Dev/talos-cluster
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
62 Commits 1 Branch 0 Tags
f7e635e3f13577d7d060f3e3985e269c013c14b8
Commit Graph

62 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Laur IVAN
f7e635e3f1 talos: tune kube-apiserver audit policy to reduce CPU overhead 
Add targeted audit policy rules that suppress high-frequency, low-value
requests which were generating ~570k audit events per 10 hours and
causing kube-apiserver to consume 260-316m CPU per node.

Suppressed categories (no security impact):
- coordination.k8s.io/leases: controller/node heartbeats (86k GET + 46k PUT/10h)
- /healthz*, /readyz*, /livez*, /openapi*, /version: probe & discovery endpoints
- system:nodes user group: kubelet node status updates
- endpoints + endpointslices GET/LIST/WATCH: Cilium/CoreDNS polling

All other requests continue to be logged at Metadata level.

Result: 76% of audit events suppressed, non-leader apiserver CPU dropped
~50-60% (316m -> 125m on standby nodes). Policy lives in the patch file
so it survives cluster resets via talhelper genconfig.
 2026-02-25 11:56:36 +01:00
Laur IVAN
9b1b3e62a4 chore: removed some apps temporary 2026-02-25 01:12:28 +01:00
Laur IVAN
3402709523 fix(rook-ceph): reduce CPU requests for homelab 4-vCPU VMs 
Default Rook requests (mon=1100m, mgr=700m, CSI sidecars=250-650m)
were consuming 17,860m across an 11,850m cluster, causing ESXi CPU
overcommit stalls that broke kube-apiserver connectivity and lost
leader elections in kube-controller-manager/cilium-operator/openebs.

New values target ~2,500m total Rook CPU requests:
- mon: 200m (was 1100m)
- mgr: 100m (was 700m)
- mds: 100m (was ~500m)
- osd: 200m (was no request, 8Gi memory limit)
- CSI sidecars: 10-50m each (was 100-250m each)
 2026-02-24 23:55:44 +01:00
Laur IVAN
14ab7d1a26 fix(infisical): update chart to 0.4.2, migrate to MongoDB schema 2026-02-24 23:28:41 +01:00
Laur IVAN
e81b41c938 chore: Again, not using OCI. 2026-02-24 23:08:16 +01:00
Laur IVAN
f66d1dd54f chore: Again 2026-02-24 22:46:06 +01:00
Laur IVAN
44887ef302 fix: oci dir 2026-02-24 20:49:56 +01:00
Laur IVAN
bed6ec3064 chore.: some aliases 2026-02-24 20:47:51 +01:00
Laur IVAN
77ce16909e chore:: Initial commit for mysql. 2026-02-24 19:20:36 +01:00
Laur IVAN
e6aa0abcd9 fix: Fix deployment for infisical 2026-02-24 19:13:53 +01:00
Laur IVAN
9fe66a27eb chore: Add infisical 2026-02-24 19:06:42 +01:00
Laur IVAN
8d1814b58b fix: wrong namespace for dependency 2026-02-24 16:17:51 +01:00
Laur IVAN
4f90e1a09d chore: Forgot helmrelease. 2026-02-24 14:56:46 +01:00
Laur IVAN
0e8a05c334 fix: No external secrets yet 2026-02-24 14:49:55 +01:00
Laur IVAN
b1d5500d77 feat: Add rook-ceph on the spare disks (VM only) 2026-02-24 14:47:26 +01:00
Laur IVAN
718b49f971 fix: Old file name 2026-02-24 14:17:14 +01:00
Laur IVAN
65d9b5ca2c chore: Repurpose openebs to be local FS 2026-02-24 14:14:26 +01:00
Laur IVAN
aef3651518 chore: Add skeletons for future containers 
fix: Corrected observability namespace

- Add atuin but not enabled yet.
 2026-02-24 13:56:21 +01:00
Laur IVAN
355e247ff5 fix: Target namespace for grafana. Still doesn't work because of external secrets. 2026-02-24 11:52:47 +01:00
Laur IVAN
f2311ddc7a chore: final? 2026-02-12 03:04:02 +01:00
Laur IVAN
a2f997aff2 Again 2026-02-12 02:53:53 +01:00
Laur IVAN
124bc7fd85 chore: Again 2026-02-12 02:36:38 +01:00
Laur IVAN
8da9ae3d6b chore: again 2026-02-12 02:33:39 +01:00
Laur IVAN
0d8b027855 chore: cleanup. 2026-02-12 02:27:01 +01:00
Laur IVAN
d640040720 chore: enable hubble 2026-02-12 02:10:19 +01:00
Laur IVAN
2c7850ef38 chore: Remove oidc 2026-02-12 01:43:22 +01:00
Laur IVAN
6412ee3601 fix: Proper internal name 2026-02-12 01:00:39 +01:00
Laur IVAN
1b75e06a3b chore: Again 2026-02-12 00:29:33 +01:00
Laur IVAN
f5997b2256 chore: Another fix for headlamp 2026-02-12 00:27:19 +01:00
Laur IVAN
f40ee202da chore: Move tuppr to beta for the time being. 2026-02-12 00:03:54 +01:00
Laur IVAN
0009156ad4 chore: Another attempt 2026-02-12 00:01:39 +01:00
Laur IVAN
b8023c4105 chore: More namespace 2026-02-11 23:59:18 +01:00
Laur IVAN
afe0203815 chore: Another attempt 2026-02-11 23:53:03 +01:00
Laur IVAN
1132da2501 fix: Remove targetNamespace 2026-02-11 23:38:21 +01:00
Laur IVAN
dbbdbe41df fix: Typo in tuppr 2026-02-11 23:34:37 +01:00
Laur IVAN
74c7f551a9 fix: fix tuppr 2026-02-11 23:26:15 +01:00
Laur IVAN
0d386b9de1 fix: add namespace to tuppr kustomizations to prevent duplicate namespace error 2026-02-11 21:10:30 +01:00
Laur IVAN
e610b5dd4d chore: Add dummy security kustomization (only namespace). 2026-02-11 20:24:38 +01:00
Laur IVAN
f73b1ece5a fix: Attempt to install headlamp again. 2026-02-11 20:10:01 +01:00
Laur IVAN
df439c9866 chore: Removed obsolete externalsecrets 2026-02-11 15:08:37 +01:00
Laur IVAN
2790e3921c chore: Update headlamp 2026-02-11 15:02:21 +01:00
Laur IVAN
b68634a624 fix: Fix kubeconfig for editor. 2026-02-11 14:59:27 +01:00
Laur IVAN
b06be19c5a fix: Fixed the volsync jitter. 2026-02-11 11:59:56 +01:00
Laur IVAN
0c1aaa5f8b chore: Update talos to 1.12.3/ k8s to 1.35.0 2026-02-11 10:06:28 +01:00
Laur IVAN
282ce1f09c fix: Add missing file. 2026-02-11 01:04:21 +01:00
Laur IVAN
f1c7fcc784 fix: Fix ocirepo. 2026-02-11 00:53:07 +01:00
Laur IVAN
111e6035ae chore: Add talos upgrade 2026-02-11 00:44:30 +01:00
Laur IVAN
3a222fcc62 chore: Rebuild cluster 2026-02-11 00:37:26 +01:00
Laur IVAN
e11ec69113 feat: Add volsync and snapshot-controller. 2026-02-09 09:45:27 +01:00
Laur IVAN
5a90c0c27f feat: Add OpenEBS. 2026-02-09 09:19:43 +01:00