github siderolabs/talos v0.12.0-alpha.1


Talos 0.12.0-alpha.1 (2021-08-13)

Welcome to the v0.12.0-alpha.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/talos-systems/talos/issues.

Support for Self-hosted Control Plane Dropped

Note: This item only applies to clusters bootstrapped with Talos <= 0.8.

Talos 0.12 completely removes support for the self-hosted (bootkube-based) Kubernetes control plane.
Talos 0.9 introduced the Talos-managed control plane and provided a migration path to convert a self-hosted control plane
to Talos-managed static pods.
Automated and manual conversion is available in Talos 0.9.x through 0.11.x.
For clusters bootstrapped with bootkube (Talos <= 0.8), make sure the control plane has been converted to Talos-managed
before upgrading to Talos 0.12; 0.12 no longer ships the conversion tooling.
The current control plane status can be checked with talosctl get bootstrapstatus before performing the upgrade to Talos 0.12.

Cluster API v0.3.x

Cluster API v0.3.x (v1alpha3) is not compatible with Kubernetes 1.22, which Talos 0.12 uses by default.
Either configure Talos to run Kubernetes 1.21, or move to Cluster API v0.4.x (v1alpha4) components instead.
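As an added example (not part of the release notes or of the Talos project's own documentation), the machine configuration fields that pin a Talos 0.12 cluster to a Kubernetes 1.21 release so that Cluster API v0.3.x can keep managing it. The patch release 1.21.3 is an assumption taken from the CI commit in this release; any 1.21.x works the same way. The image names follow the registries listed under Images at the end of these notes. talosctl gen config also accepts a --kubernetes-version flag that produces the same pins.

```yaml
# Added example, not part of the release notes: pin control plane and kubelet
# to Kubernetes 1.21 on Talos 0.12 (1.21.3 is an assumed patch release).
# Every component must be pinned; mixing a 1.22 kube-apiserver with a 1.21
# kubelet is not a supported skew for CAPI v0.3.x.
machine:
  kubelet:
    image: ghcr.io/talos-systems/kubelet:v1.21.3
cluster:
  apiServer:
    image: k8s.gcr.io/kube-apiserver:v1.21.3
  controllerManager:
    image: k8s.gcr.io/kube-controller-manager:v1.21.3
  scheduler:
    image: k8s.gcr.io/kube-scheduler:v1.21.3
  proxy:
    image: k8s.gcr.io/kube-proxy:v1.21.3
```

Keep the pin only as long as CAPI v0.3.x is in use: Kubernetes 1.21 stops receiving security fixes well before 1.22 does, so plan the CAPI v0.4.x move rather than treating the pin as permanent.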

Machine Config Validation

Unknown keys in the machine config now make the config invalid:
any attempt to apply or edit a configuration containing unknown keys fails with an error.
Previously such keys were accepted and ignored, so a misspelled option (including a security setting) could go unapplied without any warning.

Sysctl Configuration

The sysctl kernel parameter configuration was completely rewritten to be based on controllers and resources,
which makes it possible to apply .machine.sysctls in immediate mode (without a reboot).
talosctl get kernelparams returns the merged list of KSPP, Kubernetes and user-defined params along with
the default values overwritten by Talos.
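The two items above combine in practice: a sysctl block is the kind of setting that used to be lost silently when its key was mistyped, and it is now one of the settings that can be pushed without a reboot. The following fragment is an added example, not configuration shipped by the release or the Talos project; the parameter values are ordinary network-hardening choices and are assumptions, not Talos defaults.

```yaml
# Added example, not part of the release notes.
# Values are strings. Apply without a reboot on Talos 0.12 with
#   talosctl apply-config --immediate -n <node-ip> -f controlplane.yaml
# and confirm the merged result (KSPP + Kubernetes + these) with
#   talosctl get kernelparams -n <node-ip>
machine:
  sysctls:
    net.ipv4.tcp_syncookies: "1"              # SYN-flood protection
    net.ipv4.conf.all.accept_redirects: "0"   # ignore ICMP redirects
    net.ipv4.conf.default.accept_redirects: "0"
    net.ipv4.conf.all.send_redirects: "0"     # nodes are not routers
    net.ipv4.conf.all.log_martians: "1"       # log impossible source addresses
    fs.inotify.max_user_watches: "1048576"    # headroom for kubelet/log agents
  # NOTE: as of 0.12 a misspelled key here, for example `sysctl:` instead of
  # `sysctls:`, makes the whole document invalid and apply-config returns an
  # error instead of silently dropping the block.
```

Check with talosctl get kernelparams after applying: a user value that collides with a KSPP or Kubernetes parameter shows up in the merged list, which is the place to see which value actually won.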

Equinix Metal

Added support for Equinix Metal IPs as the Talos virtual (shared) IP (option equinixMetal under vip in the machine configuration).
Talos automatically re-assigns the IP through the Equinix Metal API when leadership changes.

etcd

New etcd cluster members are now joined in learner mode: a learner receives the raft log but has no vote,
so a member that fails to catch up cannot affect quorum, which improves cluster resiliency to member join issues.

Join Node Type

Node type `join` was renamed to `worker` for clarity. The old value is still accepted in the machine configuration but is deprecated.
talosctl gen config now generates worker.yaml instead of join.yaml.

Networking

  • multiple static addresses can be specified for an interface with the new .addresses field (the old single-value .cidr field is deprecated)
  • static addresses can now be set on interfaces that are also configured with DHCP
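The Equinix Metal VIP item and the two networking items above all land in the same place, machine.network.interfaces, so one added example covers both (this fragment is not from the release notes or the Talos documentation). The interface name bond0, the documentation-range addresses and the token placeholder are assumptions.

```yaml
# Added example, not part of the release notes.
machine:
  network:
    interfaces:
      - interface: bond0          # assumed name; Equinix Metal hosts usually bond their NICs
        dhcp: true                # primary address from DHCP ...
        addresses:                # ... plus static addresses (0.12 allows both together)
          - 10.0.0.10/24          # replaces the deprecated single `cidr` value
          - 2001:db8::10/64
        vip:
          ip: 203.0.113.5         # the Equinix Metal IP shared by the control plane nodes
          equinixMetal:
            apiToken: REPLACE_WITH_PROJECT_API_TOKEN
```

The apiToken is a cloud credential that now lives inside the machine config. Anyone who can read the config of a control plane node (talosconfig holders, CAPI secrets, config backups) can move that IP, so use a project-scoped token rather than a personal one, and treat the generated controlplane.yaml as a secret from this point on.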

Performance

  • machined uses less memory and CPU time
  • more disk encryption options are exposed via the machine configuration
  • disk partitions are now aligned properly with minimum I/O size
  • Talos system processes are moved under proper cgroups, resource metrics are now available via the kubelet
  • OOM score is set on the system processes making sure they are killed last under memory pressure

Security

  • etcd PKI moved to /system/secrets
  • kubelet bootstrap CSR auto-signing is scoped to kubelet bootstrap tokens only; CSRs submitted with other credentials are no longer auto-approved
  • the default seccomp profile is enforced on all system containers
  • the system services apid, trustd and etcd run as non-root users

Component Updates

  • Linux: 5.10.57
  • Kubernetes: 1.22.0
  • containerd: 1.5.5
  • runc: 1.0.1
  • GRUB: 2.06
  • Talos is built with Go 1.16.7

Contributors

  • Andrey Smirnov
  • Alexey Palazhchenko
  • Serge Logvinov
  • Artem Chernyshev
  • Spencer Smith
  • dependabot[bot]
  • Andrew Rynhard
  • Rui Lopes
  • Caleb Woodbine
  • Seán C McCord

Changes

110 commits

  • 6ee690d9a release(v0.12.0-alpha.1): prepare release
  • 1ed5e5453 feat: add ClusterID and ClusterSecret
  • 228b37616 chore: run etcd as non-root user
  • 3518219bf chore: drop deprecated --no-reboot param and KernelCurrentRoot const
  • 33d1c3e42 chore: run apid and trustd services as non-root user
  • dadaa65d5 feat: print uid/gid for the files in ls -l
  • e6fa401b6 fix: enable seccomp default profile by default
  • 8ddbcc964 feat: validate if extra fields present in the decoder
  • 5b57a9800 chore: update Go to 1.16.7, Linux to 5.10.57
  • eefe1c21c feat: add new etcd members in learner mode
  • b1c66fbad feat: implement Equinix Metal support for virtual (shared) IP
  • 62242f979 chore: require GPG signatures
  • faecae44f feat: make ISO builds reproducible
  • 887c2326a release(v0.12.0-alpha.0): prepare release
  • a15f01844 fix: move etcd PKI under /system/secrets
  • eb02afe18 fix: match correctly routes on the address family
  • cb948accf feat: allow multiple addresses per interface
  • e030b2e8b chore: use k8s 1.21.3 in CAPI tests for now
  • e08b4f8f9 feat: implement sysctl controllers
  • fdf6b2433 chore: revert "improve artifacts generation reproducibility"
  • b68ed1eb8 fix: make route resources ID match closer routing table primary key
  • 585f63371 fix: correctly handle nodoc for struct fields
  • f2d394dc4 docs: add AMIs for v0.11.5
  • d0970cbfd feat: bootstrap token limit
  • 5285a46d7 fix: maintenance mode reason message
  • 009d15e8d chore: use etcd client TryLock function on upgrade
  • 4dae9ea55 chore: use vtprotobuf compiled marshaling in Talos API
  • 7ca5749ad chore: bump dependencies via dependabot
  • b2507b41d chore: improve artifacts generation reproducibility
  • 1f7dad234 chore: update PKGS version (512 cpus, new ca-certificates)
  • 1a2e78a24 fix: update go-blockdevice
  • 6d6ed1170 chore: use parallel xz with higher compression level
  • 571f7db1b chore: workaround GitHub new release notes limit
  • 09d70b7ea feat: update Kubernetes to v1.22.0
  • f25f10e73 feat: add an option to disable PSP
  • 7c6e4cf23 feat: allow both DHCP and static addressing for the interface
  • 3c566dbc3 fix: remove admission plugins enabled by default from the list
  • 69ead3735 fix: preserve PMBR bootable flag correctly
  • dee630517 fix: align partitions with minimal I/O size
  • 628902297 feat: update GRUB to 2.06
  • b9d04928d feat: move system processes to cgroups
  • 0b8681b4b fix: resolve several issues with Wireguard link specs
  • f8f4bf3ba docs: add disk encryptions examples
  • 79b8fa64b feat: update containerd to 1.5.5
  • 539f42090 chore: bump dependencies via dependabot
  • 0c7ce1cd8 feat: remove remnants of bootkube support
  • d4f9804f8 chore: fix typos
  • 5f027615f feat: expose more encryption options to the machine config
  • 585152a0b chore: bump dependencies
  • fc66ec596 feat: set oom score for main processes
  • df54584a3 fix: drop linux capabilities
  • f65d0b739 docs: add 0.11.3 AMIs
  • 7332d6369 fix: bump pkgs for new kernel 5.10.52
  • 70d2505b7 fix: do not require ToVersion to be set when detecting version
  • 0953b1998 chore: update extras to bring a new CNI bundle
  • b6c47f866 fix: set the /etc/os-release HOME_URL parameter
  • c780821d0 feat: update containerd to 1.5.3, runc to 1.0.1
  • f8f1c83a7 feat: detect the lowest Kubernetes version in upgrade-k8s CLI command
  • 55e17ccdd chore: bump dependencies
  • da6f786ca fix: kuberentes => kubernetes typo
  • 2e463348b fix: pass all logs through the options.Log method
  • 4e9c5afb6 fix: make ethtool optional in link status controller
  • bf61c2cc4 fix: write upgrade logs only to the LogOutput if it's defined
  • 9c73257cb feat: update Go to 1.16.6
  • 23ef1d40a chore: add ability to redirect talos upgrade module logs to io.Writer
  • 33e9d6c98 chore: bump github.com/aws/aws-sdk-go in /hack/cloud-image-uploader
  • 604434c43 chore: bump github.com/prometheus/procfs from 0.6.0 to 0.7.0
  • 2ea28f62d chore: bump node from 16.3.0-alpine to 16.4.2-alpine
  • b358a189b fix: correctly pick route scope for link-local destination
  • 6848d4314 feat: can change clusterdns ip lists
  • 72b76abfd fix: workaround issues when IPv6 is fully or partially disabled
  • 679b08f4f docs: update docs for 0.12
  • 6fbec9e0c fix: cache etcd client used for healthchecks
  • eea750de2 chore: rename "join" type to "worker"
  • 951493ac8 docs: update what's new for Talos 0.11
  • b47d1098b docs: promote 0.11 docs to be the latest
  • d930a2650 chore: implement DeepCopy for machine configuration
  • fe4ed3c73 chore: ignore tags which don't look like semantic version
  • b969e7720 chore: update references to old protobuf package
  • 2ba8ac9ab docs: add documentation directory for 0.12
  • 011e2885e fix: validate bond slaves addressing
  • 10c28758a fix: ignore DeadlineExceeded error correctly on bootstrap
  • 77fabacec chore: ignore future pkg/machinery/vX.Y.Z tags
  • 6b661114d fix: make COSI runtime history depth smaller
  • 9bf899bdd fix: make forfeit leadership connect to the right node
  • 4708beaee feat: implement talosctl config info command
  • 6d13d2cf9 fix: close Kubernetes API client
  • aaa36f3b4 fix: ignore 'not a leader' error on forfeit leadership
  • 22a419367 fix: workaround 'Unauthorized' errors when accessing Kubernetes API
  • 71c6f7004 chore: bump go.mod dependencies
  • 915cd8fe2 docs: add guide for RBAC
  • f5721050d fix: controlplane keyusage
  • 3d7726613 fix: fill uuid argument correctly in the config download URL
  • d8602025c chore: update containerd config version 2
  • 5949ec4e6 docs: describe the new network configuration subsystem
  • 444d72b4d feat: update pkgs version
  • e883c12b3 fix: make output of upgrade-k8s command less scary
  • 7f8e50de4 fix: restart the merge controllers on conflict
  • 60d736094 fix: ignore deadline exceeded errors on bootstrap
  • ee06dd69f fix: don't print git sha of the release twice in the dashboard
  • 07fb61e5d fix: issue worker apid certs properly on renewal
  • 84817f733 chore: bump Talos version in upgrade tests
  • 2fa54107b chore: fix tests for disabled RBAC
  • 78583ba98 fix: don't set bond delay options if miimon is not enabled
  • bbf1c091d feat: add RBAC to talosctl version output
  • 5f6ec3ef6 fix: handle cases when merged resource re-appears before being destroyed
  • 1e9a0e745 fix: documentation typos
  • f228af406 chore: bump go.mod dependencies
  • 2060ceaa0 chore: add CAPI version to CI setup
  • ad047a7de chore: small RBAC improvements

Changes since v0.12.0-alpha.0

13 commits

  • 6ee690d9a release(v0.12.0-alpha.1): prepare release
  • 1ed5e5453 feat: add ClusterID and ClusterSecret
  • 228b37616 chore: run etcd as non-root user
  • 3518219bf chore: drop deprecated --no-reboot param and KernelCurrentRoot const
  • 33d1c3e42 chore: run apid and trustd services as non-root user
  • dadaa65d5 feat: print uid/gid for the files in ls -l
  • e6fa401b6 fix: enable seccomp default profile by default
  • 8ddbcc964 feat: validate if extra fields present in the decoder
  • 5b57a9800 chore: update Go to 1.16.7, Linux to 5.10.57
  • eefe1c21c feat: add new etcd members in learner mode
  • b1c66fbad feat: implement Equinix Metal support for virtual (shared) IP
  • 62242f979 chore: require GPG signatures
  • faecae44f feat: make ISO builds reproducible

Changes from talos-systems/crypto

1 commit

Changes from talos-systems/extras

3 commits

Changes from talos-systems/go-blockdevice

4 commits

Changes from talos-systems/pkgs

17 commits

Changes from talos-systems/tools

5 commits

Dependency Changes

  • github.com/BurntSushi/toml v0.3.1 -> v0.4.1
  • github.com/aws/aws-sdk-go v1.38.66 -> v1.40.2
  • github.com/containerd/containerd v1.5.2 -> v1.5.5
  • github.com/cosi-project/runtime 93ead370bf57 -> 25f235cd0682
  • github.com/docker/docker v20.10.7 -> v20.10.8
  • github.com/google/uuid v1.2.0 -> v1.3.0
  • github.com/hashicorp/go-getter v1.5.4 -> v1.5.6
  • github.com/opencontainers/runtime-spec e6143ca7d51d -> 1c3f411f0417
  • github.com/packethost/packngo v0.19.0 new
  • github.com/prometheus/procfs v0.6.0 -> v0.7.2
  • github.com/rivo/tview d4fb0348227b -> 29d673af0ce2
  • github.com/spf13/cobra v1.1.3 -> v1.2.1
  • github.com/talos-systems/crypto v0.3.1 -> deec8d47700e
  • github.com/talos-systems/extras v0.4.0 -> v0.5.0-alpha.0-2-g8ce17e5
  • github.com/talos-systems/go-blockdevice v0.2.1 -> v0.2.3
  • github.com/talos-systems/pkgs v0.6.0-1-g7b2e126 -> v0.7.0-alpha.0-16-gda4ac04
  • github.com/talos-systems/tools v0.6.0 -> v0.7.0-alpha.0-3-g2368154
  • github.com/vmware-tanzu/sonobuoy v0.52.0 -> v0.53.0
  • go.uber.org/zap v1.17.0 -> v1.18.1
  • golang.org/x/net 04defd469f4e -> 853a461950ff
  • golang.org/x/sys 59db8d763f22 -> 0f9fa26af87c
  • golang.org/x/time 38a9dc6acbc6 -> 1f47c861a9ac
  • google.golang.org/grpc v1.38.0 -> v1.39.1
  • google.golang.org/protobuf v1.26.0 -> v1.27.1
  • inet.af/netaddr bf05d8b52dda -> ce7a8ad02cc1
  • k8s.io/api v0.21.2 -> v0.22.0
  • k8s.io/apimachinery v0.21.2 -> v0.22.0
  • k8s.io/apiserver v0.21.2 -> v0.22.0
  • k8s.io/client-go v0.21.2 -> v0.22.0
  • k8s.io/cri-api v0.21.2 -> v0.22.0
  • k8s.io/kubectl v0.21.2 -> v0.22.0
  • k8s.io/kubelet v0.21.2 -> v0.22.0

Previous release can be found at v0.11.0

Images

quay.io/coreos/flannel:v0.13.0
ghcr.io/talos-systems/install-cni:v0.5.0-alpha.0-2-g8ce17e5
docker.io/coredns/coredns:1.8.4
gcr.io/etcd-development/etcd:v3.4.16
k8s.gcr.io/kube-apiserver:v1.22.0
k8s.gcr.io/kube-controller-manager:v1.22.0
k8s.gcr.io/kube-scheduler:v1.22.0
k8s.gcr.io/kube-proxy:v1.22.0
ghcr.io/talos-systems/kubelet:v1.22.0
ghcr.io/talos-systems/installer:v0.12.0-alpha.1
k8s.gcr.io/pause:3.2
