
Releases: siderolabs/talos

v1.6.0-alpha.0 (Pre-release)

24 Aug 17:31, commit 8670450

Talos 1.6.0-alpha.0 (2023-08-24)

Welcome to the v1.6.0-alpha.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

talosctl CLI

The talosctl images command, deprecated in Talos 1.5, has been removed; use talosctl image default instead.

Component Updates

  • Linux: 6.1.46

Talos is built with Go 1.21.

Contributors

  • Andrey Smirnov
  • Noel Georgi
  • Dmitriy Matrenichev
  • Artem Chernyshev
  • Christian Rolland
  • Enno Boland
  • Henry Sachs
  • Jared Davenport
  • Nico Berlee
  • Sascha Desch
  • Tim Jones
  • Utku Ozdemir

Changes

50 commits

  • 8670450d2 release(v1.6.0-alpha.0): prepare release
  • 6778ded29 feat: add e2e-aws for nvidia extensions
  • 74c07ed71 chore: update Go to 1.21
  • a28d72e9c fix: ova contents to be named disk.*
  • c0ea4d7ba fix: properly calculate overal of node address with subnet filters
  • d6b2719e2 chore: drone: move extensions step to a function
  • 9608ef56d chore: allow bridge traffic with DHCP broadcast traffic
  • c99316457 docs: fix the installing system extensions doc
  • 833895940 chore: add tests for zfs extension
  • cb468c41c fix: copy proper modules to arm64 squashfs
  • ea0d6e8c6 fix: prevent dashboard crashes when process info is not available
  • e9077a6fb feat: filter the hostname to produce nodename
  • dc8361c1d fix: properly GC images supplied with both tag and digest
  • ccfa8de11 fix: automatically change rpi_4 board on upgrade
  • b56e8b7d9 fix: support 'List' type manifests
  • 574d48e54 fix: use image digest when starting a container
  • 175747cea fix: ntp query error with bare IPv6 address
  • c8b507fb2 docs: fix kubeprism typo
  • 0cdcb2e0e docs: restructure docs for nvidia drivers for v1.4
  • 676db9768 docs: fork docs for Talos 1.6
  • 92ad18c18 fix: write correct capacity to the ovf
  • 6b0373ebe chore: move bash tests to integration
  • 52b3d8d37 docs: make Talos 1.5 documentation the default one
  • dc873df9b chore: fix the filenames of openstack images
  • b5c0e7b24 docs: update nvidia docs
  • 9606e871e docs: update Jiva Pod Security Policy
  • a86ed4362 chore: update Kubernetes Go modules to 0.28.0
  • 97b4e3e91 feat: update Kubernetes to 1.28.0
  • 79ca1a3df feat: e2e-aws using tf code
  • bf3a5e011 chore: add version compatibility for Talos 1.6
  • 969e8097c feat: update Kubernetes to 1.28.0-rc.1
  • ca41b611e chore: drone jsonnet cleanup
  • bc198e98e docs: retain cilium autoMount pending upstream hostPath fix
  • 86c94eff8 refactor: docgen and config examples
  • ee6d639f6 fix: match routes on the priority properly
  • bff0d8f32 chore: fix dependencies in the release pipeline
  • e1b288679 refactor: compile regex in validation method on the first use
  • daa4c185a docs: add what's new and documentation for Talos 1.5
  • c4a1ca8d6 chore: remove <-errCh where possible in grpc methods
  • e0f383598 chore: clean up the output of the imager
  • fb536af4d chore: optimize memory usage of tcell library on init
  • 7c86a365e chore: publish systemd-boot and systemd-stub assets
  • 7d688ccfe fix: make encryption config provider default to luks2 if not set
  • 80238a05a chore: unify semver under github.com/blang/semver/v4
  • 0f1920bdd chore: provide a resource to peek into Linux clock adjustments
  • 4eab3017b fix: calculate log2i properly
  • bcf284530 fix: update providerid prefix for aws
  • ac2aff5cc fix: fix azure portion of cloud uploader
  • 793dcedc9 fix: fast-wipe the system disk on talosctl reset
  • 76fa45afb docs: update cilium instructions

Changes from siderolabs/pkgs

9 commits

Changes from siderolabs/tools

1 commit

Dependency Changes

  • github.com/aws/aws-sdk-go-v2/config v1.18.32 -> v1.18.36
  • github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.7 -> v1.13.11
  • github.com/aws/smithy-go v1.14.0 -> v1.14.2
  • github.com/beevik/ntp v1.2.0 -> v1.3.0
  • github.com/blang/semver/v4 v4.0.0 new
  • github.com/containerd/containerd v1.6.23 -> v1.6.22
  • github.com/foxboron/go-uefi 32187aa193d0 -> 18b9ba9cd4c3
  • github.com/google/go-containerregistry v0.15.2 -> v0.16.1
  • github.com/google/uuid v1.3.0 -> v1.3.1
  • github.com/hetznercloud/hcloud-go/v2 v2.0.0 -> v2.1.1
  • github.com/insomniacslk/dhcp 0f9eb93a696c -> b3ca2534940d
  • github.com/jsimonetti/rtnetlink v1.3.4 -> v1.3.5
  • github.com/rivo/tview 6cc0565babaf -> ccc2c8119703
  • github.com/siderolabs/pkgs v1.5.0-6-g2f2c9cd -> v1.6.0-alpha.0-8-gcca80b7
  • github.com/siderolabs/talos/pkg/machinery v1.5.0 -> v1.6.0-alpha.0
  • github.com/siderolabs/tools v1.5.0 -> v1.6.0-alpha.0
  • golang.org/x/net v0.13.0 -> v0.14.0
  • golang.org/x/sys v0.10.0 -> v0.11.0
  • golang.org/x/term v0.10.0 -> v0.11.0
  • golang.org/x/text v0.11.0 -> v0.12.0

Previous release can be found at v1.5.0

Images

For this pre-release the Images section contains the talosctl image help text instead of the list of component images:

Manage CRI container images

Usage:
  talosctl image [command]

Aliases:
  image, images

Available Commands:
  default     List the default images used by Talos
  list        List CRI images
  pull        Pull an image into CRI

Flags:
  -h, --help               help for image
      --namespace system   namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri")

Global Flags:
      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

Use "talosctl image [command] --help" for more information about a command.

v1.5.1

22 Aug 19:18, commit 40a22cd

Talos 1.5.1 (2023-08-22)

Welcome to the v1.5.1 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

  • Linux: 6.1.46

Contributors

  • Andrey Smirnov
  • Utku Ozdemir

Changes

11 commits

  • 40a22cdf7 release(v1.5.1): prepare release
  • 4fd4e16c0 fix: copy proper modules to arm64 squashfs
  • 51c92e48a feat: update Linux to 6.1.46
  • 2d2b8c895 fix: prevent dashboard crashes when process info is not available
  • a79ed5e47 fix: properly GC images supplied with both tag and digest
  • 024053a5c fix: automatically change rpi_4 board on upgrade
  • 5c82445d2 fix: support 'List' type manifests
  • 7b36ada79 fix: use image digest when starting a container
  • 106078295 fix: ntp query error with bare IPv6 address
  • 5b1d021d5 fix: write correct capacity to the ovf
  • 3c8b0856b fix: restore compatibility with Kubernetes 1.26

Changes from siderolabs/pkgs

1 commit

Dependency Changes

  • github.com/beevik/ntp v1.2.0 -> v1.3.0
  • github.com/siderolabs/pkgs v1.5.0-6-g2f2c9cd -> v1.5.0-7-gf62fa2c
  • github.com/siderolabs/talos/pkg/machinery v1.5.0 -> v1.5.1

Previous release can be found at v1.5.0

Images

ghcr.io/siderolabs/flannel:v0.22.1
ghcr.io/siderolabs/install-cni:v1.5.0
registry.k8s.io/coredns/coredns:v1.10.1
gcr.io/etcd-development/etcd:v3.5.9
registry.k8s.io/kube-apiserver:v1.28.0
registry.k8s.io/kube-controller-manager:v1.28.0
registry.k8s.io/kube-scheduler:v1.28.0
registry.k8s.io/kube-proxy:v1.28.0
ghcr.io/siderolabs/kubelet:v1.28.0
ghcr.io/siderolabs/installer:v1.5.1
registry.k8s.io/pause:3.6

v1.5.0

17 Aug 11:52, commit 429a2de

Talos 1.5.0 (2023-08-17)

Welcome to the v1.5.0 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Extension Services

Talos now supports setting environmentFile in an extension service container spec; see https://www.talos.dev/v1.5/advanced/extension-services/#container
Talos waits for the file to be present before starting the service.
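Worked example of the new field, added here as an illustration and not taken from the release notes or from the Talos project: an extension service spec that declares environmentFile, together with the machine config fragment that creates that file on the node. The service name, entrypoint, file path and variable names are assumptions; the spec is assumed to sit at the usual /usr/local/etc/containers/<name>.yaml location inside the extension image, and environmentFile is assumed to be a host path containing KEY=VALUE lines.

```yaml
# Added example (not from the Talos release notes or the Talos project).
# Extension service spec, assumed to live at
# /usr/local/etc/containers/hello-world.yaml inside the extension image.
# Service name, entrypoint, paths and variable names are illustrative.
name: hello-world
depends:
  - service: cri
container:
  entrypoint: /usr/local/bin/hello-world
  # Talos does not start the service until this file exists; its
  # KEY=VALUE lines (assumed format) become the container environment.
  environmentFile: /var/etc/hello-world/env
  args:
    - --listen
    - 127.0.0.1:8080
restart: always
---
# Matching machine config fragment that creates the environment file.
# Keep it 0600: its content is part of the machine config and lands on
# the node's persistent /var, so treat it as a secret if it holds one.
machine:
  files:
    - path: /var/etc/hello-world/env
      op: create
      permissions: 0o600
      content: |
        HELLO_LOG_LEVEL=info
        HELLO_UPSTREAM=https://api.example.internal
```

Because Talos waits for the file, a mistyped path shows up as a service that never starts rather than as a rejected config; check the service state with talosctl service ext-hello-world (Talos prefixes extension services with ext-).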

Predictable Network Interface Names

Starting with Talos 1.5, network interfaces are renamed to predictable names,
the same way systemd does in other Linux distributions.

The MAC-address-based naming scheme (for example enx78e7d1ea46da) is enabled by default; the order of interface naming decisions is:

  • firmware/BIOS provided index numbers for on-board devices (example: eno1)
  • firmware/BIOS provided PCI Express hotplug slot index numbers (example: ens1)
  • physical/geographical location of the connector of the hardware (example: enp2s0)
  • the interface's MAC address (example: enx78e7d1ea46da)

The predictable network interface names feature can be disabled by specifying net.ifnames=0 on the kernel command line.
Talos automatically adds the net.ifnames=0 kernel argument when upgrading from Talos versions before 1.5.
On fresh installs of Talos 1.5, machine configs that refer to interfaces by the old kernel names (for example eth0) need to be updated to the new names, or net.ifnames=0 has to be added.

This change doesn't affect "cloud" platforms such as AWS, as Talos automatically adds net.ifnames=0 to the kernel command line there.

Network KMS Disk Encryption

Talos now supports a new type of encryption key, which is sealed/unsealed by an external KMS server:

systemDiskEncryption:
  ephemeral:
    keys:
      - kms:
          endpoint: https://1.2.3.4:443
        slot: 0

The gRPC API definitions and a simple reference implementation of the KMS server can be found in this
repository. Because the key is unsealed at boot, the KMS endpoint must be reachable from the node at boot time, before the encrypted partition can be opened.

KubePrism - Kubernetes API Server In-Cluster Load Balancer

Talos now supports configuring KubePrism, the Kubernetes API server in-cluster load balancer, with the machine config
fields features.kubePrism.port and features.kubePrism.enabled.

If enabled, KubePrism binds to localhost and runs on the same port on every machine in the cluster.
The default KubePrism endpoint is https://localhost:7445.

KubePrism is used by the kubelet, kube-scheduler, kube-controller-manager
and kube-proxy by default, and its endpoint can be passed to CNIs such as Cilium and Calico.

KubePrism provides access to the Kubernetes API endpoint even if the external load balancer
is not healthy, provided that the worker nodes can reach the control plane machine addresses directly.
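Machine config fragment that enables KubePrism explicitly on the default port, added here as an illustration and not taken from the release notes or the Talos project; the field names are the ones the notes cite, and 7445 is the default the notes give.

```yaml
# Added example (not from the Talos release notes or the Talos project).
# Enables KubePrism on every node; apply the same fragment to control
# plane and worker configs so the endpoint is identical cluster-wide.
machine:
  features:
    kubePrism:
      enabled: true
      port: 7445   # default from the release notes; any free local port works
```

Because KubePrism binds to localhost, https://localhost:7445 is reachable only by processes on the node itself, which is what the kubelet and the control plane components need. A CNI has to be pointed at the same endpoint through its own configuration; for Cilium's Helm chart that is k8sServiceHost: localhost and k8sServicePort: 7445 (values taken from Cilium's chart, not from this page). Workers must still be able to reach the control plane machine addresses directly, since that is where KubePrism forwards the traffic.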

Machine Config option .machine.install.bootloader

The .machine.install.bootloader option in the machine config is deprecated and will be removed in Talos 1.6.
It has been a no-op for a long time: the bootloader is always installed.

XFS Quota

Talos 1.5+ enables XFS project quota support by default, and also enables the
kubelet feature gate LocalStorageCapacityIsolationFSQuotaMonitoring by default, so that XFS quotas
rather than du are used to monitor volume usage.

This feature is controlled by the .machine.features.diskQuotaSupport field in the machine config;
it is set to true for new clusters.

When upgrading from a previous version, the feature can be enabled by setting the field to true.
On the first mount of a volume, the quota information is recalculated, which may take some time.

RDMA/RoCE support

Talos no longer loads the rdma_rxe Linux driver by default; the driver is required for RoCE support.
If it is needed, it can be enabled by listing rdma_rxe in the .machine.kernel.modules field of the machine config.

SecureBoot

Talos now supports generating a custom ISO that can be used with SecureBoot. Key generation and enrollment have to be done manually.

talosctl image Command

A new set of commands was introduced to manage container images in the CRI:

  • talosctl image list lists the images present in the CRI
  • talosctl image pull pre-pulls an image into the CRI

Both new commands accept the --namespace flag with two possible values:

  • cri (default): images managed by the CRI (Kubernetes workloads)
  • system: images managed by Talos (etcd and kubelet)

talosctl images Command

The command talosctl images was renamed to talosctl image default.

The backward-compatible alias is kept in Talos 1.5, but it will be dropped in Talos 1.6.

TPM Disk Encryption

Talos now supports encrypting the STATE/EPHEMERAL partitions with keys bound to a TPM device. The TPM device must be TPM 2.0 compatible.
This is intended to be used when booting the new Talos SecureBoot UKI ISOs/metal images. The feature still works if SecureBoot
is not enabled for UKI images, but that is not recommended, since there is then no way to verify the trustworthiness of the bootloader.

Example machine config:

systemDiskEncryption:
  ephemeral:
    provider: luks2
    keys:
      - slot: 0
        tpm: {}
  state:
    provider: luks2
    keys:
      - slot: 0
        tpm: {}

Component Updates

  • Linux: 6.1.45
  • containerd: 1.6.23
  • runc: 1.1.9
  • etcd: 3.5.9
  • Kubernetes: 1.28.0
  • Flannel: 0.22.1

Talos is built with Go 1.20.7.

talosctl upgrade-k8s Image Pre-pulling

The command talosctl upgrade-k8s now pre-pulls images for the Kubernetes control plane components
and the kubelet by default. This provides an early check for missing images and minimizes downtime during the
rolling update of the Kubernetes components.

Contributors

  • Andrey Smirnov
  • Noel Georgi
  • Dmitriy Matrenichev
  • Utku Ozdemir
  • Artem Chernyshev
  • Spencer Smith
  • Christian Rolland
  • Steve Francis
  • Andrei Kvapil
  • Nanfei Chen
  • Nico Berlee
  • Alex Corcoles
  • Alex Lubbock
  • Budiman Jojo
  • Chris Hoffman
  • DJAlPee
  • Dennis Marttinen
  • Eirik Askheim
  • Florian Klink
  • Henk Kraal
  • Igor Rzegocki
  • James Callahan
  • Jared Davenport
  • LukasAuerbeck
  • Markus Reiter
  • Michael A. Davis
  • Michael Fornaro
  • Niklas Wik
  • Piotr Maksymiuk
  • Ricky Sadowski
  • Roee Klinger
  • Sacha Trémoureux
  • Scott Cariss
  • Serge Logvinov
  • Thomas Lemarchand
  • Thomas Perronin
  • Tim Jones
  • Victor Bajada
  • Walt Chen
  • bdronneau

Changes

244 commits

  • 429a2de86 release(v1.5.0): prepare release
  • 7d37108e7 test: fix the check on 'trusted boot'
  • 644c8a4a5 feat: update pkgs
  • 17d11cb36 chore: update Kubernetes Go modules to 0.28.0
  • c15106898 feat: update Kubernetes to 1.28.0
  • 51680ad02 chore: add version compatibility for Talos 1.6
  • fd304fae2 feat: update Kubernetes to 1.28.0-rc.1
  • 2c122b37f fix: match routes on the priority properly
  • 16382a650 refactor: compile regex in validation method on the first use
  • f0364d29e refactor: docgen and config examples
  • 5dec8c22e docs: add what's new and documentation for Talos 1.5
  • bd44bf02a chore: fix dependencies in the release pipeline
  • 46d61bb3f release(v1.5.0-beta.1): prepare release
  • 8a94ae93e chore: update Linux to 6.1.44
  • 0b9f200ad chore: allow multiple commits
  • 3e2359403 chore: clean up the output of the imager
  • d52e5d672 chore: optimize memory usage of tcell library on init
  • c8231d482 fix: make encryption config provider default to luks2 if not set
  • 47b1224c9 chore: publish systemd-boot and systemd-stub assets
  • 761e7737b fix: calculate log2i properly
  • 6748efb4e fix: fast-wipe the system disk on talosctl reset
  • 73db592fa docs: update cilium instructions
  • eae450772 fix: fix azure portion of cloud uploader
  • a94cb001c fix: update providerid prefix for aws
  • de763409b release(v1.5.0-beta.0): prepare release
  • 87fe8f1a2 feat: implement image generation profiles
  • e685208ce chore: update go 1.20.7
  • 10f958cf4 feat: network configuration improvements on the NoCloud platform
  • 5adeb5042 feat: update extension spec allowlist for opengl
  • abf383117 chore: remove cpu_manager_state on cpuManagerPolicy change
  • 018e7f587 chore: bump dependencies
  • 68e6b98f7 feat: add security state resource
  • 209c34801 chore: drop with-secureboot talosctl flag
  • ab14905d9 docs: note that Talos API requires TCP only load balancer, not HTTPS
  • 078c29c73 chore: re-enable cloud images step
  • a17272cdd chore: update hcloud API SDK to v2
  • 6d71bb8df refactor: replace google/gopacket with gopacket/gopacket
  • 846f37d84 refactor: drop dependency on vmware/govmomi
  • ca0b32c51 refactor: update AWS SDK and http-getter to v2 versions
  • dbb9f2bc7 chore: add dm_multipath module
  • b70b7ea57 chore: use new go-pcidb database
  • 9b533e27c feat: update Kubernetes to 1.28.0-rc.0
  • a3a2aa8ef fix: use fast wipe for upgrade
  • f863498ff fix: always override APIServer audit policy
  • 355681dda fix: terminate dashboard gracefully on & switch back to tty1
  • 544cb4fe7 refactor: accept partial machine configuration
    ...

v1.4.8

10 Aug 16:07, commit 84c2961

Talos 1.4.8 (2023-08-10)

Welcome to the v1.4.8 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

  • Linux: 6.1.44

Talos is built with Go 1.20.7.

Contributors

  • Andrey Smirnov

Changes

3 commits

  • 84c2961ab release(v1.4.8): prepare release
  • 371586180 chore: update Go to 1.20.7, Linux to 6.1.44
  • 85b5d1ddd fix: calculate log2i properly

Changes from siderolabs/extras

1 commit

Changes from siderolabs/pkgs

3 commits

Changes from siderolabs/tools

1 commit

Dependency Changes

  • github.com/siderolabs/extras v1.4.0-3-g2b5a1e6 -> v1.4.0-4-g9b41398
  • github.com/siderolabs/pkgs v1.4.1-16-g69266d9 -> v1.4.1-19-g13103d6
  • github.com/siderolabs/talos/pkg/machinery v1.4.7 -> v1.4.8
  • github.com/siderolabs/tools v1.4.0-4-g78b2dc6 -> v1.4.0-5-g6889ef6

Previous release can be found at v1.4.7

Images

ghcr.io/siderolabs/flannel:v0.21.4
ghcr.io/siderolabs/install-cni:v1.4.0-4-g9b41398
docker.io/coredns/coredns:1.10.1
gcr.io/etcd-development/etcd:v3.5.9
registry.k8s.io/kube-apiserver:v1.27.4
registry.k8s.io/kube-controller-manager:v1.27.4
registry.k8s.io/kube-scheduler:v1.27.4
registry.k8s.io/kube-proxy:v1.27.4
ghcr.io/siderolabs/kubelet:v1.27.4
ghcr.io/siderolabs/installer:v1.4.8
registry.k8s.io/pause:3.6

v1.5.0-beta.1 (Pre-release)

09 Aug 21:10, commit bd44bf0

Talos 1.5.0-beta.1 (2023-08-09)

Welcome to the v1.5.0-beta.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Extension Services

Talos now supports setting environmentFile in an extension service container spec; see https://www.talos.dev/v1.5/advanced/extension-services/#container
Talos waits for the file to be present before starting the service.

Predictable Network Interface Names

Starting with Talos 1.5, network interfaces are renamed to predictable names,
the same way systemd does in other Linux distributions.

The MAC-address-based naming scheme (for example enx78e7d1ea46da) is enabled by default; the order of interface naming decisions is:

  • firmware/BIOS provided index numbers for on-board devices (example: eno1)
  • firmware/BIOS provided PCI Express hotplug slot index numbers (example: ens1)
  • physical/geographical location of the connector of the hardware (example: enp2s0)
  • the interface's MAC address (example: enx78e7d1ea46da)

The predictable network interface names feature can be disabled by specifying net.ifnames=0 on the kernel command line.
Talos automatically adds the net.ifnames=0 kernel argument when upgrading from Talos versions before 1.5.
On fresh installs of Talos 1.5, machine configs that refer to interfaces by the old kernel names (for example eth0) need to be updated to the new names, or net.ifnames=0 has to be added.

This change doesn't affect "cloud" platforms such as AWS, as Talos automatically adds net.ifnames=0 to the kernel command line there.

Network KMS Disk Encryption

Talos now supports a new type of encryption key, which is sealed/unsealed by an external KMS server:

systemDiskEncryption:
  ephemeral:
    keys:
      - kms:
          endpoint: https://1.2.3.4:443
        slot: 0

The gRPC API definitions and a simple reference implementation of the KMS server can be found in this
repository. Because the key is unsealed at boot, the KMS endpoint must be reachable from the node at boot time, before the encrypted partition can be opened.

KubePrism - Kubernetes API Server In-Cluster Load Balancer

Talos now supports configuring KubePrism, the Kubernetes API server in-cluster load balancer, with the machine config
fields features.kubePrism.port and features.kubePrism.enabled.

If enabled, KubePrism binds to localhost and runs on the same port on every machine in the cluster.
The default KubePrism endpoint is https://localhost:7445.

KubePrism is used by the kubelet, kube-scheduler, kube-controller-manager
and kube-proxy by default, and its endpoint can be passed to CNIs such as Cilium and Calico.

KubePrism provides access to the Kubernetes API endpoint even if the external load balancer
is not healthy, provided that the worker nodes can reach the control plane machine addresses directly.

Machine Config option .machine.install.bootloader

The .machine.install.bootloader option in the machine config is deprecated and will be removed in Talos 1.6.
It has been a no-op for a long time: the bootloader is always installed.

XFS Quota

Talos 1.5+ enables XFS project quota support by default, and also enables the
kubelet feature gate LocalStorageCapacityIsolationFSQuotaMonitoring by default, so that XFS quotas
rather than du are used to monitor volume usage.

This feature is controlled by the .machine.features.diskQuotaSupport field in the machine config;
it is set to true for new clusters.

When upgrading from a previous version, the feature can be enabled by setting the field to true.
On the first mount of a volume, the quota information is recalculated, which may take some time.

RDMA/RoCE support

Talos no longer loads the rdma_rxe Linux driver by default; the driver is required for RoCE support.
If it is needed, it can be enabled by listing rdma_rxe in the .machine.kernel.modules field of the machine config.

SecureBoot

Talos now supports generating a custom ISO that can be used with SecureBoot. Key generation and enrollment have to be done manually.

talosctl image Command

A new set of commands was introduced to manage container images in the CRI:

  • talosctl image list lists the images present in the CRI
  • talosctl image pull pre-pulls an image into the CRI

Both new commands accept the --namespace flag with two possible values:

  • cri (default): images managed by the CRI (Kubernetes workloads)
  • system: images managed by Talos (etcd and kubelet)

talosctl images Command

The command talosctl images was renamed to talosctl image default.

The backward-compatible alias is kept in Talos 1.5, but it will be dropped in Talos 1.6.

TPM Disk Encryption

Talos now supports encrypting the STATE/EPHEMERAL partitions with keys bound to a TPM device. The TPM device must be TPM 2.0 compatible.
This is intended to be used when booting the new Talos SecureBoot UKI ISOs/metal images. The feature still works if SecureBoot
is not enabled for UKI images, but that is not recommended, since there is then no way to verify the trustworthiness of the bootloader.

Example machine config:

systemDiskEncryption:
  ephemeral:
    provider: luks2
    keys:
      - slot: 0
        tpm: {}
  state:
    provider: luks2
    keys:
      - slot: 0
        tpm: {}

Component Updates

  • Linux: 6.1.44
  • containerd: 1.6.22
  • runc: 1.1.8
  • etcd: 3.5.9
  • Kubernetes: 1.28.0-rc.0
  • Flannel: 0.22.1

Talos is built with Go 1.20.7.

talosctl upgrade-k8s Image Pre-pulling

The command talosctl upgrade-k8s now pre-pulls images for the Kubernetes control plane components
and the kubelet by default. This provides an early check for missing images and minimizes downtime during the
rolling update of the Kubernetes components.

Contributors

  • Andrey Smirnov
  • Noel Georgi
  • Dmitriy Matrenichev
  • Utku Ozdemir
  • Artem Chernyshev
  • Spencer Smith
  • Christian Rolland
  • Steve Francis
  • Andrei Kvapil
  • Nanfei Chen
  • Nico Berlee
  • Alex Corcoles
  • Alex Lubbock
  • Budiman Jojo
  • Chris Hoffman
  • DJAlPee
  • Dennis Marttinen
  • Eirik Askheim
  • Florian Klink
  • Henk Kraal
  • Igor Rzegocki
  • James Callahan
  • Jared Davenport
  • LukasAuerbeck
  • Markus Reiter
  • Michael A. Davis
  • Michael Fornaro
  • Niklas Wik
  • Piotr Maksymiuk
  • Ricky Sadowski
  • Roee Klinger
  • Sacha Trémoureux
  • Scott Cariss
  • Serge Logvinov
  • Thomas Lemarchand
  • Thomas Perronin
  • Tim Jones
  • Victor Bajada
  • Walt Chen
  • bdronneau

Changes

233 commits

  • bd44bf02a chore: fix dependencies in the release pipeline
  • 46d61bb3f release(v1.5.0-beta.1): prepare release
  • 8a94ae93e chore: update Linux to 6.1.44
  • 0b9f200ad chore: allow multiple commits
  • 3e2359403 chore: clean up the output of the imager
  • d52e5d672 chore: optimize memory usage of tcell library on init
  • c8231d482 fix: make encryption config provider default to luks2 if not set
  • 47b1224c9 chore: publish systemd-boot and systemd-stub assets
  • 761e7737b fix: calculate log2i properly
  • 6748efb4e fix: fast-wipe the system disk on talosctl reset
  • 73db592fa docs: update cilium instructions
  • eae450772 fix: fix azure portion of cloud uploader
  • a94cb001c fix: update providerid prefix for aws
  • de763409b release(v1.5.0-beta.0): prepare release
  • 87fe8f1a2 feat: implement image generation profiles
  • e685208ce chore: update go 1.20.7
  • 10f958cf4 feat: network configuration improvements on the NoCloud platform
  • 5adeb5042 feat: update extension spec allowlist for opengl
  • abf383117 chore: remove cpu_manager_state on cpuManagerPolicy change
  • 018e7f587 chore: bump dependencies
  • 68e6b98f7 feat: add security state resource
  • 209c34801 chore: drop with-secureboot talosctl flag
  • ab14905d9 docs: note that Talos API requires TCP only load balancer, not HTTPS
  • 078c29c73 chore: re-enable cloud images step
  • a17272cdd chore: update hcloud API SDK to v2
  • 6d71bb8df refactor: replace google/gopacket with gopacket/gopacket
  • 846f37d84 refactor: drop dependency on vmware/govmomi
  • ca0b32c51 refactor: update AWS SDK and http-getter to v2 versions
  • dbb9f2bc7 chore: add dm_multipath module
  • b70b7ea57 chore: use new go-pcidb database
  • 9b533e27c feat: update Kubernetes to 1.28.0-rc.0
  • a3a2aa8ef fix: use fast wipe for upgrade
  • f863498ff fix: always override APIServer audit policy
  • 355681dda fix: terminate dashboard gracefully on & switch back to tty1
  • 544cb4fe7 refactor: accept partial machine configuration
  • 9b0bc3e93 chore: split kernel modules out of the tree
  • ffa48ac80 chore: workaround AWS AMI failures, disable Azure uploader
  • 4cd7623cf chore: add alx drivers
  • 663264c86 release(v1.5.0-alpha.3): prepare release
  • d2f64af86 chore: disable cloud-images, pull in new kernel and gre module
  • 8edce4906 docs: improve proxmox install guide
  • c783458be docs: typo dhcp -> dhcp
  • 003cbd161 docs: warn about secretboxEncryptionSecret in kubeadm migration guide
  • 786e86f5b refactor: rewrite the way Talos acquires the machine configuration
  • siderolabs/talos@5...

v1.5.0-beta.0 (Pre-release)

02 Aug 20:17, commit de76340

Talos 1.5.0-beta.0 (2023-08-02)

Welcome to the v1.5.0-beta.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Extension Services

Talos now supports setting environmentFile in an extension service container spec; see https://www.talos.dev/v1.5/advanced/extension-services/#container
Talos waits for the file to be present before starting the service.

Predictable Network Interface Names

Starting with Talos 1.5, network interfaces are renamed to predictable names,
the same way systemd does in other Linux distributions.

The MAC-address-based naming scheme (for example enx78e7d1ea46da) is enabled by default; the order of interface naming decisions is:

  • firmware/BIOS provided index numbers for on-board devices (example: eno1)
  • firmware/BIOS provided PCI Express hotplug slot index numbers (example: ens1)
  • physical/geographical location of the connector of the hardware (example: enp2s0)
  • the interface's MAC address (example: enx78e7d1ea46da)

The predictable network interface names feature can be disabled by specifying net.ifnames=0 on the kernel command line.
Talos automatically adds the net.ifnames=0 kernel argument when upgrading from Talos versions before 1.5.
On fresh installs of Talos 1.5, machine configs that refer to interfaces by the old kernel names (for example eth0) need to be updated to the new names, or net.ifnames=0 has to be added.

This change doesn't affect "cloud" platforms such as AWS, as Talos automatically adds net.ifnames=0 to the kernel command line there.

Network KMS Disk Encryption

Talos now supports a new type of encryption key, which is sealed/unsealed by an external KMS server:

systemDiskEncryption:
  ephemeral:
    keys:
      - kms:
          endpoint: https://1.2.3.4:443
        slot: 0

The gRPC API definitions and a simple reference implementation of the KMS server can be found in this
repository. Because the key is unsealed at boot, the KMS endpoint must be reachable from the node at boot time, before the encrypted partition can be opened.

KubePrism - Kubernetes API Server In-Cluster Load Balancer

Talos now supports configuring KubePrism, the Kubernetes API server in-cluster load balancer, with the machine config
fields features.kubePrism.port and features.kubePrism.enabled.

If enabled, KubePrism binds to localhost and runs on the same port on every machine in the cluster.
The default KubePrism endpoint is https://localhost:7445.

KubePrism is used by the kubelet, kube-scheduler, kube-controller-manager
and kube-proxy by default, and its endpoint can be passed to CNIs such as Cilium and Calico.

KubePrism provides access to the Kubernetes API endpoint even if the external load balancer
is not healthy, provided that the worker nodes can reach the control plane machine addresses directly.

Machine Config option .machine.install.bootloader

The .machine.install.bootloader option in the machine config is deprecated and will be removed in Talos 1.6.
It has been a no-op for a long time: the bootloader is always installed.

XFS Quota

Talos 1.5+ enables XFS project quota support by default, and also enables the
kubelet feature gate LocalStorageCapacityIsolationFSQuotaMonitoring by default, so that XFS quotas
rather than du are used to monitor volume usage.

This feature is controlled by the .machine.features.diskQuotaSupport field in the machine config;
it is set to true for new clusters.

When upgrading from a previous version, the feature can be enabled by setting the field to true.
On the first mount of a volume, the quota information is recalculated, which may take some time.

RDMA/RoCE support

Talos no longer loads the rdma_rxe Linux driver by default; the driver is required for RoCE support.
If it is needed, it can be enabled by listing rdma_rxe in the .machine.kernel.modules field of the machine config.

SecureBoot

Talos now supports generating a custom ISO that can be used with SecureBoot. Key generation and enrollment have to be done manually.

talosctl image Command

A new set of commands was introduced to manage container images in the CRI:

  • talosctl image list lists the images present in the CRI
  • talosctl image pull pre-pulls an image into the CRI

Both new commands accept the --namespace flag with two possible values:

  • cri (default): images managed by the CRI (Kubernetes workloads)
  • system: images managed by Talos (etcd and kubelet)

talosctl images Command

The command talosctl images was renamed to talosctl image default.

The backward-compatible alias is kept in Talos 1.5, but it will be dropped in Talos 1.6.

TPM Disk Encryption

Talos now supports encrypting the STATE/EPHEMERAL partitions with keys bound to a TPM device. The TPM device must be TPM 2.0 compatible.
This is intended to be used when booting the new Talos SecureBoot UKI ISOs/metal images. The feature still works if SecureBoot
is not enabled for UKI images, but that is not recommended, since there is then no way to verify the trustworthiness of the bootloader.

Example machine config:

systemDiskEncryption:
  ephemeral:
    keys:
      - slot: 0
        tpm: {}
  state:
    keys:
      - slot: 0
        tpm: {}

Component Updates

  • Linux: 6.1.42
  • containerd: 1.6.22
  • runc: 1.1.8
  • etcd: 3.5.9
  • Kubernetes: 1.28.0-rc.0
  • Flannel: 0.22.1

Talos is built with Go 1.20.7.

talosctl upgrade-k8s Image Pre-pulling

The command talosctl upgrade-k8s now pre-pulls images for the Kubernetes controlplane components
and the kubelet by default. This provides an early check for missing images and minimizes downtime during
the rolling update of Kubernetes components.

Contributors

  • Andrey Smirnov
  • Noel Georgi
  • Dmitriy Matrenichev
  • Utku Ozdemir
  • Artem Chernyshev
  • Spencer Smith
  • Steve Francis
  • Christian Rolland
  • Andrei Kvapil
  • Nanfei Chen
  • Nico Berlee
  • Alex Corcoles
  • Alex Corcoles
  • Alex Lubbock
  • Artem Chernyshev
  • Budiman Jojo
  • Chris Hoffman
  • DJAlPee
  • Dennis Marttinen
  • Eirik Askheim
  • Florian Klink
  • Henk Kraal
  • Igor Rzegocki
  • James Callahan
  • LukasAuerbeck
  • Markus Reiter
  • Michael A. Davis
  • Michael Fornaro
  • Niklas Wik
  • Piotr Maksymiuk
  • Ricky Sadowski
  • Roee Klinger
  • Sacha Trémoureux
  • Scott Cariss
  • Serge Logvinov
  • Thomas Lemarchand
  • Thomas Perronin
  • Tim Jones
  • Victor Bajada
  • Walt Chen
  • bdronneau

Changes

220 commits

  • de763409b release(v1.5.0-beta.0): prepare release
  • 87fe8f1a2 feat: implement image generation profiles
  • e685208ce chore: update go 1.20.7
  • 10f958cf4 feat: network configuration improvements on the NoCloud platform
  • 5adeb5042 feat: update extension spec allowlist for opengl
  • abf383117 chore: remove cpu_manager_state on cpuManagerPolicy change
  • 018e7f587 chore: bump dependencies
  • 68e6b98f7 feat: add security state resource
  • 209c34801 chore: drop with-secureboot talosctl flag
  • ab14905d9 docs: note that Talos API requires TCP only load balancer, not HTTPS
  • 078c29c73 chore: re-enable cloud images step
  • a17272cdd chore: update hcloud API SDK to v2
  • 6d71bb8df refactor: replace google/gopacket with gopacket/gopacket
  • 846f37d84 refactor: drop dependency on vmware/govmomi
  • ca0b32c51 refactor: update AWS SDK and http-getter to v2 versions
  • dbb9f2bc7 chore: add dm_multipath module
  • b70b7ea57 chore: use new go-pcidb database
  • 9b533e27c feat: update Kubernetes to 1.28.0-rc.0
  • a3a2aa8ef fix: use fast wipe for upgrade
  • f863498ff fix: always override APIServer audit policy
  • 355681dda fix: terminate dashboard gracefully on & switch back to tty1
  • 544cb4fe7 refactor: accept partial machine configuration
  • 9b0bc3e93 chore: split kernel modules out of the tree
  • ffa48ac80 chore: workaround AWS AMI failures, disable Azure uploader
  • 4cd7623cf chore: add alx drivers
  • 663264c86 release(v1.5.0-alpha.3): prepare release
  • d2f64af86 chore: disable cloud-images, pull in new kernel and gre module
  • 8edce4906 docs: improve proxmox install guide
  • c783458be docs: typo dhcp -> dhcp
  • 003cbd161 docs: warn about secretboxEncryptionSecret in kubeadm migration guide
  • 786e86f5b refactor: rewrite the way Talos acquires the machine configuration
  • 5e13cafe5 feat: enforce kernel lockdown for UKI
  • 4d96d642f feat: update default Kubernetes version to 1.28.0-beta.0
  • 170a73e16 chore: support creating qemu guest socket
  • 59ac38a6b docs: add docs for installing azure ccm and csi
  • 6288cd970 release(v1.5.0-alpha.2): prepare release
  • 60c304126 chore: bump dependencies
  • 9ef4e5efc fix: log explicitly when kubelet has no nodeIP match
  • 6b39c6a4d fix: enable compression and bump gRPC max msg size
  • 2f2eca861 chore: basic support for shutdown/poweroff flags
  • b84277d7d docs: fix wrong capability name
  • 59d7d9344 chore: use machined for shutdown, poweroff
  • 2439bfb71 chore: explicitly add timestamps to machined logs
  • 14966e718 fix: skip over tpm2 1.2 devices
  • 6716e7bc0 docs: update cilium documentation about KubePrism usage
  • sider...

v1.4.7

26 Jul 17:37
v1.4.7
a1ee761

Talos 1.4.7 (2023-07-26)

Welcome to the v1.4.7 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Kubernetes: 1.27.4
Linux: 6.1.41

Talos is built with Go 1.20.6.

Contributors

  • Andrey Smirnov

Changes

6 commits

  • a1ee7612f release(v1.4.7): prepare release
  • 95a3670f6 chore: workaround AWS AMI failures, disable Azure uploader
  • 8f35f7dbe feat: update Linux to 6.1.41
  • 696a6fb63 feat: update Kubernetes default to 1.27.4
  • 7b5e94816 chore: optimize image generation time
  • d6af392e1 chore: update Go to 1.20.6

Changes from siderolabs/extras

1 commit

Changes from siderolabs/pkgs

2 commits

Changes from siderolabs/tools

1 commit

Dependency Changes

  • github.com/siderolabs/extras v1.4.0-2-gb2aba9d -> v1.4.0-3-g2b5a1e6
  • github.com/siderolabs/pkgs v1.4.1-14-ge911ac5 -> v1.4.1-16-g69266d9
  • github.com/siderolabs/talos/pkg/machinery v1.4.6 -> v1.4.7
  • github.com/siderolabs/tools v1.4.0-3-gfac34e5 -> v1.4.0-4-g78b2dc6
  • k8s.io/api v0.27.3 -> v0.27.4
  • k8s.io/apimachinery v0.27.3 -> v0.27.4
  • k8s.io/apiserver v0.27.3 -> v0.27.4
  • k8s.io/client-go v0.27.3 -> v0.27.4
  • k8s.io/component-base v0.27.3 -> v0.27.4
  • k8s.io/kubectl v0.27.3 -> v0.27.4
  • k8s.io/kubelet v0.27.3 -> v0.27.4

Previous release can be found at v1.4.6

Images

ghcr.io/siderolabs/flannel:v0.21.4
ghcr.io/siderolabs/install-cni:v1.4.0-3-g2b5a1e6
docker.io/coredns/coredns:1.10.1
gcr.io/etcd-development/etcd:v3.5.9
registry.k8s.io/kube-apiserver:v1.27.4
registry.k8s.io/kube-controller-manager:v1.27.4
registry.k8s.io/kube-scheduler:v1.27.4
registry.k8s.io/kube-proxy:v1.27.4
ghcr.io/siderolabs/kubelet:v1.27.4
ghcr.io/siderolabs/installer:v1.4.7
registry.k8s.io/pause:3.6

v1.5.0-alpha.3

25 Jul 15:14
v1.5.0-alpha.3
663264c
v1.5.0-alpha.3 Pre-release

Talos 1.5.0-alpha.3 (2023-07-25)

Welcome to the v1.5.0-alpha.3 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Extension Services

Talos now supports setting environmentFile in an extension service container spec; see https://www.talos.dev/v1.5/advanced/extension-services/#container
The extension service waits for the file to be present before starting the service.

Predictable Network Interface Names

Starting with Talos 1.5, network interfaces are renamed to predictable names
in the same way systemd does in other Linux distributions.

The naming scheme enx78e7d1ea46da (based on MAC addresses) is enabled by default; the order of interface naming decisions is:

  • firmware/BIOS provided index numbers for on-board devices (example: eno1)
  • firmware/BIOS provided PCI Express hotplug slot index numbers (example: ens1)
  • physical/geographical location of the connector of the hardware (example: enp2s0)
  • the interface's MAC address (example: enx78e7d1ea46da)

The predictable network interface names feature can be disabled by specifying net.ifnames=0 on the kernel command line.
Talos automatically adds the net.ifnames=0 kernel argument when upgrading from Talos versions before 1.5.

This change doesn't affect "cloud" platforms, like AWS, as Talos automatically adds net.ifnames=0 to the kernel command line.

Network KMS Disk Encryption

Talos now supports a new type of encryption key which is sealed/unsealed with an external KMS server:

systemDiskEncryption:
  ephemeral:
    keys:
      - kms:
          endpoint: https://1.2.3.4:443
        slot: 0

gRPC API definitions and a simple reference implementation of the KMS server can be found in this
repository.

KubePrism - Kubernetes API Server In-Cluster Load Balancer

Talos now supports configuring KubePrism, the Kubernetes API Server in-cluster load balancer, with the machine config
features.kubePrism.port and features.kubePrism.enabled fields.

If enabled, KubePrism binds to localhost and runs on the same port on every machine in the cluster.
The default value for KubePrism endpoint is https://localhost:7445.

KubePrism is used by the kubelet, kube-scheduler, kube-controller-manager
and kube-proxy by default and can be passed to CNIs like Cilium and Calico.

KubePrism provides access to the Kubernetes API endpoint even if the external load balancer
is not healthy, provided that the worker nodes can reach the controlplane machine addresses directly.

Machine Config option .machine.install.bootloader

The .machine.install.bootloader option in the machine config is deprecated and will be removed in Talos 1.6.
This was a no-op for a long time. The bootloader is always installed.

XFS Quota

Talos 1.5+ enables XFS project quota support by default and also enables the
kubelet feature gate LocalStorageCapacityIsolationFSQuotaMonitoring by default, so that XFS quotas
are used to monitor volume usage instead of du.

This feature is controlled by the .machine.features.diskQuotaSupport field in the machine config; it is set to true for new clusters.

When upgrading from a previous version, the feature can be enabled by setting the field to true.
On the first mount of a volume, the quota information will be recalculated, which may take some time.

RDMA/RoCE support

Talos no longer loads the rdma_rxe Linux driver by default; it is required for RoCE support.
If the driver is needed, enable it by listing rdma_rxe in the .machine.kernel.modules field of the machine config.

SecureBoot

Talos now supports generating a custom ISO that can be used with SecureBoot. Key generation and enrollment have to be done manually.

talosctl image Command

A new set of commands was introduced to manage container images in the CRI:

  • talosctl image list shows the list of available images
  • talosctl image pull pre-pulls an image into the CRI

Both new commands accept the --namespace flag with two possible values:

  • cri (default): images managed by the CRI (Kubernetes workloads)
  • system: images managed by Talos (etcd and kubelet)


### `talosctl images` Command

The command `talosctl images` was renamed to `talosctl image default`.

The backward-compatible alias is kept in Talos 1.5, but it will be dropped in Talos 1.6.


### TPM Disk Encryption

Talos now supports encrypting the STATE/EPHEMERAL partitions with keys bound to a TPM device. The TPM device must be TPM 2.0 compatible.
This is best used when booting with the new Talos SecureBoot UKI ISOs/Metal images. The feature still works if SecureBoot
is not enabled for UKI images, but that is not recommended, since there is then no way to verify the trust of the bootloader.

Example machine config:

```yaml
systemDiskEncryption:
  ephemeral:
    keys:
      - slot: 0
        tpm: {}
  state:
    keys:
      - slot: 0
        tpm: {}
```



### Component Updates

* Linux: 6.1.39
* containerd: 1.6.21
* runc: 1.1.8
* etcd: 3.5.9
* Kubernetes: 1.28.0-beta.0
* Flannel: 0.22.0

Talos is built with Go 1.20.6.


### `talosctl upgrade-k8s` Image Pre-pulling

The command `talosctl upgrade-k8s` now pre-pulls images for the Kubernetes controlplane components
and the kubelet by default. This provides an early check for missing images and minimizes downtime during
the rolling update of Kubernetes components.


### Contributors

* Andrey Smirnov
* Noel Georgi
* Dmitriy Matrenichev
* Utku Ozdemir
* Artem Chernyshev
* Christian Rolland
* Steve Francis
* Nanfei Chen
* Nico Berlee
* Spencer Smith
* Alex Corcoles
* Alex Corcoles
* Alex Lubbock
* Andrei Kvapil
* Artem Chernyshev
* Budiman Jojo
* Chris Hoffman
* DJAlPee
* Dennis Marttinen
* Eirik Askheim
* Florian Klink
* Henk Kraal
* Igor Rzegocki
* James Callahan
* LukasAuerbeck
* Markus Reiter
* Michael A. Davis
* Michael Fornaro
* Niklas Wik
* Piotr Maksymiuk
* Ricky Sadowski
* Roee Klinger
* Sacha Trémoureux
* Scott Cariss
* Serge Logvinov
* Thomas Lemarchand
* Thomas Perronin
* Tim Jones
* Victor Bajada
* Walt Chen
* bdronneau

### Changes
<details><summary>195 commits</summary>
<p>

* siderolabs/talos@663264c86 release(v1.5.0-alpha.3): prepare release
* siderolabs/talos@d2f64af86 chore: disable cloud-images, pull in new kernel and gre module
* siderolabs/talos@8edce4906 docs: improve proxmox install guide
* siderolabs/talos@c783458be docs: typo dhcp -> dhcp
* siderolabs/talos@003cbd161 docs: warn about secretboxEncryptionSecret in kubeadm migration guide
* siderolabs/talos@786e86f5b refactor: rewrite the way Talos acquires the machine configuration
* siderolabs/talos@5e13cafe5 feat: enforce kernel lockdown for UKI
* siderolabs/talos@4d96d642f feat: update default Kubernetes version to 1.28.0-beta.0
* siderolabs/talos@170a73e16 chore: support creating qemu guest socket
* siderolabs/talos@59ac38a6b docs: add docs for installing azure ccm and csi
* siderolabs/talos@6288cd970 release(v1.5.0-alpha.2): prepare release
* siderolabs/talos@60c304126 chore: bump dependencies
* siderolabs/talos@9ef4e5efc fix: log explicitly when kubelet has no nodeIP match
* siderolabs/talos@6b39c6a4d fix: enable compression and bump gRPC max msg size
* siderolabs/talos@2f2eca861 chore: basic support for shutdown/poweroff flags
* siderolabs/talos@b84277d7d docs: fix wrong capability name
* siderolabs/talos@59d7d9344 chore: use machined for `shutdown`, `poweroff`
* siderolabs/talos@2439bfb71 chore: explicitly add timestamps to machined logs
* siderolabs/talos@14966e718 fix: skip over tpm2 1.2 devices
* siderolabs/talos@6716e7bc0 docs: update cilium documentation about KubePrism usage
* siderolabs/talos@166d75fe8 fix: tpm2 encrypt/decrypt flow
* siderolabs/talos@130518de7 chore: change missing renames of KubePrism
* siderolabs/talos@5f34f5b41 chore: rename api load balancer to KubePrism
* siderolabs/talos@c8b7095c0 refactor: use tpm2 library to calculate policy hash
* siderolabs/talos@078aac92e chore: bump deps
* siderolabs/talos@53873b844 refactor: move ukify into Talos code
* siderolabs/talos@d5f6fb9ff chore: add vendor info
* siderolabs/talos@79365d9ba feat: tpm2 based disk encryption
* siderolabs/talos@06369e819 fix: retry CRI pod removal, fix upgrade flow in the tests
* siderolabs/talos@d32dd3a82 chore: update Go to 1.20.6
* siderolabs/talos@8017afb10 feat: implement CRI image management and pre-pull on K8s upgrade
* siderolabs/talos@1c2f19b36 feat: update Kubernetes to 1.28.0-alpha.4
* siderolabs/talos@94e9891c1 chore: bump sd-boot to v254-rc1
* siderolabs/talos@936111ce0 fix: properly set up tls for KMS endpoint
* siderolabs/talos@cb226eec4 fix: rewrite encryption system information flow
* siderolabs/talos@3206db528 feat: drop tpm simulator for ukify measure
* siderolabs/talos@bd4f89f63 fix: disable dashboard on Azure, GCP and Scaleway
* siderolabs/talos@bdb96189f refactor: make maintenance service controller-based
* siderolabs/talos@d23d04de2 feat: seed the kernel random pool from the TPM
* siderolabs/talos@c81ce8cfb feat: support controlplane resources configuration
* siderolabs/talos@74de562b2 fix: mount hugepages with nosuid + nodev
* siderolabs/talos@ce63abb21 feat: add KMS assisted encryption key handler
* siderolabs/talos@dafbe9deb chore: optimize dockerfile instructions
* siderolabs/talos@a4289e870 chore: fix CLI docs generation stability
* siderolabs/talos@2fec8388f chore: bump dependencies
* siderolabs/talos@c1b4262dd docs: split simple and more c...

v1.4.6

28 Jun 19:57
v1.4.6
8615b21

Talos 1.4.6 (2023-06-28)

Welcome to the v1.4.6 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Kubernetes: 1.27.3
Linux: 6.1.35

Talos is built with Go 1.20.5.

Contributors

  • Andrey Smirnov
  • Alex Lubbock
  • Noel Georgi
  • Utku Ozdemir

Changes

10 commits

  • 8615b213e release(v1.4.6): prepare release
  • bb76a38d4 fix: provide stashed META values before installation
  • 109a6c659 fix: allow time skew for generated kubeconfig
  • 765f87b95 chore: optimize image compression
  • 8c9f0495f fix: do not probe kernel args in dashboard if not needed
  • d759302d9 fix: skip DHCP RENEW if server IP in the lease is all zeroes
  • 2b33a66d7 fix: upgrade-k8s use internal IP first, external IP fallback
  • b5bbb3f2e feat: update Linux to 6.1.36
  • 1e9c3b3b8 feat: update default Kubernetes version to 1.27.3
  • 21a490b11 chore: update to Go 1.20.5

Changes from siderolabs/extras

1 commit

Changes from siderolabs/pkgs

3 commits

Changes from siderolabs/tools

1 commit

Dependency Changes

  • github.com/siderolabs/extras v1.4.0-1-g9b07505 -> v1.4.0-2-gb2aba9d
  • github.com/siderolabs/pkgs v1.4.1-11-g3e75ce2 -> v1.4.1-14-ge911ac5
  • github.com/siderolabs/talos/pkg/machinery v1.4.5 -> v1.4.6
  • github.com/siderolabs/tools v1.4.0-2-g5d0e9ab -> v1.4.0-3-gfac34e5
  • k8s.io/api v0.27.2 -> v0.27.3
  • k8s.io/apimachinery v0.27.2 -> v0.27.3
  • k8s.io/apiserver v0.27.2 -> v0.27.3
  • k8s.io/client-go v0.27.2 -> v0.27.3
  • k8s.io/component-base v0.27.2 -> v0.27.3
  • k8s.io/cri-api v0.27.2 -> v0.27.3
  • k8s.io/kubectl v0.27.2 -> v0.27.3
  • k8s.io/kubelet v0.27.2 -> v0.27.3

Previous release can be found at v1.4.5

Images

ghcr.io/siderolabs/flannel:v0.21.4
ghcr.io/siderolabs/install-cni:v1.4.0-2-gb2aba9d
docker.io/coredns/coredns:1.10.1
gcr.io/etcd-development/etcd:v3.5.9
registry.k8s.io/kube-apiserver:v1.27.3
registry.k8s.io/kube-controller-manager:v1.27.3
registry.k8s.io/kube-scheduler:v1.27.3
registry.k8s.io/kube-proxy:v1.27.3
ghcr.io/siderolabs/kubelet:v1.27.3
ghcr.io/siderolabs/installer:v1.4.6
registry.k8s.io/pause:3.6

v1.5.0-alpha.1

23 Jun 16:06
v1.5.0-alpha.1
e1b150a
v1.5.0-alpha.1 Pre-release

Talos 1.5.0-alpha.1 (2023-06-23)

Welcome to the v1.5.0-alpha.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Kubernetes API Server In-Cluster Load Balancer

Talos now supports configuring the Kubernetes API Server in-cluster load balancer with the machine config
features.apiServerBalancerSupport.port and features.apiServerBalancerSupport.enabled fields.

If enabled, the load balancer binds to localhost and runs on the same port on every machine in the cluster.
The default value for the load balancer endpoint is https://localhost:7445.

The in-cluster load balancer endpoint is used by the kubelet, kube-scheduler, kube-controller-manager
and kube-proxy by default and can be passed to CNIs like Cilium and Calico.

The in-cluster load balancer provides access to the Kubernetes API endpoint even if the external load balancer
is not healthy, provided that the worker nodes can reach the controlplane machine addresses directly.
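As an added illustration, not the balancer's own implementation (which runs at the TCP level inside Talos), the Go program below models the failover described here and in the KubePrism section of v1.5.0-alpha.3 above: prefer the external load balancer, fall back to a controlplane machine reached directly when the balancer is unhealthy. Health checking is simplified to an HTTP /healthz probe against constructed stand-in servers; the upstream names external-lb, controlplane-1 and controlplane-2 are assumptions made for the demo.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Upstream is one candidate Kubernetes API server address: the external
// load balancer, or a controlplane machine reached directly.
type Upstream struct {
	Name string
	URL  string
}

// Healthy probes /healthz, which a Kubernetes API server answers with
// 200 OK when it is ready to serve.
func Healthy(ctx context.Context, client *http.Client, base string) bool {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, base+"/healthz", nil)
	if err != nil {
		return false
	}
	resp, err := client.Do(req)
	if err != nil {
		return false
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

// PickUpstream returns the first healthy upstream in preference order.
// Listing the external load balancer first and the controlplane machines
// after it keeps the local endpoint usable when the balancer is down, as
// long as the node can reach the controlplanes directly.
func PickUpstream(ctx context.Context, client *http.Client, ups []Upstream) (Upstream, bool) {
	for _, u := range ups {
		if Healthy(ctx, client, u.URL) {
			return u, true
		}
	}
	return Upstream{}, false
}

// fakeAPIServer stands in for an API server (constructed for the demo);
// healthy controls whether /healthz returns 200 or 503.
func fakeAPIServer(healthy bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/healthz" && healthy {
			w.WriteHeader(http.StatusOK)
			return
		}
		w.WriteHeader(http.StatusServiceUnavailable)
	}))
}

// Scenario simulates an unhealthy external balancer in front of two healthy
// controlplanes and reports which upstream a localhost:7445-style endpoint
// would forward to.
func Scenario() (string, bool) {
	lb := fakeAPIServer(false)
	defer lb.Close()
	cp1 := fakeAPIServer(true)
	defer cp1.Close()
	cp2 := fakeAPIServer(true)
	defer cp2.Close()

	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()
	client := &http.Client{Timeout: time.Second}

	picked, ok := PickUpstream(ctx, client, []Upstream{
		{Name: "external-lb", URL: lb.URL},
		{Name: "controlplane-1", URL: cp1.URL},
		{Name: "controlplane-2", URL: cp2.URL},
	})
	return picked.Name, ok
}

func main() {
	name, ok := Scenario()
	fmt.Println("forwarding to:", name, "healthy upstream found:", ok)
}
```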

Predictable Network Interface Names

Starting with Talos 1.5, network interfaces are renamed to predictable names
in the same way systemd does in other Linux distributions.

The naming scheme enx78e7d1ea46da (based on MAC addresses) is enabled by default; the order of interface naming decisions is:

  • firmware/BIOS provided index numbers for on-board devices (example: eno1)
  • firmware/BIOS provided PCI Express hotplug slot index numbers (example: ens1)
  • physical/geographical location of the connector of the hardware (example: enp2s0)
  • the interface's MAC address (example: enx78e7d1ea46da)

The predictable network interface names feature can be disabled by specifying net.ifnames=0 on the kernel command line.
Talos automatically adds the net.ifnames=0 kernel argument when upgrading from Talos versions before 1.5.

This change doesn't affect "cloud" platforms, like AWS, as Talos automatically adds net.ifnames=0 to the kernel command line.
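The naming decision order above (stated identically in the v1.5.0-alpha.3 notes) as an added Go example, not Talos's or systemd's own code: it derives the name for a constructed NIC inventory, honours net.ifnames=0, and flags .machine.network.interfaces references that would go stale once predictable names are in effect. The NIC attribute fields and helper names are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// NIC holds the attributes the naming decisions consult. Sample data is
// constructed below; this models the decision order from the release notes
// and is not Talos's or systemd's implementation.
type NIC struct {
	Kernel  string // kernel-assigned name, e.g. eth0
	Onboard int    // firmware/BIOS on-board index, 0 when absent
	Slot    int    // firmware/BIOS PCIe hotplug slot index, 0 when absent
	PCIAddr string // PCI location as bus:device.function (hex), "" when absent
	MAC     string // hardware address, colon separated
}

// pciName turns "02:00.0" or "0000:02:00.0" into enp2s0 (with an fN suffix
// for non-zero functions); ok is false when the address does not parse.
func pciName(addr string) (name string, ok bool) {
	parts := strings.FieldsFunc(addr, func(r rune) bool { return r == ':' || r == '.' })
	if len(parts) == 4 { // drop the PCI domain
		parts = parts[1:]
	}
	if len(parts) != 3 {
		return "", false
	}
	var nums [3]int64
	for i, p := range parts {
		v, err := strconv.ParseInt(p, 16, 32)
		if err != nil {
			return "", false
		}
		nums[i] = v
	}
	name = fmt.Sprintf("enp%ds%d", nums[0], nums[1])
	if nums[2] != 0 {
		name += fmt.Sprintf("f%d", nums[2])
	}
	return name, true
}

// PredictableName applies the decisions in the documented order: on-board
// index (eno1), hotplug slot (ens1), PCI location (enp2s0), then the
// MAC-based fallback (enx78e7d1ea46da).
func PredictableName(n NIC) string {
	switch {
	case n.Onboard > 0:
		return fmt.Sprintf("eno%d", n.Onboard)
	case n.Slot > 0:
		return fmt.Sprintf("ens%d", n.Slot)
	}
	if name, ok := pciName(n.PCIAddr); ok {
		return name
	}
	return "enx" + strings.ToLower(strings.ReplaceAll(n.MAC, ":", ""))
}

// InterfaceName honours net.ifnames=0: when it is on the kernel command line
// the kernel name is kept, which is what Talos arranges automatically on
// upgrade from versions before 1.5 and on cloud platforms.
func InterfaceName(n NIC, kernelArgs []string) string {
	for _, arg := range kernelArgs {
		if arg == "net.ifnames=0" {
			return n.Kernel
		}
	}
	return PredictableName(n)
}

// StaleInterfaceRefs lists configured interface names that no longer exist
// after renaming, e.g. eth0 on a node booted with predictable names: a
// pre-upgrade check for machine configs that pin interfaces by name.
func StaleInterfaceRefs(configured []string, nics []NIC, kernelArgs []string) []string {
	present := make(map[string]bool, len(nics))
	for _, n := range nics {
		present[InterfaceName(n, kernelArgs)] = true
	}
	var stale []string
	for _, name := range configured {
		if !present[name] {
			stale = append(stale, name)
		}
	}
	return stale
}

func main() {
	nics := []NIC{ // constructed sample inventory
		{Kernel: "eth0", Onboard: 1, MAC: "52:54:00:12:34:56"},
		{Kernel: "eth1", PCIAddr: "0000:02:00.0", MAC: "52:54:00:ab:cd:ef"},
		{Kernel: "eth2", MAC: "78:E7:D1:EA:46:DA"},
	}
	for _, n := range nics {
		fmt.Printf("%s -> %s\n", n.Kernel, PredictableName(n))
	}
	fmt.Println("stale config references:", StaleInterfaceRefs([]string{"eth0", "eno1"}, nics, nil))
	fmt.Println("with net.ifnames=0:", StaleInterfaceRefs([]string{"eth0"}, nics, []string{"net.ifnames=0"}))
}
```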

Machine Config option .machine.install.bootloader

The .machine.install.bootloader option in the machine config is deprecated and will be removed in Talos 1.6.
This was a no-op for a long time. The bootloader is always installed.

XFS Quota

Talos 1.5+ enables XFS project quota support by default and also enables the
kubelet feature gate LocalStorageCapacityIsolationFSQuotaMonitoring by default, so that XFS quotas
are used to monitor volume usage instead of du.

This feature is controlled by the .machine.features.diskQuotaSupport field in the machine config; it is set to true for new clusters.

When upgrading from a previous version, the feature can be enabled by setting the field to true.
On the first mount of a volume, the quota information will be recalculated, which may take some time.

RDMA/RoCE support

Talos no longer loads the rdma_rxe Linux driver by default; it is required for RoCE support.
If the driver is needed, enable it by listing rdma_rxe in the .machine.kernel.modules field of the machine config.

SecureBoot

Talos now supports generating a custom ISO that can be used with SecureBoot. Key generation and enrollment have to be done manually.

Component Updates

  • Linux: 6.1.35
  • containerd: 1.6.21
  • runc: 1.1.7
  • etcd: 3.5.9
  • Kubernetes: 1.27.3
  • Flannel: 0.22.0

Talos is built with Go 1.20.5.

Contributors

  • Andrey Smirnov
  • Noel Georgi
  • Dmitriy Matrenichev
  • Utku Ozdemir
  • Christian Rolland
  • Nanfei Chen
  • Spencer Smith
  • Steve Francis
  • Alex Corcoles
  • Alex Corcoles
  • Alex Lubbock
  • Budiman Jojo
  • DJAlPee
  • Eirik Askheim
  • Henk Kraal
  • Michael A. Davis
  • Michael Fornaro
  • Nico Berlee
  • Niklas Wik
  • Piotr Maksymiuk
  • Ricky Sadowski
  • Roee Klinger
  • Thomas Perronin
  • Walt Chen
  • bdronneau

Changes

134 commits

  • e1b150a11 release(v1.5.0-alpha.1): prepare release
  • 8daf432b2 chore: bump deps
  • e3f3f5794 feat: implement revert for sd-boot
  • d8b0903d7 docs: vagrant setup document fix
  • fe0f46980 feat: implement secure boot from disk
  • 445f5ad54 feat: support API server load balancer
  • 19bc223de refactor: bootloader interface, labels
  • 665702ddd chore: fix cilium e2e tests
  • 71a548d18 chore: generic bootloader implementation
  • e9dbc9311 test: bump versions for upgrade tests
  • 0a99965ef refactor: replace uncordonNode with controllers
  • e858bca3a test: fix cilium integration tests
  • 455328d05 fix: allow time skew for generated kubeconfig
  • 3ae05648a fix: usage of custom kernels
  • 0797b0d16 chore: add a pipeline to test cloud-images step without a release
  • e5a36268b docs: include allowSchedulingOnControlPlanes on talosctl gen config output
  • c74d93728 chore: bump github.com/cosi-project/runtime
  • dbaf5c699 refactor: task labelControlPlane into controllers
  • 1865a0c29 chore: modify some usages that are not recommended
  • 3816318b9 chore: wrap config.Provider in atomic wrapper
  • d04cf1978 chore: clean up unnecessary self assignment
  • a34a94898 fix: copy missing modules.* files
  • f5e3272fc refactor: task 'updateBootLoader' as controller
  • e7be6ee7c refactor: make event log streaming fully reactive
  • aef2192a6 chore: use fixed module list
  • c719aa231 fix: allow http:// for discovery service URL
  • 39134d8d5 chore: fix cron pipeline
  • a61dcdbbd fix: don't load RDMA over Ethernet driver by default
  • aac441f61 chore: update Go to 1.20.5, bump dependencies
  • 1c0c7933d chore: cleanup partition code
  • 31b988281 docs: add some words about certificates
  • e912c0dfc chore: use go-blockdevice for zeroing partitions
  • e6dde8ffc feat: add network chaos to qemu development environment
  • 47986cb79 chore: unify kexec phase
  • 3a865370f feat: qemu secureboot
  • 5dab45e86 refactor: allow kmsg log streaming to be reconfigured on the fly
  • 8a02ecd4c chore: add endpoints balancer controller
  • 423a31ac9 chore: deprecate bootloader installer option
  • cdfece7d6 chore: optimize image compression
  • bfc341937 chore: add default console args
  • 2749aeeda feat: add support for multi-doc strategic merge patching
  • 3f68485e4 feat: add uki iso generation
  • bab484a40 feat: use stable network interface names
  • 196dfb99b fix: do not probe kernel args in dashboard if not needed
  • 8c071b579 fix: skip DHCP RENEW if server IP in the lease is all zeroes
  • badbc51e6 refactor: rewrite code to include preliminary support for multi-doc
  • ecce29dee fix: upgrade-k8s use internal IP first, external IP fallback
  • 3c64a5ffb chore: optimize image generation time
  • 2292f36d9 chore: registry.k8s.io for coredns image
  • f2b258b37 docs: document talosctl version for upgrades
  • a0773f783 chore: add ukify Go script
  • b69e38d1f chore: bump dependencies
  • adce65103 docs: add piraeus/drbd to storage documentation
  • a982cabe7 docs: link support matrix in k8s update doc
  • 1fb29a56a fix: fail quickly if upgrade-k8s is used with multiple nodes
  • 51d931c47 chore: faster dev cycle
  • dc6764871 refactor: move around config interfaces, make RawV1Alpha1 typed
  • ea9a97dba fix: fall back to external IP when discovering nodes in upgrade-k8s
  • 0bb7e8a5c refactor: split config.Provider into Config & Container
  • 85d8a1619 chore: bump deps
  • 39b7a56f0 chore: use 8GiB instead of 10GiB for cloud images
  • ff11fd39c fix: race with udevd and mountUserDisks
  • c3fabb982 chore: update default image sizes to 10GB for all "cloud" images
  • 10155c390 feat: enable xfs project quota support, kubelet feature
  • eba818564 release(v1.5.0-alpha.0): prepare release
  • 383471c3e feat: update default Kubernetes to v1.27.2
  • 8f68d1abe chore: bump deps
  • e0c1585d3 feat: create azure community gallery image version on release
  • dd8336c9e fix: refresh kubelet self-issued serving certificates
  • bb02dd263 chore: drop deprecated stuff for Talos 1.5
  • 61cad8673 chore: bump deps
  • 01dfd3af7 feat: update etcd to v3.5.9
  • aa65fbb8a chore: update KUBECTL_URL to reflect the community bucket
  • cc3128d94 chore: bump kernel to 6.1.28
  • 97fffaf78 chore: use ctest.UpdateWithConflicts instead of plain UpdateWithConflicts
  • 3b36993b9 fix: rlimit nofile test
  • 45e6e27af chore: bump runtime
  • 4f720d465 fix: revert: set rlimit explicitly in wrapperd
  • a2565f674 fix: set rlimit explicitly in wrapperd
  • cdfc242b8 chore: re-enable Go buildid
  • siderol...