Question about setting Pod and Service Subnets, and also Node IP and DNS address

[TazTheManiac]

I am trying a setup of Kubernetes v1.34.0 using Talos v1.11.1 with the custom PodSubnet: 10.42.0.0/16 and ServiceSubnet: 10.43.0.0/16 using the OpenTofu provider. But are running into issues with applications trying to reach the DNS using the wrong address and node IPs getting set to internal adresses.

kube-dns service

NAMESPACE	NAME	TYPE	CLUSTER-IP	EXTERNAL-IP	PORT(S)
kube-system	kube-dns	ClusterIP	10.43.0.10		53/UDP,53/TCP,9153/TCP

Log from hubble-relay

time=2025-09-24T13:40:02.765581239Z level=info msg="Failed to create peer notify client for peers change notification; will try again after the timeout has expired" subsys=hubble-relay error="rpc error: code = Unavailable desc = dns: A record lookup error: lookup hubble-peer.kube-system.svc.cluster.local. on 10.96.0.10:53: read udp 10.42.7.163:55304->10.96.0.10:53: i/o timeout" connectionTimeout=30s

See how Hubble Relay is trying to reach the DNS using the default Talos service subnet DNS address.
I also see this with other applications trying to reach external resources using DNS lookup, for example the Rancher cattle-cluster-agent.

Log cattle-cluster-agent

INFO: Using resolv.conf: search cattle-system.svc.cluster.local svc.cluster.local cluster.local nameserver 10.96.0.10 options ndots:5
ERROR: https://rancher.<REDACTED>.com/ping is not accessible (Could not resolve host: rancher.<REDACTED>.com)

I have tried setting the machine.kubelet.clusterDNS to 10.43.0.10 manually, and that do work to some degree, but after a while some other odd behaviors like logs not being able to load because of timeouts appear.

Running the command talosctl --talosconfig health -n 10.182.76.10 stalls on trying to connect to the nodes using their internal IP, so that lead me to setting the machine.kubelet.nodeIP.validSubnets manually (see the talos_machine_configuration_apply resources below), and as of writing the issues seams to be solved for the moment.

Comming from a more of a "everything is handed to you solution" like RKE2. Is this way of working expected, and required, or am I missing something else with the setup?

Usefull info:

CNI: Cilium with kube-proxy replacement (config at the bottom)

Talos OpenTofu config

variable "talos_version" { default = "1.11.1" }
variable "kubernetes_version" { default = "1.34.0" }
variable "kubernetes_vip_address" { default = "10.182.76.10" }
variable "kubernetes_pod_cidr_list" { default = ["10.42.0.0/16"] }
variable "kubernetes_service_cidr_list" { default = ["10.43.0.0/16"] }
variable "kubernetes_dns_address_list" { default = [ "10.43.0.10" ] }
variable "nameserver_addresses" { default = [
  "10.185.10.10",
  "10.185.11.11"
]}

resource "talos_machine_secrets" "global" {}

data "talos_machine_configuration" "controlplane" {
  talos_version      = var.talos_version
  kubernetes_version = var.kubernetes_version
  cluster_name       = var.cluster_name
  machine_type       = "controlplane"
  cluster_endpoint   = "https://${var.kubernetes_vip_address}:6443"
  machine_secrets    = talos_machine_secrets.global.machine_secrets

  config_patches = [
    yamlencode({
      machine = {
        time = {
          servers = var.nameserver_addresses
        }
        network = {
          interfaces = [{
            interface = "eth0"
            vip = {
              ip = var.kubernetes_vip_address
            }
          }]
        }
        kubelet = {
          clusterDNS = var.kubernetes_dns_address_list
        }
      }
    })
  ]
}

resource "talos_machine_configuration_apply" "controlplane" {
  count                       = var.cluster_controller_count
  node                        = var.controller_address_list[count.index]
  client_configuration        = talos_machine_secrets.global.client_configuration
  machine_configuration_input = data.talos_machine_configuration.controlplane.machine_configuration

  config_patches = [
    yamlencode({
      cluster = {
        network = {
          cni = {
            name = "none"
          }
          podSubnets     = var.kubernetes_pod_cidr_list
          serviceSubnets = var.kubernetes_service_cidr_list
        }
        externalCloudProvider = {
          enabled = true
        }
        proxy = {
          disabled = true
        }
        extraManifests = [
          rancher2_cluster.imported.cluster_registration_token[0].manifest_url
        ]
      }
      machine = {
        kubelet = {
          nodeIP = {
            validSubnets = [
              "${var.controller_address_list[count.index]}/32"
            ]
          }
        }
      }
    })
  ]
}

data "talos_machine_configuration" "worker" {
  talos_version      = var.talos_version
  kubernetes_version = var.kubernetes_version
  cluster_name       = var.cluster_name
  machine_type       = "worker"
  cluster_endpoint   = "https://${var.kubernetes_vip_address}:6443"
  machine_secrets    = talos_machine_secrets.global.machine_secrets

  config_patches = [
    yamlencode({
      machine = {
        time = {
          servers = var.nameserver_addresses
        }
        kubelet = {
          clusterDNS = var.kubernetes_dns_address_list
        }
      }
    })
  ]
}

resource "talos_machine_configuration_apply" "worker" {
  count                       = var.cluster_worker_count
  node                        = var.worker_address_list[count.index]
  client_configuration        = talos_machine_secrets.global.client_configuration
  machine_configuration_input = data.talos_machine_configuration.worker.machine_configuration

  config_patches = [
    yamlencode({
      machine = {
        kubelet = {
          nodeIP = {
            validSubnets = [
              "${var.worker_address_list[count.index]}/32"
            ]
          }
        }
      }
    })
  ]
}

resource "talos_machine_bootstrap" "cluster" {
  node                 = var.controller_address_list[0]
  client_configuration = talos_machine_secrets.global.client_configuration

  depends_on = [talos_machine_configuration_apply.controlplane, talos_machine_configuration_apply.worker]
}

Cilium config

cgroup:
  autoMount:
    enabled: false
  hostRoot: /sys/fs/cgroup
devices: eth0
hubble:
  enabled: true
  relay:
    enabled: true
  ui:
    enabled: true
ipam:
  mode: kubernetes
k8sServiceHost: localhost
k8sServicePort: 7445
kubeProxyReplacement: true
nodePort:
  enabled: true
securityContext:
  capabilities:
    ciliumAgent:
      - CHOWN
      - KILL
      - NET_ADMIN
      - NET_RAW
      - IPC_LOCK
      - SYS_ADMIN
      - SYS_RESOURCE
      - DAC_OVERRIDE
      - FOWNER
      - SETGID
      - SETUID
    cleanCiliumState:
      - NET_ADMIN
      - SYS_ADMIN
      - SYS_RESOURCE

[smira]

There are too many questions mixed together, but in general changing pod/service subnets is not easy for a running cluster, set them at the cluster creation time and you're good.

If you have multiple IPs per node, see https://www.talos.dev/v1.11/talos-guides/network/multihoming/

Also see https://www.talos.dev/v1.11/introduction/troubleshooting/#conflict-on-kubernetes-and-host-subnets

[TazTheManiac]

It is during setup that the pod and service subnets are defined, the config is applied to the nodes and then the cluster gets bootstrapped. But it seems like the DNS address is not set correctly for the kublet without defining it manually?

And the nodes seems to take an address from the service subnet as the node-ip, and there is no conflict of overlapping subnets for the pods, services, or hosts.

As mentioned, it no issues setting these manually, but I will take a look at the articles you linked and see it that helps. Thanks for the reply!

[smira]

DNS address is set correctly if you put correct config. It might be that you don't push service/pod subnets to the workers in your case.

[TazTheManiac]

You were correct. I removed the config setting custom DNS and node-ip then pushed the service and pod subnets to the worker nodes during setup, and that did the trick.

Thought those were only meant to be pushed to the controlplane nodes due to it being a kubernetes setting and that those would be pushed out to the workers.