talos api advertise address

[aretecarpe]

I think it would be nice to be able to configure on which IP address talos-api is able to be bound to. As it sits from what I understand there exists no way to set what IP address talos is able to communicate on, without of course using a talos ingress firewall rule or a CNI firewall. There exists ways to block which IP kube-api and kubelet is advertised on, but none for the talos-api. I don't want to have to use a nftable/iptable rule or even a CNI firewall when I have a public IP for external communication and a private IP and localhost which can be used for all other communications

[smira]

CNI firewall is a bad choice, as it gets applied too late.

Talos API is based on mutual TLS, so exposing it on a public API is not a security risk. If you want to restrict network access to it, please use Ingress Firewall.

[janvanlith]

ok but will this also make a talosctl health command work when you have blocked api request on port 50000 for the 1st interface and allowed on the 2nd interface.

[smira]

This totally depends on you, not on Talos in this case. Talos has no way to know how the nodes are reachable on their addresses from each another.

talosctl health command has many flags, but in the default setup it would try to guess the cluster members and their addresses based on discovery data available. This guess would work most of the time, but not always. Moreover, Talos has no way to know that there should be a member if that member failed and never booted up for example.

That's why talosctl health has a way for you to tell what are the expected cluster members via the flags, and if you do so, it would assert that all of them are actually present, and use the provided addresses to communicate within the cluster.