File: website/content/v1.8/introduction/getting-started.md
Lines changed: 18 additions & 11 deletions
@@ -81,14 +81,6 @@ The endpoint should be formatted like:
81
81
82
82
> NOTE: For a production cluster, you should have three control plane nodes, and have the endpoint allocate traffic to all three - see [Production Notes]({{< relref "prodnotes#control-plane-nodes" >}}).
83
83
84
-
## Accessing the Talos API
85
-
86
-
Administrative tasks are performed by calling the Talos API (usually with `talosctl`) on Talos Linux control plane nodes - thus, ensure your control
87
-
plane node is directly reachable on TCP port 50000 from the workstation where you run the `talosctl` client.
88
-
This may require changing firewall rules or cloud provider access-lists.
89
-
90
-
For production configurations, see [Production Notes]({{< relref "prodnotes#decide-the-kubernetes-endpoint" >}}).
91
-
92
84
## Configure Talos Linux
93
85
94
86
When Talos boots without a configuration, such as when booting off the Talos ISO, it
@@ -182,9 +174,24 @@ to reflect `vda` instead of `sda`.
182
174
183
175
> For information on customizing your machine configurations (such as to specify the version of Kubernetes), using [machine configuration patches]({{< relref "../talos-guides/configuration/patching" >}}), or customizing configurations for individual machines (such as setting static IP addresses), see the [Production Notes]({{< relref "prodnotes#customizing-machine-configuration" >}}).
184
176
185
-
## Understand talosctl, endpoints and nodes
177
+
## Accessing the Talos API
178
+
179
+
Administrative tasks are performed by calling the Talos API (usually with `talosctl`) on Talos Linux control plane nodes, who may forward the requests to other nodes.
180
+
Thus:
181
+
182
+
- ensure your control plane node is directly reachable on TCP port 50000 from the workstation where you run the `talosctl` client.
183
+
- until a node is a member of the cluster, it does not have the PKI infrastructure set up, and so will not accept API requests that are proxied through a control plane node.
184
+
185
+
Thus you will need direct access to the **worker** nodes on port 50000 from the workstation where you run `talosctl` in order to apply the initial configuration.
186
+
Once the cluster is established, you will no longer need port 50000 access to the workers.
187
+
(You can avoid requiring such access by passing in the initial configuration in one of other methods, such as by cloud `userdata` or via `talos.config=` kernel argument on a `metal` platform)
188
+
189
+
This may require changing firewall rules or cloud provider access-lists.
190
+
191
+
For production configurations, see [Production Notes]({{< relref "prodnotes#decide-the-kubernetes-endpoint" >}}).
192
+
193
+
## Understand how talosctl treats endpoints and nodes
186
194
187
-
It is important to understand the concept of `endpoints` and `nodes`.
188
195
In short: `endpoints`are where `talosctl` _sends_ commands to, but the command _operates_ on the specified `nodes`.
189
196
The endpoint will forward the command to the nodes, if needed.
190
197
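Review bot: The moved section reads awkwardly in two places and could state its security rationale more precisely. First, the sentence "Talos Linux control plane nodes, who may forward the requests to other nodes" should use "which" rather than "who", and "one of other methods" should read "one of the other methods" (the parenthetical also lacks a closing period). Second, "Thus:" introduces the two bullets and "Thus you will need direct access..." immediately follows them, so the second "Thus" is redundant; consider "As a result, you will need direct access...". Third, the second bullet is the key point and deserves one more sentence: because a node that is not yet a cluster member has no PKI, the initial configuration must be applied over an unauthenticated connection directly to that node, which is why port 50000 access to the workers is required only until they join. Finally, the "For production configurations" link still points at `prodnotes#decide-the-kubernetes-endpoint`; the earlier NOTE in this file links `prodnotes#control-plane-nodes` for the same topic, so check that the intended anchor is preserved after the move.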
@@ -247,7 +254,7 @@ Apply the `controlplane.yaml` file to the control plane node, and the `worker.ya
247
254
The `--insecure` flag is necessary because the PKI infrastructure has not yet been made available to the node.
248
255
Note: the connection _will_ be encrypted, but not authenticated.
249
256
250
-
When using the `--insecure` flag, it is not necessary to specify an endpoint.
257
+
> When using the `--insecure` flag, you cannot specify an endpoint, and must directly access the node on port 50000.
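Review bot: The replacement note changes the meaning from "not necessary to specify an endpoint" to "cannot specify an endpoint", which is a stronger claim; if `talosctl --insecure` actually rejects `--endpoints`, say so explicitly (for example, "the `--endpoints` flag is ignored/rejected with `--insecure`"), otherwise the old wording was more accurate. It would also help to connect this note to the two sentences above it: since the connection is "encrypted, but not authenticated", the client cannot verify which node it is talking to, so the reader should understand that direct access on port 50000 is required precisely because nothing can proxy or vouch for the request yet. Stating that consequence in the note makes the `--insecure` requirement read as a deliberate bootstrap step rather than an arbitrary restriction.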