+9

talos/patches/controller/api-access.yaml

reviewed

··· 1 1 + # Enable K8s Talos API Access 2 2 + machine: 3 3 + features: 4 4 + kubernetesTalosAPIAccess: 5 5 + enabled: true 6 6 + allowedRoles: 7 7 + - os:admin 8 8 + allowedKubernetesNamespaces: 9 9 + - system-upgrade

+12

talos/patches/controller/cluster.yaml

reviewed

··· 1 1 + cluster: 2 2 + allowSchedulingOnMasters: true 3 3 + controllerManager: 4 4 + extraArgs: 5 5 + bind-address: 0.0.0.0 6 6 + coreDNS: 7 7 + disabled: true 8 8 + proxy: 9 9 + disabled: true 10 10 + scheduler: 11 11 + extraArgs: 12 12 + bind-address: 0.0.0.0

+3

talos/patches/controller/disable-admission-controller.yaml

reviewed

··· 1 1 + # Disable default API server admission plugins. 2 2 + - op: remove 3 3 + path: /cluster/apiServer/admissionControl

+5

talos/patches/controller/kube-prism.yaml

reviewed

··· 1 1 + machine: 2 2 + features: 3 3 + kubePrism: 4 4 + enabled: true 5 5 + port: 7445

+7

talos/patches/global/cluster-discovery.yaml

reviewed

··· 1 1 + cluster: 2 2 + discovery: 3 3 + registries: 4 4 + kubernetes: 5 5 + disabled: false 6 6 + service: 7 7 + disabled: false

+12

talos/patches/global/containerd.yaml

reviewed

··· 1 1 + machine: 2 2 + files: 3 3 + - op: create 4 4 + path: /etc/cri/conf.d/20-customization.part 5 5 + content: |- 6 6 + [plugins."io.containerd.grpc.v1.cri"] 7 7 + enable_unprivileged_ports = true 8 8 + enable_unprivileged_icmp = true 9 9 + [plugins."io.containerd.grpc.v1.cri".containerd] 10 10 + discard_unpacked_layers = false 11 11 + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] 12 12 + discard_unpacked_layers = false

+3

talos/patches/global/disable-search-domain.yaml

reviewed

··· 1 1 + machine: 2 2 + network: 3 3 + disableSearchDomain: true

+9

talos/patches/global/kubelet.yaml

reviewed

··· 1 1 + machine: 2 2 + kubelet: 3 3 + extraArgs: 4 4 + rotate-server-certificates: "true" 5 5 + extraConfig: 6 6 + maxPods: 150 7 7 + nodeIP: 8 8 + validSubnets: 9 9 + - 10.0.105.0/24

+14

talos/patches/global/nfs.yaml

reviewed

··· 1 1 + machine: 2 2 + files: 3 3 + - op: overwrite 4 4 + path: /etc/nfsmount.conf 5 5 + permissions: 0o644 6 6 + content: | 7 7 + [ NFSMount_Global_Options ] 8 8 + nfsvers=4.2 9 9 + hard=True 10 10 + noatime=True 11 11 + nodiratime=True 12 12 + rsize=131072 13 13 + wsize=131072 14 14 + nconnect=8

+7

talos/patches/global/sysctl.yaml

reviewed

··· 1 1 + machine: 2 2 + sysctls: 3 3 + fs.inotify.max_queued_events: "65536" 4 4 + fs.inotify.max_user_instances: "8192" 5 5 + fs.inotify.max_user_watches: "524288" 6 6 + net.core.rmem_max: "2500000" 7 7 + net.core.wmem_max: "2500000"

+5

talos/patches/global/udev.yaml

reviewed

··· 1 1 + machine: 2 2 + udev: 3 3 + rules: 4 4 + # Intel GPU 5 5 + - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"

+13 -85

talos/talconfig.yaml

reviewed

··· 80 80 hardwareAddr: d8:3a:dd:d8:70:bc 81 81 dhcp: true 82 82 83 83 + patches: 84 84 + - "@./patches/global/cluster-discovery.yaml" 85 85 + - "@./patches/global/containerd.yaml" 86 86 + - "@./patches/global/disable-search-domain.yaml" 87 87 + - "@./patches/global/kubelet.yaml" 88 88 + - "@./patches/global/nfs.yaml" 89 89 + - "@./patches/global/sysctl.yaml" 90 90 + - "@./patches/global/udev.yaml" 91 91 + 83 92 controlPlane: 84 93 patches: 85 85 - # Disable search domain everywhere 86 86 - - |- 87 87 - machine: 88 88 - network: 89 89 - disableSearchDomain: true 90 90 - 91 91 - # Enable KubePrism 92 92 - - |- 93 93 - machine: 94 94 - features: 95 95 - kubePrism: 96 96 - enabled: true 97 97 - port: 7445 98 98 - 99 99 - # Cluster configuration 100 100 - - |- 101 101 - cluster: 102 102 - allowSchedulingOnMasters: true 103 103 - proxy: 104 104 - disabled: true 105 105 - 106 106 - # Configure containerd 107 107 - - |- 108 108 - machine: 109 109 - files: 110 110 - - op: create 111 111 - path: /etc/cri/conf.d/20-customization.part 112 112 - content: | 113 113 - [plugins] 114 114 - [plugins."io.containerd.grpc.v1.cri"] 115 115 - enable_unprivileged_ports = true 116 116 - enable_unprivileged_icmp = true 117 117 - 118 118 - # Configure nfs mount options 119 119 - - |- 120 120 - machine: 121 121 - files: 122 122 - - op: overwrite 123 123 - path: /etc/nfsmount.conf 124 124 - permissions: 0o644 125 125 - content: | 126 126 - [ NFSMount_Global_Options ] 127 127 - nfsvers=4.2 128 128 - hard=True 129 129 - noatime=True 130 130 - nodiratime=True 131 131 - rsize=131072 132 132 - wsize=131072 133 133 - nconnect=8 94 94 + - "@./patches/controller/api-access.yaml" 95 95 + - "@./patches/controller/cluster.yaml" 96 96 + - "@./patches/controller/disable-admission-controller.yaml" 97 97 + - "@./patches/controller/kube-prism.yaml" 134 98 135 135 - # Disable default API server admission plugins. 136 136 - - |- 137 137 - - op: remove 138 138 - path: /cluster/apiServer/admissionControl 139 99 140 140 - # Enable K8s Talos API Access 141 141 - - |- 142 142 - machine: 143 143 - features: 144 144 - kubernetesTalosAPIAccess: 145 145 - enabled: true 146 146 - allowedRoles: 147 147 - - os:admin 148 148 - allowedKubernetesNamespaces: 149 149 - - system-upgrade 150 150 - 151 151 - # Kubelet configuration 152 152 - - |- 153 153 - machine: 154 154 - kubelet: 155 155 - extraArgs: 156 156 - rotate-server-certificates: "true" 157 157 - extraConfig: 158 158 - maxPods: 150 159 159 - nodeIP: 160 160 - validSubnets: 161 161 - - 10.0.105.0/24 162 162 - 163 163 - # Custom sysctls 164 164 - - |- 165 165 - machine: 166 166 - sysctls: 167 167 - fs.inotify.max_queued_events: "65536" 168 168 - fs.inotify.max_user_instances: "8192" 169 169 - fs.inotify.max_user_watches: "524288" 170 170 - net.core.rmem_max: "2500000" 171 171 - net.core.wmem_max: "2500000"