From c0fcd3976bfcaad89f9f2b6a35ccbc7743d82f6f Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Wed, 30 Jul 2025 21:59:32 +0800
Subject: [PATCH] feat(biohazard/talos): yeetecus KubePrism & discovery
---
 kube/bootstrap/flux/flux-install-localhost.yaml | 2 +-
 kube/clusters/biohazard/talos/talconfig.yaml | 9 ++++-----
 2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/kube/bootstrap/flux/flux-install-localhost.yaml b/kube/bootstrap/flux/flux-install-localhost.yaml
index 3b4c981e..432b24f7 100644
--- a/kube/bootstrap/flux/flux-install-localhost.yaml
+++ b/kube/bootstrap/flux/flux-install-localhost.yaml
@@ -66,7 +66,7 @@ spec:
 path: /spec/template/spec/containers/0/env/-
 value:
 name: KUBERNETES_SERVICE_PORT
- value: "7445" # Talos KubePrism
+ value: "6443" # schedules on controlplane only
 - op: add
 path: /spec/template/spec/containers/0/env/-
 value:
diff --git a/kube/clusters/biohazard/talos/talconfig.yaml b/kube/clusters/biohazard/talos/talconfig.yaml
index f477c3ad..979f6c63 100755
--- a/kube/clusters/biohazard/talos/talconfig.yaml
+++ b/kube/clusters/biohazard/talos/talconfig.yaml
@@ -302,10 +302,10 @@ patches:
 allowSchedulingOnMasters: true
 allowSchedulingOnControlPlanes: true
 discovery:
- enabled: true
+ enabled: false
 registries:
 kubernetes:
- disabled: false
+ disabled: true
 service:
 disabled: true
 proxy:
@@ -315,8 +315,7 @@ patches:
 machine:
 features:
 kubePrism:
- enabled: true
- port: 7445
+ enabled: false
 - &hostDNS |
 machine:
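Review bot: The new `value: "6443"` only reaches an API server if the Flux controller pod really lands on a control-plane node, and nothing in this hunk enforces that — the `# schedules on controlplane only` comment describes a constraint that lives in a different patch (the nodeSelector/tolerations and the `KUBERNETES_SERVICE_HOST` entry are outside this hunk), so if that placement patch is ever dropped the controller would presumably dial a worker's own 6443 and fail with an opaque connection error. I'd make the comment name the guarantee it depends on: `value: "6443" # kube-apiserver host port; relies on the control-plane nodeSelector/toleration patch in this file`. It is also worth confirming that the host name the controller dials (presumably localhost, given the file name) is a SAN on the kube-apiserver serving certificate now that KubePrism's local listener is no longer in the path, otherwise verification against the in-cluster CA fails. The enclosing JSON-patch list continues outside the hunk on both sides.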
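Review bot: With `enabled: false` on `discovery`, the `registries.kubernetes.disabled: true` change just below it is dead configuration — the `service` registry was already disabled in the context lines, so both registries are off regardless, and a reader must check three keys to learn that node discovery is fully gone. I'd either leave the registry toggles untouched or annotate the top-level switch: `enabled: false # no discovery: kubernetes registry needs AuthorizeNodeWithSelectors=false on the apiserver (removed), service registry already off`. Talos uses discovery data for cluster membership (`talosctl get members`, KubeSpan and, as I understand it, locating peers when a control-plane node joins), so it would help to record in the commit message or a comment how new control-plane nodes are expected to find etcd without it. The `patches:` document this block belongs to starts and ends outside the hunk.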
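Review bot: Disabling `kubePrism` removes the host-local `:7445` endpoint, but this diff only repoints the Flux controllers; any other host-networked component configured against 127.0.0.1:7445 — the CNI is the usual case on Talos, since KubePrism is the documented way to give it an API endpoint before Services exist — is not touched here, and there is no sign in the diffstat that it was checked. I'd grep the repository for `7445` before merging, note the result in the commit message, and leave a breadcrumb on the new line: `enabled: false # flux repointed to 6443 in kube/bootstrap/flux/flux-install-localhost.yaml; nothing else may depend on :7445`. Removing `port: 7445` alongside is fine, since the port has no effect while the feature is off. The `machine:` patch holding this block starts outside the hunk and the `&hostDNS` block scalar after it is cut off.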
@@ -576,7 +575,7 @@ controlPlane:
 cluster:
 apiServer:
 extraArgs:
- feature-gates: AuthorizeNodeWithSelectors=false,UserNamespacesSupport=true,UserNamespacesPodSecurityStandards=true,PodLevelResources=true,MutatingAdmissionPolicy=true # K8s 1.32 authz breaks Talos node discovery via Kubernetes, K8s 1.32+ user namespaces, K8s 1.32+ pod level resources, K8s 1.32+ mutating admission policy to avoid Kyverno
+ feature-gates: UserNamespacesSupport=true,UserNamespacesPodSecurityStandards=true,PodLevelResources=true,MutatingAdmissionPolicy=true # K8s 1.32+ user namespaces, K8s 1.32+ pod level resources, K8s 1.32+ mutating admission policy to avoid Kyverno
 controllerManager:
 extraArgs:
 feature-gates: PodLevelResources=true
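Review bot: The rewritten `feature-gates:` comment no longer records why `AuthorizeNodeWithSelectors=false` went away, so a maintainer who later re-enables the Kubernetes discovery registry in the `discovery:` patch earlier in this file has nothing telling them the node authorizer will block it again. Leaving the gate at its default is the safer posture (the old comment itself said it was relaxed only for Talos discovery via Kubernetes), so I'd keep that dependency visible on the line: `# AuthorizeNodeWithSelectors left at default: requires discovery.registries.kubernetes to stay disabled`. The `apiServer` mapping continues outside the hunk on both sides.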