diff --git a/kube/bootstrap/flux/flux-install-localhost.yaml b/kube/bootstrap/flux/flux-install-localhost.yaml
index 3b4c981e..432b24f7 100644
--- a/kube/bootstrap/flux/flux-install-localhost.yaml
+++ b/kube/bootstrap/flux/flux-install-localhost.yaml
@@ -66,7 +66,7 @@ spec:
 path: /spec/template/spec/containers/0/env/-
 value:
 name: KUBERNETES_SERVICE_PORT
- value: "7445" # Talos KubePrism
+ value: "6443" # schedules on controlplane only
 - op: add
 path: /spec/template/spec/containers/0/env/-
 value:
diff --git a/kube/clusters/biohazard/talos/talconfig.yaml b/kube/clusters/biohazard/talos/talconfig.yaml
index f477c3ad..979f6c63 100755
--- a/kube/clusters/biohazard/talos/talconfig.yaml
+++ b/kube/clusters/biohazard/talos/talconfig.yaml
@@ -302,10 +302,10 @@ patches:
 allowSchedulingOnMasters: true
 allowSchedulingOnControlPlanes: true
 discovery:
- enabled: true
+ enabled: false
 registries:
 kubernetes:
- disabled: false
+ disabled: true
 service:
 disabled: true
 proxy:
@@ -315,8 +315,7 @@ patches:
 machine:
 features:
 kubePrism:
- enabled: true
- port: 7445
+ enabled: false
 
 - &hostDNS |
 machine:
@@ -576,7 +575,7 @@ controlPlane:
 cluster:
 apiServer:
 extraArgs:
- feature-gates: AuthorizeNodeWithSelectors=false,UserNamespacesSupport=true,UserNamespacesPodSecurityStandards=true,PodLevelResources=true,MutatingAdmissionPolicy=true # K8s 1.32 authz breaks Talos node discovery via Kubernetes, K8s 1.32+ user namespaces, K8s 1.32+ pod level resources, K8s 1.32+ mutating admission policy to avoid Kyverno
+ feature-gates: UserNamespacesSupport=true,UserNamespacesPodSecurityStandards=true,PodLevelResources=true,MutatingAdmissionPolicy=true # K8s 1.32+ user namespaces, K8s 1.32+ pod level resources, K8s 1.32+ mutating admission policy to avoid Kyverno
 controllerManager:
 extraArgs:
 feature-gates: PodLevelResources=true
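Review bot: The new comment on the KUBERNETES_SERVICE_PORT patch records a precondition ("schedules on controlplane only") that nothing in this hunk enforces; pointing the env var at 6443 instead of the KubePrism port only works if the pod lands on a node where the apiserver actually listens on 6443 at whatever KUBERNETES_SERVICE_HOST resolves to. If the nodeSelector/toleration lives in another patch of this list, name it in the comment, e.g. `value: "6443" # apiserver port (KubePrism off); requires the controlplane nodeSelector patch in this list`; otherwise add the scheduling constraint to this same patch so a later scheduler or topology change cannot silently route the controllers to a worker where 6443 is closed. The enclosing JSON-patch list starts outside the hunk, and the env entry added right after it (presumably KUBERNETES_SERVICE_HOST, not visible) is cut off.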
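Review bot: `discovery.enabled: false` and `registries.kubernetes.disabled: true` are set without any comment, yet the reason appears to be the apiServer feature-gates hunk at -576 in the same file, which drops `AuthorizeNodeWithSelectors=false` — the removed comment there said the K8s 1.32 node authorizer breaks Talos node discovery via Kubernetes. Record that coupling next to `discovery:` so a future maintainer does not re-enable the Kubernetes registry without restoring the gate, e.g. `# off: K8s 1.32+ node authorizer (AuthorizeNodeWithSelectors) blocks Kubernetes-registry discovery; see apiServer feature-gates`. With `enabled: false` the per-registry `disabled` flags are redundant, which is harmless but worth one word in that comment. Dropping the `=false` override is the right direction security-wise: the stricter node authorizer is kept rather than weakened cluster-wide for a discovery convenience. The same note covers the feature-gates hunk; the `patches:` list starts outside both hunks.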
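Review bot: Disabling kubePrism removes the node-local 7445 endpoint, and the only consumer this diff updates is the flux KUBERNETES_SERVICE_PORT patch; any other component configured to reach the API on 7445 (CNI, operators with a hard-coded host/port — none visible here) loses API access once this rolls out. Add a one-line comment at `kubePrism:` stating the new contract, e.g. `enabled: false # no local 7445 load balancer; in-cluster clients must reach the apiserver on 6443`, and check the repo for remaining 7445 references before merging. The surrounding `machine` patch continues outside the hunk.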