In this guide, we will enable the Talos feature to access the Talos API from within Kubernetes.

​
Enabling the Feature

Edit the machine configuration to enable the feature, specifying the Kubernetes namespaces from which Talos API can be accessed and the allowed Talos API roles. 
talosctl -n 172.20.0.2 edit machineconfig
Configure the kubernetesTalosAPIAccess like the following: 
spec:
  machine:
    features:
      kubernetesTalosAPIAccess:
        enabled: true
        allowedRoles:
          - os:reader
        allowedKubernetesNamespaces:
          - default

​
Injecting Talos ServiceAccount into manifests

Create the following manifest file deployment.yaml: Note: make sure that you replace the IP 172.20.0.2 with a valid Talos node IP. Use talosctl inject serviceaccount command to inject the Talos ServiceAccount into the manifest. 
talosctl inject serviceaccount -f deployment.yaml > deployment-injected.yaml
Inspect the generated manifest: As you can notice, your deployment manifest is now injected with the Talos ServiceAccount.

​
Testing API Access

Apply the new manifest into default namespace: 
kubectl apply -n default -f deployment-injected.yaml
Follow the logs of the pods belong to the deployment: 
kubectl logs -n default -f -l app=talos-api-access
You’ll see a repeating output similar to the following: 
Client:
    Tag:         <talos version>
    SHA:         ....
    Built:
    Go version:  go1.18.4
    OS/Arch:     linux/amd64
Server:
    NODE:        172.20.0.2
    Tag:         <talos version>
    SHA:         ...
    Built:
    Go version:  go1.18.4
    OS/Arch:     linux/amd64
    Enabled:     RBAC
This means that the pod can talk to Talos API of node 172.20.0.2 successfully.