# Talos API access from Kubernetes

> How to access Talos API from within Kubernetes.

export const release = 'v1.13.5';

In this guide, we will enable the Talos feature that allows access to the Talos API from within Kubernetes.

## Enable the feature

Edit the machine configuration to enable the feature, specifying the Kubernetes namespaces from which the Talos API
can be accessed and the Talos API roles that may be granted.

```bash theme={null}
talosctl -n 172.20.0.2 edit machineconfig
```

Configure the `kubernetesTalosAPIAccess` feature as follows:

```yaml theme={null}
spec:
  machine:
    features:
      kubernetesTalosAPIAccess:
        enabled: true
        allowedRoles:
          - os:reader
        allowedKubernetesNamespaces:
          - default
```

## Inject Talos ServiceAccount into manifests

Create the following manifest file `deployment.yaml`:

<CodeBlock lang="yaml" wrap>
  {"apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: talos-api-access\nspec:\n  selector:\n    matchLabels:\n      app: talos-api-access\n  template:\n    metadata:\n      labels:\n        app: talos-api-access\n    spec:\n      containers:\n        - name: talos-api-access\n          image: alpine:3\n          command:\n            - sh\n            - -c\n            - |\n              wget -O /usr/local/bin/talosctl https://github.com/siderolabs/talos/releases/download/${release}/talosctl-linux-amd64\n              chmod +x /usr/local/bin/talosctl\n              while true; talosctl -n 172.20.0.2 version; do sleep 1; done\n"}
</CodeBlock>

**Note:** make sure that you replace the IP `172.20.0.2` with a valid Talos node IP.

Use the `talosctl inject serviceaccount` command to inject the Talos ServiceAccount into the manifest.

```bash theme={null}
talosctl inject serviceaccount -f deployment.yaml > deployment-injected.yaml
```

Inspect the generated manifest:

<CodeBlock lang="yaml">
  {"apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  creationTimestamp: null\n  name: talos-api-access\nspec:\n  selector:\n    matchLabels:\n      app: talos-api-access\n  strategy: {}\n  template:\n    metadata:\n      creationTimestamp: null\n      labels:\n        app: talos-api-access\n    spec:\n      containers:\n      - command:\n        - sh\n        - -c\n        - |\n          wget -O /usr/local/bin/talosctl https://github.com/siderolabs/talos/releases/download/${release}/talosctl-linux-amd64\n          chmod +x /usr/local/bin/talosctl\n          while true; talosctl -n 172.20.0.2 version; do sleep 1; done\n        image: alpine:3\n        name: talos-api-access\n        resources: {}\n        volumeMounts:\n        - mountPath: /var/run/secrets/talos.dev\n          name: talos-secrets\n      tolerations:\n      - operator: Exists\n      volumes:\n      - name: talos-secrets\n        secret:\n          secretName: talos-api-access-talos-secrets\nstatus: {}\n---\napiVersion: talos.dev/v1alpha1\nkind: ServiceAccount\nmetadata:\n    name: talos-api-access-talos-secrets\nspec:\n    roles:\n        - os:reader\n---\n"}
</CodeBlock>

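The deployment manifest now mounts the `talos-api-access-talos-secrets` secret at `/var/run/secrets/talos.dev`, and a `talos.dev/v1alpha1` ServiceAccount with the `os:reader` role has been appended to it.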
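Before applying, the injected manifest can be checked against the `kubernetesTalosAPIAccess` settings from the machine configuration. The following is an added example, not part of Talos or `talosctl`: the function name `check_talos_access` is hypothetical, the inputs are assumed to be documents already parsed from YAML into dicts, and the sample data is constructed from the manifests shown on this page.

```python
# Added example: lint an injected manifest against kubernetesTalosAPIAccess.
# Inputs are plain dicts (YAML already parsed); sample data is constructed.
MOUNT_PATH = "/var/run/secrets/talos.dev"

def check_talos_access(feature, docs, namespace):
    """Return findings; an empty list means the manifest fits the node policy."""
    findings = []
    if not feature.get("enabled"):
        findings.append("kubernetesTalosAPIAccess is not enabled")
    allowed_roles = set(feature.get("allowedRoles") or [])
    allowed_ns = set(feature.get("allowedKubernetesNamespaces") or [])
    accounts, mounted = set(), set()
    for doc in docs:
        meta = doc.get("metadata", {})
        ns = meta.get("namespace", namespace)  # falls back to `kubectl apply -n`
        if doc.get("apiVersion") == "talos.dev/v1alpha1" and doc.get("kind") == "ServiceAccount":
            accounts.add(meta["name"])
            if ns not in allowed_ns:
                findings.append(f"{meta['name']}: namespace {ns!r} not allowed")
            for role in doc.get("spec", {}).get("roles", []):
                if role not in allowed_roles:
                    findings.append(f"{meta['name']}: role {role!r} not allowed")
            continue
        # Workload: resolve secret volumes mounted at the Talos secrets path.
        pod = doc.get("spec", {}).get("template", {}).get("spec", {})
        secrets = {v["name"]: v["secret"]["secretName"]
                   for v in pod.get("volumes", []) if "secret" in v}
        for c in pod.get("containers", []):
            for m in c.get("volumeMounts", []):
                if m.get("mountPath") == MOUNT_PATH and m["name"] in secrets:
                    mounted.add(secrets[m["name"]])
    for name in sorted(mounted - accounts):
        findings.append(f"{name}: mounted but no Talos ServiceAccount in manifest")
    return findings

FEATURE = {"enabled": True, "allowedRoles": ["os:reader"],
           "allowedKubernetesNamespaces": ["default"]}
DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment",
              "metadata": {"name": "talos-api-access"},
              "spec": {"template": {"spec": {
                  "containers": [{"name": "talos-api-access", "volumeMounts": [
                      {"mountPath": MOUNT_PATH, "name": "talos-secrets"}]}],
                  "volumes": [{"name": "talos-secrets", "secret": {
                      "secretName": "talos-api-access-talos-secrets"}}]}}}}
ACCOUNT = {"apiVersion": "talos.dev/v1alpha1", "kind": "ServiceAccount",
           "metadata": {"name": "talos-api-access-talos-secrets"},
           "spec": {"roles": ["os:reader"]}}
print(check_talos_access(FEATURE, [DEPLOYMENT, ACCOUNT], "default") or "ok")
```

A role or namespace outside the lists in the machine configuration shows up as a finding before the manifest reaches the cluster.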

## Test API access

Apply the new manifest to the `default` namespace:

```bash theme={null}
kubectl apply -n default -f deployment-injected.yaml
```

Follow the logs of the pods belonging to the deployment:

```bash theme={null}
kubectl logs -n default -f -l app=talos-api-access
```

You'll see a repeating output similar to the following:

```text theme={null}
Client:
    Tag:         <talos version>
    SHA:         ....
    Built:
    Go version:  go1.18.4
    OS/Arch:     linux/amd64
Server:
    NODE:        172.20.0.2
    Tag:         <talos version>
    SHA:         ...
    Built:
    Go version:  go1.18.4
    OS/Arch:     linux/amd64
    Enabled:     RBAC
```

This means that the pod can successfully talk to the Talos API of node 172.20.0.2.
