of the highest priorities within Autonomy. A certain level of trust is required to operate a Kubernetes cluster. For example, orchestrating the bootstrap of a highly available control plane requires the distribution of sensitive PKI data. To that end, we created trustd. Based on the concept of a Root of Trust, trustd is a simple daemon responsible for establishing trust within the system. Once trust is established, various methods become available to the trustee.

proxyd
https://talos.autonomy.io/components/proxyd/
Mon, 29 Oct 2018 19:40:55 -0700
Highly available Kubernetes clusters are crucial for production quality clusters. The proxyd component is a simple yet powerful reverse proxy that adapts to where Talos is employed and provides load balancing across all API servers.

osd
https://talos.autonomy.io/components/osd/
Mon, 29 Oct 2018 19:40:55 -0700
Talos is unique in that it has no concept of host-level access. There are no shells installed. No ssh daemon. Only what is required to run Kubernetes. Furthermore, there is no way to run any custom processes on the host level. To make this work, we needed an out-of-band tool for managing the nodes. In an ideal world, the system would be self-healing and we would never have to touch it.

osctl
https://talos.autonomy.io/components/osctl/
Mon, 29 Oct 2018 19:40:55 -0700
The osctl CLI is the client to the osd service running on every node. With it you can do things like:
- retrieve container logs
- restart a service
- reset a node
- reboot a node
- retrieve kernel logs
- generate PKI resources
- inject data into node configuration files

blockd
https://talos.autonomy.io/components/blockd/
Tue, 30 Oct 2018 09:16:35 -0700
Talos comes with a reserved block device with three partitions:
- an EFI System Partition (ESP)
- a ROOT partition mounted as read-only that contains the minimal set of binaries to operate system services
- a DATA partition that is mounted as read/write at /var/run
These partitions are reserved and cannot be modified. The one exception is that the DATA partition will be resized automatically in the init process to the maximum size possible.

Talos
https://talos.autonomy.io/talos/
Mon, 29 Oct 2018 19:40:55 -0700
Talos is a modern Linux distribution designed to be secure, immutable, and minimal.