Skip to content

Commit

Permalink
docs: clarify direct access needed to nodes in insecure mode
Browse files Browse the repository at this point in the history
And some small updates.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
  • Loading branch information
steverfrancis authored and smira committed Jul 2, 2024
1 parent b4c871e commit c19cc4c
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 12 deletions.
2 changes: 1 addition & 1 deletion website/content/_index.html
Original file line number Diff line number Diff line change
Expand Up @@ -127,7 +127,7 @@ <h3 class="display-4 text-center mb-3">Hardened</h3>
<h3 class="display-4 text-center mb-3">Immutable</h3>
<p class="text-center">
Talos improves security further by mounting the root filesystem as
read-only and removing any host-level such as a shell and SSH.
read-only and removing host-level access tools such as a shell and SSH.
</p>
</div>
<div class="col-12 col-lg-4 mb-3">
Expand Down
29 changes: 18 additions & 11 deletions website/content/v1.8/introduction/getting-started.md
Original file line number Diff line number Diff line change
Expand Up @@ -81,14 +81,6 @@ The endpoint should be formatted like:

> NOTE: For a production cluster, you should have three control plane nodes, and have the endpoint allocate traffic to all three - see [Production Notes]({{< relref "prodnotes#control-plane-nodes" >}}).
## Accessing the Talos API

Administrative tasks are performed by calling the Talos API (usually with `talosctl`) on Talos Linux control plane nodes - thus, ensure your control
plane node is directly reachable on TCP port 50000 from the workstation where you run the `talosctl` client.
This may require changing firewall rules or cloud provider access-lists.

For production configurations, see [Production Notes]({{< relref "prodnotes#decide-the-kubernetes-endpoint" >}}).

## Configure Talos Linux

When Talos boots without a configuration, such as when booting off the Talos ISO, it
Expand Down Expand Up @@ -182,9 +174,24 @@ to reflect `vda` instead of `sda`.

> For information on customizing your machine configurations (such as to specify the version of Kubernetes), using [machine configuration patches]({{< relref "../talos-guides/configuration/patching" >}}), or customizing configurations for individual machines (such as setting static IP addresses), see the [Production Notes]({{< relref "prodnotes#customizing-machine-configuration" >}}).

## Understand talosctl, endpoints and nodes
## Accessing the Talos API

Administrative tasks are performed by calling the Talos API (usually with `talosctl`) on Talos Linux control plane nodes, who may forward the requests to other nodes.
Thus:

- ensure your control plane node is directly reachable on TCP port 50000 from the workstation where you run the `talosctl` client.
- until a node is a member of the cluster, it does not have the PKI infrastructure set up, and so will not accept API requests that are proxied through a control plane node.

Thus you will need direct access to the **worker** nodes on port 50000 from the workstation where you run `talosctl` in order to apply the initial configuration.
Once the cluster is established, you will no longer need port 50000 access to the workers.
(You can avoid requiring such access by passing in the initial configuration in one of other methods, such as by cloud `userdata` or via `talos.config=` kernel argument on a `metal` platform)

This may require changing firewall rules or cloud provider access-lists.

For production configurations, see [Production Notes]({{< relref "prodnotes#decide-the-kubernetes-endpoint" >}}).

## Understand how talosctl treats endpoints and nodes

It is important to understand the concept of `endpoints` and `nodes`.
In short: `endpoints` are where `talosctl` _sends_ commands to, but the command _operates_ on the specified `nodes`.
The endpoint will forward the command to the nodes, if needed.

Expand Down Expand Up @@ -247,7 +254,7 @@ Apply the `controlplane.yaml` file to the control plane node, and the `worker.ya
The `--insecure` flag is necessary because the PKI infrastructure has not yet been made available to the node.
Note: the connection _will_ be encrypted, but not authenticated.

When using the `--insecure` flag, it is not necessary to specify an endpoint.
> When using the `--insecure` flag, you cannot specify an endpoint, and must directly access the node on port 50000.

### Default talosconfig configuration file

Expand Down

0 comments on commit c19cc4c

Please sign in to comment.