Skip to main content
Omni provides a break glass mechanism that allows direct access to Talos nodes and the Kubernetes API when the Omni management plane is unavailable. This mode is intended for emergency recovery and bypasses normal Omni authentication and access controls. When break glass mode is enabled, Talos nodes temporarily allow direct API access on any network interface. This access grants the os:operator role, which provides privileges similar to those available through Omni. Once break glass credentials are used, the cluster is considered tainted, client certificates or operator configs now exist outside Omni’s control. While the cluster remains functional, Omni cannot revoke or reliably track this access until certificate authority (CA) rotation (or equivalent credential rotation) is performed.

How to enable Omni break glass

Break glass can be enabled in two ways, depending on your Omni deployment type.
  • SaaS environments: If you’re using the Omni SaaS platform, contact SideroLabs Support to request break glass access. Support will enable it for your account and guide you through downloading the operator talosconfig.
  • On-Prem environments: For self-hosted (on-premises) Omni installations, break glass mode must be explicitly enabled by setting a server flag when you start Omni. To enable this configuration on Omni you need to pass the --enable-break-glass-configs to Omni at run time.

Generate an operator talosconfig

After enabling break glass (either via support or server flag), use the following command to generate an operator Talos configuration:
omnictl talosconfig --cluster <cluster-name> --break-glass

Reverting Break-Glass Access

Once break-glass credentials have been used, the cluster is considered tainted, any operator configs or client certificates generated during break-glass access exist outside Omni’s normal control, and Omni cannot reliably revoke or track that access until the cluster’s certificate authorities are rotated. To restore full Omni-managed control, rotate both CAs:
  1. Rotate the Talos API CA
omnictl cluster -n <cluster-name> secret rotate talos-ca
This invalidates any Talos-level credentials issued during break-glass access. Rotation doesn’t interrupt connections within the cluster and doesn’t require a node reboot. If you’re using the Talos API access from Kubernetes feature, pods may need to be restarted manually to pick up the new talosconfig.
  1. Rotate the Kubernetes API CA
omnictl cluster -n <cluster-name> secret rotate kubernetes-ca
This invalidates any Kubernetes-level credentials issued during break-glass access. At the end of the process, control plane components are restarted automatically to pick up the change, and each node’s kubelet rejoins the cluster with a new client certificate. You may need to manually restart some workloads to pick up the new CA. Both commands wait for the rotation to complete by default (configurable via --wait-timeout, or pass --wait=false to return immediately). Only one rotation can run at a time. Check progress with:
omnictl cluster -n <cluster-name> secret rotate status