The latest articles on DEV Community by Boriss V (@bnovickovs). https://dev.to/bnovickovs https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2942085%2F5126127b-e420-4a89-a146-23c6f7527674.jpg https://dev.to/bnovickovs en Boriss V Fri, 12 Sep 2025 06:01:10 +0000 https://dev.to/bnovickovs/running-talos-linux-with-gpu-passthrough-on-qemu-1ec6 https://dev.to/bnovickovs/running-talos-linux-with-gpu-passthrough-on-qemu-1ec6 <p>I’ve been spending a lot of time with Talos Linux<br> lately. It’s awesome for running Kubernetes in a minimal, immutable way. But there’s always that moment when you go:</p> <p>Talos is lightweight, QEMU is great for homelabs, but GPU passthrough is where things get a bit hacky. So I decided to make it work — and I put the results in a repo:</p> <p><a href="https://github.com/kubebn/talos-qemu-gpu-passthrough" rel="noopener noreferrer">https://github.com/kubebn/talos-qemu-gpu-passthrough</a></p> <p>Running Talos on QEMU is easy enough. Spin up a VM, boot the ISO, apply a machine config — done. But once I needed NVIDIA GPU support for workloads (think AI/ML testing or just experimenting with device plugins).</p> <p>Here's the thing about GPU passthrough - you can't just point QEMU at your GPU and hope for the best. The host OS needs to completely release control of the GPU to the VFIO subsystem. This means:</p> <p>Your GPU disappears from the host (no more nvidia-smi on that card)<br> VFIO takes ownership via kernel parameters<br> The VM gets exclusive access to the hardware</p> <p>It's like lending your car to a friend - they get all the control, you get none.</p> <p><strong>OVMF and UEFI Considerations</strong></p> <p>Modern GPUs are picky about firmware. The scripts detect if your system supports OVMF (UEFI for VMs) and configure things appropriately. This is especially important for newer cards that expect UEFI environments.</p> <p><strong>Closing thoughts</strong></p> <p>This is homelab territory, so expect some rough edges. If you’ve ever wrestled with PCI passthrough, you know it’s always a bit finicky.</p> <p>But hey, I got it working, and now my Talos VMs can see GPUs just fine. Hopefully it helps someone else avoid a weekend of trial-and-error.</p> Boriss V Thu, 11 Sep 2025 10:59:58 +0000 https://dev.to/bnovickovs/comparing-cilium-networking-setups-on-a-talos-hybrid-kubernetes-cluster-3gdk https://dev.to/bnovickovs/comparing-cilium-networking-setups-on-a-talos-hybrid-kubernetes-cluster-3gdk <p>Recently, I’ve been experimenting with different networking configurations for a Talos Linux Kubernetes cluster deployed in hybrid mode - with control plane nodes running in AWS and a worker node hosted on-premises in QEMU. My goal was to evaluate how Cilium CNI behaves in such a setup, especially when combined with KubeSpan, Talos’ native WireGuard-based mesh networking layer.</p> <p>In this post, I’ll share my findings from three different setups, highlighting the challenges, performance results, and takeaways for hybrid environments.</p> <p><strong>1. Cilium Native WireGuard with KubeSpan Disabled</strong></p> <p>My first experiment was running Cilium’s native WireGuard encryption while disabling KubeSpan.</p> <p>On paper, this should provide secure pod-to-pod communication. In practice, it failed. The reason lies in how Cilium implements WireGuard - it assumes direct IP connectivity between nodes.</p> <p>In my hybrid setup, the on-prem worker lives behind NAT, which makes it unreachable for AWS nodes. Since Cilium does not support NAT traversal techniques (e.g., hole punching or STUN-like mechanisms), the WireGuard handshake could not be established.</p> <p>This is exactly where KubeSpan shines. Unlike Cilium’s implementation, KubeSpan was designed for hybrid, cloud, and NAT-constrained topologies. It automatically builds WireGuard tunnels across boundaries, enabling connectivity even when nodes are hidden behind NAT.</p> <p>Takeaway: Without KubeSpan, Cilium WireGuard isn’t viable in hybrid deployments with NAT.</p> <p><strong>2. Native Routing to Reduce VXLAN Encapsulation</strong></p> <p>The second setup explored Cilium’s native routing as a way to reduce VXLAN encapsulation overhead. VXLAN is fine in co-located clusters, but it adds overhead, especially in cross-node, hybrid traffic.</p> <p>At first, I assumed native routing wouldn’t work outside of tightly connected environments. However, with a few tweaks it became possible:</p> <p>Deploy a DaemonSet that extracts each node’s cilium_host IP.</p> <p>Assign a secondary IP with a wider subnet mask (e.g., /24).</p> <p>Enable advertiseKubernetesNetworks so that pod CIDRs are shared across nodes.</p> <p>Ensure KubeSpan peers include these CIDRs in their AllowedIPs.</p> <p>This workaround allowed Cilium to operate in native routing mode, bypassing VXLAN encapsulation even in the hybrid cluster.</p> <p>Takeaway: With some custom plumbing, native routing works across NAT-boundaries when combined with KubeSpan.</p> <p><strong>3. Test Results</strong></p> <p>I ran a series of TCP/UDP performance benchmarks. The full dataset is available here</p> <p>but here’s the summary:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Stream Tests: These tests were instrumental <span class="k">in </span>evaluating the throughput performance of pods and nodes. RR tests <span class="o">(</span>Request-Response<span class="o">)</span>: These tests allowed us to assess the packet per second and latency performance of pods and nodes. CRR tests <span class="o">(</span>Connect-Request-Response<span class="o">)</span>: By utilizing this scenario, we could evaluate the New Connection Per Second performance of pods and nodes. <span class="nt">----------------------------------------------------------------------------------------</span> KubeSpan Enabled. Cilium settings: k8sServiceHost: localhost k8sServicePort: 7445 kubeProxyReplacement: <span class="nb">true </span>enableK8sEndpointSlice: <span class="nb">true </span>localRedirectPolicy: <span class="nb">true </span>healthChecking: <span class="nb">true </span>bpf: masquerade: <span class="nb">true </span>ipv4: enabled: <span class="nb">true </span>hostServices: enabled: <span class="nb">true </span>hostPort: enabled: <span class="nb">true </span>nodePort: enabled: <span class="nb">true </span>externalIPs: enabled: <span class="nb">true </span>hostFirewall: enabled: <span class="nb">true</span> <span class="nt">----------------------------------------------------------------------------------------</span> cilium connectivity perf <span class="nt">--tolerations</span> <span class="s2">""</span> <span class="nt">--namespace-labels</span> pod-security.kubernetes.io/enforce<span class="o">=</span>privileged <span class="nt">-n</span> kube-system <span class="nt">--helm-release-name</span> cilium <span class="nt">--udp</span> <span class="nt">--crr</span> <span class="nt">--samples</span> 3 <span class="se">\</span> <span class="nt">--node-selector-client</span> <span class="s2">"kubernetes.io/hostname=io-apps-bootstrap-1"</span> <span class="nt">--node-selector-server</span> <span class="s2">"kubernetes.io/hostname=io-gpu-pruuzglzan18m9y8"</span> 🔥 Network Performance Test Summary - NON COLOCATED NODES <span class="o">(</span>AWS-&gt;ONPREM<span class="o">)</span>: <span class="nt">--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</span> 📋 Scenario | Node | Test | Duration | Min | Mean | Max | P50 | P90 | P99 | Transaction rate OP/s <span class="nt">--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</span> 📋 pod-to-pod | same-node | TCP_CRR | 10s | 57µs | 67.26µs | 271µs | 65µs | 73µs | 101µs | 14822.78 📋 pod-to-pod | same-node | TCP_RR | 10s | 23µs | 33.84µs | 201µs | 33µs | 36µs | 49µs | 29445.81 📋 pod-to-pod | same-node | UDP_RR | 10s | 21µs | 33.42µs | 19.48ms | 33µs | 37µs | 50µs | 29795.95 📋 host-to-host | same-node | TCP_CRR | 10s | 67µs | 87.43µs | 349µs | 86µs | 99µs | 128µs | 11405.75 📋 host-to-host | same-node | TCP_RR | 10s | 25µs | 36.54µs | 227µs | 36µs | 39µs | 52µs | 27270.72 📋 host-to-host | same-node | UDP_RR | 10s | 21µs | 30.35µs | 215µs | 30µs | 31µs | 46µs | 32813.49 📋 pod-to-pod | other-node | TCP_CRR | 10s | 287.284ms | 288.18447ms | 294.926ms | 285.312ms | 289.375ms | 295ms | 3.37 📋 pod-to-pod | other-node | TCP_RR | 10s | 143.513ms | 146.13599ms | 287.71ms | 145.074ms | 149.104ms | 150ms | 6.75 📋 pod-to-pod | other-node | UDP_RR | 10s | 143.883ms | 144.18403ms | 144.613ms | 144.927ms | 148.985ms | 149.855ms | 6.90 📋 host-to-host | other-node | TCP_CRR | 10s | 287.289ms | 287.86662ms | 289.423ms | 285ms | 288.823ms | 289.705ms | 3.38 📋 host-to-host | other-node | TCP_RR | 10s | 143.572ms | 146.06574ms | 288.202ms | 145.074ms | 149.104ms | 150ms | 6.75 📋 host-to-host | other-node | UDP_RR | 10s | 143.486ms | 144.03764ms | 146.835ms | 144.927ms | 148.985ms | 149.855ms | 6.90 📋 pod-to-pod | same-node | TCP_CRR | 10s | 54µs | 66.73µs | 306µs | 65µs | 73µs | 97µs | 14935.31 📋 pod-to-pod | same-node | TCP_RR | 10s | 23µs | 33.89µs | 177µs | 33µs | 36µs | 50µs | 29391.89 📋 pod-to-pod | same-node | UDP_RR | 10s | 21µs | 33.05µs | 195µs | 32µs | 35µs | 49µs | 30139.94 📋 host-to-host | same-node | TCP_CRR | 10s | 68µs | 85.73µs | 366µs | 86µs | 92µs | 118µs | 11630.99 📋 host-to-host | same-node | TCP_RR | 10s | 24µs | 36.82µs | 5.879ms | 36µs | 39µs | 53µs | 27060.31 📋 host-to-host | same-node | UDP_RR | 10s | 22µs | 31.34µs | 21.676ms | 30µs | 38µs | 48µs | 31787.03 📋 pod-to-pod | other-node | TCP_CRR | 10s | 287.141ms | 287.72271ms | 288.986ms | 285ms | 288.823ms | 289.705ms | 3.38 📋 pod-to-pod | other-node | TCP_RR | 10s | 143.716ms | 146.31566ms | 287.914ms | 145.074ms | 149.104ms | 150ms | 6.74 📋 pod-to-pod | other-node | UDP_RR | 10s | 143.48ms | 144.11599ms | 149.036ms | 144.927ms | 148.985ms | 149.855ms | 6.90 📋 host-to-host | other-node | TCP_CRR | 10s | 287.004ms | 287.91197ms | 292.78ms | 285.312ms | 289.375ms | 295ms | 3.37 📋 host-to-host | other-node | TCP_RR | 10s | 145.089ms | 147.76345ms | 290.773ms | 145ms | 149.09ms | 150ms | 6.67 📋 host-to-host | other-node | UDP_RR | 10s | 145.184ms | 145.58032ms | 151.39ms | 145.074ms | 149.104ms | 150ms | 6.80 📋 pod-to-pod | same-node | TCP_CRR | 10s | 56µs | 68.28µs | 284µs | 65µs | 82µs | 106µs | 14600.08 📋 pod-to-pod | same-node | TCP_RR | 10s | 22µs | 34.21µs | 236µs | 33µs | 37µs | 50µs | 29128.28 📋 pod-to-pod | same-node | UDP_RR | 10s | 20µs | 32.74µs | 209µs | 32µs | 35µs | 48µs | 30413.30 📋 host-to-host | same-node | TCP_CRR | 10s | 67µs | 85.69µs | 367µs | 85µs | 92µs | 119µs | 11638.88 📋 host-to-host | same-node | TCP_RR | 10s | 23µs | 36.68µs | 208µs | 36µs | 39µs | 53µs | 27172.15 📋 host-to-host | same-node | UDP_RR | 10s | 20µs | 30.66µs | 3.662ms | 30µs | 32µs | 46µs | 32483.28 📋 pod-to-pod | other-node | TCP_CRR | 10s | 290.464ms | 291.16426ms | 292.808ms | 295ms | 298.823ms | 299.705ms | 3.40 📋 pod-to-pod | other-node | TCP_RR | 10s | 145.063ms | 148.08606ms | 295.874ms | 145ms | 149.09ms | 150ms | 6.66 📋 pod-to-pod | other-node | UDP_RR | 10s | 144.919ms | 145.82088ms | 149.155ms | 145ms | 148.97ms | 149.852ms | 6.80 📋 host-to-host | other-node | TCP_CRR | 10s | 287.323ms | 287.86053ms | 289.85ms | 285ms | 288.823ms | 289.705ms | 3.37 📋 host-to-host | other-node | TCP_RR | 10s | 143.508ms | 146.03766ms | 288.42ms | 145.074ms | 149.104ms | 150ms | 6.75 📋 host-to-host | other-node | UDP_RR | 10s | 143.523ms | 143.91538ms | 145.713ms | 144.927ms | 148.985ms | 149.855ms | 6.90 <span class="nt">--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</span> <span class="nt">----------------------------------------------------------------------------------------</span> 📋 Scenario | Node | Test | Duration | Throughput Mb/s <span class="nt">----------------------------------------------------------------------------------------</span> 📋 pod-to-pod | same-node | TCP_STREAM | 10s | 12950.39 📋 pod-to-pod | same-node | UDP_STREAM | 10s | 2092.67 📋 pod-to-pod | same-node | TCP_STREAM_MULTI | 10s | 48431.66 📋 pod-to-pod | same-node | UDP_STREAM_MULTI | 10s | 7942.53 📋 host-to-host | same-node | TCP_STREAM | 10s | 20550.47 📋 host-to-host | same-node | UDP_STREAM | 10s | 1442.80 📋 host-to-host | same-node | TCP_STREAM_MULTI | 10s | 79811.91 📋 host-to-host | same-node | UDP_STREAM_MULTI | 10s | 5397.83 📋 pod-to-pod | other-node | TCP_STREAM | 10s | 105.28 📋 pod-to-pod | other-node | UDP_STREAM | 10s | 351.63 📋 pod-to-pod | other-node | TCP_STREAM_MULTI | 10s | 380.95 📋 pod-to-pod | other-node | UDP_STREAM_MULTI | 10s | 496.31 📋 host-to-host | other-node | TCP_STREAM | 10s | 104.16 📋 host-to-host | other-node | UDP_STREAM | 10s | 399.63 📋 host-to-host | other-node | TCP_STREAM_MULTI | 10s | 430.81 📋 host-to-host | other-node | UDP_STREAM_MULTI | 10s | 536.22 📋 pod-to-pod | same-node | TCP_STREAM | 10s | 12556.70 📋 pod-to-pod | same-node | UDP_STREAM | 10s | 2071.79 📋 pod-to-pod | same-node | TCP_STREAM_MULTI | 10s | 48310.76 📋 pod-to-pod | same-node | UDP_STREAM_MULTI | 10s | 7941.07 📋 host-to-host | same-node | TCP_STREAM | 10s | 20379.97 📋 host-to-host | same-node | UDP_STREAM | 10s | 1410.00 📋 host-to-host | same-node | TCP_STREAM_MULTI | 10s | 79800.63 📋 host-to-host | same-node | UDP_STREAM_MULTI | 10s | 5430.72 📋 pod-to-pod | other-node | TCP_STREAM | 10s | 103.53 📋 pod-to-pod | other-node | UDP_STREAM | 10s | 325.66 📋 pod-to-pod | other-node | TCP_STREAM_MULTI | 10s | 413.59 📋 pod-to-pod | other-node | UDP_STREAM_MULTI | 10s | 480.75 📋 host-to-host | other-node | TCP_STREAM | 10s | 119.24 📋 host-to-host | other-node | UDP_STREAM | 10s | 413.51 📋 host-to-host | other-node | TCP_STREAM_MULTI | 10s | 383.96 📋 host-to-host | other-node | UDP_STREAM_MULTI | 10s | 437.77 📋 pod-to-pod | same-node | TCP_STREAM | 10s | 12784.47 📋 pod-to-pod | same-node | UDP_STREAM | 10s | 2079.99 📋 pod-to-pod | same-node | TCP_STREAM_MULTI | 10s | 49080.75 📋 pod-to-pod | same-node | UDP_STREAM_MULTI | 10s | 7867.70 📋 host-to-host | same-node | TCP_STREAM | 10s | 20745.23 📋 host-to-host | same-node | UDP_STREAM | 10s | 1432.03 📋 host-to-host | same-node | TCP_STREAM_MULTI | 10s | 79912.94 📋 host-to-host | same-node | UDP_STREAM_MULTI | 10s | 5489.68 📋 pod-to-pod | other-node | TCP_STREAM | 10s | 101.82 📋 pod-to-pod | other-node | UDP_STREAM | 10s | 329.69 📋 pod-to-pod | other-node | TCP_STREAM_MULTI | 10s | 407.10 📋 pod-to-pod | other-node | UDP_STREAM_MULTI | 10s | 470.26 📋 host-to-host | other-node | TCP_STREAM | 10s | 107.29 📋 host-to-host | other-node | UDP_STREAM | 10s | 404.08 📋 host-to-host | other-node | TCP_STREAM_MULTI | 10s | 405.85 📋 host-to-host | other-node | UDP_STREAM_MULTI | 10s | 567.32 <span class="nt">----------------------------------------------------------------------------------------</span> cilium connectivity perf <span class="nt">--tolerations</span> <span class="s2">""</span> <span class="nt">--namespace-labels</span> pod-security.kubernetes.io/enforce<span class="o">=</span>privileged <span class="nt">-n</span> kube-system <span class="nt">--helm-release-name</span> cilium <span class="nt">--udp</span> <span class="nt">--crr</span> <span class="nt">--samples</span> 3 <span class="se">\</span> <span class="nt">--node-selector-client</span> <span class="s2">"kubernetes.io/hostname=io-apps-bootstrap-1"</span> <span class="nt">--node-selector-server</span> <span class="s2">"kubernetes.io/hostname=io-controlplane-1"</span> 🔥 Network Performance Test Summary - COLOCATED NODES <span class="o">(</span>AWS-&gt;AWS<span class="o">)</span>: <span class="nt">--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</span> 📋 Scenario | Node | Test | Duration | Min | Mean | Max | P50 | P90 | P99 | Transaction rate OP/s <span class="nt">--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</span> 📋 pod-to-pod | same-node | TCP_CRR | 10s | 93µs | 153.92µs | 11.063ms | 136µs | 203µs | 442µs | 6473.15 📋 pod-to-pod | same-node | TCP_RR | 10s | 31µs | 50.49µs | 29.252ms | 46µs | 62µs | 121µs | 19644.46 📋 pod-to-pod | same-node | UDP_RR | 10s | 30µs | 49.49µs | 6.326ms | 48µs | 63µs | 123µs | 20042.63 📋 host-to-host | same-node | TCP_CRR | 10s | 99µs | 157.13µs | 11.857ms | 139µs | 203µs | 437µs | 6340.76 📋 host-to-host | same-node | TCP_RR | 10s | 34µs | 51.88µs | 6.772ms | 49µs | 65µs | 124µs | 19121.01 📋 host-to-host | same-node | UDP_RR | 10s | 33µs | 51.49µs | 6.29ms | 47µs | 64µs | 128µs | 19250.97 📋 pod-to-pod | other-node | TCP_CRR | 10s | 805µs | 1.42404ms | 1.031978s | 1.064ms | 1.333ms | 2.533ms | 701.76 📋 pod-to-pod | other-node | TCP_RR | 10s | 305µs | 509.3µs | 17.769ms | 449µs | 608µs | 1.67ms | 1961.27 📋 pod-to-pod | other-node | UDP_RR | 10s | 296µs | 486.33µs | 25.148ms | 433µs | 565µs | 1.495ms | 2053.80 📋 host-to-host | other-node | TCP_CRR | 10s | 717µs | 1.11209ms | 19.207ms | 997µs | 1.348ms | 3.325ms | 898.50 📋 host-to-host | other-node | TCP_RR | 10s | 273µs | 441.12µs | 10.452ms | 406µs | 514µs | 1.147ms | 2264.47 📋 host-to-host | other-node | UDP_RR | 10s | 270µs | 427.96µs | 16.015ms | 394µs | 504µs | 1.031ms | 2333.99 📋 pod-to-pod | same-node | TCP_CRR | 10s | 94µs | 150.7µs | 11.579ms | 134µs | 198µs | 417µs | 6610.99 📋 pod-to-pod | same-node | TCP_RR | 10s | 31µs | 48.94µs | 13.847ms | 46µs | 61µs | 123µs | 20268.63 📋 pod-to-pod | same-node | UDP_RR | 10s | 30µs | 49.32µs | 16.98ms | 47µs | 63µs | 139µs | 20120.57 📋 host-to-host | same-node | TCP_CRR | 10s | 101µs | 158.66µs | 20.761ms | 143µs | 205µs | 438µs | 6280.68 📋 host-to-host | same-node | TCP_RR | 10s | 31µs | 52.56µs | 32.051ms | 49µs | 65µs | 124µs | 18856.14 📋 host-to-host | same-node | UDP_RR | 10s | 30µs | 52.06µs | 18.874ms | 47µs | 63µs | 132µs | 19055.07 📋 pod-to-pod | other-node | TCP_CRR | 10s | 778µs | 1.14343ms | 14.77ms | 1.065ms | 1.385ms | 2.584ms | 873.62 📋 pod-to-pod | other-node | TCP_RR | 10s | 300µs | 473.68µs | 18.28ms | 439µs | 559µs | 1.154ms | 2108.58 📋 pod-to-pod | other-node | UDP_RR | 10s | 305µs | 468.16µs | 12.304ms | 431µs | 550µs | 1.155ms | 2133.48 📋 host-to-host | other-node | TCP_CRR | 10s | 679µs | 1.01739ms | 20.003ms | 948µs | 1.203ms | 2.3ms | 982.19 📋 host-to-host | other-node | TCP_RR | 10s | 290µs | 451.32µs | 8.471ms | 400µs | 529µs | 1.5ms | 2213.05 📋 host-to-host | other-node | UDP_RR | 10s | 275µs | 438.89µs | 48.143ms | 392µs | 512µs | 1.178ms | 2275.78 📋 pod-to-pod | same-node | TCP_CRR | 10s | 91µs | 154.91µs | 9.155ms | 136µs | 206µs | 463µs | 6433.15 📋 pod-to-pod | same-node | TCP_RR | 10s | 31µs | 49.53µs | 11.302ms | 46µs | 62µs | 119µs | 20018.91 📋 pod-to-pod | same-node | UDP_RR | 10s | 30µs | 50.66µs | 6.199ms | 48µs | 64µs | 127µs | 19585.08 📋 host-to-host | same-node | TCP_CRR | 10s | 97µs | 161.53µs | 19.182ms | 140µs | 199µs | 432µs | 6169.06 📋 host-to-host | same-node | TCP_RR | 10s | 33µs | 51.89µs | 9.37ms | 49µs | 64µs | 120µs | 19116.27 📋 host-to-host | same-node | UDP_RR | 10s | 33µs | 51.96µs | 22.041ms | 47µs | 65µs | 133µs | 19078.59 📋 pod-to-pod | other-node | TCP_CRR | 10s | 785µs | 1.17809ms | 14.512ms | 1.088ms | 1.45ms | 2.93ms | 848.22 📋 pod-to-pod | other-node | TCP_RR | 10s | 290µs | 491.34µs | 23.311ms | 445µs | 574µs | 1.358ms | 2032.95 📋 pod-to-pod | other-node | UDP_RR | 10s | 316µs | 530.1µs | 41.495ms | 455µs | 606µs | 1.642ms | 1884.38 📋 host-to-host | other-node | TCP_CRR | 10s | 714µs | 1.06433ms | 31.965ms | 963µs | 1.266ms | 2.766ms | 938.79 📋 host-to-host | other-node | TCP_RR | 10s | 279µs | 443.92µs | 18.193ms | 402µs | 516µs | 1.246ms | 2249.97 📋 host-to-host | other-node | UDP_RR | 10s | 268µs | 420.99µs | 24.753ms | 389µs | 495µs | 1.05ms | 2372.48 <span class="nt">--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</span> <span class="nt">----------------------------------------------------------------------------------------</span> 📋 Scenario | Node | Test | Duration | Throughput Mb/s <span class="nt">----------------------------------------------------------------------------------------</span> 📋 pod-to-pod | same-node | TCP_STREAM | 10s | 7450.22 📋 pod-to-pod | same-node | UDP_STREAM | 10s | 845.16 📋 pod-to-pod | same-node | TCP_STREAM_MULTI | 10s | 11222.14 📋 pod-to-pod | same-node | UDP_STREAM_MULTI | 10s | 849.59 📋 host-to-host | same-node | TCP_STREAM | 10s | 18252.45 📋 host-to-host | same-node | UDP_STREAM | 10s | 775.24 📋 host-to-host | same-node | TCP_STREAM_MULTI | 10s | 23872.71 📋 host-to-host | same-node | UDP_STREAM_MULTI | 10s | 871.62 📋 pod-to-pod | other-node | TCP_STREAM | 10s | 1474.15 📋 pod-to-pod | other-node | UDP_STREAM | 10s | 322.32 📋 pod-to-pod | other-node | TCP_STREAM_MULTI | 10s | 1547.00 📋 pod-to-pod | other-node | UDP_STREAM_MULTI | 10s | 472.29 📋 host-to-host | other-node | TCP_STREAM | 10s | 1844.26 📋 host-to-host | other-node | UDP_STREAM | 10s | 394.33 📋 host-to-host | other-node | TCP_STREAM_MULTI | 10s | 1816.71 📋 host-to-host | other-node | UDP_STREAM_MULTI | 10s | 546.08 📋 pod-to-pod | same-node | TCP_STREAM | 10s | 8057.11 📋 pod-to-pod | same-node | UDP_STREAM | 10s | 717.48 📋 pod-to-pod | same-node | TCP_STREAM_MULTI | 10s | 11106.95 📋 pod-to-pod | same-node | UDP_STREAM_MULTI | 10s | 754.54 📋 host-to-host | same-node | TCP_STREAM | 10s | 17977.78 📋 host-to-host | same-node | UDP_STREAM | 10s | 756.63 📋 host-to-host | same-node | TCP_STREAM_MULTI | 10s | 24229.15 📋 host-to-host | same-node | UDP_STREAM_MULTI | 10s | 843.12 📋 pod-to-pod | other-node | TCP_STREAM | 10s | 1641.48 📋 pod-to-pod | other-node | UDP_STREAM | 10s | 349.99 📋 pod-to-pod | other-node | TCP_STREAM_MULTI | 10s | 1595.12 📋 pod-to-pod | other-node | UDP_STREAM_MULTI | 10s | 463.93 📋 host-to-host | other-node | TCP_STREAM | 10s | 1769.24 📋 host-to-host | other-node | UDP_STREAM | 10s | 410.02 📋 host-to-host | other-node | TCP_STREAM_MULTI | 10s | 1833.89 📋 host-to-host | other-node | UDP_STREAM_MULTI | 10s | 574.86 📋 pod-to-pod | same-node | TCP_STREAM | 10s | 7852.78 📋 pod-to-pod | same-node | UDP_STREAM | 10s | 739.25 📋 pod-to-pod | same-node | TCP_STREAM_MULTI | 10s | 11195.04 📋 pod-to-pod | same-node | UDP_STREAM_MULTI | 10s | 870.62 📋 host-to-host | same-node | TCP_STREAM | 10s | 18268.06 📋 host-to-host | same-node | UDP_STREAM | 10s | 783.99 📋 host-to-host | same-node | TCP_STREAM_MULTI | 10s | 23901.10 📋 host-to-host | same-node | UDP_STREAM_MULTI | 10s | 751.55 📋 pod-to-pod | other-node | TCP_STREAM | 10s | 1507.56 📋 pod-to-pod | other-node | UDP_STREAM | 10s | 328.49 📋 pod-to-pod | other-node | TCP_STREAM_MULTI | 10s | 1498.47 📋 pod-to-pod | other-node | UDP_STREAM_MULTI | 10s | 442.88 📋 host-to-host | other-node | TCP_STREAM | 10s | 1746.56 📋 host-to-host | other-node | UDP_STREAM | 10s | 431.39 📋 host-to-host | other-node | TCP_STREAM_MULTI | 10s | 1821.09 📋 host-to-host | other-node | UDP_STREAM_MULTI | 10s | 574.39 <span class="nt">----------------------------------------------------------------------------------------</span> <span class="nt">----------------------------------------------------------------------------------------</span> KubeSpan Enabled. Native Routing enabled. k8sServiceHost: localhost k8sServicePort: 7445 kubeProxyReplacement: <span class="nb">true </span>enableK8sEndpointSlice: <span class="nb">true </span>localRedirectPolicy: <span class="nb">true </span>healthChecking: <span class="nb">true </span>routingMode: native ipv4NativeRoutingCIDR: <span class="s2">"10.244.0.0/16"</span> bpf: masquerade: <span class="nb">true </span>hostLegacyRouting: <span class="nb">true </span>ipv4: enabled: <span class="nb">true </span>hostServices: enabled: <span class="nb">true </span>hostPort: enabled: <span class="nb">true </span>nodePort: enabled: <span class="nb">true </span>externalIPs: enabled: <span class="nb">true </span>hostFirewall: enabled: <span class="nb">true </span>Hack to add pod CIDR to kubespan with advertiseKubernetesNetworks: <span class="nb">true</span>: apiVersion: apps/v1 kind: DaemonSet metadata: name: cilium-host-node-cidr namespace: kube-system spec: selector: matchLabels: app: cilium-host-node-cidr template: metadata: name: cilium-host-node-cidr labels: app: cilium-host-node-cidr spec: hostNetwork: <span class="nb">true </span>tolerations: - key: <span class="s2">"node-role.kubernetes.io/master"</span> operator: Exists - key: <span class="s2">"node-role.kubernetes.io/control-plane"</span> operator: Exists containers: - name: cilium-host-node-cidr image: alpine imagePullPolicy: Always <span class="nb">command</span>: - /bin/sh - <span class="nt">-c</span> - | apk update apk add iproute2 handle_error<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nb">sleep</span> <span class="s2">"</span><span class="nv">$SLEEP_TIME</span><span class="s2">"</span> <span class="o">}</span> <span class="nb">echo</span> <span class="s2">"Watching cilium_host IP addresses..."</span> <span class="k">while</span> :<span class="p">;</span> <span class="k">do</span> <span class="c"># Extract all IPv4 addresses from cilium_host</span> <span class="nv">ip_addresses</span><span class="o">=</span><span class="si">$(</span>ip <span class="nt">-4</span> addr show dev cilium_host |grep inet | <span class="nb">awk</span> <span class="s1">'{print $2}'</span><span class="si">)</span> <span class="c"># Check if any of the IP addresses match the NODE_CIDR_MASK_SIZE</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$ip_addresses</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"/</span><span class="k">${</span><span class="nv">NODE_CIDR_MASK_SIZE</span><span class="k">}</span><span class="s2">"</span> <span class="o">||</span> <span class="o">{</span> <span class="c"># Extract the /32 IP address if NODE_CIDR_MASK_SIZE was not found</span> <span class="nv">pod_ip</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$ip_addresses</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="s2">"/32"</span> | <span class="nb">cut</span> <span class="nt">-d</span>/ <span class="nt">-f1</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$pod_ip</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>handle_error <span class="s2">"Couldn't extract cilium pod IP address from cilium_host interface"</span> <span class="k">continue fi</span> <span class="c"># Add secondary IP address with the proper NODE_CIDR_MASK_SIZE</span> <span class="nb">echo</span> <span class="s2">"cilium_host IP is </span><span class="nv">$pod_ip</span><span class="s2">"</span> ip addr add <span class="s2">"</span><span class="k">${</span><span class="nv">pod_ip</span><span class="k">}</span><span class="s2">/</span><span class="k">${</span><span class="nv">NODE_CIDR_MASK_SIZE</span><span class="k">}</span><span class="s2">"</span> dev cilium_host <span class="nb">echo</span> <span class="s2">"Added new cilium_host IP address with mask /</span><span class="k">${</span><span class="nv">NODE_CIDR_MASK_SIZE</span><span class="k">}</span><span class="s2">"</span> ip addr show dev cilium_host <span class="o">}</span> <span class="nb">sleep</span> <span class="s2">"</span><span class="nv">$SLEEP_TIME</span><span class="s2">"</span> <span class="k">done </span><span class="nb">env</span>: <span class="c"># The node cidr mask size (IPv4) to allocate pod IPs</span> - name: NODE_CIDR_MASK_SIZE value: <span class="s2">"24"</span> - name: SLEEP_TIME value: <span class="s2">"30"</span> securityContext: capabilities: add: <span class="o">[</span><span class="s2">"NET_ADMIN"</span><span class="o">]</span> <span class="nt">----------------------------------------------------------------------------------------</span> cilium connectivity perf <span class="nt">--tolerations</span> <span class="s2">""</span> <span class="nt">--namespace-labels</span> pod-security.kubernetes.io/enforce<span class="o">=</span>privileged <span class="nt">-n</span> kube-system <span class="nt">--helm-release-name</span> cilium <span class="nt">--udp</span> <span class="nt">--crr</span> <span class="nt">--samples</span> 3 <span class="se">\</span> <span class="nt">--node-selector-client</span> <span class="s2">"kubernetes.io/hostname=io-apps-bootstrap-1"</span> <span class="nt">--node-selector-server</span> <span class="s2">"kubernetes.io/hostname=io-gpu-8tv12b3n8mss73a5"</span> 🔥 Network Performance Test Summary - NON COLOCATED NODES <span class="o">(</span>AWS-&gt;ONPREM<span class="o">)</span>: <span class="nt">--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</span> 📋 Scenario | Node | Test | Duration | Min | Mean | Max | P50 | P90 | P99 | Transaction rate OP/s <span class="nt">--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</span> 📋 pod-to-pod | same-node | TCP_CRR | 10s | 58µs | 67.04µs | 306µs | 65µs | 73µs | 98µs | 14866.02 📋 pod-to-pod | same-node | TCP_RR | 10s | 17µs | 33.9µs | 544µs | 33µs | 37µs | 50µs | 29380.88 📋 pod-to-pod | same-node | UDP_RR | 10s | 18µs | 32.77µs | 181µs | 32µs | 35µs | 48µs | 30398.39 📋 host-to-host | same-node | TCP_CRR | 10s | 67µs | 85.55µs | 381µs | 85µs | 93µs | 121µs | 11661.15 📋 host-to-host | same-node | TCP_RR | 10s | 23µs | 36.35µs | 618µs | 36µs | 40µs | 53µs | 27401.58 📋 host-to-host | same-node | UDP_RR | 10s | 21µs | 30.9µs | 210µs | 30µs | 32µs | 46µs | 32233.90 📋 pod-to-pod | other-node | TCP_CRR | 10s | 264.6ms | 265.32654ms | 266.027ms | 264.864ms | 268.918ms | 269.729ms | 3.67 📋 pod-to-pod | other-node | TCP_RR | 10s | 132.279ms | 134.5613ms | 264.645ms | 135.068ms | 139.041ms | 140ms | 7.33 📋 pod-to-pod | other-node | UDP_RR | 10s | 132.226ms | 132.69796ms | 133.179ms | 134.933ms | 138.933ms | 139.866ms | 7.50 📋 host-to-host | other-node | TCP_CRR | 10s | 264.521ms | 265.27635ms | 269.059ms | 264.864ms | 268.918ms | 269.729ms | 3.67 📋 host-to-host | other-node | TCP_RR | 10s | 132.466ms | 134.62891ms | 264.991ms | 135.068ms | 139.041ms | 140ms | 7.33 📋 host-to-host | other-node | UDP_RR | 10s | 132.281ms | 132.93875ms | 141.145ms | 135ms | 139.054ms | 140ms | 7.50 📋 pod-to-pod | same-node | TCP_CRR | 10s | 58µs | 67.35µs | 3.463ms | 65µs | 73µs | 101µs | 14799.03 📋 pod-to-pod | same-node | TCP_RR | 10s | 19µs | 33.57µs | 257µs | 33µs | 36µs | 49µs | 29675.29 📋 pod-to-pod | same-node | UDP_RR | 10s | 18µs | 32.75µs | 39.239ms | 32µs | 35µs | 48µs | 30418.80 📋 host-to-host | same-node | TCP_CRR | 10s | 67µs | 87.48µs | 29.116ms | 86µs | 97µs | 128µs | 11402.00 📋 host-to-host | same-node | TCP_RR | 10s | 22µs | 36.17µs | 215µs | 36µs | 39µs | 52µs | 27552.41 📋 host-to-host | same-node | UDP_RR | 10s | 22µs | 31.26µs | 192µs | 30µs | 35µs | 47µs | 31862.74 📋 pod-to-pod | other-node | TCP_CRR | 10s | 264.337ms | 265.24054ms | 265.849ms | 264.864ms | 268.918ms | 269.729ms | 3.67 📋 pod-to-pod | other-node | TCP_RR | 10s | 132.212ms | 134.49454ms | 265.236ms | 135.068ms | 139.041ms | 140ms | 7.34 📋 pod-to-pod | other-node | UDP_RR | 10s | 132.263ms | 132.72049ms | 134.5ms | 134.933ms | 138.933ms | 139.866ms | 7.50 📋 host-to-host | other-node | TCP_CRR | 10s | 264.701ms | 265.3847ms | 266.411ms | 264.864ms | 268.918ms | 269.729ms | 3.67 📋 host-to-host | other-node | TCP_RR | 10s | 132.197ms | 134.60853ms | 265.78ms | 135.068ms | 139.041ms | 140ms | 7.33 📋 host-to-host | other-node | UDP_RR | 10s | 132.154ms | 132.91133ms | 148.356ms | 135ms | 139.054ms | 140ms | 7.50 📋 pod-to-pod | same-node | TCP_CRR | 10s | 59µs | 69.47µs | 311µs | 66µs | 80µs | 118µs | 14344.16 📋 pod-to-pod | same-node | TCP_RR | 10s | 19µs | 33.46µs | 229µs | 33µs | 36µs | 48µs | 29773.55 📋 pod-to-pod | same-node | UDP_RR | 10s | 20µs | 32.65µs | 214µs | 32µs | 35µs | 48µs | 30515.23 📋 host-to-host | same-node | TCP_CRR | 10s | 68µs | 85.89µs | 537µs | 85µs | 93µs | 123µs | 11611.06 📋 host-to-host | same-node | TCP_RR | 10s | 25µs | 36.42µs | 192µs | 36µs | 39µs | 52µs | 27371.92 📋 host-to-host | same-node | UDP_RR | 10s | 22µs | 30.92µs | 297µs | 30µs | 33µs | 46µs | 32213.09 📋 pod-to-pod | other-node | TCP_CRR | 10s | 265.235ms | 266.09854ms | 269.077ms | 264.864ms | 268.918ms | 269.729ms | 3.66 📋 pod-to-pod | other-node | TCP_RR | 10s | 132.446ms | 134.7497ms | 265.69ms | 135.068ms | 139.041ms | 140ms | 7.32 📋 pod-to-pod | other-node | UDP_RR | 10s | 132.496ms | 133.04328ms | 134.042ms | 134.933ms | 138.933ms | 139.866ms | 7.50 📋 host-to-host | other-node | TCP_CRR | 10s | 265.256ms | 265.82441ms | 268.172ms | 264.864ms | 268.918ms | 269.729ms | 3.66 📋 host-to-host | other-node | TCP_RR | 10s | 132.648ms | 134.87827ms | 265.483ms | 135.068ms | 139.041ms | 140ms | 7.32 📋 host-to-host | other-node | UDP_RR | 10s | 132.486ms | 133.12277ms | 139.521ms | 134.933ms | 138.933ms | 139.866ms | 7.50 <span class="nt">--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</span> <span class="nt">----------------------------------------------------------------------------------------</span> 📋 Scenario | Node | Test | Duration | Throughput Mb/s <span class="nt">----------------------------------------------------------------------------------------</span> 📋 pod-to-pod | same-node | TCP_STREAM | 10s | 12374.78 📋 pod-to-pod | same-node | UDP_STREAM | 10s | 1922.25 📋 pod-to-pod | same-node | TCP_STREAM_MULTI | 10s | 46342.63 📋 pod-to-pod | same-node | UDP_STREAM_MULTI | 10s | 7505.86 📋 host-to-host | same-node | TCP_STREAM | 10s | 20529.12 📋 host-to-host | same-node | UDP_STREAM | 10s | 1393.09 📋 host-to-host | same-node | TCP_STREAM_MULTI | 10s | 79555.81 📋 host-to-host | same-node | UDP_STREAM_MULTI | 10s | 5320.73 📋 pod-to-pod | other-node | TCP_STREAM | 10s | 130.48 📋 pod-to-pod | other-node | UDP_STREAM | 10s | 403.64 📋 pod-to-pod | other-node | TCP_STREAM_MULTI | 10s | 462.46 📋 pod-to-pod | other-node | UDP_STREAM_MULTI | 10s | 522.04 📋 host-to-host | other-node | TCP_STREAM | 10s | 117.54 📋 host-to-host | other-node | UDP_STREAM | 10s | 423.49 📋 host-to-host | other-node | TCP_STREAM_MULTI | 10s | 491.17 📋 host-to-host | other-node | UDP_STREAM_MULTI | 10s | 548.12 📋 pod-to-pod | same-node | TCP_STREAM | 10s | 12309.88 📋 pod-to-pod | same-node | UDP_STREAM | 10s | 1926.65 📋 pod-to-pod | same-node | TCP_STREAM_MULTI | 10s | 46042.69 📋 pod-to-pod | same-node | UDP_STREAM_MULTI | 10s | 7527.96 📋 host-to-host | same-node | TCP_STREAM | 10s | 20760.76 📋 host-to-host | same-node | UDP_STREAM | 10s | 1373.03 📋 host-to-host | same-node | TCP_STREAM_MULTI | 10s | 79836.82 📋 host-to-host | same-node | UDP_STREAM_MULTI | 10s | 5281.56 📋 pod-to-pod | other-node | TCP_STREAM | 10s | 127.08 📋 pod-to-pod | other-node | UDP_STREAM | 10s | 376.28 📋 pod-to-pod | other-node | TCP_STREAM_MULTI | 10s | 297.87 📋 pod-to-pod | other-node | UDP_STREAM_MULTI | 10s | 525.94 📋 host-to-host | other-node | TCP_STREAM | 10s | 119.80 📋 host-to-host | other-node | UDP_STREAM | 10s | 431.03 📋 host-to-host | other-node | TCP_STREAM_MULTI | 10s | 458.48 📋 host-to-host | other-node | UDP_STREAM_MULTI | 10s | 560.72 📋 pod-to-pod | same-node | TCP_STREAM | 10s | 12186.17 📋 pod-to-pod | same-node | UDP_STREAM | 10s | 1931.67 📋 pod-to-pod | same-node | TCP_STREAM_MULTI | 10s | 45567.46 📋 pod-to-pod | same-node | UDP_STREAM_MULTI | 10s | 7430.05 📋 host-to-host | same-node | TCP_STREAM | 10s | 20255.60 📋 host-to-host | same-node | UDP_STREAM | 10s | 1385.20 📋 host-to-host | same-node | TCP_STREAM_MULTI | 10s | 79924.62 📋 host-to-host | same-node | UDP_STREAM_MULTI | 10s | 5241.39 📋 pod-to-pod | other-node | TCP_STREAM | 10s | 117.64 📋 pod-to-pod | other-node | UDP_STREAM | 10s | 376.95 📋 pod-to-pod | other-node | TCP_STREAM_MULTI | 10s | 488.13 📋 pod-to-pod | other-node | UDP_STREAM_MULTI | 10s | 542.54 📋 host-to-host | other-node | TCP_STREAM | 10s | 117.60 📋 host-to-host | other-node | UDP_STREAM | 10s | 408.21 📋 host-to-host | other-node | TCP_STREAM_MULTI | 10s | 471.71 📋 host-to-host | other-node | UDP_STREAM_MULTI | 10s | 583.24 <span class="nt">----------------------------------------------------------------------------------------</span> 🔥 Network Performance Test Summary - COLOCATED NODES <span class="o">(</span>AWS-&gt;AWS<span class="o">)</span>: <span class="nt">--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</span> 📋 Scenario | Node | Test | Duration | Min | Mean | Max | P50 | P90 | P99 | Transaction rate OP/s <span class="nt">--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</span> 📋 pod-to-pod | same-node | TCP_CRR | 10s | 94µs | 151.37µs | 16.201ms | 134µs | 195µs | 406µs | 6581.04 📋 pod-to-pod | same-node | TCP_RR | 10s | 31µs | 50.48µs | 6.289ms | 48µs | 63µs | 130µs | 19649.36 📋 pod-to-pod | same-node | UDP_RR | 10s | 30µs | 49.74µs | 5.088ms | 47µs | 63µs | 127µs | 19931.64 📋 host-to-host | same-node | TCP_CRR | 10s | 101µs | 160.46µs | 5.724ms | 145µs | 206µs | 455µs | 6210.43 📋 host-to-host | same-node | TCP_RR | 10s | 32µs | 49.27µs | 21.005ms | 44µs | 62µs | 121µs | 20122.15 📋 host-to-host | same-node | UDP_RR | 10s | 31µs | 49.06µs | 4.848ms | 45µs | 62µs | 122µs | 20200.67 📋 pod-to-pod | other-node | TCP_CRR | 10s | 762µs | 1.15455ms | 18.837ms | 1.057ms | 1.413ms | 2.842ms | 865.36 📋 pod-to-pod | other-node | TCP_RR | 10s | 305µs | 466.07µs | 7.793ms | 435µs | 536µs | 1.211ms | 2142.90 📋 pod-to-pod | other-node | UDP_RR | 10s | 299µs | 451.41µs | 16.472ms | 418µs | 526µs | 1.162ms | 2212.38 📋 host-to-host | other-node | TCP_CRR | 10s | 714µs | 1.11194ms | 8.506ms | 996µs | 1.361ms | 3.5ms | 898.60 📋 host-to-host | other-node | TCP_RR | 10s | 295µs | 461.86µs | 7.879ms | 416µs | 538µs | 1.471ms | 2162.46 📋 host-to-host | other-node | UDP_RR | 10s | 292µs | 430.47µs | 12.183ms | 400µs | 501µs | 1.091ms | 2320.17 📋 pod-to-pod | same-node | TCP_CRR | 10s | 95µs | 158.23µs | 12.025ms | 135µs | 202µs | 470µs | 6298.03 📋 pod-to-pod | same-node | TCP_RR | 10s | 31µs | 50.67µs | 4.959ms | 49µs | 64µs | 118µs | 19571.78 📋 pod-to-pod | same-node | UDP_RR | 10s | 30µs | 48.64µs | 5.806ms | 47µs | 62µs | 116µs | 20379.56 📋 host-to-host | same-node | TCP_CRR | 10s | 107µs | 162.46µs | 13.512ms | 143µs | 203µs | 543µs | 6134.84 📋 host-to-host | same-node | TCP_RR | 10s | 31µs | 49.95µs | 9.565ms | 46µs | 64µs | 116µs | 19844.92 📋 host-to-host | same-node | UDP_RR | 10s | 32µs | 53.8µs | 9.315ms | 50µs | 68µs | 140µs | 18435.33 📋 pod-to-pod | other-node | TCP_CRR | 10s | 779µs | 1.10845ms | 7.736ms | 1.032ms | 1.328ms | 2.68ms | 901.38 📋 pod-to-pod | other-node | TCP_RR | 10s | 308µs | 453.37µs | 6.071ms | 419µs | 526µs | 1.196ms | 2203.14 📋 pod-to-pod | other-node | UDP_RR | 10s | 303µs | 473.46µs | 19.026ms | 419µs | 543µs | 1.704ms | 2109.48 📋 host-to-host | other-node | TCP_CRR | 10s | 739µs | 1.08138ms | 14.969ms | 993µs | 1.326ms | 2.566ms | 923.96 📋 host-to-host | other-node | TCP_RR | 10s | 293µs | 429.17µs | 11.309ms | 396µs | 491µs | 1.155ms | 2327.37 📋 host-to-host | other-node | UDP_RR | 10s | 288µs | 429.47µs | 8.627ms | 398µs | 493µs | 1.088ms | 2325.36 📋 pod-to-pod | same-node | TCP_CRR | 10s | 95µs | 159.08µs | 19.388ms | 135µs | 198µs | 479µs | 6263.89 📋 pod-to-pod | same-node | TCP_RR | 10s | 31µs | 50.82µs | 14.357ms | 48µs | 63µs | 126µs | 19507.35 📋 pod-to-pod | same-node | UDP_RR | 10s | 30µs | 48.42µs | 6.859ms | 46µs | 61µs | 115µs | 20470.00 📋 host-to-host | same-node | TCP_CRR | 10s | 98µs | 166.47µs | 16.335ms | 144µs | 204µs | 506µs | 5986.98 📋 host-to-host | same-node | TCP_RR | 10s | 32µs | 48.7µs | 5.069ms | 45µs | 62µs | 110µs | 20346.95 📋 host-to-host | same-node | UDP_RR | 10s | 32µs | 49.25µs | 4.462ms | 45µs | 62µs | 123µs | 20121.02 📋 pod-to-pod | other-node | TCP_CRR | 10s | 756µs | 1.16556ms | 12.169ms | 1.052ms | 1.434ms | 3.622ms | 857.29 📋 pod-to-pod | other-node | TCP_RR | 10s | 308µs | 474.68µs | 13.619ms | 421µs | 535µs | 1.804ms | 2104.15 📋 pod-to-pod | other-node | UDP_RR | 10s | 305µs | 452.77µs | 12.858ms | 420µs | 526µs | 1.15ms | 2205.79 📋 host-to-host | other-node | TCP_CRR | 10s | 731µs | 1.06169ms | 9.363ms | 980µs | 1.257ms | 2.792ms | 940.73 📋 host-to-host | other-node | TCP_RR | 10s | 289µs | 440.75µs | 10.215ms | 403µs | 506µs | 1.168ms | 2265.83 📋 host-to-host | other-node | UDP_RR | 10s | 298µs | 446.79µs | 26.481ms | 412µs | 515µs | 1.081ms | 2235.16 <span class="nt">--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</span> <span class="nt">----------------------------------------------------------------------------------------</span> 📋 Scenario | Node | Test | Duration | Throughput Mb/s <span class="nt">----------------------------------------------------------------------------------------</span> 📋 pod-to-pod | same-node | TCP_STREAM | 10s | 8197.07 📋 pod-to-pod | same-node | UDP_STREAM | 10s | 739.78 📋 pod-to-pod | same-node | TCP_STREAM_MULTI | 10s | 11374.82 📋 pod-to-pod | same-node | UDP_STREAM_MULTI | 10s | 1033.50 📋 host-to-host | same-node | TCP_STREAM | 10s | 16969.26 📋 host-to-host | same-node | UDP_STREAM | 10s | 732.87 📋 host-to-host | same-node | TCP_STREAM_MULTI | 10s | 23484.88 📋 host-to-host | same-node | UDP_STREAM_MULTI | 10s | 810.38 📋 pod-to-pod | other-node | TCP_STREAM | 10s | 1526.48 📋 pod-to-pod | other-node | UDP_STREAM | 10s | 364.91 📋 pod-to-pod | other-node | TCP_STREAM_MULTI | 10s | 1680.45 📋 pod-to-pod | other-node | UDP_STREAM_MULTI | 10s | 518.74 📋 host-to-host | other-node | TCP_STREAM | 10s | 1801.35 📋 host-to-host | other-node | UDP_STREAM | 10s | 420.75 📋 host-to-host | other-node | TCP_STREAM_MULTI | 10s | 1809.80 📋 host-to-host | other-node | UDP_STREAM_MULTI | 10s | 428.54 📋 pod-to-pod | same-node | TCP_STREAM | 10s | 8220.26 📋 pod-to-pod | same-node | UDP_STREAM | 10s | 888.74 📋 pod-to-pod | same-node | TCP_STREAM_MULTI | 10s | 11466.74 📋 pod-to-pod | same-node | UDP_STREAM_MULTI | 10s | 845.84 📋 host-to-host | same-node | TCP_STREAM | 10s | 17271.49 📋 host-to-host | same-node | UDP_STREAM | 10s | 646.52 📋 host-to-host | same-node | TCP_STREAM_MULTI | 10s | 23601.75 📋 host-to-host | same-node | UDP_STREAM_MULTI | 10s | 881.83 📋 pod-to-pod | other-node | TCP_STREAM | 10s | 1563.01 📋 pod-to-pod | other-node | UDP_STREAM | 10s | 346.93 📋 pod-to-pod | other-node | TCP_STREAM_MULTI | 10s | 1693.54 📋 pod-to-pod | other-node | UDP_STREAM_MULTI | 10s | 512.22 📋 host-to-host | other-node | TCP_STREAM | 10s | 1877.99 📋 host-to-host | other-node | UDP_STREAM | 10s | 393.55 📋 host-to-host | other-node | TCP_STREAM_MULTI | 10s | 1851.96 📋 host-to-host | other-node | UDP_STREAM_MULTI | 10s | 545.90 📋 pod-to-pod | same-node | TCP_STREAM | 10s | 8175.70 📋 pod-to-pod | same-node | UDP_STREAM | 10s | 874.48 📋 pod-to-pod | same-node | TCP_STREAM_MULTI | 10s | 11698.93 📋 pod-to-pod | same-node | UDP_STREAM_MULTI | 10s | 855.51 📋 host-to-host | same-node | TCP_STREAM | 10s | 17208.02 📋 host-to-host | same-node | UDP_STREAM | 10s | 709.62 📋 host-to-host | same-node | TCP_STREAM_MULTI | 10s | 23487.27 📋 host-to-host | same-node | UDP_STREAM_MULTI | 10s | 679.89 📋 pod-to-pod | other-node | TCP_STREAM | 10s | 1553.33 📋 pod-to-pod | other-node | UDP_STREAM | 10s | 360.14 📋 pod-to-pod | other-node | TCP_STREAM_MULTI | 10s | 1712.79 📋 pod-to-pod | other-node | UDP_STREAM_MULTI | 10s | 524.76 📋 host-to-host | other-node | TCP_STREAM | 10s | 1813.94 📋 host-to-host | other-node | UDP_STREAM | 10s | 436.07 📋 host-to-host | other-node | TCP_STREAM_MULTI | 10s | 1803.77 📋 host-to-host | other-node | UDP_STREAM_MULTI | 10s | 539.33 <span class="nt">----------------------------------------------------------------------------------------</span> </code></pre> </div> <p><strong>Configuration 1 – Standard Cilium (VXLAN)</strong></p> <ul> <li>Cross-node latency: ~287ms (TCP_CRR), ~144ms (TCP_RR)</li> <li>Cross-node throughput: 105–430 Mb/s</li> <li>Same-node performance: Excellent (14–29k ops/s, 12–79 Gb/s throughput)</li> </ul> <p><strong>Configuration 2 – Native Routing</strong></p> <ul> <li>Cross-node latency: ~265ms (TCP_CRR), ~134ms (TCP_RR)</li> <li>Cross-node throughput: 117–583 Mb/s (modest but noticeable improvements)</li> <li>Same-node performance: Comparable to VXLAN setup</li> </ul> <p><strong>4. Key Observations</strong></p> <p>Latency: Native routing consistently shaved off 7–20ms across nodes.</p> <p>Throughput: Gains were modest, but improvements were more visible in UDP scenarios.</p> <p>Simplicity: Removing VXLAN reduces encapsulation overhead and makes the datapath more transparent.</p> <p><strong>5. Conclusion</strong></p> <p>Native routing in Cilium does provide measurable improvements in hybrid setups, lower latency, slightly better throughput, and a cleaner datapath.</p> <p>That said, the improvements are incremental rather than game-changing. Given the complexity of the workaround required, I don’t consider it production ready for now.</p> <p>The good news is that the Sidero community is actively enhancing KubeSpan, and future releases may support native routing out of the box. If that happens, we’ll be able to combine the security and NAT traversal of KubeSpan with the performance benefits of native routing, without custom hacks.</p> kubernetes networking aws linux Boriss V Tue, 25 Mar 2025 08:00:32 +0000 https://dev.to/bnovickovs/hybrid-k8s-cluster-talos-kubespan-kilo-wireguard-1f45 https://dev.to/bnovickovs/hybrid-k8s-cluster-talos-kubespan-kilo-wireguard-1f45 <p>I was interested in trying out a hybrid Kubernetes setup and exploring some use cases.</p> <p>This setup involves creating three control plane (master) nodes in the cloud (AWS) and booting Talos worker nodes on-premises, then connecting them to the master nodes in the cloud.</p> <p>When it comes to on-premises worker nodes, you have the flexibility to choose any solution that fits your needs. Whether you're using a hypervisor or even local QEMU virtual machines, the choice is entirely up to you. In this guide, I will be using Proxmox because it makes things easier for me.</p> <p>Repository: <a href="https://github.com/kubebn/aws-talos-terraform-hybrid" rel="noopener noreferrer">https://github.com/kubebn/aws-talos-terraform-hybrid</a></p> <h2> AWS master nodes provisioning </h2> <ul> <li>Setup vars in <code>vars/dev.tfvars</code> </li> <li>Run Terraform </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply <span class="nt">-var-file</span><span class="o">=</span>vars/dev.tfvars <span class="nt">-auto-approve</span> </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">local_file</span><span class="err">.</span><span class="nx">kubeconfig</span><span class="err">:</span> <span class="nx">Creating</span><span class="err">...</span> <span class="nx">local_file</span><span class="err">.</span><span class="nx">kubeconfig</span><span class="err">:</span> <span class="nx">Creation</span> <span class="nx">complete</span> <span class="nx">after</span> <span class="mi">0</span><span class="nx">s</span> <span class="p">[</span><span class="nx">id</span><span class="err">=</span><span class="nx">d3443f0dfed1dbbf0e71f99dfbf0684dc1ca8b95</span><span class="p">]</span> <span class="nx">Apply</span> <span class="nx">complete</span><span class="err">!</span> <span class="nx">Resources</span><span class="err">:</span> <span class="mi">25</span> <span class="nx">added</span><span class="err">,</span> <span class="mi">0</span> <span class="nx">changed</span><span class="err">,</span> <span class="mi">0</span> <span class="nx">destroyed</span><span class="err">.</span> <span class="nx">Outputs</span><span class="err">:</span> <span class="nx">control_plane_private_ips</span> <span class="err">=</span> <span class="nx">tolist</span><span class="err">(</span><span class="p">[</span> <span class="s2">"192.168.1.135"</span><span class="p">,</span> <span class="s2">"192.168.2.122"</span><span class="p">,</span> <span class="s2">"192.168.0.157"</span><span class="p">,</span> <span class="p">]</span><span class="err">)</span> <span class="nx">control_plane_public_ips</span> <span class="err">=</span> <span class="nx">tolist</span><span class="err">(</span><span class="p">[</span> <span class="s2">"18.184.164.166"</span><span class="p">,</span> <span class="s2">"3.122.238.249"</span><span class="p">,</span> <span class="s2">"3.77.57.73"</span><span class="p">,</span> <span class="p">]</span><span class="err">)</span> </code></pre> </div> <p>Install <code>talosctl</code> and <code>kubectl</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-sL</span> https://talos.dev/install | sh curl <span class="nt">-LO</span> <span class="s2">"https://dl.k8s.io/release/</span><span class="si">$(</span>curl <span class="nt">-L</span> <span class="nt">-s</span> https://dl.k8s.io/release/stable.txt<span class="si">)</span><span class="s2">/bin/linux/amd64/kubectl"</span> <span class="nb">sudo install</span> <span class="nt">-o</span> root <span class="nt">-g</span> root <span class="nt">-m</span> 0755 kubectl /usr/local/bin/kubectl </code></pre> </div> <p>Apply <code>kubeconfig</code> and <code>talosconfig</code> files. These are generated in the same folder where the terraform apply command was executed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">TALOSCONFIG</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">PWD</span><span class="k">}</span><span class="s2">/talosconfig"</span> <span class="nb">export </span><span class="nv">KUBECONFIG</span><span class="o">=</span><span class="k">${</span><span class="nv">PWD</span><span class="k">}</span>/kubeconfig </code></pre> </div> <p>After that, you will see that the master nodes are ready, Kubespan is up, and Cilium is fully installed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get node <span class="nt">-o</span> wide NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME aws-controlplane-1 Ready control-plane 2m25s v1.32.3 192.168.1.135 18.184.164.166 Talos <span class="o">(</span>v1.9.5<span class="o">)</span> 6.12.18-talos containerd://2.0.3 aws-controlplane-2 Ready control-plane 2m36s v1.32.3 192.168.2.122 3.122.238.249 Talos <span class="o">(</span>v1.9.5<span class="o">)</span> 6.12.18-talos containerd://2.0.3 aws-controlplane-3 Ready control-plane 2m24s v1.32.3 192.168.0.157 3.77.57.73 Talos <span class="o">(</span>v1.9.5<span class="o">)</span> 6.12.18-talos containerd://2.0.3 kubectl get po <span class="nt">-A</span> NAMESPACE NAME READY STATUS RESTARTS AGE kube-system cilium-599jz 1/1 Running 0 80s kube-system cilium-5j6wl 1/1 Running 0 80s kube-system cilium-fkkwv 1/1 Running 0 80s kube-system cilium-install-tkfrf 0/1 Completed 0 111s kube-system cilium-operator-657bdd678b-lxblc 1/1 Running 0 80s kube-system coredns-578d4f8ffc-5lqfm 1/1 Running 0 111s kube-system coredns-578d4f8ffc-n4hwz 1/1 Running 0 111s kube-system kube-apiserver-aws-controlplane-1 1/1 Running 0 79s kube-system kube-apiserver-aws-controlplane-2 1/1 Running 0 107s kube-system kube-apiserver-aws-controlplane-3 1/1 Running 0 80s kube-system kube-controller-manager-aws-controlplane-1 1/1 Running 2 <span class="o">(</span>2m11s ago<span class="o">)</span> 79s kube-system kube-controller-manager-aws-controlplane-2 1/1 Running 0 107s kube-system kube-controller-manager-aws-controlplane-3 1/1 Running 0 80s kube-system kube-scheduler-aws-controlplane-1 1/1 Running 2 <span class="o">(</span>2m11s ago<span class="o">)</span> 79s kube-system kube-scheduler-aws-controlplane-2 1/1 Running 0 107s kube-system kube-scheduler-aws-controlplane-3 1/1 Running 0 80s kube-system talos-cloud-controller-manager-599fddb46d-9mmdk 1/1 Running 0 111s </code></pre> </div> <h2> Important Notes for Talos Machine Configuration on Master Nodes </h2> <p>We want to filter out the AWS private VPC from Kubespan, as on-premise workers won't be aware of it anyway.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">kubespan</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">filters</span><span class="pi">:</span> <span class="na">endpoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">0.0.0.0/0</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">!${vpc_subnet}'</span> </code></pre> </div> <p>Although, we have configured both kubelet and etcd to use the internal subnet.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">kubelet</span><span class="pi">:</span> <span class="na">nodeIP</span><span class="pi">:</span> <span class="na">validSubnets</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">${vpc_subnet}</span> <span class="na">etcd</span><span class="pi">:</span> <span class="na">extraArgs</span><span class="pi">:</span> <span class="na">election-timeout</span><span class="pi">:</span> <span class="s2">"</span><span class="s">5000"</span> <span class="na">heartbeat-interval</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1000"</span> <span class="na">advertisedSubnets</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">${vpc_subnet}</span> </code></pre> </div> <p>We have added the kubelet extraArgs for certificate rotation, and Talos CCM will handle that. You can find <a href="https://github.com/siderolabs/talos-cloud-controller-manager?tab=readme-ov-file#controllers" rel="noopener noreferrer">more details here.</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">kubelet</span><span class="pi">:</span> <span class="na">defaultRuntimeSeccompProfileEnabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">registerWithFQDN</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">extraArgs</span><span class="pi">:</span> <span class="na">cloud-provider</span><span class="pi">:</span> <span class="s">external</span> <span class="na">rotate-server-certificates</span><span class="pi">:</span> <span class="kc">true</span> <span class="nn">...</span> <span class="na">externalCloudProvider</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">manifests</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://raw.githubusercontent.com/siderolabs/talos-cloud-controller-manager/main/docs/deploy/cloud-controller-manager.yml</span> </code></pre> </div> <h2> DHCP/TFTP configuration in Proxmox </h2> <p>We have set up networking for virtual machines and LXC containers:</p> <ul> <li>LAN - 10.1.1.0/24</li> <li>Proxmox node - 10.1.1.1</li> <li>DHCP/tftp LXC container - 10.1.1.2</li> <li>Install curl and docker</li> <li>Download vmlinuz and initramfs.xz from Talos release repository.</li> <li>Copy matchbox contents into lxc container </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pct create 1000 <span class="nb">local</span>:vztmpl/ubuntu-24.10-standard_24.10-1_amd64.tar.zst <span class="se">\</span> <span class="nt">--hostname</span> net-lxc <span class="se">\</span> <span class="nt">--net0</span> <span class="nv">name</span><span class="o">=</span>eth0,bridge<span class="o">=</span>vmbr0,ip<span class="o">=</span>10.1.1.2/24,gw<span class="o">=</span>10.1.1.1 <span class="se">\</span> <span class="nt">--nameserver</span> 1.1.1.1 <span class="se">\</span> <span class="nt">--features</span> <span class="nv">keyctl</span><span class="o">=</span>1,nesting<span class="o">=</span>1 <span class="se">\</span> <span class="nt">--storage</span> local-lvm <span class="se">\</span> <span class="nt">--rootfs</span> <span class="nb">local</span>:8 <span class="se">\</span> <span class="nt">--ssh-public-keys</span> .ssh/id_rsa.pub <span class="se">\</span> <span class="nt">--unprivileged</span><span class="o">=</span><span class="nb">true </span>pct start 1000 ssh root@10.1.1.2 apt update <span class="o">&amp;&amp;</span> apt <span class="nb">install </span>curl <span class="nt">-y</span> curl <span class="nt">-s</span> https://get.docker.com | <span class="nb">sudo </span>bash curl <span class="nt">-L</span> https://github.com/siderolabs/talos/releases/download/v1.9.5/initramfs-amd64.xz <span class="nt">-o</span> initramfs-amd64.xz curl <span class="nt">-L</span> https://github.com/siderolabs/talos/releases/download/v1.9.5/vmlinuz-amd64 <span class="nt">-o</span> vmlinuz-amd64 </code></pre> </div> <p>Configure DHCP range, gateway, matchbox endpoint ip address in <code>matchbox/docker-compose.yaml</code> file.</p> <p>Start DHCP/TFTP server via docker compose:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up <span class="nt">-d</span> <span class="nt">---</span> docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 9f04e46194bf quay.io/poseidon/dnsmasq:v0.5.0-32-g4327d60-amd64 <span class="s2">"/usr/sbin/dnsmasq -…"</span> 2 hours ago Up 2 hours dnsmasq 5db45718aa0a root-matchbox <span class="s2">"/matchbox -address=…"</span> 2 hours ago Up 2 hours matchbox </code></pre> </div> <h2> Connecting on-premise workers </h2> <p>Talos machine configuration for workers is generated by terraform, look for <code>worker.yaml</code>. We are going to apply this to each worker in Proxmox.</p> <p><strong>Create VMs</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span><span class="nb">id </span><span class="k">in</span> <span class="o">{</span>1001..1003<span class="o">}</span><span class="p">;</span> <span class="k">do </span>qm create <span class="nv">$id</span> <span class="nt">--name</span> vm<span class="nv">$id</span> <span class="nt">--memory</span> 12088 <span class="nt">--cores</span> 3 <span class="nt">--net0</span> virtio,bridge<span class="o">=</span>vmbr0 <span class="nt">--ostype</span> l26 <span class="nt">--scsihw</span> virtio-scsi-pci <span class="nt">--sata0</span> lvm1:32 <span class="nt">--cpu</span> host <span class="o">&amp;&amp;</span> qm start <span class="nv">$id</span> <span class="k">done</span> </code></pre> </div> <p><strong>Scan for Talos API open ports and extract IP addresses</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">WORKER_IPS</span><span class="o">=</span><span class="si">$(</span>nmap <span class="nt">-Pn</span> <span class="nt">-n</span> <span class="nt">-p</span> 50000 10.1.1.0/24 <span class="nt">-vv</span> | <span class="nb">grep</span> <span class="s1">'Discovered'</span> | <span class="nb">awk</span> <span class="s1">'{print $6}'</span><span class="si">)</span> </code></pre> </div> <p><strong>Apply configuration to each discovered IP</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$WORKER_IPS</span><span class="s2">"</span> | <span class="k">while </span><span class="nb">read</span> <span class="nt">-r</span> WORKER_IP<span class="p">;</span> <span class="k">do </span>talosctl apply-config <span class="nt">--insecure</span> <span class="nt">--nodes</span> <span class="nv">$WORKER_IP</span> <span class="nt">--file</span> worker.yaml <span class="k">done</span> </code></pre> </div> <h2> Let’s take a look at the result </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get node <span class="nt">-o</span> wide NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME aws-controlplane-1 Ready control-plane 2m25s v1.32.3 192.168.1.135 18.184.164.166 Talos <span class="o">(</span>v1.9.5<span class="o">)</span> 6.12.18-talos containerd://2.0.3 aws-controlplane-2 Ready control-plane 2m36s v1.32.3 192.168.2.122 3.122.238.249 Talos <span class="o">(</span>v1.9.5<span class="o">)</span> 6.12.18-talos containerd://2.0.3 aws-controlplane-3 Ready control-plane 2m24s v1.32.3 192.168.0.157 3.77.57.73 Talos <span class="o">(</span>v1.9.5<span class="o">)</span> 6.12.18-talos containerd://2.0.3 talos-9mf-ujc Ready &lt;none&gt; 29s v1.32.3 10.1.1.24 &lt;none&gt; Talos <span class="o">(</span>v1.9.5<span class="o">)</span> 6.12.18-talos containerd://2.0.3 talos-lv8-bc7 Ready &lt;none&gt; 29s v1.32.3 10.1.1.10 &lt;none&gt; Talos <span class="o">(</span>v1.9.5<span class="o">)</span> 6.12.18-talos containerd://2.0.3 talos-ohr-1c3 Ready &lt;none&gt; 29s v1.32.3 10.1.1.23 &lt;none&gt; Talos <span class="o">(</span>v1.9.5<span class="o">)</span> 6.12.18-talos containerd://2.0.3 talosctl get kubespanpeerstatuses <span class="nt">-n</span> 192.168.1.135,192.168.2.122,192.168.0.157,10.1.1.24,10.1.1.19,10.1.1.12 NODE NAMESPACE TYPE ID VERSION LABEL ENDPOINT STATE RX TX 192.168.1.135 kubespan KubeSpanPeerStatus <span class="nv">Hh2ldeBX7kuct6Bynehjdgo6xkcOlZ4yUWWQVBqHLWQ</span><span class="o">=</span> 11 talos-fgw-qpv proxmo-publicip:53639 up 84312 69860 192.168.1.135 kubespan KubeSpanPeerStatus <span class="nv">If8ZqCQ1jp0mFV8igLGpfXpYycQSVBTSlT88YUr7eEM</span><span class="o">=</span> 11 talos-4re-kxo proxmo-publicip:53923 up 82160 99412 192.168.1.135 kubespan KubeSpanPeerStatus iKXIODHF3Tx2b4JsA433j8ey9+CWTKrx5To+4lsofTg<span class="o">=</span> 11 talos-7ye-8j0 proxmo-publicip:51820 up 43608 58280 192.168.1.135 kubespan KubeSpanPeerStatus oxU0e9yTFvN+lCGcIO4s13erkWjtIKrVzb8dX+GYLxE<span class="o">=</span> 26 aws-controlplane-3 3.77.57.73:51820 up 7484600 16097980 192.168.1.135 kubespan KubeSpanPeerStatus vAHCI1pwTbaP/LHwO0MnCGELXsEstQahS0o9WkdVK0g<span class="o">=</span> 26 aws-controlplane-2 3.122.238.249:51820 up 6742536 15472144 192.168.2.122 kubespan KubeSpanPeerStatus <span class="nv">Hh2ldeBX7kuct6Bynehjdgo6xkcOlZ4yUWWQVBqHLWQ</span><span class="o">=</span> 11 talos-fgw-qpv proxmo-publicip:53639 up 178960 354776 192.168.2.122 kubespan KubeSpanPeerStatus <span class="nv">If8ZqCQ1jp0mFV8igLGpfXpYycQSVBTSlT88YUr7eEM</span><span class="o">=</span> 11 talos-4re-kxo proxmo-publicip:53923 up 232064 897928 192.168.2.122 kubespan KubeSpanPeerStatus iKXIODHF3Tx2b4JsA433j8ey9+CWTKrx5To+4lsofTg<span class="o">=</span> 11 talos-7ye-8j0 proxmo-publicip:51820 up 92856 254520 192.168.2.122 kubespan KubeSpanPeerStatus oxU0e9yTFvN+lCGcIO4s13erkWjtIKrVzb8dX+GYLxE<span class="o">=</span> 23 aws-controlplane-3 3.77.57.73:51820 up 1557896 1954328 192.168.2.122 kubespan KubeSpanPeerStatus uzi7NCL64o+ILeyqa6/Pq0UWdcVyfjWulZQB+a2Av30<span class="o">=</span> 27 aws-controlplane-1 18.184.164.166:51820 up 15506236 6773440 192.168.0.157 kubespan KubeSpanPeerStatus <span class="nv">Hh2ldeBX7kuct6Bynehjdgo6xkcOlZ4yUWWQVBqHLWQ</span><span class="o">=</span> 11 talos-fgw-qpv proxmo-publicip:53639 up 261464 916524 192.168.0.157 kubespan KubeSpanPeerStatus <span class="nv">If8ZqCQ1jp0mFV8igLGpfXpYycQSVBTSlT88YUr7eEM</span><span class="o">=</span> 11 talos-4re-kxo proxmo-publicip:53923 up 141868 277180 192.168.0.157 kubespan KubeSpanPeerStatus iKXIODHF3Tx2b4JsA433j8ey9+CWTKrx5To+4lsofTg<span class="o">=</span> 11 talos-7ye-8j0 proxmo-publicip:51820 up 172996 830504 192.168.0.157 kubespan KubeSpanPeerStatus uzi7NCL64o+ILeyqa6/Pq0UWdcVyfjWulZQB+a2Av30<span class="o">=</span> 25 aws-controlplane-1 18.184.164.166:51820 up 16126096 7507456 192.168.0.157 kubespan KubeSpanPeerStatus vAHCI1pwTbaP/LHwO0MnCGELXsEstQahS0o9WkdVK0g<span class="o">=</span> 24 aws-controlplane-2 3.122.238.249:51820 up 1954180 1557896 10.1.1.24 kubespan KubeSpanPeerStatus <span class="nv">Hh2ldeBX7kuct6Bynehjdgo6xkcOlZ4yUWWQVBqHLWQ</span><span class="o">=</span> 10 talos-fgw-qpv 10.1.1.12:51820 up 12204 11960 10.1.1.24 kubespan KubeSpanPeerStatus iKXIODHF3Tx2b4JsA433j8ey9+CWTKrx5To+4lsofTg<span class="o">=</span> 10 talos-7ye-8j0 10.1.1.19:51820 up 16316 15624 10.1.1.24 kubespan KubeSpanPeerStatus oxU0e9yTFvN+lCGcIO4s13erkWjtIKrVzb8dX+GYLxE<span class="o">=</span> 10 aws-controlplane-3 3.77.57.73:51820 up 278988 143592 10.1.1.24 kubespan KubeSpanPeerStatus uzi7NCL64o+ILeyqa6/Pq0UWdcVyfjWulZQB+a2Av30<span class="o">=</span> 10 aws-controlplane-1 18.184.164.166:51820 up 100932 84220 10.1.1.24 kubespan KubeSpanPeerStatus vAHCI1pwTbaP/LHwO0MnCGELXsEstQahS0o9WkdVK0g<span class="o">=</span> 10 aws-controlplane-2 3.122.238.249:51820 up 897880 231472 10.1.1.19 kubespan KubeSpanPeerStatus <span class="nv">Hh2ldeBX7kuct6Bynehjdgo6xkcOlZ4yUWWQVBqHLWQ</span><span class="o">=</span> 10 talos-fgw-qpv 10.1.1.12:51820 up 12692 12732 10.1.1.19 kubespan KubeSpanPeerStatus <span class="nv">If8ZqCQ1jp0mFV8igLGpfXpYycQSVBTSlT88YUr7eEM</span><span class="o">=</span> 10 talos-4re-kxo 10.1.1.24:51820 up 15476 16316 10.1.1.19 kubespan KubeSpanPeerStatus oxU0e9yTFvN+lCGcIO4s13erkWjtIKrVzb8dX+GYLxE<span class="o">=</span> 10 aws-controlplane-3 3.77.57.73:51820 up 832688 176132 10.1.1.19 kubespan KubeSpanPeerStatus uzi7NCL64o+ILeyqa6/Pq0UWdcVyfjWulZQB+a2Av30<span class="o">=</span> 10 aws-controlplane-1 18.184.164.166:51820 up 59680 45224 10.1.1.19 kubespan KubeSpanPeerStatus vAHCI1pwTbaP/LHwO0MnCGELXsEstQahS0o9WkdVK0g<span class="o">=</span> 10 aws-controlplane-2 3.122.238.249:51820 up 255472 94296 10.1.1.12 kubespan KubeSpanPeerStatus <span class="nv">If8ZqCQ1jp0mFV8igLGpfXpYycQSVBTSlT88YUr7eEM</span><span class="o">=</span> 10 talos-4re-kxo 10.1.1.24:51820 up 11812 12204 10.1.1.12 kubespan KubeSpanPeerStatus iKXIODHF3Tx2b4JsA433j8ey9+CWTKrx5To+4lsofTg<span class="o">=</span> 10 talos-7ye-8j0 10.1.1.19:51820 up 12732 12840 10.1.1.12 kubespan KubeSpanPeerStatus oxU0e9yTFvN+lCGcIO4s13erkWjtIKrVzb8dX+GYLxE<span class="o">=</span> 10 aws-controlplane-3 3.77.57.73:51820 up 920660 265640 10.1.1.12 kubespan KubeSpanPeerStatus uzi7NCL64o+ILeyqa6/Pq0UWdcVyfjWulZQB+a2Av30<span class="o">=</span> 10 aws-controlplane-1 18.184.164.166:51820 up 67776 82092 10.1.1.12 kubespan KubeSpanPeerStatus vAHCI1pwTbaP/LHwO0MnCGELXsEstQahS0o9WkdVK0g<span class="o">=</span> 10 aws-controlplane-2 3.122.238.249:51820 up 355552 180240 </code></pre> </div> <p><strong>Let’s check if the Kubernetes networking is functioning correctly:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create ns network-test kubectl label ns network-test pod-security.kubernetes.io/enforce<span class="o">=</span>privileged kubectl apply <span class="nt">-f</span> https://raw.githubusercontent.com/cilium/cilium/refs/heads/main/examples/kubernetes/connectivity-check/connectivity-check.yaml <span class="nt">-n</span> network-test kubectl get po <span class="nt">-n</span> network-test NAME READY STATUS RESTARTS AGE echo-a-54dcdd77c-6wjnw 1/1 Running 0 62s echo-b-549fdb8f8c-j4sw7 1/1 Running 0 61s echo-b-host-7cfdb688b7-ppz9f 1/1 Running 0 61s host-to-b-multi-node-clusterip-c54bf67bf-hhm5h 1/1 Running 0 60s host-to-b-multi-node-headless-55f66fc4c7-f8fc4 1/1 Running 0 60s pod-to-a-5f56dc8c9b-kk6c2 1/1 Running 0 61s pod-to-a-allowed-cnp-5dc859fd98-pvxzj 1/1 Running 0 61s pod-to-a-denied-cnp-68976d7584-wm52m 1/1 Running 0 61s pod-to-b-intra-node-nodeport-5884978697-c5rs2 1/1 Running 0 60s pod-to-b-multi-node-clusterip-7d65578cf5-2jh97 1/1 Running 0 61s pod-to-b-multi-node-headless-8557d86d6f-shvzx 1/1 Running 0 61s pod-to-b-multi-node-nodeport-7847b5df8f-9kg89 1/1 Running 0 60s pod-to-external-1111-797c647566-666l4 1/1 Running 0 61s pod-to-external-fqdn-allow-google-cnp-5688c867dd-dkvpk 0/1 Running 0 61s <span class="c"># can be ignored</span> </code></pre> </div> <h2> Kubernetes Network Benchmark </h2> <p>We will use <a href="https://github.com/InfraBuilder/k8s-bench-suite" rel="noopener noreferrer">k8s-bench-suite</a> to benchmark networking performance between the nodes.</p> <p><strong>From the control plane to worker:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl taint nodes aws-controlplane-1 node-role.kubernetes.io/control-plane:NoSchedule- knb <span class="nt">--verbose</span> <span class="nt">--client-node</span> aws-controlplane-1 <span class="nt">--server-node</span> talos-4re-kxo <span class="o">=========================================================</span> Benchmark Results <span class="o">=========================================================</span> Name : knb-3420914 Date : 2025-03-18 04:14:12 UTC Generator : knb Version : 1.5.0 Server : talos-4re-kxo Client : aws-controlplane-1 UDP Socket size : auto <span class="o">=========================================================</span> Discovered CPU : Intel<span class="o">(</span>R<span class="o">)</span> Xeon<span class="o">(</span>R<span class="o">)</span> Gold 6240 CPU @ 2.60GHz Discovered Kernel : 6.12.18-talos Discovered k8s version : Discovered MTU : 1420 Idle : bandwidth <span class="o">=</span> 0 Mbit/s client cpu <span class="o">=</span> total 13.45% <span class="o">(</span>user 3.81%, <span class="nb">nice </span>0.00%, system 2.92%, iowait 0.53%, steal 6.19%<span class="o">)</span> server cpu <span class="o">=</span> total 3.28% <span class="o">(</span>user 1.75%, <span class="nb">nice </span>0.00%, system 1.53%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 985 MB server ram <span class="o">=</span> 673 MB Pod to pod : TCP : bandwidth <span class="o">=</span> 887 Mbit/s client cpu <span class="o">=</span> total 75.29% <span class="o">(</span>user 4.07%, <span class="nb">nice </span>0.00%, system 57.20%, iowait 0.29%, steal 13.73%<span class="o">)</span> server cpu <span class="o">=</span> total 36.16% <span class="o">(</span>user 2.06%, <span class="nb">nice </span>0.00%, system 34.10%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 995 MB server ram <span class="o">=</span> 697 MB UDP : bandwidth <span class="o">=</span> 350 Mbit/s client cpu <span class="o">=</span> total 79.95% <span class="o">(</span>user 6.68%, <span class="nb">nice </span>0.00%, system 54.20%, iowait 0.22%, steal 18.85%<span class="o">)</span> server cpu <span class="o">=</span> total 20.95% <span class="o">(</span>user 2.61%, <span class="nb">nice </span>0.00%, system 18.34%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 1000 MB server ram <span class="o">=</span> 653 MB Pod to Service : TCP : bandwidth <span class="o">=</span> 1063 Mbit/s client cpu <span class="o">=</span> total 80.58% <span class="o">(</span>user 3.89%, <span class="nb">nice </span>0.00%, system 68.36%, iowait 0.05%, steal 8.28%<span class="o">)</span> server cpu <span class="o">=</span> total 42.44% <span class="o">(</span>user 2.26%, <span class="nb">nice </span>0.00%, system 40.18%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 1008 MB server ram <span class="o">=</span> 696 MB UDP : bandwidth <span class="o">=</span> 322 Mbit/s client cpu <span class="o">=</span> total 78.57% <span class="o">(</span>user 6.24%, <span class="nb">nice </span>0.00%, system 57.02%, iowait 0.18%, steal 15.13%<span class="o">)</span> server cpu <span class="o">=</span> total 21.02% <span class="o">(</span>user 2.54%, <span class="nb">nice </span>0.00%, system 18.48%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 995 MB server ram <span class="o">=</span> 668 MB <span class="o">=========================================================</span> </code></pre> </div> <p><strong>From worker to worker locally:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>knb <span class="nt">--verbose</span> <span class="nt">--client-node</span> talos-7ye-8j0 <span class="nt">--server-node</span> talos-4re-kxo <span class="o">=========================================================</span> Benchmark Results <span class="o">=========================================================</span> Name : knb-3423407 Date : 2025-03-18 04:16:29 UTC Generator : knb Version : 1.5.0 Server : talos-4re-kxo Client : talos-7ye-8j0 UDP Socket size : auto <span class="o">=========================================================</span> Discovered CPU : Intel<span class="o">(</span>R<span class="o">)</span> Xeon<span class="o">(</span>R<span class="o">)</span> Gold 6240 CPU @ 2.60GHz Discovered Kernel : 6.12.18-talos Discovered k8s version : Discovered MTU : 1420 Idle : bandwidth <span class="o">=</span> 0 Mbit/s client cpu <span class="o">=</span> total 2.97% <span class="o">(</span>user 1.50%, <span class="nb">nice </span>0.00%, system 1.47%, iowait 0.00%, steal 0.00%<span class="o">)</span> server cpu <span class="o">=</span> total 3.34% <span class="o">(</span>user 1.72%, <span class="nb">nice </span>0.00%, system 1.62%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 552 MB server ram <span class="o">=</span> 688 MB Pod to pod : TCP : bandwidth <span class="o">=</span> 1868 Mbit/s client cpu <span class="o">=</span> total 61.44% <span class="o">(</span>user 2.59%, <span class="nb">nice </span>0.00%, system 58.82%, iowait 0.03%, steal 0.00%<span class="o">)</span> server cpu <span class="o">=</span> total 70.40% <span class="o">(</span>user 2.82%, <span class="nb">nice </span>0.00%, system 67.58%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 546 MB server ram <span class="o">=</span> 801 MB UDP : bandwidth <span class="o">=</span> 912 Mbit/s client cpu <span class="o">=</span> total 64.14% <span class="o">(</span>user 3.75%, <span class="nb">nice </span>0.06%, system 60.30%, iowait 0.03%, steal 0.00%<span class="o">)</span> server cpu <span class="o">=</span> total 52.89% <span class="o">(</span>user 4.29%, <span class="nb">nice </span>0.00%, system 48.60%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 556 MB server ram <span class="o">=</span> 679 MB Pod to Service : TCP : bandwidth <span class="o">=</span> 1907 Mbit/s client cpu <span class="o">=</span> total 58.43% <span class="o">(</span>user 2.15%, <span class="nb">nice </span>0.00%, system 56.25%, iowait 0.00%, steal 0.03%<span class="o">)</span> server cpu <span class="o">=</span> total 61.83% <span class="o">(</span>user 2.35%, <span class="nb">nice </span>0.03%, system 59.45%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 547 MB server ram <span class="o">=</span> 813 MB UDP : bandwidth <span class="o">=</span> 887 Mbit/s client cpu <span class="o">=</span> total 57.50% <span class="o">(</span>user 3.88%, <span class="nb">nice </span>0.00%, system 53.62%, iowait 0.00%, steal 0.00%<span class="o">)</span> server cpu <span class="o">=</span> total 52.33% <span class="o">(</span>user 4.18%, <span class="nb">nice </span>0.03%, system 48.12%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 556 MB server ram <span class="o">=</span> 685 MB <span class="o">=========================================================</span> </code></pre> </div> <p>Interestingly, all our traffic is actually routed through the Kubespan/WireGuard tunnel. For comparison, I created a new local cluster without Kubespan, and the results were different:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>k get node <span class="nt">-o</span> wide NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME talos-pft-tax Ready control-plane 52s v1.32.0 10.1.1.17 &lt;none&gt; Talos <span class="o">(</span>v1.9.1<span class="o">)</span> 6.12.6-talos containerd://2.0.1 talos-tfy-nig Ready &lt;none&gt; 49s v1.32.0 10.1.1.16 &lt;none&gt; Talos <span class="o">(</span>v1.9.1<span class="o">)</span> 6.12.6-talos containerd://2.0.1 knb <span class="nt">--verbose</span> <span class="nt">--client-node</span> talos-pft-tax <span class="nt">--server-node</span> talos-tfy-nig <span class="o">=========================================================</span> Benchmark Results <span class="o">=========================================================</span> Name : knb-3432162 Date : 2025-03-18 04:32:21 UTC Generator : knb Version : 1.5.0 Server : talos-tfy-nig Client : talos-pft-tax UDP Socket size : auto <span class="o">=========================================================</span> Discovered CPU : QEMU Virtual CPU version 2.5+ Discovered Kernel : 6.12.6-talos Discovered k8s version : Discovered MTU : 1450 Idle : bandwidth <span class="o">=</span> 0 Mbit/s client cpu <span class="o">=</span> total 3.56% <span class="o">(</span>user 1.85%, <span class="nb">nice </span>0.00%, system 1.62%, iowait 0.09%, steal 0.00%<span class="o">)</span> server cpu <span class="o">=</span> total 1.41% <span class="o">(</span>user 0.59%, <span class="nb">nice </span>0.00%, system 0.82%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 775 MB server ram <span class="o">=</span> 401 MB Pod to pod : TCP : bandwidth <span class="o">=</span> 6276 Mbit/s client cpu <span class="o">=</span> total 23.32% <span class="o">(</span>user 2.97%, <span class="nb">nice </span>0.00%, system 20.24%, iowait 0.11%, steal 0.00%<span class="o">)</span> server cpu <span class="o">=</span> total 25.49% <span class="o">(</span>user 2.13%, <span class="nb">nice </span>0.00%, system 23.36%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 709 MB server ram <span class="o">=</span> 391 MB UDP : bandwidth <span class="o">=</span> 861 Mbit/s client cpu <span class="o">=</span> total 55.67% <span class="o">(</span>user 6.55%, <span class="nb">nice </span>0.00%, system 49.02%, iowait 0.05%, steal 0.05%<span class="o">)</span> server cpu <span class="o">=</span> total 46.81% <span class="o">(</span>user 7.85%, <span class="nb">nice </span>0.00%, system 38.96%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 711 MB server ram <span class="o">=</span> 382 MB Pod to Service : TCP : bandwidth <span class="o">=</span> 6326 Mbit/s client cpu <span class="o">=</span> total 24.26% <span class="o">(</span>user 4.05%, <span class="nb">nice </span>0.00%, system 20.11%, iowait 0.10%, steal 0.00%<span class="o">)</span> server cpu <span class="o">=</span> total 25.99% <span class="o">(</span>user 2.22%, <span class="nb">nice </span>0.00%, system 23.77%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 693 MB server ram <span class="o">=</span> 333 MB UDP : bandwidth <span class="o">=</span> 877 Mbit/s client cpu <span class="o">=</span> total 52.58% <span class="o">(</span>user 7.26%, <span class="nb">nice </span>0.00%, system 45.27%, iowait 0.05%, steal 0.00%<span class="o">)</span> server cpu <span class="o">=</span> total 46.81% <span class="o">(</span>user 7.76%, <span class="nb">nice </span>0.00%, system 39.05%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 705 MB server ram <span class="o">=</span> 334 MB <span class="o">=========================================================</span> </code></pre> </div> <p>Although Kubespan works well out of the box, it does not yet support meshed topologies, where you need to control how traffic is routed for specific node pools.</p> <p>There is already an open issue for this, <a href="https://github.com/siderolabs/talos/issues/8364" rel="noopener noreferrer">which you can find here.</a></p> <h2> Kilo </h2> <p>A solution that supports meshed logical topologies - <a href="https://kilo.squat.ai/" rel="noopener noreferrer">Kilo</a>. It enables you to manage traffic between nodes in multiple datacenters while keeping native networking intact within each datacenter, <a href="https://kilo.squat.ai/docs/topology#logical-groups" rel="noopener noreferrer">for intra-datacenter communication.</a></p> <p>The downside is that Kilo requires some customizations, which means additional logic and automation would need to be applied.</p> <h2> Apply terraform using Talos machine configuration for Kilo </h2> <p>The <code>kilo-controlplane.tpl</code> file has Kubespan disabled and kube-proxy enabled. For the CNI, we deploy Kilo, and we also add a CustomResourceDefinition for <code>peers.kilo.squat.ai</code> in the <code>inlineManifests</code>.</p> <p>Update the paths in the <code>talos.tf</code> file by changing <code>controlplane.tpl</code> and <code>worker.tpl</code> to <code>kilo-controlplane.tpl</code> and <code>kilo-worker.tpl</code>, respectively.</p> <p>We follow the same process for spinning up the nodes in both AWS and Proxmox.</p> <p>Once the masters are ready, Kilo will fail because it can't find the kubeconfig access. This issue arises because we are using Talos instead of plain kubeadm. To fix this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create configmap kube-proxy <span class="nt">--from-file</span><span class="o">=</span>kubeconfig.conf<span class="o">=</span>kubeconfig <span class="nt">-n</span> kube-system kubectl get node <span class="nt">-o</span> wide NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME aws-controlplane-1 Ready control-plane 15m v1.32.3 192.168.1.55 3.73.119.119 Talos <span class="o">(</span>v1.9.5<span class="o">)</span> 6.12.18-talos containerd://2.0.3 aws-controlplane-2 Ready control-plane 16m v1.32.3 192.168.0.75 18.195.244.87 Talos <span class="o">(</span>v1.9.5<span class="o">)</span> 6.12.18-talos containerd://2.0.3 aws-controlplane-3 Ready control-plane 16m v1.32.3 192.168.2.68 18.185.241.183 Talos <span class="o">(</span>v1.9.5<span class="o">)</span> 6.12.18-talos containerd://2.0.3 talos-8vs-lte Ready &lt;none&gt; 2m20s v1.32.3 10.1.1.22 &lt;none&gt; Talos <span class="o">(</span>v1.9.5<span class="o">)</span> 6.12.18-talos containerd://2.0.3 talos-8wf-r6g Ready &lt;none&gt; 2m19s v1.32.3 10.1.1.21 &lt;none&gt; Talos <span class="o">(</span>v1.9.5<span class="o">)</span> 6.12.18-talos containerd://2.0.3 talos-ub5-bc2 Ready &lt;none&gt; 2m14s v1.32.3 10.1.1.23 &lt;none&gt; Talos <span class="o">(</span>v1.9.5<span class="o">)</span> 6.12.18-talos containerd://2.0.3 ... kube-system kilo-286hz 1/1 Running 0 6m46s 10.1.1.22 talos-8vs-lte &lt;none&gt; &lt;none&gt; kube-system kilo-4h8kn 1/1 Running 0 12m 10.1.1.21 talos-8wf-r6g &lt;none&gt; &lt;none&gt; kube-system kilo-gcclp 1/1 Running 0 13m 192.168.2.68 aws-controlplane-3 &lt;none&gt; &lt;none&gt; kube-system kilo-rq2sl 1/1 Running 0 4m17s 192.168.1.55 aws-controlplane-1 &lt;none&gt; &lt;none&gt; </code></pre> </div> <p>Next, we need to specify the topology, set logical locations, and ensure that at least one node in each location has an IP address that is routable from the other locations.</p> <p><strong>For aws control planes (location):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>node <span class="k">in</span> <span class="si">$(</span>kubectl get nodes | <span class="nb">grep</span> <span class="nt">-i</span> aws | <span class="nb">awk</span> <span class="s1">'{print $1}'</span><span class="si">)</span><span class="p">;</span> <span class="k">do </span>kubectl annotate node <span class="nv">$node</span> kilo.squat.ai/location<span class="o">=</span><span class="s2">"aws"</span><span class="p">;</span> <span class="k">done</span> </code></pre> </div> <p><strong>For workers (location):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl annotate node talos-8vs-lte talos-8wf-r6g talos-ub5-bc2 kilo.squat.ai/location<span class="o">=</span><span class="s2">"on-prem"</span> </code></pre> </div> <p><strong>Endpoint for each location:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl annotate node talos-8vs-lte kilo.squat.ai/force-endpoint<span class="o">=</span><span class="s2">"proxmox-public-ip:51820"</span> kubectl annotate node aws-controlplane-1 kilo.squat.ai/force-endpoint<span class="o">=</span><span class="s2">"3.73.119.119:51820"</span> </code></pre> </div> <p>Rolling out and checking the network again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl rollout restart ds/kilo <span class="nt">-n</span> kube-system kubectl get po <span class="nt">-n</span> network-test NAME READY STATUS RESTARTS AGE echo-a-54dcdd77c-psgqb 1/1 Running 0 34s echo-b-549fdb8f8c-5pjbk 1/1 Running 0 34s echo-b-host-7cfdb688b7-zff5b 1/1 Running 0 34s host-to-b-multi-node-clusterip-c54bf67bf-f7d6c 1/1 Running 0 33s host-to-b-multi-node-headless-55f66fc4c7-kd2wv 1/1 Running 0 33s pod-to-a-5f56dc8c9b-64k7v 1/1 Running 0 34s pod-to-a-allowed-cnp-5dc859fd98-684lh 1/1 Running 0 34s pod-to-a-denied-cnp-68976d7584-6w6fn 1/1 Running 0 34s pod-to-b-intra-node-nodeport-5884978697-ddtz4 1/1 Running 0 32s pod-to-b-multi-node-clusterip-7d65578cf5-rx9ws 1/1 Running 0 33s pod-to-b-multi-node-headless-8557d86d6f-8dqr8 1/1 Running 0 33s pod-to-b-multi-node-nodeport-7847b5df8f-zjlzt 1/1 Running 0 33s pod-to-external-1111-797c647566-qnc22 1/1 Running 0 34s pod-to-external-fqdn-allow-google-cnp-5688c867dd-9btvt 1/1 Running 0 33s </code></pre> </div> <h2> Kilo knb benchmark </h2> <p>Let’s test the network performance by running the same test between the master and worker nodes, as well as between worker nodes.</p> <p><strong>Master to worker:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl taint nodes aws-controlplane-1 node-role.kubernetes.io/control-plane:NoSchedule- knb <span class="nt">--verbose</span> <span class="nt">--client-node</span> aws-controlplane-1 <span class="nt">--server-node</span> talos-8vs-lte <span class="o">=========================================================</span> Benchmark Results <span class="o">=========================================================</span> Name : knb-3461466 Date : 2025-03-18 05:25:08 UTC Generator : knb Version : 1.5.0 Server : talos-8vs-lte Client : aws-controlplane-1 UDP Socket size : auto <span class="o">=========================================================</span> Discovered CPU : Intel<span class="o">(</span>R<span class="o">)</span> Xeon<span class="o">(</span>R<span class="o">)</span> Gold 6240 CPU @ 2.60GHz Discovered Kernel : 6.12.18-talos Discovered k8s version : Discovered MTU : 1420 Idle : bandwidth <span class="o">=</span> 0 Mbit/s client cpu <span class="o">=</span> total 15.67% <span class="o">(</span>user 4.70%, <span class="nb">nice </span>0.00%, system 2.74%, iowait 0.44%, steal 7.79%<span class="o">)</span> server cpu <span class="o">=</span> total 2.82% <span class="o">(</span>user 1.41%, <span class="nb">nice </span>0.00%, system 1.41%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 799 MB server ram <span class="o">=</span> 417 MB Pod to pod : TCP : bandwidth <span class="o">=</span> 942 Mbit/s client cpu <span class="o">=</span> total 61.10% <span class="o">(</span>user 5.12%, <span class="nb">nice </span>0.00%, system 36.35%, iowait 0.39%, steal 19.24%<span class="o">)</span> server cpu <span class="o">=</span> total 22.78% <span class="o">(</span>user 1.35%, <span class="nb">nice </span>0.00%, system 21.43%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 787 MB server ram <span class="o">=</span> 479 MB UDP : bandwidth <span class="o">=</span> 448 Mbit/s client cpu <span class="o">=</span> total 75.97% <span class="o">(</span>user 6.76%, <span class="nb">nice </span>0.00%, system 49.81%, iowait 0.28%, steal 19.12%<span class="o">)</span> server cpu <span class="o">=</span> total 18.07% <span class="o">(</span>user 2.96%, <span class="nb">nice </span>0.00%, system 15.11%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 798 MB server ram <span class="o">=</span> 391 MB Pod to Service : TCP : bandwidth <span class="o">=</span> 1253 Mbit/s client cpu <span class="o">=</span> total 69.80% <span class="o">(</span>user 3.58%, <span class="nb">nice </span>0.00%, system 45.60%, iowait 0.36%, steal 20.26%<span class="o">)</span> server cpu <span class="o">=</span> total 30.59% <span class="o">(</span>user 1.88%, <span class="nb">nice </span>0.00%, system 28.71%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 787 MB server ram <span class="o">=</span> 592 MB UDP : bandwidth <span class="o">=</span> 478 Mbit/s client cpu <span class="o">=</span> total 80.83% <span class="o">(</span>user 6.97%, <span class="nb">nice </span>0.00%, system 53.98%, iowait 0.25%, steal 19.63%<span class="o">)</span> server cpu <span class="o">=</span> total 18.77% <span class="o">(</span>user 2.70%, <span class="nb">nice </span>0.03%, system 16.04%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 795 MB server ram <span class="o">=</span> 391 MB <span class="o">=========================================================</span> </code></pre> </div> <p><strong>Worker to worker:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>knb <span class="nt">--verbose</span> <span class="nt">--client-node</span> talos-8vs-lte <span class="nt">--server-node</span> talos-8wf-r6g <span class="o">=========================================================</span> Benchmark Results <span class="o">=========================================================</span> Name : knb-3467118 Date : 2025-03-18 05:27:23 UTC Generator : knb Version : 1.5.0 Server : talos-8wf-r6g Client : talos-8vs-lte UDP Socket size : auto <span class="o">=========================================================</span> Discovered CPU : Intel<span class="o">(</span>R<span class="o">)</span> Xeon<span class="o">(</span>R<span class="o">)</span> Gold 6240 CPU @ 2.60GHz Discovered Kernel : 6.12.18-talos Discovered k8s version : Discovered MTU : 1420 Idle : bandwidth <span class="o">=</span> 0 Mbit/s client cpu <span class="o">=</span> total 2.57% <span class="o">(</span>user 1.29%, <span class="nb">nice </span>0.00%, system 1.28%, iowait 0.00%, steal 0.00%<span class="o">)</span> server cpu <span class="o">=</span> total 2.05% <span class="o">(</span>user 1.10%, <span class="nb">nice </span>0.00%, system 0.95%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 416 MB server ram <span class="o">=</span> 521 MB Pod to pod : TCP : bandwidth <span class="o">=</span> 8409 Mbit/s client cpu <span class="o">=</span> total 17.34% <span class="o">(</span>user 1.85%, <span class="nb">nice </span>0.00%, system 15.49%, iowait 0.00%, steal 0.00%<span class="o">)</span> server cpu <span class="o">=</span> total 22.70% <span class="o">(</span>user 1.96%, <span class="nb">nice </span>0.00%, system 20.74%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 398 MB server ram <span class="o">=</span> 508 MB UDP : bandwidth <span class="o">=</span> 1403 Mbit/s client cpu <span class="o">=</span> total 36.43% <span class="o">(</span>user 3.27%, <span class="nb">nice </span>0.00%, system 33.16%, iowait 0.00%, steal 0.00%<span class="o">)</span> server cpu <span class="o">=</span> total 35.20% <span class="o">(</span>user 5.36%, <span class="nb">nice </span>0.00%, system 29.84%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 405 MB server ram <span class="o">=</span> 542 MB Pod to Service : TCP : bandwidth <span class="o">=</span> 8366 Mbit/s client cpu <span class="o">=</span> total 21.10% <span class="o">(</span>user 1.64%, <span class="nb">nice </span>0.04%, system 19.42%, iowait 0.00%, steal 0.00%<span class="o">)</span> server cpu <span class="o">=</span> total 22.15% <span class="o">(</span>user 1.85%, <span class="nb">nice </span>0.00%, system 20.30%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 398 MB server ram <span class="o">=</span> 515 MB UDP : bandwidth <span class="o">=</span> 1349 Mbit/s client cpu <span class="o">=</span> total 36.52% <span class="o">(</span>user 3.21%, <span class="nb">nice </span>0.00%, system 33.31%, iowait 0.00%, steal 0.00%<span class="o">)</span> server cpu <span class="o">=</span> total 34.03% <span class="o">(</span>user 5.38%, <span class="nb">nice </span>0.00%, system 28.65%, iowait 0.00%, steal 0.00%<span class="o">)</span> client ram <span class="o">=</span> 414 MB server ram <span class="o">=</span> 535 MB <span class="o">=========================================================</span> </code></pre> </div> <h2> Conclusion </h2> <p>We can see that the nodes are aware of each other and use the internal connection based on their logical location, as demonstrated in the diagram below <em><a href="https://kilo.squat.ai/docs/kgctl#graph" rel="noopener noreferrer">Generated using this </a></em>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd20tttwr86bfjtquc55b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd20tttwr86bfjtquc55b.png" alt=" " width="779" height="725"></a></p> <p>To conclude, since it's not possible to set annotations in advance for the nodes, automating the process completely when Talos/Kubeadm is bootstrapped could be problematic. This would still require an additional layer to set up the mesh. From this perspective, Kubespan is much easier to implement, but it currently doesn't support logical separation.</p> <h2> Delete cluster </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Delete VMs</span> <span class="k">for </span><span class="nb">id </span><span class="k">in</span> <span class="o">{</span>1001..1003<span class="o">}</span><span class="p">;</span> <span class="k">do </span>qm stop <span class="nv">$id</span> <span class="o">&amp;&amp;</span> qm destroy <span class="nv">$id</span> <span class="k">done </span>terraform destroy <span class="nt">-auto-approve</span> <span class="nt">-var-file</span><span class="o">=</span>vars/dev.tfvars </code></pre> </div> <h2> References </h2> <ul> <li><a href="https://github.com/isovalent/terraform-aws-talos" rel="noopener noreferrer">https://github.com/isovalent/terraform-aws-talos</a></li> <li><a href="https://github.com/pfenerty/talos-aws-terraform" rel="noopener noreferrer">https://github.com/pfenerty/talos-aws-terraform</a></li> <li><a href="https://dev.to/sergelogvinov/kubernetes-on-hybrid-cloud-talos-network-51lo">https://dev.to/sergelogvinov/kubernetes-on-hybrid-cloud-talos-network-51lo</a></li> <li><a href="https://dev.to/sergelogvinov/kubernetes-on-hybrid-cloud-network-design-3m9f">https://dev.to/sergelogvinov/kubernetes-on-hybrid-cloud-network-design-3m9f</a></li> <li><a href="https://www.talos.dev/v1.9/talos-guides/network/kubespan/" rel="noopener noreferrer">https://www.talos.dev/v1.9/talos-guides/network/kubespan/</a></li> <li><a href="https://kilo.squat.ai/" rel="noopener noreferrer">https://kilo.squat.ai/</a></li> </ul> kubernetes networking cloud proxmox Boriss V Fri, 14 Mar 2025 09:23:15 +0000 https://dev.to/bnovickovs/kubernetes-as-bare-metal-service-utilizing-sidero-metal-2a1n https://dev.to/bnovickovs/kubernetes-as-bare-metal-service-utilizing-sidero-metal-2a1n <p>The following setup includes the process of creating 3 control planes (master) nodes and 4 worker machines created dynamically, on bare metal servers.</p> <p>We simulate a scenario that DC provided us the metal machines. Booting Talos over the network on bare-metal with PXE &amp; Sidero Cluster API and connect them together.</p> <p>We are going to deploy DHCP server but there is no need for next-server boot and TFTP because it's already implemented in Sidero controller-manager, including DHCP proxy. </p> <p><code>Sidero v0.6 comes with DHCP proxy which augments the DHCP service provided by the network environment with PXE boot instructions automatically. There is no configuration required besides configuring the network environment DHCP server to assign IPs to the machines.</code></p> <p>dnsmasq configuration would look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>services: dnsmasq: image: quay.io/poseidon/dnsmasq:v0.5.0-32-g4327d60-amd64 container_name: dnsmasq cap_add: - NET_ADMIN network_mode: host <span class="nb">command</span>: <span class="o">&gt;</span> <span class="nt">-d</span> <span class="nt">-q</span> <span class="nt">-p0</span> <span class="nt">--dhcp-range</span><span class="o">=</span>10.1.1.3,10.1.1.30 <span class="nt">--dhcp-option</span><span class="o">=</span>option:router,10.1.1.1 <span class="nt">--log-queries</span> <span class="nt">--log-dhcp</span> </code></pre> </div> <h3> Management Plane cluster </h3> <p>In order to run Sidero, you first need a Kubernetes “Management cluster”.</p> <ul> <li>Kubernetes v1.26 or later</li> <li>Ability to expose TCP and UDP Services to the workload cluster machines</li> <li>Access to the cluster: we deploy 1 node Talos cluster so access can be achieve via <code>talosctl kubeconfig</code> </li> </ul> <p>We create a one node cluster with <code>allowSchedulingOnControlPlanes: true</code>, which allows running workload on control-plane nodes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>k get node <span class="nt">-o</span> wide NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME talos-74m-2r5 Ready control-plane 11m v1.31.2 10.1.1.18 &lt;none&gt; Talos <span class="o">(</span>v1.8.3<span class="o">)</span> 6.6.60-talos containerd://2.0.0 </code></pre> </div> <h3> Sidero Cluster API </h3> <p>Sidero is included as a default infrastructure provider in clusterctl, so the installation of both Sidero and the Cluster API (CAPI) components is as simple as using the clusterctl tool.</p> <p>First, we are telling Sidero to use <code>hostNetwork: true</code> so that it binds its ports directly to the host, rather than being available only from inside the cluster. There are many ways of exposing the services, but this is the simplest path for the single-node management cluster. When you scale the management cluster, you will need to use an alternative method, such as an external load balancer or something like <code>MetalLB</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">SIDERO_CONTROLLER_MANAGER_HOST_NETWORK</span><span class="o">=</span><span class="nb">true export </span><span class="nv">SIDERO_CONTROLLER_MANAGER_DEPLOYMENT_STRATEGY</span><span class="o">=</span>Recreate <span class="nb">export </span><span class="nv">SIDERO_CONTROLLER_MANAGER_API_ENDPOINT</span><span class="o">=</span>10.1.1.18 <span class="nb">export </span><span class="nv">SIDERO_CONTROLLER_MANAGER_SIDEROLINK_ENDPOINT</span><span class="o">=</span>10.1.1.18 clusterctl init <span class="nt">-b</span> talos <span class="nt">-c</span> talos <span class="nt">-i</span> sidero k get po NAMESPACE NAME READY STATUS RESTARTS AGE cabpt-system cabpt-controller-manager-6b8b989d68-lwxbw 1/1 Running 0 39h cacppt-system cacppt-controller-manager-858fccc654-xzfds 1/1 Running 0 39h capi-system capi-controller-manager-564745d4b-hbh7x 1/1 Running 0 39h cert-manager cert-manager-5c887c889d-dflnl 1/1 Running 0 39h cert-manager cert-manager-cainjector-58f6855565-5wf5z 1/1 Running 0 39h cert-manager cert-manager-webhook-6647d6545d-k7qhf 1/1 Running 0 39h sidero-system caps-controller-manager-67f75b9cb-9z2fq 1/1 Running 0 39h sidero-system sidero-controller-manager-97cb45f57-v7cv2 4/4 Running 0 39h </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-I</span> http://10.1.1.18:8081/tftp/snp.efi HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 1020416 Content-Type: application/octet-stream </code></pre> </div> <h4> Environment </h4> <p>Environments are a custom resource provided by the Metal Controller Manager. An environment is a codified description of what should be returned by the PXE server when a physical server attempts to PXE boot.</p> <p>Environments can be supplied to a given server either at the Server or the ServerClass level. The hierarchy from most to least respected is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">.spec.environmentRef provided at Server level</span> <span class="s">.spec.environmentRef provided at ServerClass level</span> <span class="s2">"</span><span class="s">default"</span> <span class="s">Environment created automatically and modified by an administrator</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl edit environment default apiVersion: metal.sidero.dev/v1alpha2 kind: Environment metadata: creationTimestamp: <span class="s2">"2024-11-23T13:16:12Z"</span> generation: 1 name: default resourceVersion: <span class="s2">"6527"</span> uid: 9e069ed5-886c-4b3c-9875-fe8e7f453dda spec: initrd: url: https://github.com/siderolabs/talos/releases/download/v1.8.3/initramfs-amd64.xz kernel: args: - <span class="nv">console</span><span class="o">=</span>tty0 - <span class="nv">console</span><span class="o">=</span>ttyS0 - <span class="nv">consoleblank</span><span class="o">=</span>0 - <span class="nv">earlyprintk</span><span class="o">=</span>ttyS0 - <span class="nv">ima_appraise</span><span class="o">=</span>fix - <span class="nv">ima_hash</span><span class="o">=</span>sha512 - <span class="nv">ima_template</span><span class="o">=</span>ima-ng - <span class="nv">init_on_alloc</span><span class="o">=</span>1 - <span class="nv">initrd</span><span class="o">=</span>initramfs.xz - nvme_core.io_timeout<span class="o">=</span>4294967295 - printk.devkmsg<span class="o">=</span>on - <span class="nv">pti</span><span class="o">=</span>on - <span class="nv">slab_nomerge</span><span class="o">=</span> - talos.platform<span class="o">=</span>metal url: https://github.com/siderolabs/talos/releases/download/v1.8.3/vmlinuz-amd64 </code></pre> </div> <h4> Servers and ServerClasses </h4> <p>Servers are the basic resource of bare metal in the Metal Controller Manager. These are created by PXE booting the servers and allowing them to send a registration request to the management plane.</p> <p>Server classes are a way to group distinct server resources. The qualifiers and selector keys allow the administrator to specify criteria upon which to group these servers.</p> <p>So here we are creating 2 ServerClasses for masters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">metal.sidero.dev/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServerClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">masters</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">qualifiers</span><span class="pi">:</span> <span class="na">hardware</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">system</span><span class="pi">:</span> <span class="na">manufacturer</span><span class="pi">:</span> <span class="s">QEMU</span> <span class="na">memory</span><span class="pi">:</span> <span class="na">totalSize</span><span class="pi">:</span> <span class="s2">"</span><span class="s">12</span><span class="nv"> </span><span class="s">GB"</span> <span class="na">configPatches</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">op</span><span class="pi">:</span> <span class="s">add</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/machine/network/interfaces</span> <span class="na">value</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">deviceSelector</span><span class="pi">:</span> <span class="na">busPath</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0*"</span> <span class="na">dhcp</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">vip</span><span class="pi">:</span> <span class="na">ip</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10.1.1.50"</span> <span class="pi">-</span> <span class="na">op</span><span class="pi">:</span> <span class="s">add</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/machine/network/nameservers</span> <span class="na">value</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">1.1.1.1</span> <span class="pi">-</span> <span class="s">1.0.0.1</span> <span class="pi">-</span> <span class="na">op</span><span class="pi">:</span> <span class="s">replace</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/machine/install</span> <span class="na">value</span><span class="pi">:</span> <span class="na">disk</span><span class="pi">:</span> <span class="s">none</span> <span class="na">diskSelector</span><span class="pi">:</span> <span class="na">size</span><span class="pi">:</span> <span class="s1">'</span><span class="s">&lt;</span><span class="nv"> </span><span class="s">100GB'</span> <span class="pi">-</span> <span class="na">op</span><span class="pi">:</span> <span class="s">replace</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/cluster/network/cni</span> <span class="na">value</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">none</span> <span class="c1"># name: "custom"</span> <span class="c1"># urls:</span> <span class="c1"># - "https://raw.githubusercontent.com/kubebn/talos-proxmox-kaas/main/manifests/talos/cilium.yaml"</span> <span class="pi">-</span> <span class="na">op</span><span class="pi">:</span> <span class="s">replace</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/cluster/proxy</span> <span class="na">value</span><span class="pi">:</span> <span class="na">disabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">op</span><span class="pi">:</span> <span class="s">replace</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/machine/kubelet/extraArgs</span> <span class="na">value</span><span class="pi">:</span> <span class="na">rotate-server-certificates</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">op</span><span class="pi">:</span> <span class="s">replace</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/cluster/inlineManifests</span> <span class="na">value</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cilium</span> <span class="na">contents</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">apiVersion: v1</span> <span class="s">kind: Namespace</span> <span class="s">metadata:</span> <span class="s">name: cilium</span> <span class="s">labels:</span> <span class="s">pod-security.kubernetes.io/enforce: "privileged"</span> <span class="pi">-</span> <span class="na">op</span><span class="pi">:</span> <span class="s">replace</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/cluster/extraManifests</span> <span class="na">value</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml</span> <span class="pi">-</span> <span class="s">https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml</span> </code></pre> </div> <p>and workers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">metal.sidero.dev/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServerClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">workers</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">qualifiers</span><span class="pi">:</span> <span class="na">hardware</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">system</span><span class="pi">:</span> <span class="na">manufacturer</span><span class="pi">:</span> <span class="s">QEMU</span> <span class="na">memory</span><span class="pi">:</span> <span class="na">totalSize</span><span class="pi">:</span> <span class="s2">"</span><span class="s">19</span><span class="nv"> </span><span class="s">GB"</span> <span class="na">configPatches</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">op</span><span class="pi">:</span> <span class="s">add</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/machine/network/interfaces</span> <span class="na">value</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">deviceSelector</span><span class="pi">:</span> <span class="na">busPath</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0*"</span> <span class="na">dhcp</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">op</span><span class="pi">:</span> <span class="s">add</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/machine/network/nameservers</span> <span class="na">value</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">1.1.1.1</span> <span class="pi">-</span> <span class="s">1.0.0.1</span> <span class="pi">-</span> <span class="na">op</span><span class="pi">:</span> <span class="s">replace</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/machine/install</span> <span class="na">value</span><span class="pi">:</span> <span class="na">disk</span><span class="pi">:</span> <span class="s">none</span> <span class="na">diskSelector</span><span class="pi">:</span> <span class="na">size</span><span class="pi">:</span> <span class="s1">'</span><span class="s">&lt;</span><span class="nv"> </span><span class="s">100GB'</span> <span class="pi">-</span> <span class="na">op</span><span class="pi">:</span> <span class="s">replace</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/cluster/proxy</span> <span class="na">value</span><span class="pi">:</span> <span class="na">disabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">op</span><span class="pi">:</span> <span class="s">replace</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/machine/kubelet/extraArgs</span> <span class="na">value</span><span class="pi">:</span> <span class="na">rotate-server-certificates</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>Let's spin up machines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 3 nodes with 12GB memory</span> <span class="k">for </span><span class="nb">id </span><span class="k">in</span> <span class="o">{</span>105..107<span class="o">}</span><span class="p">;</span> <span class="k">do </span>qm create <span class="nv">$id</span> <span class="nt">--name</span> vm<span class="nv">$id</span> <span class="nt">--memory</span> 12288 <span class="nt">--cores</span> 3 <span class="nt">--net0</span> virtio,bridge<span class="o">=</span>vmbr0 <span class="nt">--ostype</span> l26 <span class="nt">--scsihw</span> virtio-scsi-pci <span class="nt">--sata0</span> lvm1:32 <span class="nt">--cpu</span> host <span class="o">&amp;&amp;</span> qm start <span class="nv">$id</span> <span class="k">done</span> <span class="c"># 4 nodes with 19GB memory</span> <span class="k">for </span><span class="nb">id </span><span class="k">in</span> <span class="o">{</span>108..111<span class="o">}</span><span class="p">;</span> <span class="k">do </span>qm create <span class="nv">$id</span> <span class="nt">--name</span> vm<span class="nv">$id</span> <span class="nt">--memory</span> 20288 <span class="nt">--cores</span> 3 <span class="nt">--net0</span> virtio,bridge<span class="o">=</span>vmbr0 <span class="nt">--ostype</span> l26 <span class="nt">--scsihw</span> virtio-scsi-pci <span class="nt">--sata0</span> lvm1:32 <span class="nt">--cpu</span> host <span class="o">&amp;&amp;</span> qm start <span class="nv">$id</span> <span class="k">done</span> </code></pre> </div> <p>So in ServerClass we use the difference between memory allocations for the nodes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> hardware: - system: manufacturer: QEMU memory: totalSize: <span class="s2">"12 GB"</span> <span class="c"># masters</span> <span class="nt">---</span> totalSize: <span class="s2">"19 GB"</span> <span class="c"># workers</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get serverclasses NAME AVAILABLE IN USE AGE any <span class="o">[]</span> <span class="o">[]</span> 18m masters <span class="o">[]</span> <span class="o">[]</span> 9s workers <span class="o">[]</span> <span class="o">[]</span> 9s kubectl get servers NAME HOSTNAME ACCEPTED CORDONED ALLOCATED CLEAN POWER AGE 13f56641-ff59-467c-94df-55a2861146d9 <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true </span>on 96s 26f39da5-c622-42e0-b160-ff0eb58eb56b <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true </span>on 75s 4e56c769-8a35-4a68-b90b-0e1dca530fb0 <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true </span>on 107s 5211912d-8f32-4ea4-8738-aaff57386391 <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true </span>on 96s a0b83613-faa9-468a-9289-1aa270117d54 <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true </span>on 104s a6c8afca-15b9-4254-82b4-91bbcd76dba0 <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true </span>on 96s ec39bf0e-632d-4dca-9ae0-0b3509368de6 <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true </span>on 108s f426397a-76ff-4ea6-815a-2be97265f5e6 <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true </span>on 107s </code></pre> </div> <p>We can describe the server to see other details of it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">kubectl get server 10ea52da-e1fc-4b83-81ef-b9cd40d1d25e -o yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">metal.sidero.dev/v1alpha2</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Server</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">creationTimestamp</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2024-11-25T04:26:35Z"</span> <span class="na">finalizers</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">storage.finalizers.server.k8s.io</span> <span class="na">generation</span><span class="pi">:</span> <span class="m">1</span> <span class="na">name</span><span class="pi">:</span> <span class="s">10ea52da-e1fc-4b83-81ef-b9cd40d1d25e</span> <span class="na">resourceVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">562154"</span> <span class="na">uid</span><span class="pi">:</span> <span class="s">4c08c327-8aba-4af0-8204-5985b2a76e95</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accepted</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">hardware</span><span class="pi">:</span> <span class="na">compute</span><span class="pi">:</span> <span class="na">processorCount</span><span class="pi">:</span> <span class="m">1</span> <span class="na">processors</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">coreCount</span><span class="pi">:</span> <span class="m">3</span> <span class="na">manufacturer</span><span class="pi">:</span> <span class="s">QEMU</span> <span class="na">productName</span><span class="pi">:</span> <span class="s">pc-i440fx-9.0</span> <span class="na">speed</span><span class="pi">:</span> <span class="m">2000</span> <span class="na">threadCount</span><span class="pi">:</span> <span class="m">3</span> <span class="na">totalCoreCount</span><span class="pi">:</span> <span class="m">3</span> <span class="na">totalThreadCount</span><span class="pi">:</span> <span class="m">3</span> <span class="na">memory</span><span class="pi">:</span> <span class="na">moduleCount</span><span class="pi">:</span> <span class="m">1</span> <span class="na">modules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">manufacturer</span><span class="pi">:</span> <span class="s">QEMU</span> <span class="na">size</span><span class="pi">:</span> <span class="m">12288</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ROM</span> <span class="na">totalSize</span><span class="pi">:</span> <span class="s">12 GB</span> <span class="na">network</span><span class="pi">:</span> <span class="na">interfaceCount</span><span class="pi">:</span> <span class="m">3</span> <span class="na">interfaces</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">flags</span><span class="pi">:</span> <span class="s">broadcast|multicast</span> <span class="na">index</span><span class="pi">:</span> <span class="m">2</span> <span class="na">mac</span><span class="pi">:</span> <span class="s">36:d0:4f:23:f7:03</span> <span class="na">mtu</span><span class="pi">:</span> <span class="m">1500</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bond0</span> <span class="pi">-</span> <span class="na">flags</span><span class="pi">:</span> <span class="s">broadcast</span> <span class="na">index</span><span class="pi">:</span> <span class="m">3</span> <span class="na">mac</span><span class="pi">:</span> <span class="s">d6:9b:8b:99:6f:d0</span> <span class="na">mtu</span><span class="pi">:</span> <span class="m">1500</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dummy0</span> <span class="pi">-</span> <span class="na">addresses</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">10.1.1.6/24</span> <span class="na">flags</span><span class="pi">:</span> <span class="s">up|broadcast|multicast</span> <span class="na">index</span><span class="pi">:</span> <span class="m">8</span> <span class="na">mac</span><span class="pi">:</span> <span class="s">bc:24:11:a1:77:25</span> <span class="na">mtu</span><span class="pi">:</span> <span class="m">1500</span> <span class="na">name</span><span class="pi">:</span> <span class="s">eth0</span> <span class="na">storage</span><span class="pi">:</span> <span class="na">deviceCount</span><span class="pi">:</span> <span class="m">1</span> <span class="na">devices</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">deviceName</span><span class="pi">:</span> <span class="s">/dev/sda</span> <span class="na">productName</span><span class="pi">:</span> <span class="s">QEMU HARDDISK</span> <span class="na">size</span><span class="pi">:</span> <span class="m">34359738368</span> <span class="na">type</span><span class="pi">:</span> <span class="s">HDD</span> <span class="na">wwid</span><span class="pi">:</span> <span class="s">t10.ATA QEMU HARDDISK QM00005</span> <span class="na">totalSize</span><span class="pi">:</span> <span class="s">32 GB</span> <span class="na">system</span><span class="pi">:</span> <span class="na">manufacturer</span><span class="pi">:</span> <span class="s">QEMU</span> <span class="na">productName</span><span class="pi">:</span> <span class="s">Standard PC (i440FX + PIIX, 1996)</span> <span class="na">uuid</span><span class="pi">:</span> <span class="s">10ea52da-e1fc-4b83-81ef-b9cd40d1d25e</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s">(none)</span> <span class="na">status</span><span class="pi">:</span> <span class="na">addresses</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">address</span><span class="pi">:</span> <span class="s">10.1.1.6</span> <span class="na">type</span><span class="pi">:</span> <span class="s">InternalIP</span> <span class="na">power</span><span class="pi">:</span> <span class="s2">"</span><span class="s">on"</span> </code></pre> </div> <p>Note in the output above that the newly registered servers are not accepted. In order for a server to be eligible for consideration, it must be marked as accepted. Before a Server is accepted, no write action will be performed against it. This default is for safety (don’t accidentally delete something just because it was plugged in) and security (make sure you know the machine before it is given credentials to communicate).</p> <p>There are two ways to accept the server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl patch server 00000000-0000-0000-0000-d05099d33360 <span class="nt">--type</span><span class="o">=</span><span class="s1">'json'</span> <span class="nt">-p</span><span class="o">=</span><span class="s1">'[{"op": "replace", "path": "/spec/accepted", "value": true}]'</span> </code></pre> </div> <p>or you can enable auto-acceptance by passing the --auto-accept-servers=true flag to sidero-controller-manager.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl edit deploy sidero-controller-manager <span class="nt">-n</span> sidero-system </code></pre> </div> <p>After the servers are accepted, they can be seen allocated to serverclasses, but they are still not "IN USE":<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get serverclass <span class="nt">-A</span> NAME AVAILABLE IN USE AGE any <span class="o">[</span><span class="s2">"13f56641-ff59-467c-94df-55a2861146d9"</span>,<span class="s2">"26f39da5-c622-42e0-b160-ff0eb58eb56b"</span>,<span class="s2">"4e56c769-8a35-4a68-b90b-0e1dca530fb0"</span>,<span class="s2">"5211912d-8f32-4ea4-8738-aaff57386391"</span>,<span class="s2">"a0b83613-faa9-468a-9289-1aa270117d54"</span>,<span class="s2">"a6c8afca-15b9-4254-82b4-91bbcd76dba0"</span>,<span class="s2">"ec39bf0e-632d-4dca-9ae0-0b3509368de6"</span>,<span class="s2">"f426397a-76ff-4ea6-815a-2be97265f5e6"</span><span class="o">]</span> <span class="o">[]</span> 21m masters <span class="o">[</span><span class="s2">"4e56c769-8a35-4a68-b90b-0e1dca530fb0"</span>,<span class="s2">"ec39bf0e-632d-4dca-9ae0-0b3509368de6"</span>,<span class="s2">"f426397a-76ff-4ea6-815a-2be97265f5e6"</span><span class="o">]</span> <span class="o">[]</span> 3m27s workers <span class="o">[</span><span class="s2">"13f56641-ff59-467c-94df-55a2861146d9"</span>,<span class="s2">"26f39da5-c622-42e0-b160-ff0eb58eb56b"</span>,<span class="s2">"5211912d-8f32-4ea4-8738-aaff57386391"</span>,<span class="s2">"a0b83613-faa9-468a-9289-1aa270117d54"</span>,<span class="s2">"a6c8afca-15b9-4254-82b4-91bbcd76dba0"</span><span class="o">]</span> <span class="o">[]</span> 3m27s </code></pre> </div> <p>While developing config patches it is usually convenient to test generated config with patches before actual server is provisioned with the config.</p> <p>This can be achieved by querying the metadata server endpoint directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://<span class="nv">$PUBLIC_IP</span>:8081/configdata?uuid<span class="o">=</span><span class="nv">$SERVER_UUID</span> <span class="c"># example "http://10.1.1.18:8081/configdata?uuid=4e56c769-8a35-4a68-b90b-0e1dca530fb0"</span> version: v1alpha1 </code></pre> </div> <h4> Create a Workload Cluster </h4> <p>We are now ready to generate the configuration manifest templates for our first workload cluster.</p> <p>There are several configuration parameters that should be set in order for the templating to work properly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">CONTROL_PLANE_SERVERCLASS</span><span class="o">=</span>masters <span class="nb">export </span><span class="nv">WORKER_SERVERCLASS</span><span class="o">=</span>workers <span class="nb">export </span><span class="nv">TALOS_VERSION</span><span class="o">=</span>v1.8.3 <span class="nb">export </span><span class="nv">KUBERNETES_VERSION</span><span class="o">=</span>v1.31.2 <span class="nb">export </span><span class="nv">CONTROL_PLANE_PORT</span><span class="o">=</span>6443 <span class="nb">export </span><span class="nv">CONTROL_PLANE_ENDPOINT</span><span class="o">=</span>10.1.1.50 clusterctl generate cluster cluster-0 <span class="nt">-i</span> sidero <span class="o">&gt;</span> cluster-0.yaml </code></pre> </div> <p>One of the pain points when building a high-availability controlplane is giving clients a single IP or URL at which they can reach any of the controlplane nodes. The most common approaches - reverse proxy, load balancer, BGP, and DNS - all require external resources, and add complexity in setting up Kubernetes.</p> <p>To simplify cluster creation, Talos Linux supports a “Virtual” IP (VIP) address to access the Kubernetes API server, providing high availability with no other resources required.</p> <p>For cluster endpoint we use <code>10.1.1.50</code> ip address, which will be our share Virtual IP address. We can actually set it in ServerClass:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">configPatches</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">op</span><span class="pi">:</span> <span class="s">add</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/machine/network/interfaces</span> <span class="na">value</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">deviceSelector</span><span class="pi">:</span> <span class="na">busPath</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0*"</span> <span class="c1"># any network device</span> <span class="na">dhcp</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">vip</span><span class="pi">:</span> <span class="na">ip</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10.1.1.50"</span> </code></pre> </div> <p>The yaml manifest for cluster-0.yaml:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cluster.x-k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Cluster</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-0</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">clusterNetwork</span><span class="pi">:</span> <span class="na">pods</span><span class="pi">:</span> <span class="na">cidrBlocks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">10.244.0.0/16</span> <span class="na">services</span><span class="pi">:</span> <span class="na">cidrBlocks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">10.96.0.0/12</span> <span class="na">controlPlaneRef</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">controlplane.cluster.x-k8s.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">TalosControlPlane</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-0-cp</span> <span class="na">infrastructureRef</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">infrastructure.cluster.x-k8s.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">MetalCluster</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-0</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">infrastructure.cluster.x-k8s.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">MetalCluster</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-0</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">controlPlaneEndpoint</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">10.1.1.50</span> <span class="na">port</span><span class="pi">:</span> <span class="m">6443</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">infrastructure.cluster.x-k8s.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">MetalMachineTemplate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-0-cp</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serverClassRef</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">metal.sidero.dev/v1alpha2</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServerClass</span> <span class="na">name</span><span class="pi">:</span> <span class="s">masters</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">controlplane.cluster.x-k8s.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">TalosControlPlane</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-0-cp</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">controlPlaneConfig</span><span class="pi">:</span> <span class="na">controlplane</span><span class="pi">:</span> <span class="na">generateType</span><span class="pi">:</span> <span class="s">controlplane</span> <span class="na">talosVersion</span><span class="pi">:</span> <span class="s">v1.8.3</span> <span class="na">infrastructureTemplate</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">infrastructure.cluster.x-k8s.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">MetalMachineTemplate</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-0-cp</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1.31.2</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">bootstrap.cluster.x-k8s.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">TalosConfigTemplate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-0-workers</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">generateType</span><span class="pi">:</span> <span class="s">join</span> <span class="na">talosVersion</span><span class="pi">:</span> <span class="s">v1.8.3</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cluster.x-k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">MachineDeployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-0-workers</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">clusterName</span><span class="pi">:</span> <span class="s">cluster-0</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">0</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="kc">null</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">bootstrap</span><span class="pi">:</span> <span class="na">configRef</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">bootstrap.cluster.x-k8s.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">TalosConfigTemplate</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-0-workers</span> <span class="na">clusterName</span><span class="pi">:</span> <span class="s">cluster-0</span> <span class="na">infrastructureRef</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">infrastructure.cluster.x-k8s.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">MetalMachineTemplate</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-0-workers</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1.31.2</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">infrastructure.cluster.x-k8s.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">MetalMachineTemplate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-0-workers</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serverClassRef</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">metal.sidero.dev/v1alpha2</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServerClass</span> <span class="na">name</span><span class="pi">:</span> <span class="s">workers</span> </code></pre> </div> <p>When you are satisfied with your configuration, go ahead and apply it to Sidero:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> cluster-0.yaml cluster.cluster.x-k8s.io/cluster-0 created metalcluster.infrastructure.cluster.x-k8s.io/cluster-0 created metalmachinetemplate.infrastructure.cluster.x-k8s.io/cluster-0-cp created taloscontrolplane.controlplane.cluster.x-k8s.io/cluster-0-cp created talosconfigtemplate.bootstrap.cluster.x-k8s.io/cluster-0-workers created machinedeployment.cluster.x-k8s.io/cluster-0-workers created metalmachinetemplate.infrastructure.cluster.x-k8s.io/cluster-0-workers created </code></pre> </div> <p>At this point, Sidero will allocate Servers according to the requests in the cluster manifest. Once allocated, each of those machines will be installed with Talos, given their configuration, and form a cluster.</p> <p>You can watch the progress of the Servers being selected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get servers,machines,clusters NAME HOSTNAME ACCEPTED CORDONED ALLOCATED CLEAN POWER AGE server.metal.sidero.dev/0859ab1b-32d1-4acc-bb91-74c4eafe8017 <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true false </span>on 29m server.metal.sidero.dev/25ba21df-363c-4345-bbb6-b2f21487d103 <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true </span>on 29m server.metal.sidero.dev/6c9aa61c-b9c6-4b69-8b77-8a46b5f217c6 <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true </span>on 29m server.metal.sidero.dev/992f741b-fc3a-48e4-814b-c2f351b320eb <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true </span>on 29m server.metal.sidero.dev/995d057f-4f61-4359-8e78-9a043904fe3a <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true </span>on 29m server.metal.sidero.dev/9f909243-9333-461c-bcd3-dce874d5c36a <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true </span>on 29m server.metal.sidero.dev/d6141070-cb35-47d7-8f12-447ee936382a <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true </span>on 29m NAME CLUSTER NODENAME PROVIDERID PHASE AGE VERSION machine.cluster.x-k8s.io/cluster-0-cp-89hsd cluster-0 talos-rlj-gk7 sidero://0859ab1b-32d1-4acc-bb91-74c4eafe8017 Running 21m v1.31.2 NAME CLUSTERCLASS PHASE AGE VERSION cluster.cluster.x-k8s.io/cluster-0 Provisioned 21m </code></pre> </div> <p>During the Provisioning phase, a Server will become allocated, the hardware will be powered up, Talos will be installed onto it, and it will be rebooted into Talos. Depending on the hardware involved, this may take several minutes. Currently, we can see that only 1 server is allocated because in cluster-0.yaml manifest we specified only 1 replica for control plane and 0 replicas for workers.</p> <h4> Retrieve the talosconfig &amp; kubeconfig </h4> <p>In order to interact with the new machines (outside of Kubernetes), you will need to obtain the talosctl client configuration, or talosconfig. You can do this by retrieving the secret from the Sidero management cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get talosconfig <span class="nt">-o</span> yaml <span class="si">$(</span>kubectl get talosconfig <span class="nt">--no-headers</span> | <span class="nb">awk</span> <span class="s1">'NR==1{print $1}'</span><span class="si">)</span> <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.status.talosConfig}'</span> <span class="o">&gt;</span> talosconfig kubectl describe server 0859ab1b-32d1-4acc-bb91-74c4eafe8017 | <span class="nb">grep </span>Address Addresses: Addresses: Address: 10.1.1.5 talosctl <span class="nt">--talosconfig</span> talosconfig <span class="nt">-n</span> 10.1.1.5 <span class="nt">-e</span> 10.1.1.5 kubeconfig <span class="nt">-f</span> </code></pre> </div> <h4> Check access and scale the cluster </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>k get node NAME STATUS ROLES AGE VERSION talos-rlj-gk7 NotReady control-plane 20m v1.31.2 k get po <span class="nt">-A</span> NAMESPACE NAME READY STATUS RESTARTS AGE kube-system coredns-68d75fd545-6rxp7 0/1 Pending 0 20m kube-system coredns-68d75fd545-h9xrx 0/1 Pending 0 20m kube-system kube-apiserver-talos-rlj-gk7 1/1 Running 0 19m kube-system kube-controller-manager-talos-rlj-gk7 1/1 Running 2 <span class="o">(</span>20m ago<span class="o">)</span> 18m kube-system kube-scheduler-talos-rlj-gk7 1/1 Running 2 <span class="o">(</span>20m ago<span class="o">)</span> 18m kube-system metrics-server-54bf7cdd6-tlhg5 0/1 Pending 0 20m kube-system talos-cloud-controller-manager-df65c8444-47w49 0/1 Pending 0 20m </code></pre> </div> <p>Node is in NotReady status because we do not have CNI installed. Let's install cilium:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ipam</span><span class="pi">:</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">kubernetes</span> <span class="na">k8sServiceHost</span><span class="pi">:</span> <span class="s">localhost</span> <span class="na">k8sServicePort</span><span class="pi">:</span> <span class="m">7445</span> <span class="na">kubeProxyReplacement</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">installNoConntrackIptablesRules</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">enableK8sEndpointSlice</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">localRedirectPolicy</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">healthChecking</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">routingMode</span><span class="pi">:</span> <span class="s">native</span> <span class="na">autoDirectNodeRoutes</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">ipv4NativeRoutingCIDR</span><span class="pi">:</span> <span class="s">10.244.0.0/16</span> <span class="na">loadBalancer</span><span class="pi">:</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">hybrid</span> <span class="na">algorithm</span><span class="pi">:</span> <span class="s">maglev</span> <span class="na">acceleration</span><span class="pi">:</span> <span class="s">best-effort</span> <span class="na">serviceTopology</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">bpf</span><span class="pi">:</span> <span class="na">masquerade</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">ipv4</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">hostServices</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">hostPort</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">nodePort</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">externalIPs</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">hostFirewall</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">ingressController</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">envoy</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">prometheus</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">hubble</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">operator</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">rollOutPods</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">prometheus</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">nodeSelector</span><span class="pi">:</span> <span class="na">node-role.kubernetes.io/control-plane</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">tolerations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">Exists</span> <span class="na">effect</span><span class="pi">:</span> <span class="s">NoSchedule</span> <span class="na">cgroup</span><span class="pi">:</span> <span class="na">autoMount</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">hostRoot</span><span class="pi">:</span> <span class="s">/sys/fs/cgroup</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">2</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">4Gi</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">100m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">128Mi</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">capabilities</span><span class="pi">:</span> <span class="na">ciliumAgent</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">CHOWN</span> <span class="pi">-</span> <span class="s">KILL</span> <span class="pi">-</span> <span class="s">NET_ADMIN</span> <span class="pi">-</span> <span class="s">NET_RAW</span> <span class="pi">-</span> <span class="s">IPC_LOCK</span> <span class="pi">-</span> <span class="s">SYS_ADMIN</span> <span class="pi">-</span> <span class="s">SYS_RESOURCE</span> <span class="pi">-</span> <span class="s">DAC_OVERRIDE</span> <span class="pi">-</span> <span class="s">FOWNER</span> <span class="pi">-</span> <span class="s">SETGID</span> <span class="pi">-</span> <span class="s">SETUID</span> <span class="na">cleanCiliumState</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">NET_ADMIN</span> <span class="pi">-</span> <span class="s">SYS_ADMIN</span> <span class="pi">-</span> <span class="s">SYS_RESOURCE</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Same command to install cilium</span> cilium <span class="nb">install</span> <span class="nt">--version</span> 1.16.4 <span class="nt">-f</span> cilium.yaml <span class="nt">-n</span> cilium </code></pre> </div> <p>We have more machines available, we can scale both the controlplane (TalosControlPlane) and the workers (MachineDeployment) for any cluster after it has been deployed. This is done just like normal Kubernetes Deployments.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get TalosControlPlane NAME READY INITIALIZED REPLICAS READY REPLICAS UNAVAILABLE REPLICAS cluster-0-cp <span class="nb">true true </span>1 1 kubectl get MachineDeployment NAME CLUSTER REPLICAS READY UPDATED UNAVAILABLE PHASE AGE VERSION cluster-0-workers cluster-0 Running 80m v1.31.2 kubectl scale taloscontrolplane cluster-0-cp <span class="nt">--replicas</span><span class="o">=</span>3 taloscontrolplane.controlplane.cluster.x-k8s.io/cluster-0-cp scaled kubectl scale MachineDeployment cluster-0-workers <span class="nt">--replicas</span><span class="o">=</span>4 machinedeployment.cluster.x-k8s.io/cluster-0-workers scaled </code></pre> </div> <p>Now we can see that all of our nodes are "IN USE" in serverclass:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get serverclass NAME AVAILABLE IN USE AGE any <span class="o">[]</span> <span class="o">[</span><span class="s2">"0859ab1b-32d1-4acc-bb91-74c4eafe8017"</span>,<span class="s2">"25ba21df-363c-4345-bbb6-b2f21487d103"</span>,<span class="s2">"6c9aa61c-b9c6-4b69-8b77-8a46b5f217c6"</span>,<span class="s2">"992f741b-fc3a-48e4-814b-c2f351b320eb"</span>,<span class="s2">"995d057f-4f61-4359-8e78-9a043904fe3a"</span>,<span class="s2">"9f909243-9333-461c-bcd3-dce874d5c36a"</span>,<span class="s2">"d6141070-cb35-47d7-8f12-447ee936382a"</span><span class="o">]</span> 101m masters <span class="o">[]</span> <span class="o">[</span><span class="s2">"0859ab1b-32d1-4acc-bb91-74c4eafe8017"</span>,<span class="s2">"6c9aa61c-b9c6-4b69-8b77-8a46b5f217c6"</span>,<span class="s2">"995d057f-4f61-4359-8e78-9a043904fe3a"</span><span class="o">]</span> 98m workers <span class="o">[]</span> <span class="o">[</span><span class="s2">"25ba21df-363c-4345-bbb6-b2f21487d103"</span>,<span class="s2">"992f741b-fc3a-48e4-814b-c2f351b320eb"</span>,<span class="s2">"9f909243-9333-461c-bcd3-dce874d5c36a"</span>,<span class="s2">"d6141070-cb35-47d7-8f12-447ee936382a"</span><span class="o">]</span> 98m <span class="o">[]</span> </code></pre> </div> <p>&amp;&amp;&amp;<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>k get servers,machines,clusters NAME HOSTNAME ACCEPTED CORDONED ALLOCATED CLEAN POWER AGE server.metal.sidero.dev/0859ab1b-32d1-4acc-bb91-74c4eafe8017 <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true false </span>on 99m server.metal.sidero.dev/25ba21df-363c-4345-bbb6-b2f21487d103 <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true false </span>on 99m server.metal.sidero.dev/6c9aa61c-b9c6-4b69-8b77-8a46b5f217c6 <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true false </span>on 99m server.metal.sidero.dev/992f741b-fc3a-48e4-814b-c2f351b320eb <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true false </span>on 99m server.metal.sidero.dev/995d057f-4f61-4359-8e78-9a043904fe3a <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true false </span>on 99m server.metal.sidero.dev/9f909243-9333-461c-bcd3-dce874d5c36a <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true false </span>on 99m server.metal.sidero.dev/d6141070-cb35-47d7-8f12-447ee936382a <span class="o">(</span>none<span class="o">)</span> <span class="nb">true true false </span>on 99m NAME CLUSTER NODENAME PROVIDERID PHASE AGE VERSION machine.cluster.x-k8s.io/cluster-0-cp-22d6n cluster-0 talos-m0p-gke sidero://995d057f-4f61-4359-8e78-9a043904fe3a Running 10m v1.31.2 machine.cluster.x-k8s.io/cluster-0-cp-544tn cluster-0 talos-5le-4ou sidero://6c9aa61c-b9c6-4b69-8b77-8a46b5f217c6 Running 10m v1.31.2 machine.cluster.x-k8s.io/cluster-0-cp-89hsd cluster-0 talos-rlj-gk7 sidero://0859ab1b-32d1-4acc-bb91-74c4eafe8017 Running 91m v1.31.2 machine.cluster.x-k8s.io/cluster-0-workers-lgphx-8brp6 cluster-0 talos-rvd-w8m sidero://9f909243-9333-461c-bcd3-dce874d5c36a Running 9m52s v1.31.2 machine.cluster.x-k8s.io/cluster-0-workers-lgphx-hklgh cluster-0 talos-aps-1nj sidero://d6141070-cb35-47d7-8f12-447ee936382a Running 9m52s v1.31.2 machine.cluster.x-k8s.io/cluster-0-workers-lgphx-krwxw cluster-0 talos-72m-mif sidero://25ba21df-363c-4345-bbb6-b2f21487d103 Running 9m53s v1.31.2 machine.cluster.x-k8s.io/cluster-0-workers-lgphx-xs6fm cluster-0 talos-9ww-ia0 sidero://992f741b-fc3a-48e4-814b-c2f351b320eb Running 9m52s v1.31.2 NAME CLUSTERCLASS PHASE AGE VERSION cluster.cluster.x-k8s.io/cluster-0 Provisioned 91m </code></pre> </div> <p>Check the workload cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>k get node NAME STATUS ROLES AGE VERSION talos-5le-4ou Ready control-plane 9m31s v1.31.2 talos-72m-mif Ready &lt;none&gt; 9m11s v1.31.2 talos-9ww-ia0 Ready &lt;none&gt; 9m37s v1.31.2 talos-aps-1nj Ready &lt;none&gt; 9m6s v1.31.2 talos-m0p-gke Ready control-plane 9m29s v1.31.2 talos-rlj-gk7 Ready control-plane 89m v1.31.2 talos-rvd-w8m Ready &lt;none&gt; 9m42s v1.31.2 </code></pre> </div> kubernetes proxmox talos sidero Boriss V Fri, 14 Mar 2025 07:46:40 +0000 https://dev.to/bnovickovs/quickly-prepare-your-tooling-with-nixerydev-no-dockerfile-needed-596b https://dev.to/bnovickovs/quickly-prepare-your-tooling-with-nixerydev-no-dockerfile-needed-596b <p>If you’ve ever been too lazy to write a proper Dockerfile to set up your environment, Nixery.dev has got you covered. It allows you to quickly assemble containers with the exact tools you need, without the hassle of creating and managing a Dockerfile.</p> <p>Let’s say you need an environment with kubectl, jq, yq, and helm all in place. Instead of writing a Dockerfile or manually installing each tool, you can get a pre-configured image in no time using Nixery.dev.</p> <p>With Nixery, all you need to do is specify the tools you need in the URL. For example, to get a shell with kubectl, jq, yq, and helm, just use this URL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">-it</span> nixery.dev/shell/kubectl/jq/yq/helm Unable to find image <span class="s1">'nixery.dev/shell/kubectl/jq/yq/helm:latest'</span> locally latest: Pulling from shell/kubectl/jq/yq/helm 7bd0d820be49: Already exists cdd7895d7577: Already exists de6cb50335aa: Pull <span class="nb">complete </span>11720475aae7: Pull <span class="nb">complete </span>b8ff367d8a2d: Pull <span class="nb">complete </span>f6ff9498ab9c: Pull <span class="nb">complete </span>1d17c684d513: Pull <span class="nb">complete </span>913f63e3401f: Pull <span class="nb">complete </span>14a855609149: Pull <span class="nb">complete </span>3d5094a0f4f3: Pull <span class="nb">complete </span>e90094fbdef4: Pull <span class="nb">complete </span>7e3feab0b197: Pull <span class="nb">complete </span>262f49f707da: Pull <span class="nb">complete </span>9a33ef4edb1b: Pull <span class="nb">complete </span>2b2ece68abe5: Pull <span class="nb">complete </span>505ed7a4fa00: Pull <span class="nb">complete </span>f68eb5b9e907: Pull <span class="nb">complete </span>7d2670c677e3: Pull <span class="nb">complete </span>b5eceb4adf47: Pull <span class="nb">complete </span>d0f6822fe6ec: Pull <span class="nb">complete </span>90548e6cb522: Pull <span class="nb">complete </span>c06288390ee6: Pull <span class="nb">complete </span>a6592313490f: Pull <span class="nb">complete </span>a7172b4ea41b: Pull <span class="nb">complete </span>4e6f2304a814: Pull <span class="nb">complete </span>a90445f26e1d: Pull <span class="nb">complete </span>ff7b4358edf4: Pull <span class="nb">complete </span>cff643889033: Pull <span class="nb">complete </span>046661f70676: Pull <span class="nb">complete </span>fa94a058e6b0: Pull <span class="nb">complete </span>49d2ea9475ef: Pull <span class="nb">complete </span>b326b3073570: Pull <span class="nb">complete </span>Digest: sha256:da377dc6d7e9091fbc30eecb8aeee5dd89aef6571fba018594c68d581a2f911e Status: Downloaded newer image <span class="k">for </span>nixery.dev/shell/kubectl/jq/yq/helm:latest bash-5.2# helm <span class="nt">--version</span> Helm 0.9.0 bash-5.2# jq <span class="nt">--version</span> jq-1.7.1 bash-5.2# yq <span class="nt">--version</span> yq 3.4.3 bash-5.2# kubectl version Client Version: v1.32.1 Kustomize Version: v5.5.0 </code></pre> </div> <p>This command will give you a shell with all the necessary tools pre-installed, ready to use right away.</p> <ul> <li>Quick and Easy: No need for Dockerfile management or custom setup scripts.</li> <li>Customizable: Add only the tools you need by simply modifying the URL.</li> <li>Lightweight: Avoid creating large, bloated images with unnecessary dependencies.</li> </ul> <p>Next time you're in a hurry, or just feeling a bit too lazy to create a Dockerfile, Nixery.dev is a great tool to have in your back pocket!</p> docker containers dockerfile nixery Boriss V Fri, 14 Mar 2025 07:38:10 +0000 https://dev.to/bnovickovs/kubernetes-as-a-service-kaas-in-proxmox-using-talos-3egh https://dev.to/bnovickovs/kubernetes-as-a-service-kaas-in-proxmox-using-talos-3egh <p>The Talos-Proxmox-KaaS repository demonstrates how to use Talos Linux, Sidero (CAPI), FluxCD, and Proxmox Operator to provision Kubernetes clusters in a GitOps-driven environment. This setup integrates various tools such as Talos, Proxmox, Cilium, and FluxCD for seamless cluster management and deployment.</p> <p>Key Features:</p> <ul> <li>Proxmox &amp; Talos Integration: Using Terraform to provision and manage clusters.</li> <li>GitOps: Automates Kubernetes application management with FluxCD.</li> <li>Infrastructure Automation: Automates provisioning and deployment using tools like Packer, Terraform.</li> </ul> <p><a href="https://github.com/kubebn/talos-proxmox-kaas" rel="noopener noreferrer">https://github.com/kubebn/talos-proxmox-kaas</a></p> proxmox kubernetes fluxcd terraform Boriss V Fri, 14 Mar 2025 07:31:47 +0000 https://dev.to/bnovickovs/managing-kiali-instance-finalizers-during-helm-chart-uninstallation-in-kiali-operator-4ga2 https://dev.to/bnovickovs/managing-kiali-instance-finalizers-during-helm-chart-uninstallation-in-kiali-operator-4ga2 <p>When deploying the Kiali-operator using the Helm chart from <a href="https://github.com/kiali/helm-charts/tree/master/kiali-operator" rel="noopener noreferrer">Kiali's GitHub repository</a>, you might configure it to create a Kiali instance after the operator is deployed. In such cases, you may use the Custom Resource (CR) value provided in the Helm chart: <a href="https://github.com/kiali/helm-charts/blob/56009cff505e71c21d9449726827c85999f8a3f7/kiali-operator/values.yaml#L92" rel="noopener noreferrer">Kiali-Operator Values.yaml</a>.</p> <p>However, an issue arises when you try to uninstall the Kiali-operator Helm chart. The Kiali instance will have a finalizer attached to it, which prevents its deletion. This results in the successful uninstallation of the operator, but the Kiali instance remains running in your cluster.</p> <p>To resolve this, you have two options:</p> <ol> <li>Manually avoid using the CR object in the Helm values and create your own Kiali instance manifest. This way, you can manage the Kiali instance directly, avoiding the Helm chart's default behavior.</li> <li>Automate the deletion of the Kiali instance by adding a Helm hook job that will run before the operator is uninstalled. This job will patch the Kiali instance to remove the finalizer and then delete the instance, ensuring the operator is fully removed.</li> </ol> <p>Here’s how you can define a Helm hook job to handle this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">batch/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Job</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">delete-kiali-cr"</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">.Release.Namespace</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s2">"</span><span class="s">kiali-operator"</span> <span class="na">annotations</span><span class="pi">:</span> <span class="s2">"</span><span class="s">helm.sh/hook"</span><span class="err">:</span> <span class="s">pre-delete</span> <span class="s">"helm.sh/hook-weight"</span><span class="err">:</span> <span class="s2">"</span><span class="s">-1"</span> <span class="s2">"</span><span class="s">helm.sh/hook-delete-policy"</span><span class="err">:</span> <span class="s">before-hook-creation,hook-succeeded</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccount</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "kiali-operator.fullname" .</span> <span class="pi">}}</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">include "kiali-operator.fullname" .</span> <span class="pi">}}</span> <span class="c1"># Use the service account defined above</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">kubectl"</span> <span class="na">image</span><span class="pi">:</span> <span class="s2">"</span><span class="s">bitnami/kubectl:latest"</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/bin/sh"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-c"</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">kubectl patch kiali kiali -p '{"metadata":{"finalizers":null}}' --type=merge -n "{{ .Values.cr.namespace }}"</span> <span class="s">kubectl delete kiali kiali -n "{{ .Values.cr.namespace }}"</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">Never</span> <span class="pi">{{</span><span class="nv">- if .Values.tolerations</span> <span class="pi">}}</span> <span class="na">tolerations</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- toYaml .Values.tolerations | nindent 8</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- if .Values.nodeSelector</span> <span class="pi">}}</span> <span class="na">nodeSelector</span><span class="pi">:</span> <span class="pi">{{</span><span class="nv">- toYaml .Values.nodeSelector | nindent 8</span> <span class="pi">}}</span> <span class="pi">{{</span><span class="nv">- end</span> <span class="pi">}}</span> </code></pre> </div> <p>In this post, we explore the challenges that arise when deploying the Kiali-operator with Helm and creating a Kiali instance, especially when uninstalling the operator. We’ll walk through two solutions for dealing with the Kiali instance finalizer issue and ensuring smooth removal of the operator and associated resources.</p> kiali istio helm kubernetes Boriss V Fri, 14 Mar 2025 07:06:00 +0000 https://dev.to/bnovickovs/k3s-pull-through-image-cache-49h5 https://dev.to/bnovickovs/k3s-pull-through-image-cache-49h5 <p>When running K3s locally, pulling images from container registries can take a significant amount of time. To address this, we set up local caching pass-through registries to store images and configure the local K3s cluster to use these proxies. A similar method can be employed in production environments, particularly in air-gapped setups. This approach can also be used to ensure that all necessary images are available in local registries. It also helps overcome issues with Docker Hub rate limits.</p> <p>Regarding <a href="https://docs.k3s.io/installation/private-registry" rel="noopener noreferrer">the guide on private registries for K3s</a>, it provides a useful overview. However, it doesn't go into detail about using one of the most popular open-source registries, Harbor. In this post, I will explain how this can be done.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwa11hscpqwnl1rkhjpde.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwa11hscpqwnl1rkhjpde.png" alt=" " width="800" height="345"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fniffvtl5d5f5lx9ql7uj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fniffvtl5d5f5lx9ql7uj.png" alt=" " width="800" height="345"></a></p> <p>Whenever the Harbor registry is configured as shown in the screenshots above (you can also use Terraform for this if needed), it's time to configure containerd for K3s. Ensure that your registry is configured for HTTPS with the following settings:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># https related config</span> https: <span class="c"># https port for harbor, default is 443</span> port: 443 <span class="c"># The path of cert and key files for nginx</span> certificate: /etc/letsencrypt/live/.../fullchain.pem private_key: /etc/letsencrypt/live/.../privkey.pem<span class="sb">`</span> </code></pre> </div> <p>Configure containerd mirrors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">cat registries.yaml</span> <span class="na">mirrors</span><span class="pi">:</span> <span class="na">docker.io</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://your-registry-com:443/v2/proxy-docker.io</span> <span class="na">ghcr.io</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://your-registry-com:443/v2/proxy-ghcr.io</span> <span class="na">gcr.io</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://your-registry-com:443/v2/proxy-gcr.io</span> <span class="na">registry.k8s.io</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://your-registry-com:443/v2/proxy-registry.k8s.io</span> <span class="na">quay.io</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://your-registry-com:443/v2/proxy-quay.io</span> </code></pre> </div> <p>This file should be placed in the K3s folder before starting the cluster.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> /etc/rancher/k3s/ <span class="nb">cp </span>registries.yaml /etc/rancher/k3s/registries.yaml curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_EXEC</span><span class="o">=</span><span class="s1">'...'</span> <span class="nv">K3S_TOKEN</span><span class="o">=</span>... sh - </code></pre> </div> <p>By following the steps outlined in this guide, you'll ensure that your K3s cluster is efficiently pulling images from your local registry, reducing latency and increasing reliability. </p> <p>References:</p> <p><a href="https://www.talos.dev/v1.9/talos-guides/configuration/pull-through-cache/" rel="noopener noreferrer">https://www.talos.dev/v1.9/talos-guides/configuration/pull-through-cache/</a></p> k3s kubernetes containers harbor