Node Labels

Talos can propagate labels from machine.nodeLabels to the Kubernetes Node object. These labels are written using the node’s kubelet identity, which is restricted by the Kubernetes NodeRestriction admission controller. With NodeRestriction in place, a kubelet is only allowed to modify a small, whitelisted set of labels, such as:

topology.kubernetes.io/region
topology.kubernetes.io/zone
kubernetes.io/hostname
kubernetes.io/arch
kubernetes.io/os
some node.kubernetes.io/* labels

Labels outside that set, including the conventional role labels node-role.kubernetes.io/<role>, are rejected by the API server when requested by the node itself. This prevents a worker node from assigning itself a privileged role.

Apply nodeLabels

You can add labels to a node by specifying them under machine.nodeLabels in the machine configuration. For example:

machine:
  nodeLabels:
    topology.kubernetes.io/zone: "pve03"
    topology.kubernetes.io/region: "Region-1"

After you patch and reboot, the nodes will have the labels applied. Verify them with

kubectl describe node <node-name>

Role Labels

If you need to assign role labels, for example, node-role.kubernetes.io/worker or node-role.kubernetes.io/ingress, you must set them with a cluster-admin account:

kubectl label node <node-name> node-role.kubernetes.io/worker

Alternatively, you can use the Talos Cloud Controller Manager or your own controller to translate custom domain labels into the conventional node-role.kubernetes.io/* form if required.

Overview

CNI

CSI

Security

Monitoring & Observability

Advanced Guides

Apply nodeLabels

Role Labels

Overview

CNI

CSI

Security

Monitoring & Observability

Advanced Guides

​Apply nodeLabels

​Role Labels

Apply nodeLabels

Role Labels