Kubernetes Architecture

Node layout, CNI, platform services, and workload placement on the Talos cluster.

Overview

Three Talos control-plane nodes sit behind a KubeVIP virtual IP. Four worker nodes run all workloads. Cilium handles CNI, Gateway API ingress, and L2 LoadBalancer announcements. ArgoCD syncs all apps via GitOps.


Node Inventory

| Name | Role | IP | CPU | RAM | Storage |
|---|---|---|---|---|---|
| k8s-controller1 | Control plane | 192.168.1.211 | 4 vCPU | 8 GiB | 50 GiB |
| k8s-controller2 | Control plane | 192.168.1.212 | 4 vCPU | 8 GiB | 50 GiB |
| k8s-controller3 | Control plane | 192.168.1.213 | 4 vCPU | 8 GiB | 50 GiB |
| k8s-worker1 | Worker | 192.168.1.221 | 4 vCPU | 14 GiB | 200 GiB |
| k8s-worker2 | Worker | 192.168.1.222 | 4 vCPU | 14 GiB | 200 GiB |
| k8s-worker3 | Worker | 192.168.1.223 | 4 vCPU | 14 GiB | 200 GiB |
| k8s-worker4 | Worker + GPU | 192.168.1.224 | 8 vCPU | 16 GiB | 250 GiB + RTX 5070 Ti |
| KubeVIP | Virtual IP | 192.168.1.210 | Floats across control-plane nodes | | |
| Cilium L2 LB | LoadBalancer pool | 192.168.1.220–230 | Assigned per LoadBalancer Service | | |

Cluster Diagram

```mermaid
flowchart TB
    subgraph CP["Control Plane · 3 nodes"]
        VIP["KubeVIP<br/>192.168.1.210:6443"]
        CP1["k8s-controller1<br/>.211"]
        CP2["k8s-controller2<br/>.212"]
        CP3["k8s-controller3<br/>.213"]
        VIP --- CP1 & CP2 & CP3
    end

    subgraph WRK["Workers"]
        W1["k8s-worker1<br/>.221"]
        W2["k8s-worker2<br/>.222"]
        W3["k8s-worker3<br/>.223"]
        W4["k8s-worker4<br/>.224<br/>RTX 5070 Ti"]
    end

    subgraph PLT["Platform Services"]
        CIL["Cilium L2 LB<br/>192.168.1.220"]
        ARGO["ArgoCD<br/>ApplicationSet"]
        LONG["Longhorn<br/>distributed storage"]
        OB["OpenBao<br/>CSI Driver + KV secrets"]
        CERT["cert-manager<br/>wildcard TLS"]
    end

    subgraph BIFROST["Bifrost VPS · Hetzner"]
        WG["NetBird routing peer<br/>WireGuard mesh"]
    end

    VIP --> CIL
    CIL --> W1 & W2 & W3 & W4
    ARGO -->|"syncs workloads<br/>from manifests branch"| W1 & W2 & W3 & W4
    LONG --> W1 & W2 & W3 & W4
    OB -->|"CSI volume mounts"| W1 & W2 & W3 & W4
    CERT -->|"cert-manager ACME"| CIL
    WG <-->|"WireGuard<br/>192.168.1.0/24"| CIL
```

Talos Configuration

Talos Linux is provisioned by Pulumi (core/platform/talos.go). Each role gets a machine config with role-specific patches:

| Patch | Applied to |
|---|---|
| controlplane.patch.yaml | Control-plane nodes |
| worker.patch.yaml | Worker nodes |
| nvidia.patch.yaml | k8s-worker4 (GPU) |

Talos image schematics (from factory.talos.dev). Note that nvidia-container-toolkit only supplies the container runtime hooks; the NVIDIA kernel modules come from a separate factory extension (nonfree-kmod-nvidia or nvidia-open-gpu-kernel-modules), so check that the GPU schematic actually carries one of them:

| Schematic | Extensions | Used by |
|---|---|---|
| Base | iscsi-tools, qemu-guest-agent | All nodes |
| GPU | Base + nvidia-container-toolkit | k8s-worker4 |

The cluster endpoint is https://192.168.1.210:6443 (KubeVIP).
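The shape of the role-specific patches, as an added example rather than the repository's own patch files: `<schematic-id>`, `<gpu-schematic-id>` and the Talos version are placeholders, the Longhorn bind mount follows Longhorn's documented Talos requirement (Longhorn keeps replicas under /var/lib/longhorn), and the GPU patch follows the Talos NVIDIA documentation. It assumes nvidia.patch.yaml is layered on top of worker.patch.yaml for k8s-worker4 and that the GPU schematic carries the NVIDIA kernel-module extension.

```yaml
# Added example; not the repo's worker.patch.yaml / nvidia.patch.yaml.
# Placeholders: <schematic-id>, <gpu-schematic-id>, the Talos version tag.

# worker.patch.yaml (all worker nodes)
machine:
  install:
    image: factory.talos.dev/installer/<schematic-id>:v1.9.0   # Base schematic
  kubelet:
    extraMounts:
      # Longhorn needs its data directory bind-mounted rshared into the
      # kubelet mount namespace on Talos, otherwise replica volumes fail.
      - destination: /var/lib/longhorn
        type: bind
        source: /var/lib/longhorn
        options:
          - bind
          - rshared
          - rw
---
# nvidia.patch.yaml (k8s-worker4 only; assumed to be applied after worker.patch.yaml)
machine:
  install:
    image: factory.talos.dev/installer/<gpu-schematic-id>:v1.9.0   # GPU schematic
  kernel:
    # Load the proprietary driver modules shipped by the kernel-module extension.
    modules:
      - name: nvidia
      - name: nvidia_uvm
      - name: nvidia_drm
      - name: nvidia_modeset
  sysctls:
    # Required by the NVIDIA container toolkit's eBPF hooks per the Talos docs.
    net.core.bpf_jit_harden: 1
```

Patches are applied with `talosctl machineconfig patch` or via the provider's patch list; the install image is the only place where the schematic is referenced, so a node that was booted from the Base image and later upgraded to the GPU image picks up the extensions on its next `talosctl upgrade`.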


Cilium + Gateway API

Cilium handles both CNI and north-south ingress via the Gateway API:

| Feature | Config |
|---|---|
| CNI mode | kube-proxy replacement |
| L2 announcements | 192.168.1.220–230 pool (LAN) |
| Gateway class | cilium |
| HTTPRoute for Hubble UI | hubble.madhan.app → hubble-relay:80 |
| ForwardAuth | Via Traefik on Bifrost (not in-cluster) |

The Gateway API GatewayClass is provisioned by core/platform/cilium.go; app HTTPRoutes are defined in CDK8s (workloads/**/*.go). One check worth running against this configuration: the L2 pool as listed here, 192.168.1.220–230, contains the worker node addresses 192.168.1.221–224 from the node inventory. An L2-announced LoadBalancer IP that collides with a node's own address causes ARP conflicts on the LAN, so the CiliumLoadBalancerIPPool must exclude the node addresses (for example .220 plus .225–.230) or the node range must move.
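The Cilium objects that back this table, as an added example and not the contents of core/platform/cilium.go: an LB-IPAM pool, the L2 announcement policy, a Gateway in the cilium class pinned to 192.168.1.220, and the Hubble UI HTTPRoute. The pool blocks deliberately skip the worker addresses .221–.224; the interface regex, the kube-system namespace, the TLS Secret name and the use of `spec.addresses` on the Gateway are assumptions.

```yaml
# Added example; not the project's Pulumi/CDK8s output.
# Pool blocks keep .220 and .225-.230 so node IPs .221-.224 are never announced.
apiVersion: cilium.io/v2alpha1
kind: CiliumLoadBalancerIPPool
metadata:
  name: lan-pool
spec:
  blocks:
    - start: 192.168.1.220
      stop: 192.168.1.220
    - start: 192.168.1.225
      stop: 192.168.1.230
---
apiVersion: cilium.io/v2alpha1
kind: CiliumL2AnnouncementPolicy
metadata:
  name: lan-l2
spec:
  # Announce from workers only; the control-plane nodes carry the KubeVIP.
  nodeSelector:
    matchExpressions:
      - key: node-role.kubernetes.io/control-plane
        operator: DoesNotExist
  interfaces:
    - ^(eth|enp)[0-9]+        # assumed NIC naming on the Talos VMs
  loadBalancerIPs: true
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: lan
  namespace: kube-system        # assumed
spec:
  gatewayClassName: cilium
  addresses:                    # assumed: Cilium honours IPAddress here
    - type: IPAddress
      value: 192.168.1.220
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "*.madhan.app"
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: wildcard-madhan-app-tls   # assumed cert-manager secret name
      allowedRoutes:
        namespaces:
          from: All
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: hubble-ui
  namespace: kube-system
spec:
  parentRefs:
    - name: lan
      namespace: kube-system
  hostnames:
    - hubble.madhan.app
  rules:
    - backendRefs:
        - name: hubble-relay    # backend and port as listed on this page
          port: 80
```

With `allowedRoutes.namespaces.from: All`, any namespace can attach an HTTPRoute for any `*.madhan.app` host to this Gateway; if tenant namespaces are untrusted, narrow it with `from: Selector` and a namespace label.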


Workload Placement

| Package | Components | Workload type / placement |
|---|---|---|
| storage/ | Longhorn | DaemonSet, all workers |
| secrets/ | OpenBao + CSI Driver | Any worker |
| observability/ | VictoriaMetrics, VictoriaLogs, OTel | Deployment + DaemonSet |
| monitoring/ | Grafana | Any worker |
| security/ | Falco (eBPF), Kyverno, Trivy | DaemonSet + CronJob |
| hardware/ | NVIDIA GPU Operator | DaemonSet, NodeFeatureDiscovery |
| networking/ | NetBird peer | hostNetwork: true, any worker |
| registry/ | Harbor | Deployments + RWO PVCs |
| automation/ | n8n + PostgreSQL | Any worker |
| ai/ | Ollama, ComfyUI | k8s-worker4 only (GPU) |
| management/ | Headlamp, Rancher, Fleet | Any worker |
| support/ | Stakater Reloader | Any worker |

The NetBird peer runs with hostNetwork: true, so it lives in the node's network namespace: pod NetworkPolicy does not apply to it and anything it listens on is reachable at the node address. Review it as part of the node's attack surface rather than as an ordinary pod.
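How an ai/ workload is pinned to the GPU node, as an added example and not the project's CDK8s code. The namespace, image tag, PVC name and resource sizes are assumptions; nvidia.com/gpu.present is the label GPU Feature Discovery publishes via NodeFeatureDiscovery, and the nvidia RuntimeClass is created by the NVIDIA GPU Operator.

```yaml
# Added example; not from workloads/**/*.go. Assumed: namespace, image tag,
# PVC name, resource sizes. The two nodeSelectorTerms are ORed: schedule where
# a GPU was discovered, or on k8s-worker4 by name if GFD labels are missing.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ollama
  namespace: ai
spec:
  replicas: 1
  strategy:
    type: Recreate                 # RWO Longhorn volume: never two pods at once
  selector:
    matchLabels:
      app: ollama
  template:
    metadata:
      labels:
        app: ollama
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: nvidia.com/gpu.present
                    operator: In
                    values: ["true"]
              - matchExpressions:
                  - key: kubernetes.io/hostname
                    operator: In
                    values: ["k8s-worker4"]
      runtimeClassName: nvidia       # injects the GPU into the container
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000                # makes the PVC writable for uid 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: ollama
          image: ollama/ollama:0.5.7  # assumed tag; pin by digest in practice
          env:
            - name: HOME             # ollama writes its keypair under $HOME/.ollama
              value: /data
            - name: OLLAMA_MODELS
              value: /data/models
          ports:
            - name: http
              containerPort: 11434
          resources:
            requests:
              cpu: "2"
              memory: 8Gi
            limits:
              memory: 12Gi
              nvidia.com/gpu: 1      # whole-GPU allocation via the device plugin
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: data
              mountPath: /data
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: ollama-models  # assumed Longhorn RWO PVC
        - name: tmp
          emptyDir: {}
```

The nvidia.com/gpu limit is what actually reserves the device; the affinity only keeps the scheduler from trying the other workers first. If the hostname fallback fires on a node where the GPU Operator has not labelled the GPU, the pod stays Pending on the unsatisfiable resource rather than starting without a GPU.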

Service Access

| Service URL | DNS resolves to | Access |
|---|---|---|
| grafana.madhan.app | 178.156.199.250 (public) | Via Bifrost + ForwardAuth |
| auth.madhan.app | 178.156.199.250 (public) | Authentik on Bifrost |
| netbird.madhan.app | 178.156.199.250 (public) | NetBird on Bifrost |
| harbor.madhan.app | 192.168.1.220 (LAN) | LAN or VPN only |
| headlamp.madhan.app | 192.168.1.220 (LAN) | LAN or VPN only |
| hubble.madhan.app | 192.168.1.220 (LAN) | LAN or VPN only |

The public names terminate on Bifrost, where Traefik ForwardAuth runs, before traffic crosses the WireGuard mesh into the cluster. The LAN names resolve straight to the Cilium Gateway at 192.168.1.220 and therefore do not pass ForwardAuth: on that path the controls are LAN/VPN reachability and whatever authentication each service provides itself. See Network Flow for the complete traffic path breakdown.