os:operator role, which provides privileges similar to those available through Omni.
Once break glass credentials are used, the cluster is considered tainted, client certificates or operator configs now exist outside Omni’s control. While the cluster remains functional, Omni cannot revoke or reliably track this access until certificate authority (CA) rotation (or equivalent credential rotation) is performed.
How to enable Omni break glass
Break glass can be enabled in two ways, depending on your Omni deployment type.-
SaaS environments: If you’re using the Omni SaaS platform, contact SideroLabs Support to request break glass access.
Support will enable it for your account and guide you through downloading the operator
talosconfig. -
On-Prem environments: For self-hosted (on-premises) Omni installations, break glass mode must be explicitly enabled by setting a server flag when you start Omni. To enable this configuration on Omni you need to pass the
--enable-break-glass-configsto Omni at run time.
Generate an operator talosconfig
After enabling break glass (either via support or server flag), use the following command to generate an operator Talos configuration:Reverting Break-Glass Access
Once break-glass credentials have been used, the cluster is considered tainted, any operator configs or client certificates generated during break-glass access exist outside Omni’s normal control, and Omni cannot reliably revoke or track that access until the cluster’s certificate authorities are rotated. To restore full Omni-managed control, rotate both CAs:- Rotate the Talos API CA
talosconfig.
- Rotate the Kubernetes API CA
--wait-timeout, or pass --wait=false to return immediately). Only one rotation can run at a time.
Check progress with: