In this guide, we will enable the Talos feature to access the Talos API from within Kubernetes.
Enable the feature
Edit the machine configuration to enable the feature, specifying the Kubernetes namespaces from which the Talos API
can be accessed and the allowed Talos API roles.
talosctl -n 172.20.0.2 edit machineconfig
Configure the kubernetesTalosAPIAccess like the following:
spec:
  machine:
    features:
      kubernetesTalosAPIAccess:
        enabled: true
        allowedRoles:
          - os:reader
        allowedKubernetesNamespaces:
          - default
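The following check is an added example, not part of the Talos documentation: it audits the kubernetesTalosAPIAccess block against an approved set of roles and namespaces, so that drift toward broader access is caught in review. The function name, the approved sets and both sample configs are assumptions, and the machine config is assumed to have been converted to JSON beforehand.

```python
import json

# Constructed sample mirroring the configuration shown above, in JSON form.
PAGE_CONFIG = json.loads("""
{"spec": {"machine": {"features": {"kubernetesTalosAPIAccess": {
  "enabled": true,
  "allowedRoles": ["os:reader"],
  "allowedKubernetesNamespaces": ["default"]}}}}}
""")

# Constructed over-permissive variant, for comparison only.
BROAD_CONFIG = json.loads("""
{"spec": {"machine": {"features": {"kubernetesTalosAPIAccess": {
  "enabled": true,
  "allowedRoles": ["os:reader", "os:admin"],
  "allowedKubernetesNamespaces": ["default", "kube-system"]}}}}}
""")


def audit_talos_api_access(config, approved_roles, approved_namespaces):
    """Return (severity, message) findings for kubernetesTalosAPIAccess."""
    root = config.get("spec", config)  # accept the resource wrapper or the bare config
    features = root.get("machine", {}).get("features", {})
    feature = features.get("kubernetesTalosAPIAccess") or {}
    if not feature.get("enabled", False):
        return []  # feature disabled: nothing is granted to pods through this path
    findings = []
    for role in feature.get("allowedRoles") or []:
        if role == "os:admin":
            # Always reported, even if a caller lists it as approved.
            findings.append(("high", "pods may request full Talos API access (os:admin)"))
        elif role not in approved_roles:
            findings.append(("medium", f"role {role} is not in the approved set"))
    for ns in feature.get("allowedKubernetesNamespaces") or []:
        if ns not in approved_namespaces:
            findings.append(("medium", f"namespace {ns} is not approved for Talos API access"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("broad", BROAD_CONFIG)):
        for severity, message in audit_talos_api_access(cfg, {"os:reader"}, {"default"}):
            print(f"{name}: [{severity}] {message}")
```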
Inject Talos ServiceAccount into manifests
Create the following manifest file deployment.yaml:
Note: make sure that you replace the IP 172.20.0.2 with a valid Talos node IP.
Use the talosctl inject serviceaccount command to inject the Talos ServiceAccount into the manifest.
talosctl inject serviceaccount -f deployment.yaml > deployment-injected.yaml
Inspect the generated manifest:
As you can see, the deployment manifest now includes the Talos ServiceAccount.
Test API access
Apply the new manifest to the default namespace:
kubectl apply -n default -f deployment-injected.yaml
Follow the logs of the pods belonging to the deployment:
kubectl logs -n default -f -l app=talos-api-access
You’ll see a repeating output similar to the following:
Client:
    Tag: <talos version>
    SHA: ....
    Built:
    Go version: go1.18.4
    OS/Arch: linux/amd64
Server:
    NODE: 172.20.0.2
    Tag: <talos version>
    SHA: ...
    Built:
    Go version: go1.18.4
    OS/Arch: linux/amd64
    Enabled: RBAC
This means that the pod can talk to the Talos API of node 172.20.0.2 successfully.