# apparmor.yaml
machine:
  install:
    extraKernelArgs:
      - security=apparmor
    # MUST stay false while extraKernelArgs is set above.
    #
    # Talos >= 1.13.4 rejects a machine config that sets BOTH
    # install.extraKernelArgs and install.grubUseUKICmdline=true:
    #   "install.extraKernelArgs and install.grubUseUKICmdline can't be used together"
    # and grubUseUKICmdline defaults to TRUE here — KSail generates this cluster's
    # config with the Talos >=1.12 version contract, and that contract's default
    # for grubUseUKICmdline is true (gated at >1.11). Without this explicit
    # override the freshly-generated config carries extraKernelArgs + the
    # defaulted grubUseUKICmdline:true, so the v1.13.4 installer fails validation
    # mid-upgrade and `ksail cluster update` aborts on the first node.
    #
    # grubUseUKICmdline controls whether the legacy GRUB bootloader reuses the
    # UKI's baked-in kernel cmdline instead of building one on the host. This
    # cluster boots GRUB on Hetzner (no SecureBoot/UKI), so the cmdline MUST be
    # built host-side to carry security=apparmor — which is exactly what
    # grubUseUKICmdline:false selects.
    grubUseUKICmdline: false