Add targeted audit policy rules that suppress high-frequency, low-value requests which were generating ~570k audit events per 10 hours and causing kube-apiserver to consume 260-316m CPU per node.

Suppressed categories (no security impact):
- coordination.k8s.io/leases: controller/node heartbeats (86k GET + 46k PUT/10h)
- /healthz*, /readyz*, /livez*, /openapi*, /version: probe & discovery endpoints
- system:nodes user group: kubelet node status updates
- endpoints + endpointslices GET/LIST/WATCH: Cilium/CoreDNS polling

All other requests continue to be logged at Metadata level.

Result: 76% of audit events suppressed, non-leader apiserver CPU dropped ~50-60% (316m -> 125m on standby nodes). Policy lives in the patch file so it survives cluster resets via talhelper genconfig.
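The following is an added example of what such a patch can look like; it is not the repository's own patch file. It assumes the control-plane patch directory and a file name of `controller/audit-policy.yaml`, and that the policy is set through the Talos `cluster.apiServer.auditPolicy` machine-config field, which takes a standard `audit.k8s.io/v1` Policy document. One deliberate difference from a blanket `system:nodes` group match: the kubelet rule below is scoped to `nodes/status` update/patch requests, which is the traffic the commit message names, so kubelet reads of secrets and configmaps remain in the audit log.

```yaml
# controller/audit-policy.yaml (assumed path; added example, not the repo's own file).
# Talos machine-config patch for control-plane nodes. The policy replaces the
# Talos default of logging every request at Metadata level.
cluster:
  apiServer:
    auditPolicy:
      apiVersion: audit.k8s.io/v1
      kind: Policy
      # Rules are evaluated top to bottom and the first match wins, so every
      # suppression must sit above the catch-all Metadata rule at the end.
      rules:
        # Lease heartbeats from controllers and kubelets (all verbs).
        - level: None
          resources:
            - group: coordination.k8s.io
              resources: ["leases"]
        # Probe and discovery endpoints are non-resource URLs; a trailing "*"
        # matches the whole prefix.
        - level: None
          nonResourceURLs:
            - "/healthz*"
            - "/readyz*"
            - "/livez*"
            - "/openapi*"
            - "/version"
        # Kubelet node status updates only. Matching userGroups alone would
        # also silence kubelet reads of secrets/configmaps, so the rule is
        # narrowed to the nodes/status subresource and write verbs.
        - level: None
          userGroups: ["system:nodes"]
          verbs: ["update", "patch"]
          resources:
            - group: ""
              resources: ["nodes/status"]
        # Read-only endpoint polling by Cilium and CoreDNS. Writes to these
        # resources fall through to the Metadata rule and stay logged.
        - level: None
          verbs: ["get", "list", "watch"]
          resources:
            - group: ""
              resources: ["endpoints"]
            - group: discovery.k8s.io
              resources: ["endpointslices"]
        # Everything else keeps Metadata-level logging.
        - level: Metadata
```

After regenerating with talhelper genconfig, inspect the rendered control-plane config and confirm the `rules` list is exactly the one above (and not merged with or appended to the default Metadata rule), since a stray `level: Metadata` rule ahead of the suppressions would silently re-enable the logging you meant to drop.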
Talos Patching
This directory contains Kustomization patches that are added to the talhelper configuration file.
https://www.talos.dev/v1.7/talos-guides/configuration/patching/
Patch Directories
Under this patches directory, there are several sub-directories that can contain patches that are added to the talhelper configuration file.
Each directory is optional and therefore might not be created by default.

- global/: patches that are applied to both the controller and worker configurations
- controller/: patches that are applied to the controller configurations
- worker/: patches that are applied to the worker configurations
- ${node-hostname}/: patches that are applied to the node with the specified name
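As an added illustration (not the repository's own talconfig.yaml) of how the four directories map onto the talhelper configuration: talhelper references patch files with its `@<path>` syntax, which loads the file contents in place. The cluster name, node hostname, IP address, disk and file names below are assumptions, and the key names follow talhelper's schema as understood here.

```yaml
# talconfig.yaml (excerpt; added example with assumed values).
clusterName: home-cluster
patches:                               # global/: applied to every node
  - "@./patches/global/example.yaml"
controlPlane:
  patches:                             # controller/: control-plane nodes only
    - "@./patches/controller/example.yaml"
worker:
  patches:                             # worker/: worker nodes only
    - "@./patches/worker/example.yaml"
nodes:
  - hostname: cp-1                     # assumed hostname
    ipAddress: 10.0.0.11               # assumed address
    controlPlane: true
    installDisk: /dev/sda              # assumed disk
    patches:                           # ${node-hostname}/: this node only
      - "@./patches/cp-1/example.yaml"
```

Patches in the more specific scopes are layered on top of the global ones, so a per-node file under `${node-hostname}/` is the place for settings that must differ from the rest of its role.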