backports: for v1.9.2

Makefile

@@ -22,7 +22,7 @@ TOOLS ?= ghcr.io/siderolabs/tools:v1.9.0-1-geaad82f
 DEBUG_TOOLS_SOURCE := scratch
 
 PKGS_PREFIX ?= ghcr.io/siderolabs
-PKGS ?= v1.9.0-15-g45c4ba4
+PKGS ?= v1.9.0-21-gc1f06e5
 EXTRAS ?= v1.9.0
 
 KRES_IMAGE ?= ghcr.io/siderolabs/kres:latest

cmd/talosctl/cmd/mgmt/cluster/create.go

@@ -144,6 +144,7 @@ var (
 	workersMemory             int
 	clusterDiskSize           int
 	clusterDiskPreallocate    bool
+	diskBlockSize             uint
 	clusterDisks              []string
 	extraDisks                int
 	extraDiskSize             int
@@ -950,6 +951,7 @@ func create(ctx context.Context) error {
 			Size:            uint64(extraDiskSize) * 1024 * 1024,
 			SkipPreallocate: !clusterDiskPreallocate,
 			Driver:          driver,
+			BlockSize:       diskBlockSize,
 		})
 	}
 
@@ -1175,6 +1177,7 @@ func getDisks() ([]*provision.Disk, error) {
 			Size:            uint64(clusterDiskSize) * 1024 * 1024,
 			SkipPreallocate: !clusterDiskPreallocate,
 			Driver:          "virtio",
+			BlockSize:       diskBlockSize,
 		},
 	}
 
@@ -1223,6 +1226,7 @@ func getDisks() ([]*provision.Disk, error) {
 			Partitions:      diskPartitions,
 			SkipPreallocate: !clusterDiskPreallocate,
 			Driver:          "ide",
+			BlockSize:       diskBlockSize,
 		})
 	}
 
@@ -1274,6 +1278,7 @@ func init() {
 	createCmd.Flags().IntVar(&controlPlaneMemory, "memory", 2048, "the limit on memory usage in MB (each control plane/VM)")
 	createCmd.Flags().IntVar(&workersMemory, "memory-workers", 2048, "the limit on memory usage in MB (each worker/VM)")
 	createCmd.Flags().IntVar(&clusterDiskSize, clusterDiskSizeFlag, 6*1024, "default limit on disk size in MB (each VM)")
+	createCmd.Flags().UintVar(&diskBlockSize, "disk-block-size", 512, "disk block size (VM only)")
 	createCmd.Flags().BoolVar(&clusterDiskPreallocate, clusterDiskPreallocateFlag, true, "whether disk space should be preallocated")
 	createCmd.Flags().StringSliceVar(&clusterDisks, clusterDisksFlag, []string{}, "list of disks to create for each VM in format: <mount_point1>:<size1>:<mount_point2>:<size2>")
 	createCmd.Flags().IntVar(&extraDisks, "extra-disks", 0, "number of extra disks to create for each worker VM")

go.mod

@@ -142,7 +142,7 @@ require (
 	github.com/siderolabs/gen v0.7.0
 	github.com/siderolabs/go-api-signature v0.3.6
 	github.com/siderolabs/go-blockdevice v0.4.8
-	github.com/siderolabs/go-blockdevice/v2 v2.0.9
+	github.com/siderolabs/go-blockdevice/v2 v2.0.11
 	github.com/siderolabs/go-circular v0.2.1
 	github.com/siderolabs/go-cmd v0.1.3
 	github.com/siderolabs/go-copy v0.1.0

go.sum

@@ -645,8 +645,8 @@ github.com/siderolabs/go-api-signature v0.3.6 h1:wDIsXbpl7Oa/FXvxB6uz4VL9INA9fmr
 github.com/siderolabs/go-api-signature v0.3.6/go.mod h1:hoH13AfunHflxbXfh+NoploqV13ZTDfQ1mQJWNVSW9U=
 github.com/siderolabs/go-blockdevice v0.4.8 h1:KfdWvIx0Jft5YVuCsFIJFwjWEF1oqtzkgX9PeU9cX4c=
 github.com/siderolabs/go-blockdevice v0.4.8/go.mod h1:4PeOuk71pReJj1JQEXDE7kIIQJPVe8a+HZQa+qjxSEA=
-github.com/siderolabs/go-blockdevice/v2 v2.0.9 h1:OTo+ADN/3LT4XtI8p7Dz3hlh6DJABHwMAnOlK7MOtMk=
-github.com/siderolabs/go-blockdevice/v2 v2.0.9/go.mod h1:74htzCV913UzaLZ4H+NBXkwWlYnBJIq5m/379ZEcu8w=
+github.com/siderolabs/go-blockdevice/v2 v2.0.11 h1:r7mbbXMn8OZmJA2fJJdomjlZKexRi66ELVZGXJUaNU8=
+github.com/siderolabs/go-blockdevice/v2 v2.0.11/go.mod h1:74htzCV913UzaLZ4H+NBXkwWlYnBJIq5m/379ZEcu8w=
 github.com/siderolabs/go-circular v0.2.1 h1:a++iVCn9jyhICX3POQZZX8n72p2h5JGdGU6w1ulmpcA=
 github.com/siderolabs/go-circular v0.2.1/go.mod h1:ZDItzVyXK+B/XuqTBV5MtQtSv06VI+oCmWGRnNCATo8=
 github.com/siderolabs/go-cmd v0.1.3 h1:JrgZwqhJQeoec3QRON0LK+fv+0y7d0DyY7zsfkO6ciw=

hack/cri-containerd.toml

@@ -1,7 +1,6 @@
 version = 3
 
 disabled_plugins = [
-    "io.containerd.nri.v1.nri",
     "io.containerd.internal.v1.tracing",
     "io.containerd.snapshotter.v1.blockfile",
     "io.containerd.tracing.processor.v1.otlp",

hack/cri-plugin.part

@@ -5,3 +5,6 @@ version = 3
 
 [plugins."io.containerd.cri.v1.runtime".containerd.runtimes.runc]
   base_runtime_spec = "/etc/cri/conf.d/base-spec.json"
+
+[plugins."io.containerd.nri.v1.nri"]
+  disable = true

hack/release.toml

@@ -7,7 +7,7 @@ match_deps = "^github.com/((talos-systems|siderolabs)/[a-zA-Z0-9-]+)$"
 ignore_deps = ["github.com/coredns/coredns"]
 
 # previous release
-previous = "v1.9.0"
+previous = "v1.9.1"
 
 pre_release = false
 
@@ -18,10 +18,47 @@ preface = """
     [notes.updates]
         title = "Component Updates"
         description = """\
-* Linux: 6.12.6
-* CNI plugins: 1.6.1
+* Linux: 6.12.9
+* runc: 1.2.4
+* containerd: 2.0.2
 
 Talos is built with Go 1.23.4.
+"""
+
+    [notes.kube-apiserver-authorization-config]
+        title = "kube-apiserver Authorization Config"
+        description = """\
+When using `.cluster.apiServer.authorizationConfig` the user provided order for the authorizers is honoured and `Node` and `RBAC` authorizers are always added to the end if not explicitly specified.
+
+Eg: If user provides only `Webhook` authorizer, the final order will be `Webhook`, `Node`, `RBAC`.
+
+To provide a specific order for `Node` or `RBAC` explicitly, user can provide the authorizer in the order they want.
+
+Eg:
+
+```yaml
+cluster:
+  apiServer:
+    authorizationConfig:
+      - type: Node
+        name: Node
+      - type: Webhook
+        name: Webhook
+        webhook:
+          connectionInfo:
+            type: InClusterConfig
+        ...
+      - type: RBAC
+        name: rbac
+```
+
+Usage of `authorization-mode` CLI argument will not support this form of customization.
+"""
+
+    [notes.auditd]
+        title = "auditd"
+        description = """\
+Kernel parameter `talos.auditd.disabled=1` can be used to disable Talos built-in `auditd` service.
 """
 
 [make_deps]

hack/test/patches/image-cache.yaml

@@ -23,3 +23,4 @@ name: IMAGECACHE
 provisioning:
   diskSelector:
     match: 'system_disk'
+  grow: true

internal/app/machined/pkg/controllers/k8s/control_plane.go

@@ -131,11 +131,6 @@ func NewControlPlaneAuthorizationController() *ControlPlaneAuthorizationControll
 				var authorizers []k8s.AuthorizationAuthorizersSpec
 
 				for _, authorizer := range cfgProvider.Cluster().APIServer().AuthorizationConfig() {
-					// skip Node and RBAC authorizers as we add them by default later on.
-					if authorizer.Type() == "Node" || authorizer.Type() == "RBAC" {
-						continue
-					}
-
 					authorizers = slices.Concat(authorizers, []k8s.AuthorizationAuthorizersSpec{
 						{
 							Type:    authorizer.Type(),
@@ -145,7 +140,25 @@ func NewControlPlaneAuthorizationController() *ControlPlaneAuthorizationControll
 					})
 				}
 
-				res.TypedSpec().Config = slices.Concat(v1alpha1.APIServerDefaultAuthorizationConfigAuthorizers, authorizers)
+				if !slices.ContainsFunc(authorizers, func(a k8s.AuthorizationAuthorizersSpec) bool {
+					return a.Type == "Node"
+				}) {
+					authorizers = slices.Insert(authorizers, 0, k8s.AuthorizationAuthorizersSpec{
+						Type: "Node",
+						Name: "node",
+					})
+				}
+
+				if !slices.ContainsFunc(authorizers, func(a k8s.AuthorizationAuthorizersSpec) bool {
+					return a.Type == "RBAC"
+				}) {
+					authorizers = slices.Insert(authorizers, 1, k8s.AuthorizationAuthorizersSpec{
+						Type: "RBAC",
+						Name: "rbac",
+					})
+				}
+
+				res.TypedSpec().Config = authorizers
 
 				return nil
 			},

internal/app/machined/pkg/controllers/k8s/control_plane_test.go

@@ -270,10 +270,88 @@ func (suite *K8sControlPlaneSuite) TestReconcileAdditionalAuthorizationConfigAut
 									},
 								},
 							},
+							{
+								AuthorizerType: "Node",
+								AuthorizerName: "bar",
+							},
+						},
+					},
+				},
+			},
+		),
+	)
+
+	suite.setupMachine(cfg)
+
+	expectedAuthorizers := []k8s.AuthorizationAuthorizersSpec{
+		{
+			Type: "RBAC",
+			Name: "foo",
+		},
+		{
+			Type: "Webhook",
+			Name: "webhook",
+			Webhook: map[string]any{
+				"timeout":                    "3s",
+				"subjectAccessReviewVersion": "v1",
+				"matchConditionSubjectAccessReviewVersion": "v1",
+				"failurePolicy": "NoOpinion",
+				"connectionInfo": map[string]any{
+					"type": "InClusterConfig",
+				},
+			},
+		},
+		{
+			Type: "Node",
+			Name: "bar",
+		},
+	}
+
+	rtestutils.AssertResources(suite.Ctx(), suite.T(), suite.State(), []resource.ID{k8s.AuthorizationConfigID},
+		func(authorizationConfig *k8s.AuthorizationConfig, assert *assert.Assertions) {
+			assert.Equal(expectedAuthorizers, authorizationConfig.TypedSpec().Config)
+		},
+	)
+}
+
+func (suite *K8sControlPlaneSuite) TestReconcileAdditionalAuthorizationConfigAuthorizersWithOnlyNodeSet() {
+	u, err := url.Parse("https://foo:6443")
+	suite.Require().NoError(err)
+
+	cfg := config.NewMachineConfig(
+		container.NewV1Alpha1(
+			&v1alpha1.Config{
+				ConfigVersion: "v1alpha1",
+				MachineConfig: &v1alpha1.MachineConfig{
+					MachineType: "controlplane",
+				},
+				ClusterConfig: &v1alpha1.ClusterConfig{
+					ControlPlane: &v1alpha1.ControlPlaneConfig{
+						Endpoint: &v1alpha1.Endpoint{
+							URL: u,
+						},
+					},
+					APIServerConfig: &v1alpha1.APIServerConfig{
+						AuthorizationConfigConfig: []*v1alpha1.AuthorizationConfigAuthorizerConfig{
 							{
 								AuthorizerType: "Node",
 								AuthorizerName: "foo",
 							},
+							{
+								AuthorizerType: "Webhook",
+								AuthorizerName: "webhook",
+								AuthorizerWebhook: v1alpha1.Unstructured{
+									Object: map[string]any{
+										"timeout":                    "3s",
+										"subjectAccessReviewVersion": "v1",
+										"matchConditionSubjectAccessReviewVersion": "v1",
+										"failurePolicy": "NoOpinion",
+										"connectionInfo": map[string]any{
+											"type": "InClusterConfig",
+										},
+									},
+								},
+							},
 						},
 					},
 				},
@@ -283,7 +361,15 @@ func (suite *K8sControlPlaneSuite) TestReconcileAdditionalAuthorizationConfigAut
 
 	suite.setupMachine(cfg)
 
-	expectedAuthorizers := slices.Concat(v1alpha1.APIServerDefaultAuthorizationConfigAuthorizers, []k8s.AuthorizationAuthorizersSpec{
+	expectedAuthorizers := []k8s.AuthorizationAuthorizersSpec{
+		{
+			Type: "Node",
+			Name: "foo",
+		},
+		{
+			Type: "RBAC",
+			Name: "rbac",
+		},
 		{
 			Type: "Webhook",
 			Name: "webhook",
@@ -297,7 +383,7 @@ func (suite *K8sControlPlaneSuite) TestReconcileAdditionalAuthorizationConfigAut
 				},
 			},
 		},
-	})
+	}
 
 	rtestutils.AssertResources(suite.Ctx(), suite.T(), suite.State(), []resource.ID{k8s.AuthorizationConfigID},
 		func(authorizationConfig *k8s.AuthorizationConfig, assert *assert.Assertions) {

internal/app/machined/pkg/controllers/k8s/endpoint.go

@@ -269,7 +269,7 @@ func (ctrl *EndpointController) watchKubernetesEndpoint(ctx context.Context, r c
 
 func kubernetesEndpointWatcher(ctx context.Context, logger *zap.Logger, client *kubernetes.Client) (chan *corev1.Endpoints, func(), error) {
 	informerFactory := informers.NewSharedInformerFactoryWithOptions(
-		client.Clientset, 30*time.Second,
+		client.Clientset, constants.KubernetesInformerDefaultResyncPeriod,
 		informers.WithNamespace(corev1.NamespaceDefault),
 		informers.WithTweakListOptions(func(options *v1.ListOptions) {
 			options.FieldSelector = fields.OneTermEqualSelector("metadata.name", "kubernetes").String()

internal/app/machined/pkg/controllers/k8s/internal/nodewatch/nodewatch.go

@@ -9,6 +9,7 @@ import (
 	"context"
 	"fmt"
 
+	"go.uber.org/zap"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
@@ -17,6 +18,7 @@ import (
 	"k8s.io/client-go/tools/cache"
 
 	"github.com/siderolabs/talos/pkg/kubernetes"
+	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
 // NodeWatcher defines a NodeWatcher-based node watcher.
@@ -46,10 +48,12 @@ func (r *NodeWatcher) Get() (*corev1.Node, error) {
 }
 
 // Watch starts watching Node state and notifies on updates via notify channel.
-func (r *NodeWatcher) Watch(ctx context.Context) (<-chan struct{}, <-chan error, func(), error) {
+func (r *NodeWatcher) Watch(ctx context.Context, logger *zap.Logger) (<-chan struct{}, <-chan error, func(), error) {
+	logger.Debug("starting node watcher", zap.String("nodename", r.nodename))
+
 	informerFactory := informers.NewSharedInformerFactoryWithOptions(
 		r.client.Clientset,
-		0,
+		constants.KubernetesInformerDefaultResyncPeriod,
 		informers.WithTweakListOptions(
 			func(opts *metav1.ListOptions) {
 				opts.FieldSelector = fields.OneTermEqualSelector(metav1.ObjectNameField, r.nodename).String()
@@ -88,7 +92,11 @@ func (r *NodeWatcher) Watch(ctx context.Context) (<-chan struct{}, <-chan error,
 
 	informerFactory.Start(ctx.Done())
 
+	logger.Debug("waiting for node cache sync")
+
 	informerFactory.WaitForCacheSync(ctx.Done())
 
+	logger.Debug("node cache sync done")
+
 	return notifyCh, watchErrCh, informerFactory.Shutdown, nil
 }

internal/app/machined/pkg/controllers/k8s/node_status.go

@@ -158,9 +158,9 @@ func (ctrl *NodeStatusController) Run(ctx context.Context, r controller.Runtime,
 			var watchCtx context.Context
 			watchCtx, watchCtxCancel = context.WithCancel(ctx) //nolint:govet
 
-			notifyCh, watchErrCh, notifyCloser, err = nodewatcher.Watch(watchCtx)
+			notifyCh, watchErrCh, notifyCloser, err = nodewatcher.Watch(watchCtx, logger)
 			if err != nil {
-				return fmt.Errorf("error setting up registry watcher: %w", err) //nolint:govet
+				return fmt.Errorf("error setting up node watcher: %w", err) //nolint:govet
 			}
 		}