Prerequisites
Before you begin, you must have:
- A running Talos Linux Kubernetes cluster
- kubectl configured to access your cluster
- talosctl configured to access your nodes
- helm installed (version 3.8 or newer)
Ready state.
Step 1: Configure Talos containerd to preserve unpacked layers
By default, Talos configures containerd to discard unpacked image layers after an image is pulled. This behavior helps conserve disk space, but it prevents Spegel from serving images to other nodes, because there are no local layers available to share. Spegel relies on these unpacked layers to function as a peer-to-peer registry mirror. To enable this capability, you must configure containerd to retain unpacked layers. This is done by applying a machine configuration patch to each node.
1.1: Create the machine configuration patch
Create a patch file named spegel-machine-patch.yaml with the following contents:
1.2: Apply the patch to all nodes
Next, apply this configuration to every node in your cluster.
- Apply patch directly to Talos machines
- Apply patch through Omni
To apply the patch directly to Talos machines:
- Retrieve the internal IP addresses of all nodes:
  This command collects the node IP addresses that talosctl will use to connect to each machine.
- Apply the patch to each node:
  This updates the machine configuration on each node, but the change will not take effect until the nodes are rebooted.
- Reboot each node so containerd loads the updated configuration:
  Each node is rebooted one at a time to avoid disrupting the cluster. During the reboot, the node will be temporarily unavailable.
- Monitor their status and wait until they return to the Ready state:
Proceed once all nodes report Ready.
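The direct-to-node procedure above as a single script, added here as an example (it is not the guide's own commands): each node is patched, rebooted and waited on in turn, and the rollout halts at the first node that fails so that only one node is ever out of service. The function names, READY_TIMEOUT and its 10m value are assumptions.

```shell
#!/bin/sh
# Added example: roll a Talos machine-config patch across nodes, one at a time.
# Assumptions: PATCH_FILE is the file from step 1.1; READY_TIMEOUT is arbitrary.
PATCH_FILE="${PATCH_FILE:-spegel-machine-patch.yaml}"
READY_TIMEOUT="${READY_TIMEOUT:-10m}"

# Print "name internal-ip" for every node, one per line.
node_list() {
  kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.addresses[?(@.type=="InternalIP")].address}{"\n"}{end}'
}

# Patch, reboot and wait for a single node; non-zero on the first failed step.
roll_node() {
  talosctl --nodes "$2" patch machineconfig --patch "@${PATCH_FILE}" || return 1
  # --wait blocks until the reboot has completed, so the Ready check below
  # does not pass on the node's stale pre-reboot status.
  talosctl --nodes "$2" reboot --wait || return 1
  kubectl wait --for=condition=Ready "node/$1" --timeout="$READY_TIMEOUT"
}

# Read "name ip" lines on stdin and roll them in order. Stops at the first
# failure so that no more than one node is ever out of service.
rolling_patch() {
  [ -r "$PATCH_FILE" ] || { echo "cannot read $PATCH_FILE" >&2; return 1; }
  rolled=0
  while read -r name ip _extra; do   # _extra absorbs a second (dual-stack) IP
    [ -n "$name" ] || continue
    [ -n "$ip" ] || { echo "no InternalIP for $name" >&2; return 1; }
    echo "==> $name ($ip)" >&2
    # </dev/null keeps the tools from consuming the node list on stdin.
    if ! roll_node "$name" "$ip" </dev/null; then
      echo "halting: rollout failed at $name" >&2
      return 1
    fi
    rolled=$((rolled + 1))
  done
  echo "$rolled node(s) patched and Ready"
}

# Usage: node_list | rolling_patch
```

If the rollout halts, the failed node is the only one that needs attention; nodes listed after it have not been patched or rebooted.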
Step 2: Configure Spegel to use Talos containerd registry settings
Talos stores containerd registry configuration in a non-default location. In order for Spegel to correctly configure itself as a registry mirror, it must be explicitly pointed to this path. You will do this by creating a Helm values file that tells Spegel where to write its registry configuration.
Create a file named spegel-values.yaml with the following contents:
Step 3: Install Spegel using Helm
Spegel is distributed as an OCI-based Helm chart and runs as a DaemonSet, deploying one instance on each node. This allows every node to serve and retrieve container images from its peers. Install Spegel using the Helm values file you created:
Step 4: Allow Spegel to run with privileged access
Talos enables Pod Security Admission with restrictive defaults to improve cluster security. Because Spegel interacts directly with the container runtime and host filesystem, it requires privileged access. To allow Spegel to function correctly, label the spegel namespace to use the privileged security profile:
Step 5: Verify Spegel is running
After installation, confirm that the Spegel pods are running on all nodes:
Running state, Spegel is active and ready to configure containerd.
Step 6: Test peer-to-peer image distribution
Deploy a test workload to trigger an image pull:
Step 7: Verify Spegel activity
Check the Spegel logs to confirm it is serving registry traffic:
How Spegel integrates with Talos
With Spegel installed, containerd pulls images using this order:
- Spegel registry on the local node
- Spegel registry on peer nodes
- Upstream container registry (for example, Docker Hub)