Talos (Linux)
Talos is a popular Linux distribution designed for Kubernetes. It is secure, immutable, and minimal.
Enabling AppArmor on Talos
To use the bifrost service with Talos, AppArmor must be enabled in the kernel. Since Talos Linux v1.9, SELinux is enabled by default. To use AppArmor, ensure SELinux is disabled, because the two cannot yet be used simultaneously.
Talos has a powerful Image Factory that makes it easy to configure an image.
When creating an image with support for AppArmor, add the following Extra kernel command line arguments at the Customization step:

    -selinux lsm=lockdown,capability,yama,apparmor,bpf apparmor=1

If you use the Talos Image Factory with an image schematic, add the following to your schematic YAML:

    customization:
      extraKernelArgs:
        - -selinux
        - lsm=lockdown,capability,yama,apparmor,bpf
        - apparmor=1

This produces a Talos image with AppArmor enabled and ready for use with bifrost.
Using a machine configuration
If you manage a Talos version prior to v1.10 via a machine configuration, include:

    machine:
      install:
        extraKernelArgs:
          - lsm=lockdown,capability,yama,apparmor,bpf
          - apparmor=1
          - -selinux

Note: extraKernelArgs are applied during install or on upgrade. Simply applying a machine config does not change kernel arguments on an already provisioned node.
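Because the arguments only take effect at install or upgrade, it is worth confirming what a node actually booted with. The following check is an added example, not part of bifrost or Talos; the function names and the sample strings are constructed for illustration, and it assumes you obtain the two inputs with `talosctl read`.

```shell
#!/bin/sh
# Added example (not bifrost or Talos project code). Inputs come from e.g.:
#   talosctl -n <node> read /proc/cmdline
#   talosctl -n <node> read /sys/kernel/security/lsm

# has_item LIST ITEM: true if ITEM is an exact element of comma-separated LIST.
has_item() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_apparmor CMDLINE ACTIVE_LSMS
# Prints one line per problem; returns 0 only when AppArmor is requested on the
# command line, actually loaded, and SELinux is neither requested nor loaded.
check_apparmor() {
    cmdline=$1 active=$2 lsm_arg="" aa="" se="" rc=0
    for arg in $cmdline; do            # unquoted on purpose: split on spaces
        case $arg in
            lsm=*)      lsm_arg=${arg#lsm=} ;;
            apparmor=*) aa=${arg#apparmor=} ;;
            selinux=*)  se=${arg#selinux=} ;;
        esac
    done
    [ "$aa" = 1 ] || { echo "cmdline: apparmor=1 missing"; rc=1; }
    has_item "$lsm_arg" apparmor || { echo "cmdline: lsm= does not list apparmor"; rc=1; }
    [ "$se" != 1 ] || { echo "cmdline: selinux=1 still present"; rc=1; }
    has_item "$active" apparmor || { echo "active LSMs: apparmor not loaded"; rc=1; }
    if has_item "$active" selinux; then echo "active LSMs: selinux is loaded"; rc=1; fi
    return $rc
}

# Constructed samples: a node booted with the arguments from this page, and a
# node where the machine config was applied but no install/upgrade happened.
GOOD_CMDLINE='talos.platform=metal console=tty0 lsm=lockdown,capability,yama,apparmor,bpf apparmor=1'
GOOD_LSMS='lockdown,capability,yama,apparmor,bpf'
STALE_CMDLINE='talos.platform=metal console=tty0 selinux=1'
STALE_LSMS='lockdown,capability,yama,selinux,bpf'

check_apparmor "$GOOD_CMDLINE" "$GOOD_LSMS" && echo "good node: AppArmor active"
check_apparmor "$STALE_CMDLINE" "$STALE_LSMS" || echo "stale node: reinstall or upgrade needed"
```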
For anything else regarding Talos, please consult the Talos Linux Documentation.