Kubernetes homelab
Questo progetto documenta la creazione di un ambiente Kubernetes completo per uso domestico, ideale per sperimentare e apprendere tecnologie cloud-native. Un homelab Kubernetes offre l'opportunità di acquisire competenze pratiche su orchestrazione di container, alta disponibilità e automazione dell'infrastruttura in un ambiente controllato.
Setup dei nodi e del bastion
Dove si crea la configurazione iniziale dell'infrastruttura e si predispone il sistema di accesso sicuro.
Airgapped talos
https://www.talos.dev/v1.10/advanced/air-gapped/
Test pull di una immagine e push su repo locale:
docker pull nginx:1.29.0
docker tag nginx:1.29.0 registry.300510300.xyz:6000/nginx:1.29.0
docker push registry.300510300.xyz:6000/nginx:1.29.0
Air-gapped Talos linux
Dove si installa un sistema operativo specializzato in ambiente isolato dalla rete esterna.
talosctl gen config nuc https://192.168.0.104:6443 --with-docs=false --with-examples=false
talosctl apply-config --insecure -f controlplane-airgapped.yaml --nodes 192.168.1.104
talosctl bootstrap --nodes 192.168.1.104
version: v1alpha1 # Indicates the schema used to decode the contents.
debug: false # Enable verbose logging to the console.
persist: true
# Provides machine specific configuration options.
machine:
registries:
mirrors:
docker.io:
endpoints:
- 'http://192.168.1.103:6000/'
gcr.io:
endpoints:
- 'http://192.168.1.103:6000/'
ghcr.io:
endpoints:
- 'http://192.168.1.103:6000/'
registry.k8s.io:
endpoints:
- 'http://192.168.1.103:6000/'
registry.300510300.xyz:5000:
endpoints:
- 'http://192.168.1.103:6000/'
config:
registry.300510300.xyz:6000:
tls:
insecureSkipVerify: true
type: controlplane # Defines the role of the machine within the cluster.
token: 8u3t8s.8iuxgvf1r90w5igf # The `token` is used by a machine to join the PKI of the cluster.
# The root certificate authority of the PKI.
ca:
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBcERQd2Z5QXErVngyQlRLL3ViejRvakFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qVXdOakl3TVRZd01UUTNXaGNOTXpVd05qRTRNVFl3TVRRM1dqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQUVDRzlEUkxncTNnQXNCVS9TWE5aU1J2MS9sMlJ6VTA3UUl3CkhtVEZTVERSbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRk41bXdnb3gyb2tWZVMyMwo0U2lNcVl1WUY0V1dNQVVHQXl0bGNBTkJBRlJLejMzZStRWlhKNDlQKy9iV3RWdVlHWHJyUmRCVjE3aWQySWNuCnE0ak1rQmJGODBQN0U4SHFVMlpzM3BMLytDRHJtSVF0amdRYVNJbVZSdElRUGdRPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJRXRrSzdIWkVMeXhEQkRNT0R4eXI5VHd3amh1a0JqZVlmai84TDNYN2E0WgotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
# Extra certificate subject alternative names for the machine's certificate.
certSANs: []
# # Uncomment this to enable SANs.
# - 10.0.0.10
# - 172.16.0.10
# - 192.168.0.10
# Used to provide additional options to the kubelet.
kubelet:
image: ghcr.io/siderolabs/kubelet:v1.33.1 # The `image` field is an optional reference to an alternative kubelet image.
defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.
disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.
# # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
# clusterDNS:
# - 10.96.0.10
# - 169.254.2.53
# # The `extraArgs` field is used to provide additional flags to the kubelet.
# extraArgs:
# key: value
# # The `extraMounts` field is used to add additional mounts to the kubelet container.
# extraMounts:
# - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
# type: bind # Type specifies the mount kind.
# source: /var/lib/example # Source specifies the source path of the mount.
# # Options are fstab style mount options.
# options:
# - bind
# - rshared
# - rw
# # The `extraConfig` field is used to provide kubelet configuration overrides.
# extraConfig:
# serverTLSBootstrap: true
# # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.
# credentialProviderConfig:
# apiVersion: kubelet.config.k8s.io/v1
# kind: CredentialProviderConfig
# providers:
# - apiVersion: credentialprovider.kubelet.k8s.io/v1
# defaultCacheDuration: 12h
# matchImages:
# - '*.dkr.ecr.*.amazonaws.com'
# - '*.dkr.ecr.*.amazonaws.com.cn'
# - '*.dkr.ecr-fips.*.amazonaws.com'
# - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'
# - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'
# name: ecr-credential-provider
# # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
# nodeIP:
# # The `validSubnets` field configures the networks to pick kubelet node IP from.
# validSubnets:
# - 10.0.0.0/8
# - '!10.0.0.3/32'
# - fdc7::/16
# Provides machine specific network configuration options.
network: {}
# # `interfaces` is used to define the network interface configuration.
# interfaces:
# - interface: enp0s1 # The interface name.
# # Assigns static IP addresses to the interface.
# addresses:
# - 192.168.2.0/24
# # A list of routes associated with the interface.
# routes:
# - network: 0.0.0.0/0 # The route's network (destination).
# gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
# metric: 1024 # The optional metric for the route.
# mtu: 1500 # The interface's MTU.
#
# # # Picks a network device using the selector.
# # # select a device with bus prefix 00:*.
# # deviceSelector:
# # busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
# # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
# # deviceSelector:
# # hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
# # driver: virtio_net # Kernel driver, supports matching by wildcard.
# # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
# # deviceSelector:
# # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
# # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
# # driver: virtio_net # Kernel driver, supports matching by wildcard.
# # # Bond specific options.
# # bond:
# # # The interfaces that make up the bond.
# # interfaces:
# # - enp2s0
# # - enp2s1
# # # Picks a network device using the selector.
# # deviceSelectors:
# # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
# # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
# # driver: virtio_net # Kernel driver, supports matching by wildcard.
# # mode: 802.3ad # A bond option.
# # lacpRate: fast # A bond option.
# # # Bridge specific options.
# # bridge:
# # # The interfaces that make up the bridge.
# # interfaces:
# # - enxda4042ca9a51
# # - enxae2a6774c259
# # # Enable STP on this bridge.
# # stp:
# # enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
# # # Configure this device as a bridge port.
# # bridgePort:
# # master: br0 # The name of the bridge master interface
# # # Indicates if DHCP should be used to configure the interface.
# # dhcp: true
# # # DHCP specific options.
# # dhcpOptions:
# # routeMetric: 1024 # The priority of all routes received via DHCP.
# # # Wireguard specific configuration.
# # # wireguard server example
# # wireguard:
# # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
# # listenPort: 51111 # Specifies a device's listening port.
# # # Specifies a list of peer configurations to apply to a device.
# # peers:
# # - publicKey: ABCDEF... # Specifies the public key of this peer.
# # endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
# # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
# # allowedIPs:
# # - 192.168.1.0/24
# # # wireguard peer example
# # wireguard:
# # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
# # # Specifies a list of peer configurations to apply to a device.
# # peers:
# # - publicKey: ABCDEF... # Specifies the public key of this peer.
# # endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
# # persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
# # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
# # allowedIPs:
# # - 192.168.1.0/24
# # # Virtual (shared) IP address configuration.
# # # layer2 vip example
# # vip:
# # ip: 172.16.199.55 # Specifies the IP address to be used.
# # Used to statically set the nameservers for the machine.
# nameservers:
# - 8.8.8.8
# - 1.1.1.1
# # Used to statically set arbitrary search domains.
# searchDomains:
# - example.org
# - example.com
# # Allows for extra entries to be added to the `/etc/hosts` file
# extraHostEntries:
# - ip: 192.168.1.100 # The IP of the host.
# # The host alias.
# aliases:
# - example
# - example.domain.tld
# # Configures KubeSpan feature.
# kubespan:
# enabled: true # Enable the KubeSpan feature.
# Used to provide instructions for installations.
install:
disk: /dev/sda # The disk used for installations.
image: ghcr.io/siderolabs/installer:v1.10.4 # Allows for supplying the image used to perform the installation.
wipe: false # Indicates if the installation disk should be wiped at installation time.
# # Look up disk using disk attributes like model, size, serial and others.
# diskSelector:
# size: 4GB # Disk size.
# model: WDC* # Disk model `/sys/block/<dev>/device/model`.
# busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.
# # Allows for supplying extra kernel args via the bootloader.
# extraKernelArgs:
# - talos.platform=metal
# - reboot=k
# Used to configure the machine's container image registry mirrors.
#registries: {}
# # Specifies mirror configuration for each registry host namespace.
# mirrors:
# ghcr.io:
# # List of endpoints (URLs) for registry mirrors to use.
# endpoints:
# - https://registry.insecure
# - https://ghcr.io/v2/
# # Specifies TLS & auth configuration for HTTPS image registries.
# config:
# registry.insecure:
# # The TLS configuration for the registry.
# tls:
# insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).
#
# # # Enable mutual TLS authentication with the registry.
# # clientIdentity:
# # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
# # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
#
# # # The auth configuration for this registry.
# # auth:
# # username: username # Optional registry authentication.
# # password: password # Optional registry authentication.
# Features describe individual Talos features that can be switched on or off.
features:
rbac: true # Enable role-based access control (RBAC).
stableHostname: true # Enable stable default hostname.
apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid.
diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks.
# KubePrism - local proxy/load balancer on defined port that will distribute
kubePrism:
enabled: true # Enable KubePrism support - will start local load balancing proxy.
port: 7445 # KubePrism port.
# Configures host DNS caching resolver.
hostDNS:
enabled: true # Enable host DNS caching resolver.
forwardKubeDNSToHost: true # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods.
# # Configure Talos API access from Kubernetes pods.
# kubernetesTalosAPIAccess:
# enabled: true # Enable Talos API access from Kubernetes pods.
# # The list of Talos API roles which can be granted for access from Kubernetes pods.
# allowedRoles:
# - os:reader
# # The list of Kubernetes namespaces Talos API access is available from.
# allowedKubernetesNamespaces:
# - kube-system
# Configures the node labels for the machine.
nodeLabels:
node.kubernetes.io/exclude-from-external-load-balancers: ""
# # Provides machine specific control plane configuration options.
# # ControlPlane definition example.
# controlPlane:
# # Controller manager machine specific configuration options.
# controllerManager:
# disabled: false # Disable kube-controller-manager on the node.
# # Scheduler machine specific configuration options.
# scheduler:
# disabled: true # Disable kube-scheduler on the node.
# # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver.
# # nginx static pod.
# pods:
# - apiVersion: v1
# kind: pod
# metadata:
# name: nginx
# spec:
# containers:
# - image: nginx
# name: nginx
# # Allows the addition of user specified files.
# # MachineFiles usage example.
# files:
# - content: '...' # The contents of the file.
# permissions: 0o666 # The file's permissions in octal.
# path: /tmp/file.txt # The path of the file.
# op: append # The operation to use
# # The `env` field allows for the addition of environment variables.
# # Environment variables definition examples.
# env:
# GRPC_GO_LOG_SEVERITY_LEVEL: info
# GRPC_GO_LOG_VERBOSITY_LEVEL: "99"
# https_proxy: http://SERVER:PORT/
# env:
# GRPC_GO_LOG_SEVERITY_LEVEL: error
# https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/
# env:
# https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/
# # Used to configure the machine's time settings.
# # Example configuration for cloudflare ntp server.
# time:
# disabled: false # Indicates if the time service is disabled for the machine.
# # description: |
# servers:
# - time.cloudflare.com
# bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence.
# # Used to configure the machine's sysctls.
# # MachineSysctls usage example.
# sysctls:
# kernel.domainname: talos.dev
# net.ipv4.ip_forward: "0"
# net/ipv6/conf/eth0.100/disable_ipv6: "1"
# # Used to configure the machine's sysfs.
# # MachineSysfs usage example.
# sysfs:
# devices.system.cpu.cpu0.cpufreq.scaling_governor: performance
# # Machine system disk encryption configuration.
# systemDiskEncryption:
# # Ephemeral partition encryption.
# ephemeral:
# provider: luks2 # Encryption provider to use for the encryption.
# # Defines the encryption keys generation and storage method.
# keys:
# - # Deterministically generated key from the node UUID and PartitionLabel.
# nodeID: {}
# slot: 0 # Key slot number for LUKS2 encryption.
#
# # # KMS managed encryption key.
# # kms:
# # endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
#
# # # Cipher kind to use for the encryption. Depends on the encryption provider.
# # cipher: aes-xts-plain64
# # # Defines the encryption sector size.
# # blockSize: 4096
# # # Additional --perf parameters for the LUKS2 encryption.
# # options:
# # - no_read_workqueue
# # - no_write_workqueue
# # Configures the udev system.
# udev:
# # List of udev rules to apply to the udev system
# rules:
# - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
# # Configures the logging system.
# logging:
# # Logging destination.
# destinations:
# - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
# format: json_lines # Logs format.
# # Configures the kernel.
# kernel:
# # Kernel modules to load.
# modules:
# - name: brtfs # Module name.
# # Configures the seccomp profiles for the machine.
# seccompProfiles:
# - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
# # The `value` field is used to provide the seccomp profile.
# value:
# defaultAction: SCMP_ACT_LOG
# # Override (patch) settings in the default OCI runtime spec for CRI containers.
# # override default open file limit
# baseRuntimeSpecOverrides:
# process:
# rlimits:
# - hard: 1024
# soft: 1024
# type: RLIMIT_NOFILE
# # Configures the node annotations for the machine.
# # node annotations example.
# nodeAnnotations:
# customer.io/rack: r13a25
# # Configures the node taints for the machine. Effect is optional.
# # node taints example.
# nodeTaints:
# exampleTaint: exampleTaintValue:NoSchedule
# Provides cluster specific configuration options.
cluster:
id: i8RMAnjwHHD-gkVjDzKn3yXhjnVpEndltNqvxa_xpEM= # Globally unique identifier for this cluster (base64 encoded random 32 bytes).
secret: 8K5vhVpgReFTuD6+DfXSGJ8u7qeSZHZI4DKuzx/Kxs8= # Shared secret of cluster (base64 encoded random 32 bytes).
# Provides control plane specific configuration options.
controlPlane:
endpoint: https://192.168.1.100:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
clusterName: pdc # Configures the cluster's name.
# Provides cluster specific network configuration options.
network:
dnsDomain: cluster.local # The domain used by Kubernetes DNS.
# The pod subnet CIDR.
podSubnets:
- 10.244.0.0/16
# The service subnet CIDR.
serviceSubnets:
- 10.96.0.0/12
# # The CNI used.
# cni:
# name: custom # Name of CNI to use.
# # URLs containing manifests to apply for the CNI.
# urls:
# - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml
token: i5ttj2.xr9csgoriu9wqhyq # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster.
secretboxEncryptionSecret: ZN5LOKOSAkoIMmuzXgXPzEtwxDPBcBROl2MzZ29JewM= # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
# The base64 encoded root certificate authority used by Kubernetes.
ca:
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVRDZ0F3SUJBZ0lSQU44aTFtQWhmOTNZc0s4aGxlZkNtY0F3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOVEEyTWpBeE5qQXhORGRhRncwek5UQTJNVGd4TmpBeApORGRhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVFXR2hXcGdkdCtDNDhkOGRqTzNNNEpJWE1wNzk2UjJMZ1VZbjZpbXNhYkFzUnBJZzhtK250aVlMVysKV0RhWnlqc3BEbTVOTmJGYzZiSEJmeUFRR3lUVG8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGSHBxcWZuUE94VHdldjhkTGZQTzRSR2NoYVBTTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSVFDVXlLK2MKTW1VenE1MzJKc0M0M2JlWjBSeDJpSEdOZVpDdE50Y1Q4N3hrUUFJZ1JSRHRkNDNBSmIzRzNFOXF2UnlqZzRPWQpRT2hpL3BtTVJ2QlJJeTA0K2k0PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSVBnMEppTVFNNmMvMFNsdzNaek1yUWNaTjdkSWY1d2w3WjBvM3BheksvUEhvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFRmhvVnFZSGJmZ3VQSGZIWXp0ek9DU0Z6S2UvZWtkaTRGR0orb3ByR213TEVhU0lQSnZwNwpZbUMxdmxnMm1jbzdLUTV1VFRXeFhPbXh3WDhnRUJzazB3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
# The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.
aggregatorCA:
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJYekNDQVFhZ0F3SUJBZ0lSQU1oZEhUbFBOU01abWsycUxFbUZVMnN3Q2dZSUtvWkl6ajBFQXdJd0FEQWUKRncweU5UQTJNakF4TmpBeE5EZGFGdzB6TlRBMk1UZ3hOakF4TkRkYU1BQXdXVEFUQmdjcWhrak9QUUlCQmdncQpoa2pPUFFNQkJ3TkNBQVNOQUZvTnZJdUFNRnZZNFArM0dFNHRhSjVabWRnZGlhMi95T0pUcDZiSExYaGxLWWlXCkZ0R1ZlNFhKTWM1MzYvckdadkNsWmRsdVpvNTEzSXZEc2ExMm8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXcKSFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4dwpIUVlEVlIwT0JCWUVGS0ZXclpDOEdEbUpTeGZNa3A2WDEyNGM3cnZGTUFvR0NDcUdTTTQ5QkFNQ0EwY0FNRVFDCklIa1o5YVpPVGUwekFXK1VYVjVndWR6djZ6ZXAzQm9CTGdZOW5peDlTMnUrQWlCcWtTU21nZjVnRkZ1aklKdk8KSFdSa1ByQkdsYXcyUG96Q0F0dkNaREwwenc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUhLYTZ1ejNzTTA3Wi9TUnVWcmczU2xQNUx1WTB6d0Y0bER4YWtQNWw0bFFvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFalFCYURieUxnREJiMk9EL3R4aE9MV2llV1puWUhZbXR2OGppVTZlbXh5MTRaU21JbGhiUgpsWHVGeVRIT2QrdjZ4bWJ3cFdYWmJtYU9kZHlMdzdHdGRnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
# The base64 encoded private key for service account token generation.
serviceAccount:
key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS0FJQkFBS0NBZ0VBMVp5OHNSV0xaVVdqbXZ4dy84eVdxSElDdUtUUTJ0TjVMV1l4U2NKNFRPV3FzM0pjClBoaUl5ZDR5NzBBVUdjenRNRHVuWnppS21wQnNNSHVlMWtXTHdlb1dRTDhCM0I0bWtYTVBrM2dmTjB1RDB0cXIKNnh1QTlDSUw0NlRTMUFndktqeWtsTmpyRWorcXorYW9TdDdkbU5ocGFHK3I2bUp2eDUvN25oSXcyaEp4K3FMZApKTzRSaVNaMFQrc0pPWU01eGNNY3BXREJUTWJUMWVBNWUxbDU5TU9KRFI0REJ1YXVyMmxKYWxweUFETWxoWDFZCmRvR2RhaFRzQVlBUTJaMW9nM05USkNzWjVCektWZzBLck9VcmxYdTBnUXgvc3ZtczJ3Q2hpWGZCK3FMc2RnTEIKSUp3ejdDQ3ZEWmdqbVpyQzlPZHQza3VpWXljKzFBZlFMSHRjR3lJNm9GRDR1Wkk2R0pwb2d1QzBsQW4xck9zcApDWkVaRGN5TytCQjhFaEdUMEgySVQzMnVDMFVib0VhRnZ2VWRrWjlIbFhBcXFVZ0xocGs4dCtOYm9MTmdkMjlxCnArNnhoRTNvRFhEb3p0YkgvdzlVTGJsc2phR25NOVUxZkI2ZEpXODZuVFQ1MWV4cWNlNkc5cWc3aUdJZnZLSmsKWGltbnlRQW9ZdXRnVlQ5QThSVURnVHVDMkdJbHEreFhZU3RFdDlGamZUSFBjcHVUKzB5SVFYY09xbjA5TTZVTApIc1VMUmozRUpoTXJnbk1hTmpBRCtNVXpwNG40WHJRUDRjMStZSDZHVGxSMW92clZwWGNOd2J0WEw0ZGhsYTFyCmpXdmQyV1BCZUpkTjJsSFc0QUVaQlpIN01pQXNsTnRIZWw2ZXdERTNVbkNVZ2puWU5wWVVTUE0wazUwQ0F3RUEKQVFLQ0FnQlVCUUhjLzFYa1lBZFJjMEM1Qkk0dnRDUm8zdjc5UzFlcTZUcXl3ZWlTaW5WaGZyWlVnRTd4WTlJUgo4OWpVS3h3U01DeVF0NWNnNDNTQ2YyVkM3M2pncllQU05LNzFGdkRobmVtKy9lejlVVmtJNnhUYTlXYjczNVpnCmxGaU9xS2R3akFqS09TWUErQVRtSUZvS2xPMkJiSUhOWDdzMWhrRmtPZ044c2JnQVZtZjVodXpIMVZJVmFZZ3YKVlFtOFV1YTY2QnNRMjJVOG55bjhRbVVwcE5DSTJ3NUJtQS9sdTM5ekpFMEpwWWlZbG9XSUkzelRvL2k0SElHVgp0M3NwTlRaQ0dlN1dWNU9uKzBFRXByMlBzdFk1Umo2QjBkbzZtZVVKQVE4SXBJK3FWMEg5eXVpT3ZKSFpxeU5mCmkvdFl0QnhCdXZPbWo0WlFUTVAwSHh5ZEdtcG4wOFBkNmJHYUhJWGVlUnN4RTJFZ3JBbWx4d3pCV2tvOUVCNjkKMk5tcVJYT3VFYkFweXRWN3I1NDVKdjlZQldzWFl3QWcveTZUOFE2Ni9SbUpPK2kvT25raEI4YUI2QmhqY2p2dwpiVFJHN2tWT003SWpvdGh1NUlxdXdhdU9QV05tVEdReGE4YVFyZmw1OENWcG50R1JCaUppVnBvL2YvbCtIZ2VYCmt4NGwyZmZVVVFrK0NsTXIxNTA5MzByQ2FJb21OaEpZQW85OHlPRE9pOCt0SysvT1ByUTdIQm5IYS9TUnlScG8Kcmk5SktlcU12ZUcwa1Y1dlZTZUpYM2s2NjdjWGxXSXVDc2RmUUJUTmRNb3k5SVA0L2I0S0YxNDBndWhoRHEzZApXcnQ4SHB4NTJnWE40R2hWN2x6TTVYdjB2ejBjV29Kd2xIZ3BVdG5zNjEyMmNnbmIyd0tDQVFFQTc0cGNwTXVNCloyZElVWWJQK21hdnhZRGhkTTZrcjY3dGUzV0VBU2tmNHhESVMwTVlKY2dXZSs4V0FrRm9SSDVhZjFHWW9KU0MKaWpDY2I1ZUhJTHFqRFd5Rk5QbFYxV2VqM3QxcHN2S2tML3FJL3l4Vmlpb2pUWDhBQlFLZElPY1QzdllLaXQxVgpRa0VTZ09Zb29vNXNrcDRaUCtJaDRXOTc0WFVBVXpSVU9laGo3YWRHMldPSVdSU2Z1NWtpRE1xL0FIRHdERlNQCmRUbVdKUEsvbjliRmVnL2ZjSkFkOFRxRTFzQUJ2azNaczRXTnBWSU5TVW5uMW5DZzV2SnhLT1hwVDUwSThnQ1QKcnd1M2xkdmxlRW9UWjYrcmZQSjZTRFRGN3p6ekw2M3h2REltSTlWb3lpWGpZUUhzSldYUGsvU2cvZlQ5b01ZUwpjbHloc1p1TlFkdXBYd0tDQVFFQTVFcEkzdlJKcnUxL3BpYzlaZ3ZvblpoUXVmR3lLMCt2bitQY08wM1BkMW92ClhiakdiNnozVlFqL3MwSG1mWUZXNU1hdU9rYXFqU1ZwcG9KZm9EajlrNWk3elRieGtuREw0by9PQUtsOTdIamYKZWltSGl6eHJac3dMSEtrU2lNUUNsRndOVHpkNTNJa28xS0FnZHBkbjJ6WU91d3REckhNMlBRUzNGaVFvb0FnVQoyL0tUS1h6bHA3aUFieC9Tc0JpaEhmZkhmMjV1SXpHd0tkSS9DR1NDS0dFZDROeUREVmk5ZmlkZjhuMEJmdm43CjlzdkdyYkZoOUpTY3BXRWxpTVg2SFp2Si9GRDZ5S002S091L3d5c3FtS2Z1UWM5Tmw4YkZQS1ZWVVRZdTNjUjIKRys3YktUUzZSTzFJTVIwUlp6cjdSekZsMXU4L0NEZG0wYXBxWTVRWWd3S0NBUUVBanB6SHIyMW9PQi9ybEc0NAo0SkhHVUVYODlMZ2FvR1g3Q2FmYllYMkVlSUdEWGh1aUFzeHZablhmbXBRcWFhejRZQmpLVDhCYlA3N1ZSRExvCnhubVhuZVJnSWp2WCtHZnR6ai93TUJQNTRINitsWDFscUE2U1dnOGtpZGNXaVlKSitGSnYwR0VaNDRvdVpBT2oKYWJSMXU0elk1NG5RTmhGVHBkVXN6bHkzVUlxbEE5YTFmYk9lZDdxcHB0enl3cjdxbkc2ZzNCWjBHb3lnY1hyOAp6MExrNjFrTDVFNUpKVmQ3d3djcGdvMkM4VGl3TGg3OXZnWjhPdFZ2VmxBOVF1WXUwN0ZncEFQbjZTMkdyWGZ2CjFILzFzYU9LNjZiSldyZmdxQ0NYZ0dtRkpGQ1BHSUowRXZZZnU1K1RZbWlNL3orRG9lNzhHWDRUZVhiZzVZY0EKd0pidzdRS0NBUUFVVlIxcVpoMk42Kzg3a0RFaXZwcklOb0d5SGZtOWE4cDdsaUxPVVY3U0JZRkVlcW1KMXNEcwpuUEdST0tSYnQwSlMrL01XazZhckRaTDhWbzVIeWV1ajBxMmZXRzVwbVl3L01JbXJlMjBRdTY5RHhTRWlZSTQ4ClNKNFF2bW85TGlBQXNMWXF3UWtrZ0Q3WHVTOUxBSzhxVWdVNzJZUDhmd0pzcXRmWHEvN0dTaEg1aVFCY2FKaFgKdU5JUGs2a0RNQjVoZWVrVnkzTVp4Vm9vVDJaM3krUGZ6czZIY1h4bW11bTlxNm9iQWRFNVN2Q0xDWmszYlI0SgpWNWNnRDZmMUo1VGdRRGpjTlNZdzZvREtsanl0R0ZJaDZJc0s1M2pFdE5wcVRWdHM4VU41VXY4bCs3OGZTMmZ2CnJhYUpZVXBraEZkTy92SlFFMXpzMFdwaDhDaXJsOHdiQW9JQkFIeGZrVm9ZNXFmRDZINldaOHhrbXpSNldTTUIKNXlNNEVMSzRzZkdGV2k4eGFCZTd0OWFSSlgyMGFzR0w5YVRKRjhScmpvd2NNQmhUVVg1OFBHZmxiS0lpTXc4dwp3RFdocmZETHFpK1VPdzNZRmtIVTZ1dHF2VG1zd244dkJkYlM5NlR2eXJKZ0lLTmt4cFQwTVE5alFpUFc4azJQCmtHNXlxeG9BcWZ6aVlGYjFWZHREbkF2TEQyWnZZdk54ZDBzTVhvM2o4amx3Q1RGbFVSaWJzcGE3YXFucjNzS0oKWERtdlArek9UYkxnZGwzVkhLZ1doLzFYOC9yN2JFdUdWU2h5a3UyMisyRmlTdkdZRlFqK2JNWGNGN09aRU40aAo5aWxvcnkzU1p2RVpuN2RuazIyNnZLY2s5QWw5Y1h0Kzk0Z1ZQZnNwcWxyTkxVUnp2NXBGemZ2NGljdz0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
# API server specific configuration options.
apiServer:
image: registry.k8s.io/kube-apiserver:v1.33.1 # The container image used in the API server manifest.
# Extra certificate subject alternative names for the API server's certificate.
certSANs:
- 192.168.1.100
disablePodSecurityPolicy: true # Disable PodSecurityPolicy in the API server and default manifests.
# Configure the API server admission plugins.
admissionControl:
- name: PodSecurity # Name is the name of the admission controller.
# Configuration is an embedded configuration object to be used as the plugin's
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
defaults:
audit: restricted
audit-version: latest
enforce: baseline
enforce-version: latest
warn: restricted
warn-version: latest
exemptions:
namespaces:
- kube-system
runtimeClasses: []
usernames: []
kind: PodSecurityConfiguration
# Configure the API server audit policy.
auditPolicy:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
# # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration.
# authorizationConfig:
# - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
# name: webhook # Name is used to describe the authorizer.
# # webhook is the configuration for the webhook authorizer.
# webhook:
# connectionInfo:
# type: InClusterConfig
# failurePolicy: Deny
# matchConditionSubjectAccessReviewVersion: v1
# matchConditions:
# - expression: has(request.resourceAttributes)
# - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)'
# subjectAccessReviewVersion: v1
# timeout: 3s
# - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
# name: in-cluster-authorizer # Name is used to describe the authorizer.
# # webhook is the configuration for the webhook authorizer.
# webhook:
# connectionInfo:
# type: InClusterConfig
# failurePolicy: NoOpinion
# matchConditionSubjectAccessReviewVersion: v1
# subjectAccessReviewVersion: v1
# timeout: 3s
# Controller manager server specific configuration options.
controllerManager:
image: registry.k8s.io/kube-controller-manager:v1.33.1 # The container image used in the controller manager manifest.
# Kube-proxy server-specific configuration options
proxy:
image: registry.k8s.io/kube-proxy:v1.33.1 # The container image used in the kube-proxy manifest.
# # Disable kube-proxy deployment on cluster bootstrap.
# disabled: false
# Scheduler server specific configuration options.
scheduler:
image: registry.k8s.io/kube-scheduler:v1.33.1 # The container image used in the scheduler manifest.
# Configures cluster member discovery.
discovery:
enabled: true # Enable the cluster membership discovery feature.
# Configure registries used for cluster member discovery.
registries:
# Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
kubernetes:
disabled: true # Disable Kubernetes discovery registry.
# Service registry is using an external service to push and pull information about cluster members.
service: {}
# # External service endpoint.
# endpoint: https://discovery.talos.dev/
# Etcd specific configuration options.
etcd:
# The `ca` is the root certificate authority of the PKI.
ca:
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmekNDQVNTZ0F3SUJBZ0lSQUt1Uzg3ckMxTUR0OThXVlI5ZEtzdFl3Q2dZSUtvWkl6ajBFQXdJd0R6RU4KTUFzR0ExVUVDaE1FWlhSalpEQWVGdzB5TlRBMk1qQXhOakF4TkRkYUZ3MHpOVEEyTVRneE5qQXhORGRhTUE4eApEVEFMQmdOVkJBb1RCR1YwWTJRd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFSS1FXeTRuRThvCm1wU3F5d085cVlrQVVWL0ppaWh4Znloa0NzYTFGTWJFeFdCYUpYWlVOT3Q3S1NTTXUvRyt0cE1MUklWdWFoSFkKUDZEYkhOZHJIdDhpbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSApBd0VHQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkxkRzFuQTVXUkJFCmlFZU52ZXhtNnBBbzFFOHdNQW9HQ0NxR1NNNDlCQU1DQTBrQU1FWUNJUURvVHRjam5qa24yeXU2V3lJbzNIYTcKajduTUEyS0NSVkNSY3pSa2pPUmFpd0loQUxYL2FxdkZCSFloZjBIS2ZyeVF5OGduVVNXc21EYWczNkIycmROYgp4NzFpCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUtXS1EwbGNDSUdSRitIRGxaUDQwV3MvdGgwNHFydzdxV3FCNFhLNWVseEVvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFU2tGc3VKeFBLSnFVcXNzRHZhbUpBRkZmeVlvb2NYOG9aQXJHdFJUR3hNVmdXaVYyVkRUcgpleWtrakx2eHZyYVRDMFNGYm1vUjJEK2cyeHpYYXg3ZklnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
# # The container image used to create the etcd service.
# image: gcr.io/etcd-development/etcd:v3.5.21
# # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
# advertisedSubnets:
# - 10.0.0.0/8
# A list of urls that point to additional manifests.
extraManifests: []
# - https://www.example.com/manifest1.yaml
# - https://www.example.com/manifest2.yaml
# A list of inline Kubernetes manifests.
inlineManifests: []
# - name: namespace-ci # Name of the manifest.
# contents: |- # Manifest contents as a string.
# apiVersion: v1
# kind: Namespace
# metadata:
# name: ci
# # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
# # Decryption secret example (do not use in production!).
# aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
# # Core DNS specific configuration options.
# coreDNS:
# image: registry.k8s.io/coredns/coredns:v1.12.1 # The `image` field is an override to the default coredns image.
# # External cloud provider configuration.
# externalCloudProvider:
# enabled: true # Enable external cloud provider.
# # A list of urls that point to additional manifests for an external cloud provider.
# manifests:
# - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
# - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml
# # A map of key value pairs that will be added while fetching the extraManifests.
# extraManifestHeaders:
# Token: "1234567"
# X-ExtraInfo: info
# # Settings for admin kubeconfig generation.
# adminKubeconfig:
# certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).
# # Allows running workload on control-plane nodes.
allowSchedulingOnControlPlanes: true
config kubectl and talosctl
.kube/config:
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVRDZ0F3SUJBZ0lSQU44aTFtQWhmOTNZc0s4aGxlZkNtY0F3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOVEEyTWpBeE5qQXhORGRhRncwek5UQTJNVGd4TmpBeApORGRhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVFXR2hXcGdkdCtDNDhkOGRqTzNNNEpJWE1wNzk2UjJMZ1VZbjZpbXNhYkFzUnBJZzhtK250aVlMVysKV0RhWnlqc3BEbTVOTmJGYzZiSEJmeUFRR3lUVG8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGSHBxcWZuUE94VHdldjhkTGZQTzRSR2NoYVBTTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSVFDVXlLK2MKTW1VenE1MzJKc0M0M2JlWjBSeDJpSEdOZVpDdE50Y1Q4N3hrUUFJZ1JSRHRkNDNBSmIzRzNFOXF2UnlqZzRPWQpRT2hpL3BtTVJ2QlJJeTA0K2k0PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
server: https://192.168.1.104:6443
name: pdc
contexts:
- context:
cluster: pdc
namespace: default
user: admin@pdc
name: admin@pdc
current-context: admin@pdc
kind: Config
preferences: {}
users:
- name: admin@pdc
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJoVENDQVN1Z0F3SUJBZ0lSQU5mQUttNkE5MzJQbTB3Y00vcHhPdFF3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOVEEyTWpBeE5qUTJNRGRhRncweU5qQTJNakF4TmpRMgpNVGRhTUNreEZ6QVZCZ05WQkFvVERuTjVjM1JsYlRwdFlYTjBaWEp6TVE0d0RBWURWUVFERXdWaFpHMXBiakJaCk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkZNS3ZxQlh0OEpuZmRkU1BtZVVWN2xHOE00akY5ZzIKTWNIQ1N1aGdoSiszMG5PZzRTR3k3Y1pyam9oL2pOY2EwOVNaSXRGZG1zdm1rbTh2UjlTNFJEV2pTREJHTUE0RwpBMVVkRHdFQi93UUVBd0lGb0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFqQWZCZ05WSFNNRUdEQVdnQlI2CmFxbjV6enNVOEhyL0hTM3p6dUVSbklXajBqQUtCZ2dxaGtqT1BRUURBZ05JQURCRkFpRUFsVzdqcHY0MXdINUUKQVFJbko4MGJjWlREMFBmVURhcFhCNElqcFNFbm10UUNJQ2Nwa3lBTm1Cb3ZzUWtOUWhyc1VJZHRQRXFkNWQ1SQo0NmMyakttTE1SZncKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
client-key-data: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUliSnBVSmRmeTlQaSs2b2VUUlAxbGFSazVjY29aYS9ZU1QzN1g0VGdwN2FvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFVXdxK29GZTN3bWQ5MTFJK1o1Ulh1VWJ3emlNWDJEWXh3Y0pLNkdDRW43ZlNjNkRoSWJMdAp4bXVPaUgrTTF4clQxSmtpMFYyYXkrYVNieTlIMUxoRU5RPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
.talos/config:
context: pdc
contexts:
pdc:
endpoints: ["192.168.1.104"]
ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBcERQd2Z5QXErVngyQlRLL3ViejRvakFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qVXdOakl3TVRZd01UUTNXaGNOTXpVd05qRTRNVFl3TVRRM1dqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQUVDRzlEUkxncTNnQXNCVS9TWE5aU1J2MS9sMlJ6VTA3UUl3CkhtVEZTVERSbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRk41bXdnb3gyb2tWZVMyMwo0U2lNcVl1WUY0V1dNQVVHQXl0bGNBTkJBRlJLejMzZStRWlhKNDlQKy9iV3RWdVlHWHJyUmRCVjE3aWQySWNuCnE0ak1rQmJGODBQN0U4SHFVMlpzM3BMLytDRHJtSVF0amdRYVNJbVZSdElRUGdRPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJLRENCMjZBREFnRUNBaEJPais3ZHRjSm1McmtVcEFNdnlNUGlNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5UQTJNakF4TmpBeE5EZGFGdzB5TmpBMk1qQXhOakF4TkRkYU1CTXhFVEFQQmdOVgpCQW9UQ0c5ek9tRmtiV2x1TUNvd0JRWURLMlZ3QXlFQVY4a1ZreG16KzFiNkkvMlpDSUVMSmt0MHdwRXNlZ1ZMCk5PUzJmMEl0WjFTalNEQkdNQTRHQTFVZER3RUIvd1FFQXdJSGdEQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0QKQWpBZkJnTlZIU01FR0RBV2dCVGVac0lLTWRxSkZYa3R0K0VvakttTG1CZUZsakFGQmdNclpYQURRUUJDZWJ2Vgo1MVo5QVpVWDcxOTRBSDhPdUo2YVJseGtSYnlmSTNZNzNRY1QrNWRwUXpjc1BmVlNmR2ZKbkxNeU43dkREeUZ2Cjd5amlBdnArSHcvdzBrY0EKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJQ0o1WkxLOVRxOXdtUi85K0czWTR4b1RHV0NmbWVpTWY2UVFEZFlyWllucAotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
Test deploy
nginx-test.yaml:
---
apiVersion: v1
kind: Pod
metadata:
name: test-private-reg
spec:
containers:
- name: test-container
image: registry.300510300.xyz:6000/nginx:1.29.0
kubectl apply --kubeconfig=kubeconfig -f nginx-test.yaml
kubectl get pods -A
kubectl get events --sort-by='.lastTimestamp'
Monitoraggio con Prometheus e Grafana
Dove si configurano strumenti per la visualizzazione e l'analisi delle metriche di sistema in tempo reale.
Distributed block storage con Longhorn
Dove si installa un sistema di storage persistente e ridondante per le applicazioni stateful.
Log Management
Dove si implementa un sistema centralizzato per la raccolta, l'analisi e la visualizzazione dei log distribuiti, garantendo tracciabilità e diagnosi rapida dei problemi in ambienti complessi.
LiteLLM Proxy
Dove si costruisce un layer di astrazione per i modelli di linguaggio, ottimizzando costi, gestendo fallback automatici e garantendo alta disponibilità dei servizi AI nell'infrastruttura Kubernetes.
Vault
Dove si implementa una gestione sicura dei segreti con rotazione automatica delle credenziali, protezione crittografica e integrazione profonda con l'identity management nativo di Kubernetes.
Cert Manager con Let's Encrypt
Dove si automatizza completamente il ciclo di vita dei certificati SSL/TLS, eliminando la gestione manuale e garantendo comunicazioni sicure senza interruzioni di servizio.
Osservabilità
Dove si costruisce un sistema integrato di monitoraggio che correla metriche, log e tracce distribuite per fornire visibilità completa dalla performance infrastrutturale fino all'esperienza utente finale.