A few days ago, American engineer Andrew Rynhard presented an interesting project: a compact Linux distribution designed specifically for running Kubernetes clusters. It takes its name from ancient Greek mythology: Talos.
The project was inspired by a tweet Kelsey Hightower posted back in 2015, in which he said that all we had to do was wait for a hypothetical KubeOS to appear (after which life in cloud environments would become absolutely wonderful):
By the way, with the advent of Talos this story got a sequel: someone replied to that historic tweet that such a system had now appeared, and the author of Talos said he would be glad if Kelsey took a look at the project. Kelsey has not (yet) reacted.

Apparently, Talos was developed by a single person (presenting himself as an entire company, Autonomy), and it took him more than a year. Now that a minimum level of readiness has been reached, the author expects other members of the Kubernetes / cloud native community to join him. So what is the essence of the project?
Talos principles and features
Talos is positioned as a modern Linux distribution created specifically (and exclusively!) for Kubernetes. To achieve this goal, its implementation follows these approaches:
Minimalism
Ubiquitous minimalism is one of the cornerstones of the Talos architecture. One of the clearest examples is the init system it uses, which (contrary to current trends in this area) follows the UNIX philosophy that "every program does one thing, but does it well":
We wanted to make init focused on a single task — launch Kubernetes. It simply has no mechanisms for any other actions.
The developers went further and stripped their operating system of the host access system administrators are used to: Talos has no command shells, no SSH daemon, and no way to run your own processes on the host at all. And really, why have any of that if all you need is to run Kubernetes? Virtually all processes in Talos run inside containers.
However, since the world is not that perfect (an OS cannot operate entirely "by itself"), there are still tools for operating the OS:
- The osd daemon, implemented according to the Principle of Least Privilege and offering a gRPC-based API for managing nodes;
- The osctl CLI utility, which talks to the osd service running on each node.
This is how the basic set of operational capabilities is implemented: restarting services and cluster nodes, retrieving kernel logs (dmesg) and container logs, writing data into node configuration files, and so on.
All the listed components (init, osd, osctl, ...), like some others in the distribution, are written in Go. By the way, all the source code is distributed under the terms of the open source Mozilla Public License 2.0.
Security
The minimalist approach described above (only what is required to run Kubernetes) plus the principle of granting only minimal privileges already reduce the potential attack surface by themselves. In addition, in Talos:
- the included kernel is configured according to the recommendations of the Kernel Self Protection Project (KSPP), which focuses on the kernel's ability to protect itself against potential bugs and vulnerabilities (instead of relying on userspace utilities for the same purpose);
- the root file system is mounted read-only, which, combined with the absence of shells and SSH, makes the system immutable;
- interaction with the API goes over mutual TLS (mTLS);
- Kubernetes settings and configurations are applied in accordance with CIS guidelines (Center for Internet Security).
An additional plus resulting from minimalism and the focus on immutability is the predictability of the system's behavior (since the number of factors affecting the environment is reduced).
Relevance
The authors promise to base Talos on the next-to-last upstream release of Kubernetes (although K8s 1.13.3 is supported right now) and the latest available LTS release of the Linux kernel (4.19.10 is currently used).
System components
The main components of the distribution (in addition to the kernel and the project's own utilities) are:
- musl-libc - as the standard C library;
- golang - for init and the other tools;
- gRPC - for the API;
- containerd - for running system services in containers (used with the CRI plugin for Kubernetes);
- kubeadm - for deploying clusters.
Working with Talos
Examples of Talos deployments for AWS, KVM and Xen are provided in the project documentation. To quickly illustrate what this looks like, here is the installation procedure for Linux KVM virtual machines:
1. Install the master node image on a disk of the host:

docker run --rm --privileged --volume /dev:/dev \
  autonomy/talos:latest image -b /dev/sdb -f -p bare-metal \
  -u http://${IP}:8080/master.yaml

2. Create the VM:

virt-install -n master --description "Kubernetes master node." \
  --os-type=Linux --os-variant=generic --virt-type=kvm --cpu=host \
  --vcpus=2 --ram=4096 --disk path=/dev/sdb \
  --network bridge=br0,model=e1000,mac=52:54:00:A8:4C:E1 \
  --graphics none --boot hd --rng /dev/random

3. The same steps for a worker node (a separate disk, the worker.yaml configuration, and its own VM name so it does not collide with the master):

docker run --rm --privileged --volume /dev:/dev \
  autonomy/talos:latest image -b /dev/sdc -f -p bare-metal \
  -u http://${IP}:8080/worker.yaml

virt-install -n worker --description "Kubernetes worker node." \
  --os-type=Linux --os-variant=generic --virt-type=kvm --cpu=host \
  --vcpus=2 --ram=4096 --disk path=/dev/sdc \
  --network bridge=br0,model=e1000,mac=52:54:00:B9:5D:F2 \
  --graphics none --boot hd --rng /dev/random
Configuring the interaction between osd and osctl essentially comes down to generating the keys used for their authentication (the mTLS already mentioned) and is described here.
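The text mentions mTLS twice: in the security list (the API is reachable only over mutual TLS) and here, where setting up osd and osctl comes down to generating keys. The following Go program is an added example and not code from the Talos project: it mints a throwaway cluster CA plus an "osd" (server) and an "osctl" (client) certificate in memory (constructed P-256 keys, one-hour validity), then runs three loopback handshakes against a server configured with tls.RequireAndVerifyClientCert to show which clients the mTLS policy lets in. The names talos-ca, osd, osctl and rogue-ca, the function names, and the loopback address are assumptions for the demo; the real Talos key material, file layout and gRPC wiring are not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// must panics on error so the demo reads linearly (fine for a demo, not for a daemon).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert mints a P-256 certificate: a self-signed CA when isCA is set, otherwise a leaf signed by parent/parentKey.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // loopback SAN, assumed for the demo
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	} else {
		// one helper mints both the server (osd) and client (osctl) identities
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// serverConfig is the osd side: present the node certificate and require a client certificate chaining to the CA.
func serverConfig(ca, cert *x509.Certificate, key *ecdsa.PrivateKey) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" part of mTLS
		ClientCAs:    pool,
	}
}

// clientConfig is the osctl side; cert may be nil to model a client with no credentials at all.
func clientConfig(ca, cert *x509.Certificate, key *ecdsa.PrivateKey) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{RootCAs: pool}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	return cfg
}

// handshake runs one handshake over loopback and returns the server's verdict (in TLS 1.3 the client can
// consider the handshake finished before the server has rejected its certificate, so check the server side).
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = tls.Server(conn, serverCfg).Handshake()
		}
		verdict <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	result := <-verdict // let the server finish before tearing the client down
	if err == nil {
		conn.Close()
	}
	return result
}

// Demo returns the server verdict for a proper osctl client, a client with no certificate,
// and a client whose certificate was issued by an unrelated CA.
func Demo() (withCert, noCert, wrongCA error) {
	ca, caKey := newCert("talos-ca", nil, nil, true)
	osd, osdKey := newCert("osd", ca, caKey, false)
	osctl, osctlKey := newCert("osctl", ca, caKey, false)
	rogueCA, rogueCAKey := newCert("rogue-ca", nil, nil, true)
	rogue, rogueKey := newCert("osctl", rogueCA, rogueCAKey, false)
	srv := serverConfig(ca, osd, osdKey)
	withCert = handshake(srv, clientConfig(ca, osctl, osctlKey))
	noCert = handshake(srv, clientConfig(ca, nil, nil))
	wrongCA = handshake(srv, clientConfig(ca, rogue, rogueKey))
	return
}
```

Only the first handshake returns a nil verdict; the other two fail on the server side, which is what makes a shell-less, SSH-less host with an API manageable: without a certificate issued by the cluster CA, the client cannot even complete a connection to osd, regardless of what it knows about the API.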
Further work with them comes down to commands like osctl reboot, osctl stats and osctl logs. A demonstration of listing the containers in the k8s.io namespace:
$ osctl ps -k
NAMESPACE  ID       IMAGE          PID   STATUS
k8s.io     0ca1…    sha256:da86…   2341  RUNNING
k8s.io     356f…    sha256:da86…   2342  RUNNING
…
k8s.io     e42e…    sha256:4ff8…   2508  RUNNING
k8s.io     kubelet  k8s.gcr.io/…   2068  RUNNING
The process of configuring a Kubernetes cluster with Talos is described here (master nodes) and here (workers).
Status and prospects
The project is at the alpha stage (the latest release is v0.1.0-alpha.18) and, of course, at this point it looks more like an amusing experiment than anything really close to production.
However, the surge of interest in Talos after its recent announcement (already 600+ stars on GitHub) and the sole author's call to work together can serve as an excellent incentive for its development.
Activity on the Talos project's issues in recent days

At least the distribution contains ideas that are relevant for the cloud native world, and their high-quality implementation is only a matter of time.