@BobyMCbobs
Created October 28, 2024 02:18
Attempt at Talos on KubeVirt
---
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: talos
  labels:
    vm: talos
spec:
  dataVolumeTemplates:
    - metadata:
        name: talos
      spec:
        storage:
          storageClassName: local-path
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 10Gi
        source:
          http:
            url: https://factory.talos.dev/image/ab1024449cff00f2e27caee13298635e8fd178c6079d4de34a9370a55a54b938/v1.8.1/metal-amd64.qcow2
  runStrategy: Always
  template:
    metadata:
      labels:
        kubevirt.io/vm: fedora
    spec:
      terminationGracePeriodSeconds: 0
      domain:
        devices:
          networkInterfaceMultiqueue: true
          autoattachSerialConsole: true
          autoattachGraphicsDevice: true
          autoattachPodInterface: false
          disks:
            - disk:
                bus: virtio
              name: talos
          interfaces:
            - masquerade: {}
              name: default
          rng: {}
        resources:
          requests:
            memory: 4Gi
            devices.kubevirt.io/kvm: "1"
      networks:
        - name: default
          pod: {}
      volumes:
        - dataVolume:
            name: talos
          name: talos
---
apiVersion: v1
kind: Service
metadata:
  name: talos
spec:
  ports:
    - port: 6443
      targetPort: 6443
      name: apiserver
    - port: 50000
      targetPort: 50000
      name: talos
  selector:
    vm.kubevirt.io/name: talos
  type: ClusterIP

talosctl gen secrets
TALOS_VM_SVC_IP="$(kubectl get svc talos -o=jsonpath='{.spec.clusterIP}')"
TALOS_VM_IP="$(kubectl get pod -l vm.kubevirt.io/name=talos -o=jsonpath='{.items[0].status.podIP}')"
talosctl gen config talos "https://$TALOS_VM_SVC_IP:6443" --config-patch @config-patch-strategic.yaml --with-secrets ./secrets.yaml --force --install-disk /dev/vda
talosctl apply-config -e "$TALOS_VM_SVC_IP" -n "$TALOS_VM_SVC_IP" -i --file ./controlplane.yaml
talosctl -e "$TALOS_VM_SVC_IP" -n "$TALOS_VM_SVC_IP" --talosconfig ./talosconfig dmesg -f # FAILS
talosctl -e "$TALOS_VM_IP" -n "$TALOS_VM_IP" --talosconfig ./talosconfig dmesg -f # TIMES OUT

cluster:
  allowSchedulingOnControlPlanes: true
  apiServer:
    certSANs:
      - talos
    extraArgs:
      audit-webhook-config-file: /etc/kubernetes/policies/sink.yaml
      audit-policy-file: /etc/kubernetes/policies/policy.yaml
machine:
  certSANs:
    - talos
  kubelet:
    extraMounts:
      - destination: /opt/local-path-provisioner
        type: bind
        source: /opt/local-path-provisioner
        options:
          - bind
          - rshared
          - rw
  files:
    - content: |
        apiVersion: v1
        kind: Config
        clusters:
          - cluster:
              server: http://10.96.96.96:9900/events
            name: auditsink-cluster
        contexts:
          - context:
              cluster: auditsink-cluster
              user: ""
            name: auditsink-context
        current-context: auditsink-context
        users: []
        preferences: {}
      permissions: 0o644 # The file's permissions in octal.
      path: /etc/kubernetes/policies/sink.yaml # The path of the file.
      op: create # The operation to use
    - content: |
        apiVersion: audit.k8s.io/v1
        kind: Policy
        rules:
          - level: Metadata
            stages:
              - ResponseComplete
      permissions: 0o644 # The file's permissions in octal.
      path: /etc/kubernetes/policies/policy.yaml # The path of the file.
      op: create # The operation to use
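The config patch above tells kube-apiserver to POST audit batches to http://10.96.96.96:9900/events, but nothing in the gist shows what arrives there. The following is an added example (not part of the gist) of a minimal receiver for that sink: it parses each audit.k8s.io/v1 EventList the apiserver sends and logs one line per event using only the fields a Metadata-level policy records. The listen port 9900 and path /events are assumed from the sink.yaml URL; the sample batch is constructed.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

WEBHOOK_PATH = "/events"  # assumed from the sink.yaml URL above
LISTEN_PORT = 9900        # assumed from the same URL


def summarize_event_list(body: bytes) -> list:
    """Parse one audit.k8s.io/v1 EventList batch into flat per-event records.
    Every field read here exists at level Metadata (what policy.yaml records),
    so request/response bodies are neither expected nor needed."""
    doc = json.loads(body)
    if doc.get("kind") != "EventList" or doc.get("apiVersion") != "audit.k8s.io/v1":
        raise ValueError("not an audit.k8s.io/v1 EventList")
    records = []
    for ev in doc.get("items", []):
        ref = ev.get("objectRef") or {}
        records.append({
            "stage": ev.get("stage", ""),
            "user": (ev.get("user") or {}).get("username", "<unknown>"),
            "verb": ev.get("verb", ""),
            "resource": ref.get("resource", ""),
            "namespace": ref.get("namespace", ""),
            "name": ref.get("name", ""),
            "code": (ev.get("responseStatus") or {}).get("code"),
        })
    return records


class AuditSink(BaseHTTPRequestHandler):
    """Accepts POSTed batches on /events and prints one line per event."""
    def do_POST(self):
        if self.path != WEBHOOK_PATH:
            self.send_response(404)
            self.end_headers()
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            for r in summarize_event_list(body):
                print("{stage} {user} {verb} {resource}/{namespace}/{name} -> {code}".format(**r))
            self.send_response(200)  # 2xx acknowledges the batch to the apiserver
        except ValueError as exc:
            print("rejected batch:", exc)
            self.send_response(400)
        self.end_headers()


# Constructed sample batch, shaped like what the apiserver POSTs, for offline use.
SAMPLE_BATCH = json.dumps({"kind": "EventList", "apiVersion": "audit.k8s.io/v1", "items": [
    {"level": "Metadata", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "system:serviceaccount:default:app"},
     "objectRef": {"resource": "secrets", "namespace": "default", "name": "db-creds"},
     "responseStatus": {"code": 201}}]}).encode()

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", LISTEN_PORT), AuditSink).serve_forever()
```

Run it where 10.96.96.96:9900 resolves to this process (or change the sink URL to match); the one-line-per-event output is the minimum you need to confirm the webhook path from the Talos VM's apiserver actually works before pointing it at a real SIEM.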