MachineConfig - Sidero Documentation

version: v1alpha1
machine: # ...
cluster: # ...

Field	Type	Description	Value(s)
`version`	string	Indicates the schema used to decode the contents.	`v1alpha1`
`debug`	bool		`true` `yes` `false` `no`
`machine`	MachineConfig	Provides machine specific configuration options.
`cluster`	ClusterConfig	Provides cluster specific configuration options.

machine

MachineConfig represents the machine-specific config values.

machine:
    type: controlplane
    # InstallConfig represents the installation options for preparing a node.
    install:
        disk: /dev/sda # The disk used for installations.
        # Allows for supplying extra kernel args via the bootloader.
        extraKernelArgs:
            - console=ttyS1
            - panic=10
        image: ghcr.io/siderolabs/installer:latest # Allows for supplying the image used to perform the installation.
        wipe: false # Indicates if the installation disk should be wiped at installation time.

        # # Look up disk using disk attributes like model, size, serial and others.
        # diskSelector:
        #     size: 4GB # Disk size.
        #     model: WDC* # Disk model `/sys/block/{"<"}dev{">"}/device/model`.
        #     busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.

Field	Type	Description	Value(s)
`type`	string		`controlplane` `worker`
`token`	string
`ca`	PEMEncodedCertificateAndKey
`acceptedCAs`	[]PEMEncodedCertificate
`certSANs`	[]string
`controlPlane`	MachineControlPlaneConfig	Provides machine specific control plane configuration options.
`kubelet`	KubeletConfig	Used to provide additional options to the kubelet.
`pods`	[]Unstructured
`network`	NetworkConfig	Provides machine specific network configuration options.
`install`	InstallConfig
`files`	[]MachineFile
`env`	Env		`GRPC_GO_LOG_VERBOSITY_LEVEL` `GRPC_GO_LOG_SEVERITY_LEVEL` `http_proxy` `https_proxy` `no_proxy`
`time`	TimeConfig	Used to configure the machine’s time settings.
`sysctls`	map[string]string	Used to configure the machine’s sysctls.
`sysfs`	map[string]string	Used to configure the machine’s sysfs.
`registries`	RegistriesConfig
`systemDiskEncryption`	SystemDiskEncryptionConfig
`features`	FeaturesConfig	Features describe individual Talos features that can be switched on or off.
`udev`	UdevConfig	Configures the udev system.
`logging`	LoggingConfig	Configures the logging system.
`kernel`	KernelConfig	Configures the kernel.
`seccompProfiles`	[]MachineSeccompProfile	Configures the seccomp profiles for the machine.
`baseRuntimeSpecOverrides`	Unstructured
`nodeLabels`	map[string]string
`nodeAnnotations`	map[string]string	Configures the node annotations for the machine.
`nodeTaints`	map[string]string

controlPlane

MachineControlPlaneConfig machine specific configuration options.

machine:
    controlPlane:
        # Controller manager machine specific configuration options.
        controllerManager:
            disabled: false # Disable kube-controller-manager on the node.
        # Scheduler machine specific configuration options.
        scheduler:
            disabled: true # Disable kube-scheduler on the node.

Field	Type	Description	Value(s)
`controllerManager`	MachineControllerManagerConfig	Controller manager machine specific configuration options.
`scheduler`	MachineSchedulerConfig	Scheduler machine specific configuration options.

controllerManager

MachineControllerManagerConfig represents the machine specific ControllerManager config values.

Field	Type	Description	Value(s)
`disabled`	bool	Disable kube-controller-manager on the node.

scheduler

MachineSchedulerConfig represents the machine specific Scheduler config values.

Field	Type	Description	Value(s)
`disabled`	bool	Disable kube-scheduler on the node.

kubelet

KubeletConfig represents the kubelet config values.

machine:
    kubelet:
        image: ghcr.io/siderolabs/kubelet:v1.33.4 # The `image` field is an optional reference to an alternative kubelet image.
        # The `extraArgs` field is used to provide additional flags to the kubelet.
        extraArgs:
            feature-gates: ServerSideApply=true

        # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
        # clusterDNS:
        #     - 10.96.0.10
        #     - 169.254.2.53

        # # The `extraMounts` field is used to add additional mounts to the kubelet container.
        # extraMounts:
        #     - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
        #       type: bind # Type specifies the mount kind.
        #       source: /var/lib/example # Source specifies the source path of the mount.
        #       # Options are fstab style mount options.
        #       options:
        #         - bind
        #         - rshared
        #         - rw

        # # The `extraConfig` field is used to provide kubelet configuration overrides.
        # extraConfig:
        #     serverTLSBootstrap: true

        # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.
        # credentialProviderConfig:
        #     apiVersion: kubelet.config.k8s.io/v1
        #     kind: CredentialProviderConfig
        #     providers:
        #         - apiVersion: credentialprovider.kubelet.k8s.io/v1
        #           defaultCacheDuration: 12h
        #           matchImages:
        #             - '*.dkr.ecr.*.amazonaws.com'
        #             - '*.dkr.ecr.*.amazonaws.com.cn'
        #             - '*.dkr.ecr-fips.*.amazonaws.com'
        #             - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'
        #             - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'
        #           name: ecr-credential-provider

        # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
        # nodeIP:
        #     # The `validSubnets` field configures the networks to pick kubelet node IP from.
        #     validSubnets:
        #         - 10.0.0.0/8
        #         - '!10.0.0.3/32'
        #         - fdc7::/16

Field	Type	Description	Value(s)
`image`	string	The `image` field is an optional reference to an alternative kubelet image.
`clusterDNS`	[]string	The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
`extraArgs`	map[string]string	The `extraArgs` field is used to provide additional flags to the kubelet.
`extraMounts`	[]ExtraMount
`extraConfig`	Unstructured
`credentialProviderConfig`	Unstructured	The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.
`defaultRuntimeSeccompProfileEnabled`	bool	Enable container runtime default Seccomp profile.	`true` `yes` `false` `no`
`registerWithFQDN`	bool		`true` `yes` `false` `no`
`nodeIP`	KubeletNodeIPConfig
`skipNodeRegistration`	bool		`true` `yes` `false` `no`
`disableManifestsDirectory`	bool		`true` `yes` `false` `no`

extraMounts[]

ExtraMount wraps OCI Mount specification.

machine:
    kubelet:
        extraMounts:
            - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
              type: bind # Type specifies the mount kind.
              source: /var/lib/example # Source specifies the source path of the mount.
              # Options are fstab style mount options.
              options:
                - bind
                - rshared
                - rw

Field	Type	Description
`destination`	string	Destination is the absolute path where the mount will be placed in the container.
`type`	string	Type specifies the mount kind.
`source`	string	Source specifies the source path of the mount.
`options`	[]string	Options are fstab style mount options.
`uidMappings`	[]LinuxIDMapping
`gidMappings`	[]LinuxIDMapping

uidMappings[]

LinuxIDMapping represents the Linux ID mapping.

Field	Type	Description
`containerID`	uint32	ContainerID is the starting UID/GID in the container.
`hostID`	uint32	HostID is the starting UID/GID on the host to be mapped to ‘ContainerID’.
`size`	uint32	Size is the number of IDs to be mapped.

gidMappings[]

LinuxIDMapping represents the Linux ID mapping.

Field	Type	Description
`containerID`	uint32	ContainerID is the starting UID/GID in the container.
`hostID`	uint32	HostID is the starting UID/GID on the host to be mapped to ‘ContainerID’.
`size`	uint32	Size is the number of IDs to be mapped.

nodeIP

KubeletNodeIPConfig represents the kubelet node IP configuration.

machine:
    kubelet:
        nodeIP:
            # The `validSubnets` field configures the networks to pick kubelet node IP from.
            validSubnets:
                - 10.0.0.0/8
                - '!10.0.0.3/32'
                - fdc7::/16

Field	Type	Description	Value(s)
`validSubnets`	[]string

network

NetworkConfig represents the machine’s networking config values.

machine:
    network:
        hostname: worker-1 # Used to statically set the hostname for the machine.
        # `interfaces` is used to define the network interface configuration.
        interfaces:
            - interface: enp0s1 # The interface name.
              # Assigns static IP addresses to the interface.
              addresses:
                - 192.168.2.0/24
              # A list of routes associated with the interface.
              routes:
                - network: 0.0.0.0/0 # The route's network (destination).
                  gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
                  metric: 1024 # The optional metric for the route.
              mtu: 1500 # The interface's MTU.

              # # Picks a network device using the selector.

              # # select a device with bus prefix 00:*.
              # deviceSelector:
              #     busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
              # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
              # deviceSelector:
              #     hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
              #     driver: virtio_net # Kernel driver, supports matching by wildcard.
              # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
              # deviceSelector:
              #     - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
              #     - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
              #       driver: virtio_net # Kernel driver, supports matching by wildcard.

              # # Bond specific options.
              # bond:
              #     # The interfaces that make up the bond.
              #     interfaces:
              #         - enp2s0
              #         - enp2s1
              #     # Picks a network device using the selector.
              #     deviceSelectors:
              #         - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
              #         - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
              #           driver: virtio_net # Kernel driver, supports matching by wildcard.
              #     mode: 802.3ad # A bond option.
              #     lacpRate: fast # A bond option.

              # # Bridge specific options.
              # bridge:
              #     # The interfaces that make up the bridge.
              #     interfaces:
              #         - enxda4042ca9a51
              #         - enxae2a6774c259
              #     # Enable STP on this bridge.
              #     stp:
              #         enabled: true # Whether Spanning Tree Protocol (STP) is enabled.

              # # Configure this device as a bridge port.
              # bridgePort:
              #     master: br0 # The name of the bridge master interface

              # # Indicates if DHCP should be used to configure the interface.
              # dhcp: true

              # # DHCP specific options.
              # dhcpOptions:
              #     routeMetric: 1024 # The priority of all routes received via DHCP.

              # # Wireguard specific configuration.

              # # wireguard server example
              # wireguard:
              #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
              #     listenPort: 51111 # Specifies a device's listening port.
              #     # Specifies a list of peer configurations to apply to a device.
              #     peers:
              #         - publicKey: ABCDEF... # Specifies the public key of this peer.
              #           endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
              #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
              #           allowedIPs:
              #             - 192.168.1.0/24
              # # wireguard peer example
              # wireguard:
              #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
              #     # Specifies a list of peer configurations to apply to a device.
              #     peers:
              #         - publicKey: ABCDEF... # Specifies the public key of this peer.
              #           endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
              #           persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
              #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
              #           allowedIPs:
              #             - 192.168.1.0/24

              # # Virtual (shared) IP address configuration.

              # # layer2 vip example
              # vip:
              #     ip: 172.16.199.55 # Specifies the IP address to be used.
        # Used to statically set the nameservers for the machine.
        nameservers:
            - 9.8.7.6
            - 8.7.6.5
        # Used to statically set arbitrary search domains.
        searchDomains:
            - example.org
            - example.com

        # # Allows for extra entries to be added to the `/etc/hosts` file
        # extraHostEntries:
        #     - ip: 192.168.1.100 # The IP of the host.
        #       # The host alias.
        #       aliases:
        #         - example
        #         - example.domain.tld

        # # Configures KubeSpan feature.
        # kubespan:
        #     enabled: true # Enable the KubeSpan feature.

Field	Type	Description	Value(s)
`hostname`	string	Used to statically set the hostname for the machine.
`interfaces`	[]Device
`nameservers`	[]string
`searchDomains`	[]string	Used to statically set arbitrary search domains.
`extraHostEntries`	[]ExtraHost	Allows for extra entries to be added to the `/etc/hosts` file
`kubespan`	NetworkKubeSpan	Configures KubeSpan feature.
`disableSearchDomain`	bool		`true` `yes` `false` `no`

interfaces[]

Device represents a network interface.

machine:
    network:
        interfaces:
            - interface: enp0s1 # The interface name.
              # Assigns static IP addresses to the interface.
              addresses:
                - 192.168.2.0/24
              # A list of routes associated with the interface.
              routes:
                - network: 0.0.0.0/0 # The route's network (destination).
                  gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
                  metric: 1024 # The optional metric for the route.
              mtu: 1500 # The interface's MTU.

              # # Picks a network device using the selector.

              # # select a device with bus prefix 00:*.
              # deviceSelector:
              #     busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
              # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
              # deviceSelector:
              #     hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
              #     driver: virtio_net # Kernel driver, supports matching by wildcard.
              # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
              # deviceSelector:
              #     - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
              #     - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
              #       driver: virtio_net # Kernel driver, supports matching by wildcard.

              # # Bond specific options.
              # bond:
              #     # The interfaces that make up the bond.
              #     interfaces:
              #         - enp2s0
              #         - enp2s1
              #     # Picks a network device using the selector.
              #     deviceSelectors:
              #         - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
              #         - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
              #           driver: virtio_net # Kernel driver, supports matching by wildcard.
              #     mode: 802.3ad # A bond option.
              #     lacpRate: fast # A bond option.

              # # Bridge specific options.
              # bridge:
              #     # The interfaces that make up the bridge.
              #     interfaces:
              #         - enxda4042ca9a51
              #         - enxae2a6774c259
              #     # Enable STP on this bridge.
              #     stp:
              #         enabled: true # Whether Spanning Tree Protocol (STP) is enabled.

              # # Configure this device as a bridge port.
              # bridgePort:
              #     master: br0 # The name of the bridge master interface

              # # Indicates if DHCP should be used to configure the interface.
              # dhcp: true

              # # DHCP specific options.
              # dhcpOptions:
              #     routeMetric: 1024 # The priority of all routes received via DHCP.

              # # Wireguard specific configuration.

              # # wireguard server example
              # wireguard:
              #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
              #     listenPort: 51111 # Specifies a device's listening port.
              #     # Specifies a list of peer configurations to apply to a device.
              #     peers:
              #         - publicKey: ABCDEF... # Specifies the public key of this peer.
              #           endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
              #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
              #           allowedIPs:
              #             - 192.168.1.0/24
              # # wireguard peer example
              # wireguard:
              #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
              #     # Specifies a list of peer configurations to apply to a device.
              #     peers:
              #         - publicKey: ABCDEF... # Specifies the public key of this peer.
              #           endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
              #           persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
              #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
              #           allowedIPs:
              #             - 192.168.1.0/24

              # # Virtual (shared) IP address configuration.

              # # layer2 vip example
              # vip:
              #     ip: 172.16.199.55 # Specifies the IP address to be used.

Field	Type	Description
`interface`	string
`deviceSelector`	NetworkDeviceSelector
`addresses`	[]string
`routes`	[]Route
`bond`	Bond	Bond specific options.
`bridge`	Bridge	Bridge specific options.
`bridgePort`	BridgePort
`vlans`	[]Vlan	VLAN specific options.
`mtu`	int
`dhcp`	bool
`ignore`	bool	Indicates if the interface should be ignored (skips configuration).
`dummy`	bool
`dhcpOptions`	DHCPOptions
`wireguard`	DeviceWireguardConfig
`vip`	DeviceVIPConfig	Virtual (shared) IP address configuration.

deviceSelector

NetworkDeviceSelector struct describes network device selector.

machine:
    network:
        interfaces:
            - deviceSelector:
                busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.

machine:
    network:
        interfaces:
            - deviceSelector:
                hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
                driver: virtio_net # Kernel driver, supports matching by wildcard.

machine:
    network:
        interfaces:
            - deviceSelector:
                - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
                - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
                  driver: virtio_net # Kernel driver, supports matching by wildcard.

Field	Type	Description
`busPath`	string	PCI, USB bus prefix, supports matching by wildcard.
`hardwareAddr`	string	Device hardware (MAC) address, supports matching by wildcard.
`permanentAddr`	string
`pciID`	string	PCI ID (vendor ID, product ID), supports matching by wildcard.
`driver`	string	Kernel driver, supports matching by wildcard.
`physical`	bool	Select only physical devices.

routes[]

Route represents a network route.

machine:
    network:
        interfaces:
            - routes:
                - network: 0.0.0.0/0 # The route's network (destination).
                  gateway: 10.5.0.1 # The route's gateway (if empty, creates link scope route).
                - network: 10.2.0.0/16 # The route's network (destination).
                  gateway: 10.2.0.1 # The route's gateway (if empty, creates link scope route).

Field	Type	Description
`network`	string	The route’s network (destination).
`gateway`	string	The route’s gateway (if empty, creates link scope route).
`source`	string	The route’s source address (optional).
`metric`	uint32	The optional metric for the route.
`mtu`	uint32	The optional MTU for the route.

bond

Bond contains the various options for configuring a bonded interface.

machine:
    network:
        interfaces:
            - bond:
                # The interfaces that make up the bond.
                interfaces:
                    - enp2s0
                    - enp2s1
                mode: 802.3ad # A bond option.
                lacpRate: fast # A bond option.

                # # Picks a network device using the selector.

                # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
                # deviceSelectors:
                #     - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
                #     - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
                #       driver: virtio_net # Kernel driver, supports matching by wildcard.

Field	Type	Description
`interfaces`	[]string	The interfaces that make up the bond.
`deviceSelectors`	[]NetworkDeviceSelector
`arpIPTarget`	[]string
`mode`	string
`xmitHashPolicy`	string
`lacpRate`	string
`adActorSystem`	string
`arpValidate`	string
`arpAllTargets`	string
`primary`	string
`primaryReselect`	string
`failOverMac`	string
`adSelect`	string
`miimon`	uint32
`updelay`	uint32
`downdelay`	uint32
`arpInterval`	uint32
`resendIgmp`	uint32
`minLinks`	uint32
`lpInterval`	uint32
`packetsPerSlave`	uint32
`numPeerNotif`	uint8
`tlbDynamicLb`	uint8
`allSlavesActive`	uint8
`useCarrier`	bool
`adActorSysPrio`	uint16
`adUserPortKey`	uint16
`peerNotifyDelay`	uint32

deviceSelectors[]

NetworkDeviceSelector struct describes network device selector.

machine:
    network:
        interfaces:
            - bond:
                deviceSelectors:
                    busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.

machine:
    network:
        interfaces:
            - bond:
                deviceSelectors:
                    hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
                    driver: virtio_net # Kernel driver, supports matching by wildcard.

machine:
    network:
        interfaces:
            - bond:
                deviceSelectors:
                    - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
                    - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
                      driver: virtio_net # Kernel driver, supports matching by wildcard.

Field	Type	Description
`busPath`	string	PCI, USB bus prefix, supports matching by wildcard.
`hardwareAddr`	string	Device hardware (MAC) address, supports matching by wildcard.
`permanentAddr`	string
`pciID`	string	PCI ID (vendor ID, product ID), supports matching by wildcard.
`driver`	string	Kernel driver, supports matching by wildcard.
`physical`	bool	Select only physical devices.

bridge

Bridge contains the various options for configuring a bridge interface.

machine:
    network:
        interfaces:
            - bridge:
                # The interfaces that make up the bridge.
                interfaces:
                    - enxda4042ca9a51
                    - enxae2a6774c259
                # Enable STP on this bridge.
                stp:
                    enabled: true # Whether Spanning Tree Protocol (STP) is enabled.

Field	Type	Description
`interfaces`	[]string	The interfaces that make up the bridge.
`stp`	STP
`vlan`	BridgeVLAN

stp

STP contains the various options for configuring the STP properties of a bridge interface.

Field	Type	Description	Value(s)
`enabled`	bool	Whether Spanning Tree Protocol (STP) is enabled.

vlan

BridgeVLAN contains the various options for configuring the VLAN properties of a bridge interface.

Field	Type	Description	Value(s)
`vlanFiltering`	bool	Whether VLAN filtering is enabled.

bridgePort

BridgePort contains settings for assigning a link to a bridge interface.

machine:
    network:
        interfaces:
            - bridgePort:
                master: br0 # The name of the bridge master interface

Field	Type	Description	Value(s)
`master`	string	The name of the bridge master interface

vlans[]

Vlan represents vlan settings for a device.

Field	Type	Description
`addresses`	[]string	The addresses in CIDR notation or as plain IPs to use.
`routes`	[]Route	A list of routes associated with the VLAN.
`dhcp`	bool	Indicates if DHCP should be used.
`vlanId`	uint16	The VLAN’s ID.
`mtu`	uint32	The VLAN’s MTU.
`vip`	DeviceVIPConfig	The VLAN’s virtual IP address configuration.
`dhcpOptions`	DHCPOptions

routes[]

Route represents a network route.

machine:
    network:
        interfaces:
            - vlans:
                - routes:
                    - network: 0.0.0.0/0 # The route's network (destination).
                      gateway: 10.5.0.1 # The route's gateway (if empty, creates link scope route).
                    - network: 10.2.0.0/16 # The route's network (destination).
                      gateway: 10.2.0.1 # The route's gateway (if empty, creates link scope route).

Field	Type	Description
`network`	string	The route’s network (destination).
`gateway`	string	The route’s gateway (if empty, creates link scope route).
`source`	string	The route’s source address (optional).
`metric`	uint32	The optional metric for the route.
`mtu`	uint32	The optional MTU for the route.

vip

DeviceVIPConfig contains settings for configuring a Virtual Shared IP on an interface.

machine:
    network:
        interfaces:
            - vlans:
                - vip:
                    ip: 172.16.199.55 # Specifies the IP address to be used.

Field	Type	Description
`ip`	string	Specifies the IP address to be used.
`equinixMetal`	VIPEquinixMetalConfig	Specifies the Equinix Metal API settings to assign VIP to the node.
`hcloud`	VIPHCloudConfig	Specifies the Hetzner Cloud API settings to assign VIP to the node.

equinixMetal

VIPEquinixMetalConfig contains settings for Equinix Metal VIP management.

Field	Type	Description	Value(s)
`apiToken`	string	Specifies the Equinix Metal API Token.

hcloud

VIPHCloudConfig contains settings for Hetzner Cloud VIP management.

Field	Type	Description	Value(s)
`apiToken`	string	Specifies the Hetzner Cloud API Token.

dhcpOptions

DHCPOptions contains options for configuring the DHCP settings for a given interface.

machine:
    network:
        interfaces:
            - vlans:
                - dhcpOptions:
                    routeMetric: 1024 # The priority of all routes received via DHCP.

Field	Type	Description
`routeMetric`	uint32	The priority of all routes received via DHCP.
`ipv4`	bool	Enables DHCPv4 protocol for the interface (default is enabled).
`ipv6`	bool	Enables DHCPv6 protocol for the interface (default is disabled).
`duidv6`	string	Set client DUID (hex string).

dhcpOptions

DHCPOptions contains options for configuring the DHCP settings for a given interface.

machine:
    network:
        interfaces:
            - dhcpOptions:
                routeMetric: 1024 # The priority of all routes received via DHCP.

Field	Type	Description
`routeMetric`	uint32	The priority of all routes received via DHCP.
`ipv4`	bool	Enables DHCPv4 protocol for the interface (default is enabled).
`ipv6`	bool	Enables DHCPv6 protocol for the interface (default is disabled).
`duidv6`	string	Set client DUID (hex string).

wireguard

DeviceWireguardConfig contains settings for configuring Wireguard network interface.

machine:
    network:
        interfaces:
            - wireguard:
                privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
                listenPort: 51111 # Specifies a device's listening port.
                # Specifies a list of peer configurations to apply to a device.
                peers:
                    - publicKey: ABCDEF... # Specifies the public key of this peer.
                      endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
                      # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
                      allowedIPs:
                        - 192.168.1.0/24

machine:
    network:
        interfaces:
            - wireguard:
                privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
                # Specifies a list of peer configurations to apply to a device.
                peers:
                    - publicKey: ABCDEF... # Specifies the public key of this peer.
                      endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
                      persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
                      # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
                      allowedIPs:
                        - 192.168.1.0/24

Field	Type	Description
`privateKey`	string
`listenPort`	int	Specifies a device’s listening port.
`firewallMark`	int	Specifies a device’s firewall mark.
`peers`	[]DeviceWireguardPeer	Specifies a list of peer configurations to apply to a device.

peers[]

DeviceWireguardPeer a WireGuard device peer configuration.

Field	Type	Description
`publicKey`	string
`endpoint`	string	Specifies the endpoint of this peer entry.
`persistentKeepaliveInterval`	Duration
`allowedIPs`	[]string	AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.

vip

DeviceVIPConfig contains settings for configuring a Virtual Shared IP on an interface.

machine:
    network:
        interfaces:
            - vip:
                ip: 172.16.199.55 # Specifies the IP address to be used.

Field	Type	Description
`ip`	string	Specifies the IP address to be used.
`equinixMetal`	VIPEquinixMetalConfig	Specifies the Equinix Metal API settings to assign VIP to the node.
`hcloud`	VIPHCloudConfig	Specifies the Hetzner Cloud API settings to assign VIP to the node.

equinixMetal

VIPEquinixMetalConfig contains settings for Equinix Metal VIP management.

Field	Type	Description	Value(s)
`apiToken`	string	Specifies the Equinix Metal API Token.

hcloud

VIPHCloudConfig contains settings for Hetzner Cloud VIP management.

Field	Type	Description	Value(s)
`apiToken`	string	Specifies the Hetzner Cloud API Token.

extraHostEntries[]

ExtraHost represents a host entry in /etc/hosts.

machine:
    network:
        extraHostEntries:
            - ip: 192.168.1.100 # The IP of the host.
              # The host alias.
              aliases:
                - example
                - example.domain.tld

Field	Type	Description	Value(s)
`ip`	string	The IP of the host.
`aliases`	[]string	The host alias.

kubespan

NetworkKubeSpan struct describes KubeSpan configuration.

machine:
    network:
        kubespan:
            enabled: true # Enable the KubeSpan feature.

Field	Type	Description	Value(s)
`enabled`	bool
`advertiseKubernetesNetworks`	bool
`allowDownPeerBypass`	bool
`harvestExtraEndpoints`	bool
`mtu`	uint32
`filters`	KubeSpanFilters

filters

KubeSpanFilters struct describes KubeSpan advanced network addresses filtering.

Field	Type	Description	Value(s)
`endpoints`	[]string

install

InstallConfig represents the installation options for preparing a node.

machine:
    install:
        disk: /dev/sda # The disk used for installations.
        # Allows for supplying extra kernel args via the bootloader.
        extraKernelArgs:
            - console=ttyS1
            - panic=10
        image: ghcr.io/siderolabs/installer:latest # Allows for supplying the image used to perform the installation.
        wipe: false # Indicates if the installation disk should be wiped at installation time.

        # # Look up disk using disk attributes like model, size, serial and others.
        # diskSelector:
        #     size: 4GB # Disk size.
        #     model: WDC* # Disk model `/sys/block/{"<"}dev{">"}/device/model`.
        #     busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.

Field	Type	Description	Value(s)
`disk`	string	The disk used for installations.
`diskSelector`	InstallDiskSelector
`extraKernelArgs`	[]string
`image`	string
`wipe`	bool		`true` `yes` `false` `no`
`legacyBIOSSupport`	bool

diskSelector

InstallDiskSelector represents a disk query parameters for the install disk lookup.

machine:
    install:
        diskSelector:
            size: '>= 1TB' # Disk size.
            model: WDC* # Disk model `/sys/block/{"<"}dev{">"}/device/model`.

            # # Disk bus path.
            # busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0
            # busPath: /pci0000:00/*

Field	Type	Description	Value(s)
`size`	InstallDiskSizeMatcher	Disk size.
`name`	string	Disk name `/sys/block/{"<"}dev{">"}/device/name`.
`model`	string	Disk model `/sys/block/{"<"}dev{">"}/device/model`.
`serial`	string	Disk serial number `/sys/block/{"<"}dev{">"}/serial`.
`modalias`	string	Disk modalias `/sys/block/{"<"}dev{">"}/device/modalias`.
`uuid`	string	Disk UUID `/sys/block/{"<"}dev{">"}/uuid`.
`wwid`	string	Disk WWID `/sys/block/{"<"}dev{">"}/wwid`.
`type`	InstallDiskType	Disk Type.	`ssd` `hdd` `nvme` `sd`
`busPath`	string	Disk bus path.

files[]

MachineFile represents a file to write to disk.

machine:
    files:
        - content: '...' # The contents of the file.
          permissions: 0o666 # The file's permissions in octal.
          path: /tmp/file.txt # The path of the file.
          op: append # The operation to use

Field	Type	Description	Value(s)
`content`	string	The contents of the file.
`permissions`	FileMode	The file’s permissions in octal.
`path`	string	The path of the file.
`op`	string	The operation to use	`create` `append` `overwrite`

time

TimeConfig represents the options for configuring time on a machine.

machine:
    time:
        disabled: false # Indicates if the time service is disabled for the machine.
        # description: |
        servers:
            - time.cloudflare.com
        bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence.

Field	Type	Description	Value(s)
`disabled`	bool
`servers`	[]string
`bootTimeout`	Duration

registries

RegistriesConfig represents the image pull options.

machine:
    registries:
        # Specifies mirror configuration for each registry host namespace.
        mirrors:
            docker.io:
                # List of endpoints (URLs) for registry mirrors to use.
                endpoints:
                    - https://registry.local
        # Specifies TLS & auth configuration for HTTPS image registries.
        config:
            registry.local:
                # The TLS configuration for the registry.
                tls:
                    # Enable mutual TLS authentication with the registry.
                    clientIdentity:
                        crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
                        key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
                # The auth configuration for this registry.
                auth:
                    username: username # Optional registry authentication.
                    password: password # Optional registry authentication.

Field	Type	Description	Value(s)
`mirrors`	map[string]RegistryMirrorConfig
`config`	map[string]RegistryConfig

mirrors.*

RegistryMirrorConfig represents mirror configuration for a registry.

machine:
    registries:
        mirrors:
            ghcr.io:
                # List of endpoints (URLs) for registry mirrors to use.
                endpoints:
                    - https://registry.insecure
                    - https://ghcr.io/v2/

Field	Type	Description	Value(s)
`endpoints`	[]string
`overridePath`	bool
`skipFallback`	bool

config.*

RegistryConfig specifies auth & TLS config per registry.

machine:
    registries:
        config:
            registry.insecure:
                # The TLS configuration for the registry.
                tls:
                    insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).

                    # # Enable mutual TLS authentication with the registry.
                    # clientIdentity:
                    #     crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
                    #     key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==

                # # The auth configuration for this registry.
                # auth:
                #     username: username # Optional registry authentication.
                #     password: password # Optional registry authentication.

Field	Type	Description	Value(s)
`tls`	RegistryTLSConfig	The TLS configuration for the registry.
`auth`	RegistryAuthConfig

tls

RegistryTLSConfig specifies TLS config for HTTPS registries.

machine:
    registries:
        config:
            example.com:
                tls:
                    # Enable mutual TLS authentication with the registry.
                    clientIdentity:
                        crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
                        key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==

machine:
    registries:
        config:
            example.com:
                tls:
                    insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).

                    # # Enable mutual TLS authentication with the registry.
                    # clientIdentity:
                    #     crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
                    #     key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==

Field	Type	Description
`clientIdentity`	PEMEncodedCertificateAndKey
`ca`	Base64Bytes
`insecureSkipVerify`	bool	Skip TLS server certificate verification (not recommended).

auth

RegistryAuthConfig specifies authentication configuration for a registry.

machine:
    registries:
        config:
            example.com:
                auth:
                    username: username # Optional registry authentication.
                    password: password # Optional registry authentication.

Field	Type	Description	Value(s)
`username`	string
`password`	string
`auth`	string
`identityToken`	string

systemDiskEncryption

SystemDiskEncryptionConfig specifies system disk partitions encryption settings.

machine:
    systemDiskEncryption:
        # Ephemeral partition encryption.
        ephemeral:
            provider: luks2 # Encryption provider to use for the encryption.
            # Defines the encryption keys generation and storage method.
            keys:
                - # Deterministically generated key from the node UUID and PartitionLabel.
                  nodeID: {}
                  slot: 0 # Key slot number for LUKS2 encryption.

                  # # KMS managed encryption key.
                  # kms:
                  #     endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.

            # # Cipher kind to use for the encryption. Depends on the encryption provider.
            # cipher: aes-xts-plain64

            # # Defines the encryption sector size.
            # blockSize: 4096

            # # Additional --perf parameters for the LUKS2 encryption.
            # options:
            #     - no_read_workqueue
            #     - no_write_workqueue

Field	Type	Description	Value(s)
`state`	EncryptionConfig	State partition encryption.
`ephemeral`	EncryptionConfig	Ephemeral partition encryption.

state

EncryptionConfig represents partition encryption settings.

Field	Type	Description	Value(s)
`provider`	string	Encryption provider to use for the encryption.
`keys`	[]EncryptionKey	Defines the encryption keys generation and storage method.
`cipher`	string	Cipher kind to use for the encryption. Depends on the encryption provider.	`aes-xts-plain64` `xchacha12,aes-adiantum-plain64` `xchacha20,aes-adiantum-plain64`
`keySize`	uint	Defines the encryption key length.
`blockSize`	uint64	Defines the encryption sector size.
`options`	[]string	Additional —perf parameters for the LUKS2 encryption.	`no_read_workqueue` `no_write_workqueue` `same_cpu_crypt`

keys[]

EncryptionKey represents configuration for disk encryption key.

Field	Type	Description
`static`	EncryptionKeyStatic	Key which value is stored in the configuration file.
`nodeID`	EncryptionKeyNodeID	Deterministically generated key from the node UUID and PartitionLabel.
`kms`	EncryptionKeyKMS	KMS managed encryption key.
`slot`	int	Key slot number for LUKS2 encryption.
`tpm`	EncryptionKeyTPM	Enable TPM based disk encryption.

static

EncryptionKeyStatic represents throw away key type.

Field	Type	Description	Value(s)
`passphrase`	string	Defines the static passphrase value.

nodeID

EncryptionKeyNodeID represents deterministically generated key from the node UUID and PartitionLabel.

kms

EncryptionKeyKMS represents a key that is generated and then sealed/unsealed by the KMS server.

machine:
    systemDiskEncryption:
        state:
            keys:
                - kms:
                    endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.

Field	Type	Description	Value(s)
`endpoint`	string	KMS endpoint to Seal/Unseal the key.

tpm

EncryptionKeyTPM represents a key that is generated and then sealed/unsealed by the TPM.

Field	Type	Description	Value(s)
`checkSecurebootStatusOnEnroll`	bool

ephemeral

EncryptionConfig represents partition encryption settings.

Field	Type	Description	Value(s)
`provider`	string	Encryption provider to use for the encryption.
`keys`	[]EncryptionKey	Defines the encryption keys generation and storage method.
`cipher`	string	Cipher kind to use for the encryption. Depends on the encryption provider.	`aes-xts-plain64` `xchacha12,aes-adiantum-plain64` `xchacha20,aes-adiantum-plain64`
`keySize`	uint	Defines the encryption key length.
`blockSize`	uint64	Defines the encryption sector size.
`options`	[]string	Additional —perf parameters for the LUKS2 encryption.	`no_read_workqueue` `no_write_workqueue` `same_cpu_crypt`

keys[]

EncryptionKey represents configuration for disk encryption key.

Field	Type	Description
`static`	EncryptionKeyStatic	Key which value is stored in the configuration file.
`nodeID`	EncryptionKeyNodeID	Deterministically generated key from the node UUID and PartitionLabel.
`kms`	EncryptionKeyKMS	KMS managed encryption key.
`slot`	int	Key slot number for LUKS2 encryption.
`tpm`	EncryptionKeyTPM	Enable TPM based disk encryption.

static

EncryptionKeyStatic represents throw away key type.

Field	Type	Description	Value(s)
`passphrase`	string	Defines the static passphrase value.

nodeID

EncryptionKeyNodeID represents deterministically generated key from the node UUID and PartitionLabel.

kms

EncryptionKeyKMS represents a key that is generated and then sealed/unsealed by the KMS server.

machine:
    systemDiskEncryption:
        ephemeral:
            keys:
                - kms:
                    endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.

Field	Type	Description	Value(s)
`endpoint`	string	KMS endpoint to Seal/Unseal the key.

tpm

EncryptionKeyTPM represents a key that is generated and then sealed/unsealed by the TPM.

Field	Type	Description	Value(s)
`checkSecurebootStatusOnEnroll`	bool

features

FeaturesConfig describes individual Talos features that can be switched on or off.

machine:
    features:
        rbac: true # Enable role-based access control (RBAC).

        # # Configure Talos API access from Kubernetes pods.
        # kubernetesTalosAPIAccess:
        #     enabled: true # Enable Talos API access from Kubernetes pods.
        #     # The list of Talos API roles which can be granted for access from Kubernetes pods.
        #     allowedRoles:
        #         - os:reader
        #     # The list of Kubernetes namespaces Talos API access is available from.
        #     allowedKubernetesNamespaces:
        #         - kube-system

Field	Type	Description
`rbac`	bool	Enable role-based access control (RBAC).
`stableHostname`	bool	Enable stable default hostname.
`kubernetesTalosAPIAccess`	KubernetesTalosAPIAccessConfig
`apidCheckExtKeyUsage`	bool	Enable checks for extended key usage of client certificates in apid.
`diskQuotaSupport`	bool
`kubePrism`	KubePrism
`hostDNS`	HostDNSConfig	Configures host DNS caching resolver.
`imageCache`	ImageCacheConfig	Enable Image Cache feature.
`nodeAddressSortAlgorithm`	string

kubernetesTalosAPIAccess

KubernetesTalosAPIAccessConfig describes the configuration for the Talos API access from Kubernetes pods.

machine:
    features:
        kubernetesTalosAPIAccess:
            enabled: true # Enable Talos API access from Kubernetes pods.
            # The list of Talos API roles which can be granted for access from Kubernetes pods.
            allowedRoles:
                - os:reader
            # The list of Kubernetes namespaces Talos API access is available from.
            allowedKubernetesNamespaces:
                - kube-system

Field	Type	Description
`enabled`	bool	Enable Talos API access from Kubernetes pods.
`allowedRoles`	[]string
`allowedKubernetesNamespaces`	[]string	The list of Kubernetes namespaces Talos API access is available from.

kubePrism

KubePrism describes the configuration for the KubePrism load balancer.

Field	Type	Description	Value(s)
`enabled`	bool	Enable KubePrism support - will start local load balancing proxy.
`port`	int	KubePrism port.

hostDNS

HostDNSConfig describes the configuration for the host DNS resolver.

Field	Type	Description
`enabled`	bool	Enable host DNS caching resolver.
`forwardKubeDNSToHost`	bool
`resolveMemberNames`	bool

imageCache

ImageCacheConfig describes the configuration for the Image Cache feature.

Field	Type	Description	Value(s)
`localEnabled`	bool	Enable local image cache.

udev

UdevConfig describes how the udev system should be configured.

machine:
    udev:
        # List of udev rules to apply to the udev system
        rules:
            - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"

Field	Type	Description	Value(s)
`rules`	[]string	List of udev rules to apply to the udev system

logging

LoggingConfig struct configures Talos logging.

machine:
    logging:
        # Logging destination.
        destinations:
            - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
              format: json_lines # Logs format.

Field	Type	Description	Value(s)
`destinations`	[]LoggingDestination	Logging destination.

destinations[]

LoggingDestination struct configures Talos logging destination.

Field	Type	Description	Value(s)
`endpoint`	Endpoint	Where to send logs. Supported protocols are “tcp” and “udp”.
`format`	string	Logs format.	`json_lines`
`extraTags`	map[string]string	Extra tags (key-value) pairs to attach to every log message sent.

endpoint

Endpoint represents the endpoint URL parsed out of the machine config.

machine:
    logging:
        destinations:
            - endpoint: https://1.2.3.4:6443

machine:
    logging:
        destinations:
            - endpoint: https://cluster1.internal:6443

machine:
    logging:
        destinations:
            - endpoint: udp://127.0.0.1:12345

machine:
    logging:
        destinations:
            - endpoint: tcp://1.2.3.4:12345

Field	Type	Description	Value(s)

kernel

KernelConfig struct configures Talos Linux kernel.

machine:
    kernel:
        # Kernel modules to load.
        modules:
            - name: brtfs # Module name.

Field	Type	Description	Value(s)
`modules`	[]KernelModuleConfig	Kernel modules to load.

modules[]

KernelModuleConfig struct configures Linux kernel modules to load.

Field	Type	Description	Value(s)
`name`	string	Module name.
`parameters`	[]string	Module parameters, changes applied after reboot.

seccompProfiles[]

MachineSeccompProfile defines seccomp profiles for the machine.

machine:
    seccompProfiles:
        - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
          # The `value` field is used to provide the seccomp profile.
          value:
            defaultAction: SCMP_ACT_LOG

Field	Type	Description	Value(s)
`name`	string	The `name` field is used to provide the file name of the seccomp profile.
`value`	Unstructured	The `value` field is used to provide the seccomp profile.

cluster

ClusterConfig represents the cluster-wide config values.

cluster:
    # ControlPlaneConfig represents the control plane configuration options.
    controlPlane:
        endpoint: https://1.2.3.4 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
        localAPIServerPort: 443 # The port that the API server listens on internally.
    clusterName: talos.local
    # ClusterNetworkConfig represents kube networking configuration options.
    network:
        # The CNI used.
        cni:
            name: flannel # Name of CNI to use.
        dnsDomain: cluster.local # The domain used by Kubernetes DNS.
        # The pod subnet CIDR.
        podSubnets:
            - 10.244.0.0/16
        # The service subnet CIDR.
        serviceSubnets:
            - 10.96.0.0/12

Field	Type	Description	Value(s)
`id`	string	Globally unique identifier for this cluster (base64 encoded random 32 bytes).
`secret`	string
`controlPlane`	ControlPlaneConfig	Provides control plane specific configuration options.
`clusterName`	string	Configures the cluster’s name.
`network`	ClusterNetworkConfig	Provides cluster specific network configuration options.
`token`	string	The bootstrap token used to join the cluster.
`aescbcEncryptionSecret`	string
`secretboxEncryptionSecret`	string
`ca`	PEMEncodedCertificateAndKey	The base64 encoded root certificate authority used by Kubernetes.
`acceptedCAs`	[]PEMEncodedCertificate	The list of base64 encoded accepted certificate authorities used by Kubernetes.
`aggregatorCA`	PEMEncodedCertificateAndKey
`serviceAccount`	PEMEncodedKey	The base64 encoded private key for service account token generation.
`apiServer`	APIServerConfig	API server specific configuration options.
`controllerManager`	ControllerManagerConfig	Controller manager server specific configuration options.
`proxy`	ProxyConfig	Kube-proxy server-specific configuration options
`scheduler`	SchedulerConfig	Scheduler server specific configuration options.
`discovery`	ClusterDiscoveryConfig	Configures cluster member discovery.
`etcd`	EtcdConfig	Etcd specific configuration options.
`coreDNS`	CoreDNS	Core DNS specific configuration options.
`externalCloudProvider`	ExternalCloudProviderConfig	External cloud provider configuration.
`extraManifests`	[]string
`extraManifestHeaders`	map[string]string	A map of key value pairs that will be added while fetching the extraManifests.
`inlineManifests`	[]ClusterInlineManifest
`adminKubeconfig`	AdminKubeconfigConfig
`allowSchedulingOnControlPlanes`	bool	Allows running workload on control-plane nodes.	`true` `yes` `false` `no`

controlPlane

ControlPlaneConfig represents the control plane configuration options.

cluster:
    controlPlane:
        endpoint: https://1.2.3.4 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
        localAPIServerPort: 443 # The port that the API server listens on internally.

Field	Type	Description	Value(s)
`endpoint`	Endpoint
`localAPIServerPort`	int

endpoint

Endpoint represents the endpoint URL parsed out of the machine config.

cluster:
    controlPlane:
        endpoint: https://1.2.3.4:6443

cluster:
    controlPlane:
        endpoint: https://cluster1.internal:6443

cluster:
    controlPlane:
        endpoint: udp://127.0.0.1:12345

cluster:
    controlPlane:
        endpoint: tcp://1.2.3.4:12345

Field	Type	Description	Value(s)

network

ClusterNetworkConfig represents kube networking configuration options.

cluster:
    network:
        # The CNI used.
        cni:
            name: flannel # Name of CNI to use.
        dnsDomain: cluster.local # The domain used by Kubernetes DNS.
        # The pod subnet CIDR.
        podSubnets:
            - 10.244.0.0/16
        # The service subnet CIDR.
        serviceSubnets:
            - 10.96.0.0/12

Field	Type	Description
`cni`	CNIConfig
`dnsDomain`	string
`podSubnets`	[]string	The pod subnet CIDR.
`serviceSubnets`	[]string	The service subnet CIDR.

cni

CNIConfig represents the CNI configuration options.

cluster:
    network:
        cni:
            name: custom # Name of CNI to use.
            # URLs containing manifests to apply for the CNI.
            urls:
                - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml

Field	Type	Description	Value(s)
`name`	string	Name of CNI to use.	`flannel` `custom` `none`
`urls`	[]string
`flannel`	FlannelCNIConfig

flannel

FlannelCNIConfig represents the Flannel CNI configuration options.

Field	Type	Description	Value(s)
`extraArgs`	[]string	Extra arguments for ‘flanneld’.

apiServer

APIServerConfig represents the kube apiserver configuration options.

cluster:
    apiServer:
        image: registry.k8s.io/kube-apiserver:v1.33.4 # The container image used in the API server manifest.
        # Extra arguments to supply to the API server.
        extraArgs:
            feature-gates: ServerSideApply=true
            http2-max-streams-per-connection: "32"
        # Extra certificate subject alternative names for the API server's certificate.
        certSANs:
            - 1.2.3.4
            - 4.5.6.7

        # # Configure the API server admission plugins.
        # admissionControl:
        #     - name: PodSecurity # Name is the name of the admission controller.
        #       # Configuration is an embedded configuration object to be used as the plugin's
        #       configuration:
        #         apiVersion: pod-security.admission.config.k8s.io/v1alpha1
        #         defaults:
        #             audit: restricted
        #             audit-version: latest
        #             enforce: baseline
        #             enforce-version: latest
        #             warn: restricted
        #             warn-version: latest
        #         exemptions:
        #             namespaces:
        #                 - kube-system
        #             runtimeClasses: []
        #             usernames: []
        #         kind: PodSecurityConfiguration

        # # Configure the API server audit policy.
        # auditPolicy:
        #     apiVersion: audit.k8s.io/v1
        #     kind: Policy
        #     rules:
        #         - level: Metadata

        # # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration.
        # authorizationConfig:
        #     - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
        #       name: webhook # Name is used to describe the authorizer.
        #       # webhook is the configuration for the webhook authorizer.
        #       webhook:
        #         connectionInfo:
        #             type: InClusterConfig
        #         failurePolicy: Deny
        #         matchConditionSubjectAccessReviewVersion: v1
        #         matchConditions:
        #             - expression: has(request.resourceAttributes)
        #             - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)'
        #         subjectAccessReviewVersion: v1
        #         timeout: 3s
        #     - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
        #       name: in-cluster-authorizer # Name is used to describe the authorizer.
        #       # webhook is the configuration for the webhook authorizer.
        #       webhook:
        #         connectionInfo:
        #             type: InClusterConfig
        #         failurePolicy: NoOpinion
        #         matchConditionSubjectAccessReviewVersion: v1
        #         subjectAccessReviewVersion: v1
        #         timeout: 3s

Field	Type	Description
`image`	string	The container image used in the API server manifest.
`extraArgs`	map[string]string	Extra arguments to supply to the API server.
`extraVolumes`	[]VolumeMountConfig	Extra volumes to mount to the API server static pod.
`env`	Env	The `env` field allows for the addition of environment variables for the control plane component.
`certSANs`	[]string	Extra certificate subject alternative names for the API server’s certificate.
`disablePodSecurityPolicy`	bool	Disable PodSecurityPolicy in the API server and default manifests.
`admissionControl`	[]AdmissionPluginConfig	Configure the API server admission plugins.
`auditPolicy`	Unstructured	Configure the API server audit policy.
`resources`	ResourcesConfig	Configure the API server resources.
`authorizationConfig`	[]AuthorizationConfigAuthorizerConfig	Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration.

extraVolumes[]

VolumeMountConfig struct describes extra volume mount for the static pods.

Field	Type	Description
`hostPath`	string	Path on the host.
`mountPath`	string	Path in the container.
`readonly`	bool	Mount the volume read only.

admissionControl[]

AdmissionPluginConfig represents the API server admission plugin configuration.

cluster:
    apiServer:
        admissionControl:
            - name: PodSecurity # Name is the name of the admission controller.
              # Configuration is an embedded configuration object to be used as the plugin's
              configuration:
                apiVersion: pod-security.admission.config.k8s.io/v1alpha1
                defaults:
                    audit: restricted
                    audit-version: latest
                    enforce: baseline
                    enforce-version: latest
                    warn: restricted
                    warn-version: latest
                exemptions:
                    namespaces:
                        - kube-system
                    runtimeClasses: []
                    usernames: []
                kind: PodSecurityConfiguration

Field	Type	Description	Value(s)
`name`	string
`configuration`	Unstructured

resources

ResourcesConfig represents the pod resources.

Field	Type	Description	Value(s)
`requests`	Unstructured	Requests configures the reserved cpu/memory resources.
`limits`	Unstructured	Limits configures the maximum cpu/memory resources a container can use.

authorizationConfig[]

AuthorizationConfigAuthorizerConfig represents the API server authorization config authorizer configuration.

cluster:
    apiServer:
        authorizationConfig:
            - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
              name: webhook # Name is used to describe the authorizer.
              # webhook is the configuration for the webhook authorizer.
              webhook:
                connectionInfo:
                    type: InClusterConfig
                failurePolicy: Deny
                matchConditionSubjectAccessReviewVersion: v1
                matchConditions:
                    - expression: has(request.resourceAttributes)
                    - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)'
                subjectAccessReviewVersion: v1
                timeout: 3s
            - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
              name: in-cluster-authorizer # Name is used to describe the authorizer.
              # webhook is the configuration for the webhook authorizer.
              webhook:
                connectionInfo:
                    type: InClusterConfig
                failurePolicy: NoOpinion
                matchConditionSubjectAccessReviewVersion: v1
                subjectAccessReviewVersion: v1
                timeout: 3s

Field	Type	Description
`type`	string	Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
`name`	string	Name is used to describe the authorizer.
`webhook`	Unstructured	webhook is the configuration for the webhook authorizer.

controllerManager

ControllerManagerConfig represents the kube controller manager configuration options.

cluster:
    controllerManager:
        image: registry.k8s.io/kube-controller-manager:v1.33.4 # The container image used in the controller manager manifest.
        # Extra arguments to supply to the controller manager.
        extraArgs:
            feature-gates: ServerSideApply=true

Field	Type	Description
`image`	string	The container image used in the controller manager manifest.
`extraArgs`	map[string]string	Extra arguments to supply to the controller manager.
`extraVolumes`	[]VolumeMountConfig	Extra volumes to mount to the controller manager static pod.
`env`	Env	The `env` field allows for the addition of environment variables for the control plane component.
`resources`	ResourcesConfig	Configure the controller manager resources.

extraVolumes[]

VolumeMountConfig struct describes extra volume mount for the static pods.

Field	Type	Description
`hostPath`	string	Path on the host.
`mountPath`	string	Path in the container.
`readonly`	bool	Mount the volume read only.

resources

ResourcesConfig represents the pod resources.

Field	Type	Description	Value(s)
`requests`	Unstructured	Requests configures the reserved cpu/memory resources.
`limits`	Unstructured	Limits configures the maximum cpu/memory resources a container can use.

proxy

ProxyConfig represents the kube proxy configuration options.

cluster:
    proxy:
        image: registry.k8s.io/kube-proxy:v1.33.4 # The container image used in the kube-proxy manifest.
        mode: ipvs # proxy mode of kube-proxy.
        # Extra arguments to supply to kube-proxy.
        extraArgs:
            proxy-mode: iptables

        # # Disable kube-proxy deployment on cluster bootstrap.
        # disabled: false

Field	Type	Description
`disabled`	bool	Disable kube-proxy deployment on cluster bootstrap.
`image`	string	The container image used in the kube-proxy manifest.
`mode`	string
`extraArgs`	map[string]string	Extra arguments to supply to kube-proxy.

scheduler

SchedulerConfig represents the kube scheduler configuration options.

cluster:
    scheduler:
        image: registry.k8s.io/kube-scheduler:v1.33.4 # The container image used in the scheduler manifest.
        # Extra arguments to supply to the scheduler.
        extraArgs:
            feature-gates: AllBeta=true

Field	Type	Description
`image`	string	The container image used in the scheduler manifest.
`extraArgs`	map[string]string	Extra arguments to supply to the scheduler.
`extraVolumes`	[]VolumeMountConfig	Extra volumes to mount to the scheduler static pod.
`env`	Env	The `env` field allows for the addition of environment variables for the control plane component.
`resources`	ResourcesConfig	Configure the scheduler resources.
`config`	Unstructured	Specify custom kube-scheduler configuration.

extraVolumes[]

VolumeMountConfig struct describes extra volume mount for the static pods.

Field	Type	Description
`hostPath`	string	Path on the host.
`mountPath`	string	Path in the container.
`readonly`	bool	Mount the volume read only.

resources

ResourcesConfig represents the pod resources.

Field	Type	Description	Value(s)
`requests`	Unstructured	Requests configures the reserved cpu/memory resources.
`limits`	Unstructured	Limits configures the maximum cpu/memory resources a container can use.

discovery

ClusterDiscoveryConfig struct configures cluster membership discovery.

cluster:
    discovery:
        enabled: true # Enable the cluster membership discovery feature.
        # Configure registries used for cluster member discovery.
        registries:
            # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
            kubernetes: {}
            # Service registry is using an external service to push and pull information about cluster members.
            service:
                endpoint: https://discovery.talos.dev/ # External service endpoint.

Field	Type	Description	Value(s)
`enabled`	bool
`registries`	DiscoveryRegistriesConfig	Configure registries used for cluster member discovery.

registries

DiscoveryRegistriesConfig struct configures cluster membership discovery.

Field	Type	Description	Value(s)
`kubernetes`	RegistryKubernetesConfig
`service`	RegistryServiceConfig	Service registry is using an external service to push and pull information about cluster members.

kubernetes

RegistryKubernetesConfig struct configures Kubernetes discovery registry.

Field	Type	Description	Value(s)
`disabled`	bool	Disable Kubernetes discovery registry.

service

RegistryServiceConfig struct configures Kubernetes discovery registry.

Field	Type	Description	Value(s)
`disabled`	bool	Disable external service discovery registry.
`endpoint`	string	External service endpoint.

etcd

EtcdConfig represents the etcd configuration options.

cluster:
    etcd:
        image: gcr.io/etcd-development/etcd:v3.5.21 # The container image used to create the etcd service.
        # The `ca` is the root certificate authority of the PKI.
        ca:
            crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
            key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
        # Extra arguments to supply to etcd.
        extraArgs:
            election-timeout: "5000"

        # # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
        # advertisedSubnets:
        #     - 10.0.0.0/8

Field	Type	Description
`image`	string	The container image used to create the etcd service.
`ca`	PEMEncodedCertificateAndKey
`extraArgs`	map[string]string
`advertisedSubnets`	[]string
`listenSubnets`	[]string

coreDNS

CoreDNS represents the CoreDNS config values.

cluster:
    coreDNS:
        image: registry.k8s.io/coredns/coredns:v1.12.1 # The `image` field is an override to the default coredns image.

Field	Type	Description	Value(s)
`disabled`	bool	Disable coredns deployment on cluster bootstrap.
`image`	string	The `image` field is an override to the default coredns image.

externalCloudProvider

ExternalCloudProviderConfig contains external cloud provider configuration.

cluster:
    externalCloudProvider:
        enabled: true # Enable external cloud provider.
        # A list of urls that point to additional manifests for an external cloud provider.
        manifests:
            - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
            - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml

Field	Type	Description	Value(s)
`enabled`	bool	Enable external cloud provider.	`true` `yes` `false` `no`
`manifests`	[]string

inlineManifests[]

ClusterInlineManifest struct describes inline bootstrap manifests for the user.

cluster:
    inlineManifests:
        - name: namespace-ci # Name of the manifest.
          contents: |- # Manifest contents as a string.
            apiVersion: v1
            kind: Namespace
            metadata:
            	name: ci

Field	Type	Description	Value(s)
`name`	string
`contents`	string	Manifest contents as a string.

adminKubeconfig

AdminKubeconfigConfig contains admin kubeconfig settings.

cluster:
    adminKubeconfig:
        certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).

Field	Type	Description	Value(s)
`certLifetime`	Duration

Overview

Getting Started

Platform specific installation

Deploying and managing workloads

Networking

Security

Build and extend Talos

Configure your Talos cluster

Advanced guides

Reference

Troubleshooting and support

Learn more

​machine

​controlPlane

​controllerManager

​scheduler

​kubelet

​extraMounts[]

uidMappings[]

gidMappings[]

​nodeIP

​network

​interfaces[]

deviceSelector

routes[]

bond

deviceSelectors[]

bridge

stp

vlan

bridgePort

vlans[]

routes[]

vip

equinixMetal

hcloud

dhcpOptions

dhcpOptions

wireguard

peers[]

vip

equinixMetal

hcloud

​extraHostEntries[]

​kubespan

filters

​install

​diskSelector

​files[]

​time

​registries

​mirrors.*

​config.*

tls

auth

​systemDiskEncryption

​state

keys[]

static

nodeID

kms

tpm

​ephemeral

keys[]

static

nodeID

kms

tpm

​features

​kubernetesTalosAPIAccess

​kubePrism

​hostDNS

​imageCache

​udev

​logging

​destinations[]

endpoint

​kernel

​modules[]

​seccompProfiles[]

machine

controlPlane

controllerManager

scheduler

kubelet

extraMounts[]

nodeIP

network

interfaces[]

extraHostEntries[]

kubespan

install

diskSelector

files[]

time

registries

mirrors.*

config.*

systemDiskEncryption

state

ephemeral

features

kubernetesTalosAPIAccess

kubePrism

hostDNS

imageCache

udev

logging

destinations[]

kernel

modules[]

seccompProfiles[]

cluster

controlPlane

endpoint

network

cni

apiServer

extraVolumes[]

admissionControl[]

resources

authorizationConfig[]

controllerManager

extraVolumes[]

resources

proxy

scheduler

extraVolumes[]

resources

discovery

registries

etcd

coreDNS

externalCloudProvider

inlineManifests[]

adminKubeconfig