Virtual machines running on proxmox should have the qemu-guest-agent installed as it improves the way virtual machines are restarted as it does not simply rely on virtualized ACPI commands. Additionally qemu-guest-agent provides information like network addresses. Talos linux does not feature the qemu-quest-agent.

The qemu-guest-agent can run as daemonset in kubernetes but id does not allow to reboot or shutdown a node when using e.g. proxmox as infrastructure. As proxmox sends all the machine run state events like reboot and shutdown to the agent the daemon pod must be capable to restart the host. This can be achieved by using talosctl to restart the host node. For talsoctl talos config is required to have the api access to restart the host node.

Qemu / KVM must have the guest agent enabled for node virtual machine. In Proxmox you find this setting under virtual machine options.

To have the talosctl fully functional you need a talos config. This config must be injected either as secret or as service account. The advantage of a service account is, that you do not need to create the config itself. Unfortunately the privileges required to reboot or shutdown a node is os:admin. As talos config only allows setting the allowed permissions (os:read, os:admin) but lacks a way to set this per namespace, this option is not recommended. If you need the talos config only in the qemu-guest-agent namespace it would be ok to grant os:admin for this namespace, but for arbitrary namespaces os:read is already more than enough. If you want the version with the service account use the qemu-guest-agent-with-sa.yaml. Ensure that you have the right permissions granted in your node talos machine config (machine.features.kubernetesTalosAPIAccess).

Otherwise just create the secret using:

k create secret -n qemu-guest-agent generic talosconfig --from-file=config=<path to your config>

As the container runs as root and uses a hostFolder mount for the virtio device, it requires either the PodSecurity being set very low or better switch it of for the qemu-quest-agent namespace.

            admissionControl:
            - name: PodSecurity
              configuration:
                apiVersion: pod-security.admission.config.k8s.io/v1alpha1
                defaults:
                    audit: restricted
                    audit-version: latest
                    enforce: baseline
                    enforce-version: latest
                    warn: restricted
                    warn-version: latest
                exemptions:
                    namespaces:
                        - kube-system
                        - qemu-guest-agent
                    runtimeClasses: []
                    usernames: []
                kind: PodSecurityConfiguratio

Set this in your control plane config using talosctl.

Create image pull secret with your docker or podman auth.json / client.json. This is only required in case you pull from a private registry

kubectl create secret generic regcred     \
   --from-file=.dockerconfigjson=/run/user/.../containers/auth.json \
   --type=kubernetes.io/dockerconfigjson --namespace qemu-guest-agent

Install using:

kubectl create -f qemu-ga-talos.yaml

Uninstall using:

kubectl delete -f qemu-ga-talos.yaml

This code is provided under the BSD-3 license.

The following external dependencies are used:

• alpine Linux as base for container
• qemu-guest-agent inside the container
• talosctl to talk to the talos host