feat: add filter for KubeSpan advertised networks#12758
Merged
talos-bot merged 1 commit intosiderolabs:mainfrom Feb 12, 2026
Merged
feat: add filter for KubeSpan advertised networks#12758talos-bot merged 1 commit intosiderolabs:mainfrom
talos-bot merged 1 commit intosiderolabs:mainfrom
Conversation
90a5619 to
c9846c6
Compare
smira
reviewed
Feb 10, 2026
internal/app/machined/pkg/controllers/cluster/local_affiliate.go
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Pull request overview
Adds support for filtering which Kubernetes networks (e.g., Pod CIDRs) get advertised over KubeSpan when advertiseKubernetesNetworks is enabled, enabling hybrid setups to avoid routing private ranges through KubeSpan.
Changes:
- Introduces
filters.advertisedNetworksin the machine config schema/docs and wires it through config providers and validation. - Extends the KubeSpan Config resource/API (proto + generated code) with
advertised_network_filters. - Applies the configured filters when populating
Affiliate.KubeSpan.AdditionalAddresses, with test coverage for both config parsing/validation and runtime behavior.
Reviewed changes
Copilot reviewed 23 out of 23 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| website/content/v1.13/schemas/config.schema.json | Documents filters.advertisedNetworks in the website schema for v1.13. |
| website/content/v1.13/reference/configuration/v1alpha1/networkkubespan.md | Adds advertisedNetworks to rendered v1alpha1 KubeSpan reference docs. |
| website/content/v1.13/reference/configuration/network/kubespanconfig.md | Adds advertisedNetworks examples and field table entry for KubeSpan config docs. |
| website/content/v1.13/reference/api.md | Adds advertised_network_filters to the published API reference table. |
| pkg/machinery/resources/kubespan/deep_copy.generated.go | Deep-copy support for AdvertisedNetworkFilters. |
| pkg/machinery/resources/kubespan/config.go | Adds AdvertisedNetworkFilters to the KubeSpan Config resource spec. |
| pkg/machinery/config/types/v1alpha1/v1alpha1_validation_test.go | Adds validation tests for good/bad advertised network filters. |
| pkg/machinery/config/types/v1alpha1/v1alpha1_validation.go | Validates filters.advertisedNetworks CIDR/address inputs. |
| pkg/machinery/config/types/v1alpha1/v1alpha1_types.go | Adds advertisedNetworks to the v1alpha1 KubeSpanFilters type. |
| pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go | Exposes AdvertisedNetworks() via the provider interface implementation. |
| pkg/machinery/config/types/network/network_doc.go | Adds doc generation for the advertisedNetworks filter field and example. |
| pkg/machinery/config/types/network/kubespan_test.go | Adds unmarshal/interface/validate tests for advertised network filters. |
| pkg/machinery/config/types/network/kubespan.go | Adds ConfigAdvertisedNetworks field, docs, validation, and interface method. |
| pkg/machinery/config/types/network/deep_copy.generated.go | Deep-copy support for ConfigAdvertisedNetworks. |
| pkg/machinery/config/schemas/config.schema.json | Adds advertisedNetworks to the machinery JSON schema. |
| pkg/machinery/config/config/network.go | Extends NetworkKubeSpanFilters interface with AdvertisedNetworks(). |
| pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go | vtproto marshal/size/unmarshal support for field 10. |
| pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go | Adds AdvertisedNetworkFilters to generated protobuf Go types. |
| internal/app/machined/pkg/controllers/kubespan/config_test.go | Ensures controller maps advertised network filters into KubeSpan config resource. |
| internal/app/machined/pkg/controllers/kubespan/config.go | Wires filters.advertisedNetworks into ConfigSpec.AdvertisedNetworkFilters. |
| internal/app/machined/pkg/controllers/cluster/local_affiliate_test.go | Tests filtering behavior for advertised Pod CIDRs at runtime. |
| internal/app/machined/pkg/controllers/cluster/local_affiliate.go | Applies AdvertisedNetworkFilters to Affiliate.KubeSpan.AdditionalAddresses. |
| api/resource/definitions/kubespan/kubespan.proto | Adds repeated string advertised_network_filters = 10; to the API. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
pkg/machinery/config/types/v1alpha1/v1alpha1_validation_test.go
Outdated
Show resolved
Hide resolved
smira
added a commit
to smira/discovery-api
that referenced
this pull request
Feb 10, 2026
This is extracted part of PR siderolabs/talos#12758 The goal is to make each peer to publish its addresses and filters to the discovery service, so that other peers can apply the filters accordingly to build a proper view of advertised addresses. We don't apply filtering on "client" side as `Addresses` field is also used in generic discovery, so it's good to report all addresses and also KubeSpan-specific filter for advertised addresses. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
smira
added a commit
to smira/discovery-api
that referenced
this pull request
Feb 10, 2026
This is extracted part of PR siderolabs/talos#12758 The goal is to make each peer to publish its addresses and filters to the discovery service, so that other peers can apply the filters accordingly to build a proper view of advertised addresses. We don't apply filtering on "client" side as `Addresses` field is also used in generic discovery, so it's good to report all addresses and also KubeSpan-specific filter for advertised addresses. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
1ef30ff to
3da81d7
Compare
70554a1 to
7b8264f
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 39 out of 40 changed files in this pull request and generated 9 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
website/content/v1.13/reference/configuration/network/kubespanconfig.md
Outdated
Show resolved
Hide resolved
website/content/v1.13/reference/configuration/v1alpha1/networkkubespan.md
Outdated
Show resolved
Hide resolved
website/content/v1.13/reference/configuration/v1alpha1/networkkubespan.md
Outdated
Show resolved
Hide resolved
website/content/v1.13/reference/configuration/network/kubespanconfig.md
Outdated
Show resolved
Hide resolved
d0f9a82 to
25742e0
Compare
smira
reviewed
Feb 11, 2026
Member
There was a problem hiding this comment.
this file shouldn't have been there in the first place, it was a leftover from previous refactoring, so gc it
smira
reviewed
Feb 11, 2026
| builder.Add(ip) | ||
| } | ||
|
|
||
| for _, ipPrefix := range spec.KubeSpan.ExcludeAdvertisedNetworks { |
Member
There was a problem hiding this comment.
these 3 lines are the gist of this PR, everything else is distributing excludeAdvertiseNetworks across peers
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 39 out of 40 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
oguzkilcan
approved these changes
Feb 11, 2026
Add advertisedNetworks filter to KubeSpan configuration that allows filtering which additional networks (e.g., pod CIDRs) are advertised over KubeSpan when advertiseKubernetesNetworks is enabled. Signed-off-by: Daniil Kivenko <daniil.kivenko@p2p.org> Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
25742e0 to
70c6c21
Compare
Member
|
/m |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request
What? (description)
Add a new
advertisedNetworksfilter underfiltersconfiguration that allows excluding specific networks (e.g., private IP ranges) from being advertised over KubeSpan whenadvertiseKubernetesNetworksis enabled.#12358 - issues for this changes
Why? (reasoning)
This is useful for hybrid cloud environments where private pod CIDRs should not be routed through KubeSpan.
Acceptance
Please use the following checklist:
make conformance)make fmt)make lint)make docs)make unit-tests)