From cfb640222b80e1a2a6c3a8a505c5f6acfb148d24 Mon Sep 17 00:00:00 2001 From: Andrey Smirnov Date: Wed, 22 Jun 2022 18:19:19 +0400 Subject: [PATCH] docs: update docs for release 1.1 Update documentation, support matrix, current release, what's new, etc. Signed-off-by: Andrey Smirnov --- website/config.toml | 6 +- website/content/v1.0/_index.md | 1 - .../v1.0/introduction/support-matrix.md | 2 +- website/content/v1.1/_index.md | 7 +- .../v1.1/introduction/support-matrix.md | 20 ++-- .../content/v1.1/introduction/what-is-new.md | 94 ++++++++++++++++++- .../configuration/pod-security.md | 41 +++----- .../v1.1/talos-guides/upgrading-talos.md | 24 ++++- .../v1.2/introduction/support-matrix.md | 22 ++--- .../configuration/pod-security.md | 41 +++----- 10 files changed, 175 insertions(+), 83 deletions(-) diff --git a/website/config.toml b/website/config.toml index 749234fafd..d3d5e380bf 100644 --- a/website/config.toml +++ b/website/config.toml @@ -108,7 +108,7 @@ version_menu = "Releases" # A link to latest version of the docs. Used in the "version-banner" partial to # point people to the main doc site. -url_latest_version = "/v1.0" +url_latest_version = "/v1.1" # Repository configuration (URLs for in-page links to opening issues and suggesting changes) # github_repo = "https://github.com/googley-example" @@ -141,11 +141,11 @@ version = "v1.2 (pre-release)" [[params.versions]] url = "/v1.1/" -version = "v1.1 (pre-release)" +version = "v1.1 (latest)" [[params.versions]] url = "/v1.0/" -version = "v1.0 (latest)" +version = "v1.0" [[params.versions]] url = "/v0.14/" diff --git a/website/content/v1.0/_index.md b/website/content/v1.0/_index.md index b6520f7bb5..24c28d901a 100644 --- a/website/content/v1.0/_index.md +++ b/website/content/v1.0/_index.md @@ -8,7 +8,6 @@ preRelease: false lastRelease: v1.0.6 kubernetesRelease: "1.23.5" prevKubernetesRelease: "1.23.1" -menu: main --- ## Welcome 
diff --git a/website/content/v1.0/introduction/support-matrix.md b/website/content/v1.0/introduction/support-matrix.md index f6d3cb0289..e73551ad21 100644 --- a/website/content/v1.0/introduction/support-matrix.md +++ b/website/content/v1.0/introduction/support-matrix.md @@ -7,7 +7,7 @@ description: "Table of supported Talos Linux versions and respective platforms." | Talos Version | 1.0 | 0.14 | |----------------------------------------------------------------------------------------------------------------|------------------------------------|------------------------------------| | Release Date | 2022-03-29 | 2021-12-21 (0.14.0) | -| End of Community Support | 1.1.0 release (2022-06-01, TBD) | 1.0.0 release (2022-03-27, TBD) | +| End of Community Support | 1.1.0 release (2022-06-22) | 1.0.0 release (2022-03-29) | | Enterprise Support | [offered by Sidero Labs Inc.](https://www.siderolabs.com/support/) | [offered by Sidero Labs Inc.](https://www.siderolabs.com/support/) | | Kubernetes | 1.23, 1.22, 1.21 | 1.23, 1.22, 1.21 | | Architecture | amd64, arm64 | amd64, arm64 | diff --git a/website/content/v1.1/_index.md b/website/content/v1.1/_index.md index 3b0b9b1f8a..1206ef9066 100644 --- a/website/content/v1.1/_index.md +++ b/website/content/v1.1/_index.md @@ -4,11 +4,12 @@ no_list: true linkTitle: "Documentation" cascade: type: docs -preRelease: true -lastRelease: v1.1.0-beta.2 -kubernetesRelease: "1.24.1" +preRelease: false +lastRelease: v1.1.0 +kubernetesRelease: "1.24.2" prevKubernetesRelease: "1.23.5" iscsiToolsRelease: "v0.1.1" +menu: main --- ## Welcome diff --git a/website/content/v1.1/introduction/support-matrix.md b/website/content/v1.1/introduction/support-matrix.md index 21e8497325..1d36e43adf 100644 --- a/website/content/v1.1/introduction/support-matrix.md +++ b/website/content/v1.1/introduction/support-matrix.md 
@@ -6,29 +6,29 @@ description: "Table of supported Talos Linux versions and respective platforms." | Talos Version | 1.1 | 1.0 | |----------------------------------------------------------------------------------------------------------------|------------------------------------|------------------------------------| -| Release Date | 2022-06-24, TBD | 2022-03-29 (1.0.0) | -| End of Community Support | 1.2.0 release (2022-09-01, TBD) | 1.1.0 release (2022-06-24, TBD) | +| Release Date | 2022-06-22 | 2022-03-29 (1.0.0) | +| End of Community Support | 1.2.0 release (2022-09-01, TBD) | 1.1.0 release (2022-06-22) | | Enterprise Support | [offered by Sidero Labs Inc.](https://www.siderolabs.com/support/) | [offered by Sidero Labs Inc.](https://www.siderolabs.com/support/) | | Kubernetes | 1.24, 1.23, 1.22 | 1.23, 1.22, 1.21 | | Architecture | amd64, arm64 | amd64, arm64 | | **Platforms** | | | -| - cloud | AWS, GCP, Azure, Digital Ocean, Hetzner, OpenStack, Oracle Cloud, Scaleway, Vultr, Upcloud | AWS, GCP, Azure, Digital Ocean, Hetzner, OpenStack, Scaleway, Vultr, Upcloud | +| - cloud | AWS, GCP, Azure, Digital Ocean, Hetzner, OpenStack, Oracle Cloud, Scaleway, Vultr, Upcloud | AWS, GCP, Azure, Digital Ocean, Hetzner, OpenStack, Oracle Cloud, Scaleway, Vultr, Upcloud | | - bare metal | x86: BIOS, UEFI; arm64: UEFI; boot: ISO, PXE, disk image | x86: BIOS, UEFI; arm64: UEFI; boot: ISO, PXE, disk image | | - virtualized | VMware, Hyper-V, KVM, Proxmox, Xen | VMware, Hyper-V, KVM, Proxmox, Xen | -| - SBCs | Banana Pi M64, Jetson Nano, Libre Computer Board ALL-H3-CC, Pine64, Pine64 Rock64, Radxa ROCK Pi 4c, Raspberry Pi 4B | Raspberry Pi4, Banana Pi M64, Pine64, and other | +| - SBCs | Banana Pi M64, Jetson Nano, Libre Computer Board ALL-H3-CC, Pine64, Pine64 Rock64, Radxa ROCK Pi 4c, Raspberry Pi 4B | Banana Pi M64, Jetson Nano, Libre Computer Board ALL-H3-CC, Pine64, Pine64 Rock64, Radxa ROCK Pi 4c, Raspberry Pi 4B | | - local | Docker, QEMU | Docker, QEMU | | **Cluster 
API** | | | -| [CAPI Bootstrap Provider Talos](https://github.com/siderolabs/cluster-api-bootstrap-provider-talos) | >= 0.5.3 | >= 0.5.3 | -| [CAPI Control Plane Provider Talos](https://github.com/siderolabs/cluster-api-control-plane-provider-talos) | >= 0.4.5 | >= 0.4.5 | -| [Sidero](https://www.sidero.dev/) | >= 0.5.0 | >= 0.5.0 | +| [CAPI Bootstrap Provider Talos](https://github.com/siderolabs/cluster-api-bootstrap-provider-talos) | >= 0.5.4 | >= 0.5.3 | +| [CAPI Control Plane Provider Talos](https://github.com/siderolabs/cluster-api-control-plane-provider-talos) | >= 0.4.6 | >= 0.4.5 | +| [Sidero](https://www.sidero.dev/) | >= 0.5.1 | >= 0.5.0 | | **UI** | | | | [Theila](https://github.com/siderolabs/theila) | ✓ | ✓ | ## Platform Tiers -Tier 1: Automated tests, high-priority fixes. -Tier 2: Tested from time to time, medium-priority bugfixes. -Tier 3: Not tested by core Talos team, community tested. +* Tier 1: Automated tests, high-priority fixes. +* Tier 2: Tested from time to time, medium-priority bugfixes. +* Tier 3: Not tested by core Talos team, community tested. ### Tier 1 diff --git a/website/content/v1.1/introduction/what-is-new.md b/website/content/v1.1/introduction/what-is-new.md index bf23304293..4ef51e194a 100644 --- a/website/content/v1.1/introduction/what-is-new.md +++ b/website/content/v1.1/introduction/what-is-new.md 
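Review bot: The Cluster API minimums for the 1.1 column disagree with the v1.2 support matrix further down in this same patch: here CAPI Bootstrap Provider Talos is `>= 0.5.4` for 1.1, while the v1.2 matrix lists `>= 0.5.3` in its 1.1 column (the Control Plane Provider and Sidero rows agree at `>= 0.4.6` and `>= 0.5.1`). Operators pin provider versions from these rows, so the two tables should state the same floor before release. Whichever value is correct, the other file's row needs the matching edit, e.g. in the v1.2 matrix `| [CAPI Bootstrap Provider Talos](https://github.com/siderolabs/cluster-api-bootstrap-provider-talos) | >= 0.5.4 | >= 0.5.4 |` if 0.5.4 is the real minimum for 1.1.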
@@ -4,4 +4,96 @@ weight: 50 description: "List of new and shiny features in Talos Linux." --- -TBD +## Kubernetes + +### Pod Security Admission + +[Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) controller is enabled by default with the following policy: + +```yaml +apiVersion: apiserver.config.k8s.io/v1 +kind: AdmissionConfiguration +plugins: +- configuration: + apiVersion: pod-security.admission.config.k8s.io/v1alpha1 + defaults: + audit: restricted + audit-version: latest + enforce: baseline + enforce-version: latest + warn: restricted + warn-version: latest + exemptions: + namespaces: + - kube-system + runtimeClasses: [] + usernames: [] + kind: PodSecurityConfiguration + name: PodSecurity + path: "" +``` + +The policy is part of the Talos machine configuration, and it can be modified to suite your needs. + +### Kubernetes API Server Anonymous Auth + +Anonymous authentication is now disabled by default for the `kube-apiserver` (CIS compliance). + +To enable anonymous authentication, update the machine config with: + +```yaml +cluster: + apiServer: + extraArgs: + anonymous-auth: true +``` + +## Machine Configuration + +### Apply Config `--dry-run` + +The commands `talosctl apply-config`, `talosctl patch mc` and `talosctl edit mc` now support `--dry-run` flag. +If enabled it just prints out the selected config application mode and the configuration diff. + +### Apply Config `--mode=try` + +The commands `talosctl apply-config`, `talosctl patch mc` and `talosctl edit mc` now support the new mode called `try`. +In this mode the config change is applied for a period of time and then reverted back to the state it was before the change. +`--timeout` parameter can be used to customize the config rollback timeout. +This new mode can be used only with the parts of the config that can be changed without a reboot and can help to check that +the new configuration doesn't break the node. 
+ +Can be especially useful to check network interfaces changes that may lead to the loss of connectivity to the node. + +## Networking + +### Network Device Selector + +Talos machine configuration supports specifying network interfaces by selectors instead of interface name. +See [documentation]({{< relref "../talos-guides/network/device-selector" >}}) for more details. + +## SBCs + +### RockPi 4 variants A and B + +Talos now supports RockPi variants A and B in addition to RockPi 4C + +### Raspberry Pi PoE Hat Fan + +Talos now enables the Raspberry Pi PoE fan control by pulling in the poe overlay that works with upstream kernel + +## Miscellaneous + +### IPv6 in Docker-based Talos Clusters + +The command `talosctl cluster create` now enables IPv6 by default for the Docker containers +created for Talos nodes. +This allows to use IPv6 addresses in Kubernetes networking. + +If `talosctl cluster create` fails to work on Linux due to the lack of IPv6 support, +please use the flag `--disable-docker-ipv6` to revert the change. + +### `eudev` Default Rules + +Drops some default eudev rules that doesn't make sense in the context of Talos OS. +Especially the ones around sound devices, cd-roms and renaming the network interfaces to be predictable. diff --git a/website/content/v1.1/kubernetes-guides/configuration/pod-security.md b/website/content/v1.1/kubernetes-guides/configuration/pod-security.md index f102e14604..28aaef25be 100644 --- a/website/content/v1.1/kubernetes-guides/configuration/pod-security.md +++ b/website/content/v1.1/kubernetes-guides/configuration/pod-security.md 
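Review bot: The "Kubernetes API Server Anonymous Auth" section tells readers how to switch anonymous access back on without saying what that undoes; since the preceding sentence presents the new default as a CIS compliance item, the example should carry a one-line caveat such as `Re-enabling anonymous authentication reverts this hardening and exposes unauthenticated API server endpoints again; keep it disabled unless a component strictly requires it.` The Pod Security Admission default is also shown in a different shape on each page of this patch — here as an `AdmissionConfiguration`, in the pod-security guide as a bare `PodSecurityConfiguration`, and in the upgrade guide nested under `cluster.apiServer.admissionControl` — so a sentence stating that this block is the rendered kube-apiserver admission configuration and pointing to the upgrade guide for the machine-configuration form would avoid readers pasting the wrong one. Minor wording in the added text: `modified to suite your needs` should read `suit`, `rules that doesn't make sense` should read `don't`, and the RockPi and PoE sentences lack a terminating period.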
@@ -14,27 +14,22 @@ In this guide we are going to enable and configure Pod Security Admission in Tal ## Configuration -Prepare the following machine configuration patch and store it in the `pod-security-patch.yaml`: +Talos provides default Pod Security Admission in the machine configuration: ```yaml -- op: add - path: /cluster/apiServer/admissionControl - value: - - name: PodSecurity - configuration: - apiVersion: pod-security.admission.config.k8s.io/v1alpha1 - kind: PodSecurityConfiguration - defaults: - enforce: "baseline" - enforce-version: "latest" - audit: "restricted" - audit-version: "latest" - warn: "restricted" - warn-version: "latest" - exemptions: - usernames: [] - runtimeClasses: [] - namespaces: [kube-system] +apiVersion: pod-security.admission.config.k8s.io/v1alpha1 +kind: PodSecurityConfiguration +defaults: + enforce: "baseline" + enforce-version: "latest" + audit: "restricted" + audit-version: "latest" + warn: "restricted" + warn-version: "latest" +exemptions: + usernames: [] + runtimeClasses: [] + namespaces: [kube-system] ``` This is a cluster-wide configuration for the Pod Security Admission plugin: @@ -42,13 +37,7 @@ This is a cluster-wide configuration for the Pod Security Admission plugin: * by default `baseline` [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/) profile is enforced * more strict `restricted` profile is not enforced, but API server warns about found issues -Generate Talos machine configuration applying the patch above: - -```shell -talosctl gen config cluster1 https://:6443/ --config-patch-control-plane @../pod-security-patch.yaml -``` - -Deploy Talos using the generated machine configuration. +This default policy can be modified by updating the generated machine configuration before the cluster is created or on the fly by using the `talosctl` CLI utility. Verify current admission plugin configuration with: 
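Review bot: The second hunk replaces the only actionable instruction on the page with a generic sentence: the deleted `talosctl gen config … --config-patch-control-plane` example is not replaced by any concrete way to change the default, and the new YAML block shows the bare `PodSecurityConfiguration` while the upgrade guide in this same patch places it under `cluster.apiServer.admissionControl[].configuration`, so a reader cannot tell where in the machine config this object lives. Suggest naming the path and the commands this release introduces, e.g. `This policy lives under cluster.apiServer.admissionControl in the machine configuration and can be changed with talosctl patch mc or talosctl edit mc (use --dry-run first to preview the diff).` The hunk header context still reads "In this guide we are going to enable and configure Pod Security Admission", which appears stale now that the policy is on by default; that intro sits outside the hunk. The identical hunk is applied to the v1.2 copy of this page and needs the same fix.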
diff --git a/website/content/v1.1/talos-guides/upgrading-talos.md b/website/content/v1.1/talos-guides/upgrading-talos.md index 33efd19a52..5c5cca6553 100644 --- a/website/content/v1.1/talos-guides/upgrading-talos.md +++ b/website/content/v1.1/talos-guides/upgrading-talos.md @@ -79,7 +79,29 @@ future. ## Machine Configuration Changes -TBD +Talos 1.1.0 provides a default configuration for [Pod Security Admission]({{< relref "../kubernetes-guides/configuration/pod-security" >}}): + +```yaml +cluster: + apiServer: + admissionControl: + - name: PodSecurity + configuration: + apiVersion: pod-security.admission.config.k8s.io/v1alpha1 + defaults: + audit: restricted + audit-version: latest + enforce: baseline + enforce-version: latest + warn: restricted + warn-version: latest + exemptions: + namespaces: + - kube-system + runtimeClasses: [] + usernames: [] + kind: PodSecurityConfiguration +``` ## Upgrade Sequence diff --git a/website/content/v1.2/introduction/support-matrix.md b/website/content/v1.2/introduction/support-matrix.md index 4f2b16e8b6..4b1bf668a9 100644 --- a/website/content/v1.2/introduction/support-matrix.md +++ b/website/content/v1.2/introduction/support-matrix.md 
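Review bot: The new "Machine Configuration Changes" section shows the Pod Security Admission default but does not say whether a 1.0 cluster upgraded to 1.1 receives it or whether only freshly generated configurations contain it; the pod-security guide in this patch speaks of editing the "generated machine configuration", which suggests upgraded clusters keep running without the admission plugin until the operator adds the block. An upgrade guide should state this explicitly, for example `Existing machine configurations are not modified on upgrade; add the block above (for example with talosctl patch mc) to enable the policy on an upgraded cluster.` — assuming that is the actual behaviour. The kube-apiserver anonymous-auth default change listed in What's New is also absent here even though it alters API server behaviour on upgrade; if it applies to upgraded clusters, it belongs in this section with the `anonymous-auth` override shown next to it.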
@@ -6,29 +6,29 @@ description: "Table of supported Talos Linux versions and respective platforms." | Talos Version | 1.2 | 1.1 | |----------------------------------------------------------------------------------------------------------------|------------------------------------|------------------------------------| -| Release Date | 2022-09-01, TBD | 2022-06-24 (1.1.0) | -| End of Community Support | 1.3.0 release (2022-12-01, TBD) | 1.2.0 release (2022-06-24, TBD) | +| Release Date | 2022-09-01, TBD | 2022-06-22 (1.1.0) | +| End of Community Support | 1.3.0 release (2022-12-01, TBD) | 1.2.0 release (2022-09-01, TBD) | | Enterprise Support | [offered by Sidero Labs Inc.](https://www.siderolabs.com/support/) | [offered by Sidero Labs Inc.](https://www.siderolabs.com/support/) | -| Kubernetes | 1.24, 1.23, 1.22 | +| Kubernetes | 1.25, 1.24, 1.23 | 1.24, 1.23, 1.22 | | Architecture | amd64, arm64 | amd64, arm64 | | **Platforms** | | | -| - cloud | AWS, GCP, Azure, Digital Ocean, Hetzner, OpenStack, Oracle Cloud, Scaleway, Vultr, Upcloud | AWS, GCP, Azure, Digital Ocean, Hetzner, OpenStack, Scaleway, Vultr, Upcloud | +| - cloud | AWS, GCP, Azure, Digital Ocean, Hetzner, OpenStack, Oracle Cloud, Scaleway, Vultr, Upcloud | AWS, GCP, Azure, Digital Ocean, Hetzner, OpenStack, Oracle Cloud, Scaleway, Vultr, Upcloud | | - bare metal | x86: BIOS, UEFI; arm64: UEFI; boot: ISO, PXE, disk image | x86: BIOS, UEFI; arm64: UEFI; boot: ISO, PXE, disk image | | - virtualized | VMware, Hyper-V, KVM, Proxmox, Xen | VMware, Hyper-V, KVM, Proxmox, Xen | -| - SBCs | Banana Pi M64, Jetson Nano, Libre Computer Board ALL-H3-CC, Pine64, Pine64 Rock64, Radxa ROCK Pi 4c, Raspberry Pi 4B | Raspberry Pi4, Banana Pi M64, Pine64, and other | +| - SBCs | Banana Pi M64, Jetson Nano, Libre Computer Board ALL-H3-CC, Pine64, Pine64 Rock64, Radxa ROCK Pi 4c, Raspberry Pi 4B | Banana Pi M64, Jetson Nano, Libre Computer Board ALL-H3-CC, Pine64, Pine64 Rock64, Radxa ROCK Pi 4c, Raspberry Pi 4B | | - local 
| Docker, QEMU | Docker, QEMU | | **Cluster API** | | | -| [CAPI Bootstrap Provider Talos](https://github.com/siderolabs/cluster-api-bootstrap-provider-talos) | >= 0.5.3 | >= 0.5.3 | -| [CAPI Control Plane Provider Talos](https://github.com/siderolabs/cluster-api-control-plane-provider-talos) | >= 0.4.5 | >= 0.4.5 | -| [Sidero](https://www.sidero.dev/) | >= 0.5.0 | >= 0.5.0 | +| [CAPI Bootstrap Provider Talos](https://github.com/siderolabs/cluster-api-bootstrap-provider-talos) | >= 0.5.4 | >= 0.5.3 | +| [CAPI Control Plane Provider Talos](https://github.com/siderolabs/cluster-api-control-plane-provider-talos) | >= 0.4.6 | >= 0.4.6 | +| [Sidero](https://www.sidero.dev/) | >= 0.5.1 | >= 0.5.1 | | **UI** | | | | [Theila](https://github.com/siderolabs/theila) | ✓ | ✓ | ## Platform Tiers -Tier 1: Automated tests, high-priority fixes. -Tier 2: Tested from time to time, medium-priority bugfixes. -Tier 3: Not tested by core Talos team, community tested. +* Tier 1: Automated tests, high-priority fixes. +* Tier 2: Tested from time to time, medium-priority bugfixes. +* Tier 3: Not tested by core Talos team, community tested. ### Tier 1 diff --git a/website/content/v1.2/kubernetes-guides/configuration/pod-security.md b/website/content/v1.2/kubernetes-guides/configuration/pod-security.md index f102e14604..28aaef25be 100644 --- a/website/content/v1.2/kubernetes-guides/configuration/pod-security.md +++ b/website/content/v1.2/kubernetes-guides/configuration/pod-security.md 
@@ -14,27 +14,22 @@ In this guide we are going to enable and configure Pod Security Admission in Tal ## Configuration -Prepare the following machine configuration patch and store it in the `pod-security-patch.yaml`: +Talos provides default Pod Security Admission in the machine configuration: ```yaml -- op: add - path: /cluster/apiServer/admissionControl - value: - - name: PodSecurity - configuration: - apiVersion: pod-security.admission.config.k8s.io/v1alpha1 - kind: PodSecurityConfiguration - defaults: - enforce: "baseline" - enforce-version: "latest" - audit: "restricted" - audit-version: "latest" - warn: "restricted" - warn-version: "latest" - exemptions: - usernames: [] - runtimeClasses: [] - namespaces: [kube-system] +apiVersion: pod-security.admission.config.k8s.io/v1alpha1 +kind: PodSecurityConfiguration +defaults: + enforce: "baseline" + enforce-version: "latest" + audit: "restricted" + audit-version: "latest" + warn: "restricted" + warn-version: "latest" +exemptions: + usernames: [] + runtimeClasses: [] + namespaces: [kube-system] ``` This is a cluster-wide configuration for the Pod Security Admission plugin: @@ -42,13 +37,7 @@ This is a cluster-wide configuration for the Pod Security Admission plugin: * by default `baseline` [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/) profile is enforced * more strict `restricted` profile is not enforced, but API server warns about found issues -Generate Talos machine configuration applying the patch above: - -```shell -talosctl gen config cluster1 https://:6443/ --config-patch-control-plane @../pod-security-patch.yaml -``` - -Deploy Talos using the generated machine configuration. +This default policy can be modified by updating the generated machine configuration before the cluster is created or on the fly by using the `talosctl` CLI utility. Verify current admission plugin configuration with: