| Field | Type | Description | Value(s) |
|---|---|---|---|
| `version` | string | Indicates the schema used to decode the contents. | `v1alpha1` |
| `debug` | bool | Enable verbose logging to the console. All system containers logs will flow into serial console. **Note:** To avoid breaking Talos bootstrap flow enable this option only if serial console can handle high message throughput. |
`true` `yes` `false` `no` |
| `machine` | MachineConfig | Provides machine specific configuration options. | |
| `cluster` | ClusterConfig | Provides cluster specific configuration options. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `type` | string | Defines the role of the machine within the cluster. **Control Plane** Control Plane node type designates the node as a control plane member. This means it will host etcd along with the Kubernetes controlplane components such as API Server, Controller Manager, Scheduler. **Worker** Worker node type designates the node as a worker node. This means it will be an available compute node for scheduling workloads. This node type was previously known as "join"; that value is still supported but deprecated. |
`controlplane` `worker` |
| `token` | string | The `token` is used by a machine to join the PKI of the cluster. Using this token, a machine will create a certificate signing request (CSR), and request a certificate that will be used as its' identity. |
|
| `ca` | PEMEncodedCertificateAndKey | The root certificate authority of the PKI. It is composed of a base64 encoded `crt` and `key`. |
|
| `acceptedCAs` | \[]PEMEncodedCertificate | The certificates issued by certificate authorities are accepted in addition to issuing 'ca'. It is composed of a base64 encoded \`crt\`\`. |
|
| `certSANs` | \[]string | Extra certificate subject alternative names for the machine's certificate. By default, all non-loopback interface IPs are automatically added to the certificate's SANs. |
|
| `controlPlane` | MachineControlPlaneConfig | Provides machine specific control plane configuration options. | |
| `kubelet` | KubeletConfig | Used to provide additional options to the kubelet. | |
| `pods` | \[]Unstructured | Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver. Static pods can be used to run components which should be started before the Kubernetes control plane is up. Talos doesn't validate the pod definition. Updates to this field can be applied without a reboot. See [https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/](https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/). |
|
| `network` | NetworkConfig | Provides machine specific network configuration options. | |
| `install` | InstallConfig | Used to provide instructions for installations. Note that this configuration section gets silently ignored by Talos images that are considered pre-installed. To make sure Talos installs according to the provided configuration, Talos should be booted with ISO or PXE-booted. |
|
| `files` | MachineFile | Allows the addition of user specified files. The value of `op` can be `create`, `overwrite`, or `append`. In the case of `create`, `path` must not exist. In the case of `overwrite`, and `append`, `path` must be a valid file. If an `op` value of `append` is used, the existing file will be appended. Note that the file contents are not required to be base64 encoded. |
|
| `env` | Env | The `env` field allows for the addition of environment variables. All environment variables are set on PID 1 in addition to every service. |
`GRPC_GO_LOG_VERBOSITY_LEVEL` `GRPC_GO_LOG_SEVERITY_LEVEL` `http_proxy` `https_proxy` `no_proxy` |
| `time` | TimeConfig | Used to configure the machine's time settings. | |
| `sysctls` | map\[string]string | Used to configure the machine's sysctls. | |
| `sysfs` | map\[string]string | Used to configure the machine's sysfs. | |
| `registries` | RegistriesConfig | Used to configure the machine's container image registry mirrors. Automatically generates matching CRI configuration for registry mirrors. The `mirrors` section allows to redirect requests for images to a non-default registry, which might be a local registry or a caching mirror. The `config` section provides a way to authenticate to the registry with TLS client identity, provide registry CA, or authentication information. Authentication information has same meaning with the corresponding field in [`.docker/config.json`](https://docs.docker.com/engine/api/v1.41/#section/Authentication). See also matching configuration for [CRI containerd plugin](https://github.com/containerd/cri/blob/master/docs/registry.md). |
|
| `features` | FeaturesConfig | Features describe individual Talos features that can be switched on or off. | |
| `udev` | UdevConfig | Configures the udev system. | |
| `logging` | LoggingConfig | Configures the logging system. | |
| `kernel` | KernelConfig | Configures the kernel. | |
| `seccompProfiles` | MachineSeccompProfile | Configures the seccomp profiles for the machine. | |
| `baseRuntimeSpecOverrides` | Unstructured | Override (patch) settings in the default OCI runtime spec for CRI containers. It can be used to set some default container settings which are not configurable in Kubernetes, for example default ulimits. Note: this change applies to all newly created containers, and it requires a reboot to take effect. |
|
| `nodeLabels` | map\[string]string | Configures the node labels for the machine. Note: In the default Kubernetes configuration, worker nodes are restricted to set labels with some prefixes (see [NodeRestriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction) admission plugin). |
|
| `nodeAnnotations` | map\[string]string | Configures the node annotations for the machine. | |
| `nodeTaints` | map\[string]string | Configures the node taints for the machine. Effect is optional. Note: In the default Kubernetes configuration, worker nodes are not allowed to modify the taints (see [NodeRestriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction) admission plugin). |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `controllerManager` | MachineControllerManagerConfig | Controller manager machine specific configuration options. | |
| `scheduler` | MachineSchedulerConfig | Scheduler machine specific configuration options. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `disabled` | bool | Disable kube-controller-manager on the node. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `disabled` | bool | Disable kube-scheduler on the node. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `image` | string | The `image` field is an optional reference to an alternative kubelet image. | |
| `clusterDNS` | \[]string | The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list. | |
| `extraArgs` | map\[string]string | The `extraArgs` field is used to provide additional flags to the kubelet. | |
| `extraMounts` | ExtraMount | The `extraMounts` field is used to add additional mounts to the kubelet container. Note that either `bind` or `rbind` are required in the `options`. |
|
| `extraConfig` | Unstructured | The `extraConfig` field is used to provide kubelet configuration overrides. Some fields are not allowed to be overridden: authentication and authorization, cgroups configuration, ports, etc. |
|
| `credentialProviderConfig` | Unstructured | The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration. | |
| `defaultRuntimeSeccompProfileEnabled` | bool | Enable container runtime default Seccomp profile. | `true` `yes` `false` `no` |
| `registerWithFQDN` | bool | The `registerWithFQDN` field is used to force kubelet to use the node FQDN for registration. This is required in clouds like AWS. |
`true` `yes` `false` `no` |
| `nodeIP` | KubeletNodeIPConfig | The `nodeIP` field is used to configure `--node-ip` flag for the kubelet. This is used when a node has multiple addresses to choose from. |
|
| `skipNodeRegistration` | bool | The `skipNodeRegistration` is used to run the kubelet without registering with the apiserver. This runs kubelet as standalone and only runs static pods. |
`true` `yes` `false` `no` |
| `disableManifestsDirectory` | bool | The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory. It's recommended to configure static pods with the "pods" key instead. |
`true` `yes` `false` `no` |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `destination` | string | Destination is the absolute path where the mount will be placed in the container. | |
| `type` | string | Type specifies the mount kind. | |
| `source` | string | Source specifies the source path of the mount. | |
| `options` | \[]string | Options are fstab style mount options. | |
| `uidMappings` | LinuxIDMapping | UID/GID mappings used for changing file owners w/o calling chown, fs should support it. Every mount point could have its own mapping. |
|
| `gidMappings` | LinuxIDMapping | UID/GID mappings used for changing file owners w/o calling chown, fs should support it. Every mount point could have its own mapping. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `containerID` | uint32 | ContainerID is the starting UID/GID in the container. | |
| `hostID` | uint32 | HostID is the starting UID/GID on the host to be mapped to 'ContainerID'. | |
| `size` | uint32 | Size is the number of IDs to be mapped. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `containerID` | uint32 | ContainerID is the starting UID/GID in the container. | |
| `hostID` | uint32 | HostID is the starting UID/GID on the host to be mapped to 'ContainerID'. | |
| `size` | uint32 | Size is the number of IDs to be mapped. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `validSubnets` | \[]string | The `validSubnets` field configures the networks to pick kubelet node IP from. For dual stack configuration, there should be two subnets: one for IPv4, another for IPv6. IPs can be excluded from the list by using negative match with `!`, e.g `!10.0.0.0/8`. Negative subnet matches should be specified last to filter out IPs picked by positive matches. If not specified, node IP is picked based on cluster podCIDRs: IPv4/IPv6 address or both. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `hostname` | string | Used to statically set the hostname for the machine. | |
| `interfaces` | Device | `interfaces` is used to define the network interface configuration. By default all network interfaces will attempt a DHCP discovery. This can be further tuned through this configuration parameter. |
|
| `nameservers` | \[]string | Used to statically set the nameservers for the machine. Defaults to `1.1.1.1` and `8.8.8.8` |
|
| `searchDomains` | \[]string | Used to statically set arbitrary search domains. | |
| `extraHostEntries` | ExtraHost | Allows for extra entries to be added to the `/etc/hosts` file | |
| `kubespan` | NetworkKubeSpan | Configures KubeSpan feature. | |
| `disableSearchDomain` | bool | Disable generating a default search domain in /etc/resolv.conf based on the machine hostname. Defaults to `false`. |
`true` `yes` `false` `no` |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `interface` | string | The interface name. Mutually exclusive with `deviceSelector`. |
|
| `deviceSelector` | NetworkDeviceSelector | Picks a network device using the selector. Mutually exclusive with `interface`. Supports partial match using wildcard syntax. |
|
| `addresses` | \[]string | Assigns static IP addresses to the interface. An address can be specified either in proper CIDR notation or as a standalone address (netmask of all ones is assumed). |
|
| `routes` | Route | A list of routes associated with the interface. If used in combination with DHCP, these routes will be appended to routes returned by DHCP server. |
|
| `bond` | Bond | Bond specific options. | |
| `bridge` | Bridge | Bridge specific options. | |
| `bridgePort` | BridgePort | Configure this device as a bridge port. This can be used to dynamically assign network interfaces to a bridge. |
|
| `vlans` | Vlan | VLAN specific options. | |
| `mtu` | int | The interface's MTU. If used in combination with DHCP, this will override any MTU settings returned from DHCP server. |
|
| `dhcp` | bool | Indicates if DHCP should be used to configure the interface. The following DHCP options are supported: - `OptionClasslessStaticRoute` - `OptionDomainNameServer` - `OptionDNSDomainSearchList` - `OptionHostName` |
|
| `ignore` | bool | Indicates if the interface should be ignored (skips configuration). | |
| `dummy` | bool | Indicates if the interface is a dummy interface. `dummy` is used to specify that this interface should be a virtual-only, dummy interface. |
|
| `dhcpOptions` | DHCPOptions | DHCP specific options. `dhcp` *must* be set to true for these to take effect. |
|
| `wireguard` | DeviceWireguardConfig | Wireguard specific configuration. Includes things like private key, listen port, peers. |
|
| `vip` | DeviceVIPConfig | Virtual (shared) IP address configuration. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `busPath` | string | PCI, USB bus prefix, supports matching by wildcard. | |
| `hardwareAddr` | string | Device hardware (MAC) address, supports matching by wildcard. | |
| `permanentAddr` | string | Device permanent hardware address, supports matching by wildcard. The permanent address doesn't change when the link is enslaved to a bond, so it's recommended to use this field for bond members. |
|
| `pciID` | string | PCI ID (vendor ID, product ID), supports matching by wildcard. | |
| `driver` | string | Kernel driver, supports matching by wildcard. | |
| `physical` | bool | Select only physical devices. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `network` | string | The route's network (destination). | |
| `gateway` | string | The route's gateway (if empty, creates link scope route). | |
| `source` | string | The route's source address (optional). | |
| `metric` | uint32 | The optional metric for the route. | |
| `mtu` | uint32 | The optional MTU for the route. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `interfaces` | \[]string | The interfaces that make up the bond. | |
| `deviceSelectors` | NetworkDeviceSelector | Picks a network device using the selector. Mutually exclusive with `interfaces`. Supports partial match using wildcard syntax. |
|
| `arpIPTarget` | \[]string | A bond option. Please see the official kernel documentation. Not supported at the moment. |
|
| `mode` | string | A bond option. Please see the official kernel documentation. |
|
| `xmitHashPolicy` | string | A bond option. Please see the official kernel documentation. |
|
| `lacpRate` | string | A bond option. Please see the official kernel documentation. |
|
| `adActorSystem` | string | A bond option. Please see the official kernel documentation. Not supported at the moment. |
|
| `arpValidate` | string | A bond option. Please see the official kernel documentation. |
|
| `arpAllTargets` | string | A bond option. Please see the official kernel documentation. |
|
| `primary` | string | A bond option. Please see the official kernel documentation. |
|
| `primaryReselect` | string | A bond option. Please see the official kernel documentation. |
|
| `failOverMac` | string | A bond option. Please see the official kernel documentation. |
|
| `adSelect` | string | A bond option. Please see the official kernel documentation. |
|
| `miimon` | uint32 | A bond option. Please see the official kernel documentation. |
|
| `updelay` | uint32 | A bond option. Please see the official kernel documentation. |
|
| `downdelay` | uint32 | A bond option. Please see the official kernel documentation. |
|
| `arpInterval` | uint32 | A bond option. Please see the official kernel documentation. |
|
| `resendIgmp` | uint32 | A bond option. Please see the official kernel documentation. |
|
| `minLinks` | uint32 | A bond option. Please see the official kernel documentation. |
|
| `lpInterval` | uint32 | A bond option. Please see the official kernel documentation. |
|
| `packetsPerSlave` | uint32 | A bond option. Please see the official kernel documentation. |
|
| `numPeerNotif` | uint8 | A bond option. Please see the official kernel documentation. |
|
| `tlbDynamicLb` | uint8 | A bond option. Please see the official kernel documentation. |
|
| `allSlavesActive` | uint8 | A bond option. Please see the official kernel documentation. |
|
| `useCarrier` | bool | A bond option. Please see the official kernel documentation. |
|
| `adActorSysPrio` | uint16 | A bond option. Please see the official kernel documentation. |
|
| `adUserPortKey` | uint16 | A bond option. Please see the official kernel documentation. |
|
| `peerNotifyDelay` | uint32 | A bond option. Please see the official kernel documentation. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `busPath` | string | PCI, USB bus prefix, supports matching by wildcard. | |
| `hardwareAddr` | string | Device hardware (MAC) address, supports matching by wildcard. | |
| `permanentAddr` | string | Device permanent hardware address, supports matching by wildcard. The permanent address doesn't change when the link is enslaved to a bond, so it's recommended to use this field for bond members. |
|
| `pciID` | string | PCI ID (vendor ID, product ID), supports matching by wildcard. | |
| `driver` | string | Kernel driver, supports matching by wildcard. | |
| `physical` | bool | Select only physical devices. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `interfaces` | \[]string | The interfaces that make up the bridge. | |
| `stp` | STP | Enable STP on this bridge. Please see the official kernel documentation. |
|
| `vlan` | BridgeVLAN | Enable VLAN-awareness on this bridge. Please see the official kernel documentation. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `enabled` | bool | Whether Spanning Tree Protocol (STP) is enabled. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `vlanFiltering` | bool | Whether VLAN filtering is enabled. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `master` | string | The name of the bridge master interface |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `addresses` | \[]string | The addresses in CIDR notation or as plain IPs to use. | |
| `routes` | Route | A list of routes associated with the VLAN. | |
| `dhcp` | bool | Indicates if DHCP should be used. | |
| `vlanId` | uint16 | The VLAN's ID. | |
| `mtu` | uint32 | The VLAN's MTU. | |
| `vip` | DeviceVIPConfig | The VLAN's virtual IP address configuration. | |
| `dhcpOptions` | DHCPOptions | DHCP specific options. `dhcp` *must* be set to true for these to take effect. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `network` | string | The route's network (destination). | |
| `gateway` | string | The route's gateway (if empty, creates link scope route). | |
| `source` | string | The route's source address (optional). | |
| `metric` | uint32 | The optional metric for the route. | |
| `mtu` | uint32 | The optional MTU for the route. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `ip` | string | Specifies the IP address to be used. | |
| `equinixMetal` | VIPEquinixMetalConfig | Specifies the Equinix Metal API settings to assign VIP to the node. | |
| `hcloud` | VIPHCloudConfig | Specifies the Hetzner Cloud API settings to assign VIP to the node. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `apiToken` | string | Specifies the Equinix Metal API Token. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `apiToken` | string | Specifies the Hetzner Cloud API Token. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `routeMetric` | uint32 | The priority of all routes received via DHCP. | |
| `ipv4` | bool | Enables DHCPv4 protocol for the interface (default is enabled). | |
| `ipv6` | bool | Enables DHCPv6 protocol for the interface (default is disabled). | |
| `duidv6` | string | Set client DUID (hex string). |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `routeMetric` | uint32 | The priority of all routes received via DHCP. | |
| `ipv4` | bool | Enables DHCPv4 protocol for the interface (default is enabled). | |
| `ipv6` | bool | Enables DHCPv6 protocol for the interface (default is disabled). | |
| `duidv6` | string | Set client DUID (hex string). |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `privateKey` | string | Specifies a private key configuration (base64 encoded). Can be generated by `wg genkey`. |
|
| `listenPort` | int | Specifies a device's listening port. | |
| `firewallMark` | int | Specifies a device's firewall mark. | |
| `peers` | DeviceWireguardPeer | Specifies a list of peer configurations to apply to a device. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `publicKey` | string | Specifies the public key of this peer. Can be extracted from private key by running `wg pubkey {"<"} private.key {">"} public.key && cat public.key`. |
|
| `endpoint` | string | Specifies the endpoint of this peer entry. | |
| `persistentKeepaliveInterval` | Duration | Specifies the persistent keepalive interval for this peer. Field format accepts any Go time.Duration format ('1h' for one hour, '10m' for ten minutes). |
|
| `allowedIPs` | \[]string | AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `ip` | string | Specifies the IP address to be used. | |
| `equinixMetal` | VIPEquinixMetalConfig | Specifies the Equinix Metal API settings to assign VIP to the node. | |
| `hcloud` | VIPHCloudConfig | Specifies the Hetzner Cloud API settings to assign VIP to the node. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `apiToken` | string | Specifies the Equinix Metal API Token. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `apiToken` | string | Specifies the Hetzner Cloud API Token. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `ip` | string | The IP of the host. | |
| `aliases` | \[]string | The host alias. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `enabled` | bool | Enable the KubeSpan feature. Cluster discovery should be enabled with .cluster.discovery.enabled for KubeSpan to be enabled. |
|
| `advertiseKubernetesNetworks` | bool | Control whether Kubernetes pod CIDRs are announced over KubeSpan from the node. If disabled, CNI handles encapsulating pod-to-pod traffic into some node-to-node tunnel, and KubeSpan handles the node-to-node traffic. If enabled, KubeSpan will take over pod-to-pod traffic and send it over KubeSpan directly. When enabled, KubeSpan should have a way to detect complete pod CIDRs of the node which is not always the case with CNIs not relying on Kubernetes for IPAM. |
|
| `allowDownPeerBypass` | bool | Skip sending traffic via KubeSpan if the peer connection state is not up. This provides configurable choice between connectivity and security: either traffic is always forced to go via KubeSpan (even if Wireguard peer connection is not up), or traffic can go directly to the peer if Wireguard connection can't be established. |
|
| `harvestExtraEndpoints` | bool | KubeSpan can collect and publish extra endpoints for each member of the cluster based on Wireguard endpoint information for each peer. This feature is disabled by default, don't enable it with high number of peers (>50) in the KubeSpan network (performance issues). |
|
| `mtu` | uint32 | KubeSpan link MTU size. Default value is 1420. |
|
| `filters` | KubeSpanFilters | KubeSpan advanced filtering of network addresses . Settings in this section are optional, and settings apply only to the node. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `endpoints` | \[]string | Filter node addresses which will be advertised as KubeSpan endpoints for peer-to-peer Wireguard connections. By default, all addresses are advertised, and KubeSpan cycles through all endpoints until it finds one that works. Default value: no filtering. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `disk` | string | The disk used for installations. | |
| `diskSelector` | InstallDiskSelector | Look up disk using disk attributes like model, size, serial and others. Always has priority over `disk`. |
|
| `extraKernelArgs` | \[]string | Allows for supplying extra kernel args via the bootloader. Existing kernel args can be removed by prefixing the argument with a `-`. For example `-console` removes all `console={"<"}value{">"}` arguments, whereas `-console=tty0` removes the `console=tty0` default argument. If Talos is using systemd-boot as a bootloader (default for UEFI) this setting will be ignored. |
|
| `image` | string | Allows for supplying the image used to perform the installation. Image reference for each Talos release can be found on [GitHub releases page](https://github.com/siderolabs/talos/releases). |
|
| `wipe` | bool | Indicates if the installation disk should be wiped at installation time. Defaults to `true`. |
`true` `yes` `false` `no` |
| `legacyBIOSSupport` | bool | Indicates if MBR partition should be marked as bootable (active). Should be enabled only for the systems with legacy BIOS that doesn't support GPT partitioning scheme. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `size` | InstallDiskSizeMatcher | Disk size. | |
| `name` | string | Disk name `/sys/block/{"<"}dev{">"}/device/name`. | |
| `model` | string | Disk model `/sys/block/{"<"}dev{">"}/device/model`. | |
| `serial` | string | Disk serial number `/sys/block/{"<"}dev{">"}/serial`. | |
| `modalias` | string | Disk modalias `/sys/block/{"<"}dev{">"}/device/modalias`. | |
| `uuid` | string | Disk UUID `/sys/block/{"<"}dev{">"}/uuid`. | |
| `wwid` | string | Disk WWID `/sys/block/{"<"}dev{">"}/wwid`. | |
| `type` | InstallDiskType | Disk Type. | `ssd` `hdd` `nvme` `sd` |
| `busPath` | string | Disk bus path. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `content` | string | The contents of the file. | |
| `permissions` | FileMode | The file's permissions in octal. | |
| `path` | string | The path of the file. | |
| `op` | string | The operation to use | `create` `append` `overwrite` |
| Field | Type | Description | Value(s) | |
|---|---|---|---|---|
| `disabled` | bool | Indicates if the time service is disabled for the machine. Defaults to `false`. |
||
| `servers` | \[]string | description: | Specifies time (NTP) servers to use for setting the system time. Defaults to `time.cloudflare.com`. Talos can also sync to the PTP time source (e.g provided by the hypervisor), provide the path to the PTP device as "/dev/ptp0" or "/dev/ptp\_kvm". |
|
| `bootTimeout` | Duration | Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence. NTP sync will be still running in the background. Defaults to "infinity" (waiting forever for time sync) |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `mirrors` | map\[string]RegistryMirrorConfig | Specifies mirror configuration for each registry host namespace. This setting allows to configure local pull-through caching registires, air-gapped installations, etc. For example, when pulling an image with the reference `example.com:123/image:v1`, the `example.com:123` key will be used to lookup the mirror configuration. Optionally the `*` key can be used to configure a fallback mirror. Registry name is the first segment of image identifier, with 'docker.io' being default one. |
|
| `config` | map\[string]RegistryConfig | Specifies TLS & auth configuration for HTTPS image registries. Mutual TLS can be enabled with 'clientIdentity' option. The full hostname and port (if not using a default port 443) should be used as the key. The fallback key `*` can't be used for TLS configuration. TLS configuration can be skipped if registry has trusted server certificate. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `endpoints` | \[]string | List of endpoints (URLs) for registry mirrors to use. Endpoint configures HTTP/HTTPS access mode, host name, port and path (if path is not set, it defaults to `/v2`). |
|
| `overridePath` | bool | Use the exact path specified for the endpoint (don't append /v2/). This setting is often required for setting up multiple mirrors on a single instance of a registry. |
|
| `skipFallback` | bool | Skip fallback to the upstream endpoint, for example the mirror configuration for `docker.io` will not fallback to `registry-1.docker.io`. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `tls` | RegistryTLSConfig | The TLS configuration for the registry. | |
| `auth` | RegistryAuthConfig | The auth configuration for this registry. Note: changes to the registry auth will not be picked up by the CRI containerd plugin without a reboot. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `clientIdentity` | PEMEncodedCertificateAndKey | Enable mutual TLS authentication with the registry. Client certificate and key should be base64-encoded. |
|
| `ca` | Base64Bytes | CA registry certificate to add the list of trusted certificates. Certificate should be base64-encoded. |
|
| `insecureSkipVerify` | bool | Skip TLS server certificate verification (not recommended). |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `username` | string | Optional registry authentication. The meaning of each field is the same with the corresponding field in [`.docker/config.json`](https://docs.docker.com/engine/api/v1.41/#section/Authentication). |
|
| `password` | string | Optional registry authentication. The meaning of each field is the same with the corresponding field in [`.docker/config.json`](https://docs.docker.com/engine/api/v1.41/#section/Authentication). |
|
| `auth` | string | Optional registry authentication. The meaning of each field is the same with the corresponding field in [`.docker/config.json`](https://docs.docker.com/engine/api/v1.41/#section/Authentication). |
|
| `identityToken` | string | Optional registry authentication. The meaning of each field is the same with the corresponding field in [`.docker/config.json`](https://docs.docker.com/engine/api/v1.41/#section/Authentication). |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `rbac` | bool | Enable role-based access control (RBAC). | |
| `stableHostname` | bool | Enable stable default hostname. | |
| `kubernetesTalosAPIAccess` | KubernetesTalosAPIAccessConfig | Configure Talos API access from Kubernetes pods. This feature is disabled if the feature config is not specified. |
|
| `apidCheckExtKeyUsage` | bool | Enable checks for extended key usage of client certificates in apid. | |
| `diskQuotaSupport` | bool | Enable XFS project quota support for EPHEMERAL partition and user disks. Also enables kubelet tracking of ephemeral disk usage in the kubelet via quota. |
|
| `kubePrism` | KubePrism | KubePrism - local proxy/load balancer on defined port that will distribute requests to all API servers in the cluster. |
|
| `hostDNS` | HostDNSConfig | Configures host DNS caching resolver. | |
| `imageCache` | ImageCacheConfig | Enable Image Cache feature. | |
| `nodeAddressSortAlgorithm` | string | Select the node address sort algorithm. The 'v1' algorithm sorts addresses by the address itself. The 'v2' algorithm prefers more specific prefixes. If unset, defaults to 'v1'. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `enabled` | bool | Enable Talos API access from Kubernetes pods. | |
| `allowedRoles` | \[]string | The list of Talos API roles which can be granted for access from Kubernetes pods. Empty list means that no roles can be granted, so access is blocked. |
|
| `allowedKubernetesNamespaces` | \[]string | The list of Kubernetes namespaces Talos API access is available from. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `enabled` | bool | Enable KubePrism support - will start local load balancing proxy. | |
| `port` | int | KubePrism port. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `enabled` | bool | Enable host DNS caching resolver. | |
| `forwardKubeDNSToHost` | bool | Use the host DNS resolver as upstream for Kubernetes CoreDNS pods. When enabled, CoreDNS pods use host DNS server as the upstream DNS (instead of using configured upstream DNS resolvers directly). |
|
| `resolveMemberNames` | bool | Resolve member hostnames using the host DNS resolver. When enabled, cluster member hostnames and node names are resolved using the host DNS resolver. This requires service discovery to be enabled. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `localEnabled` | bool | Enable local image cache. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `rules` | \[]string | List of udev rules to apply to the udev system |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `destinations` | LoggingDestination | Logging destination. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `endpoint` | Endpoint | Where to send logs. Supported protocols are "tcp" and "udp". | |
| `format` | string | Logs format. | `json_lines` |
| `extraTags` | map\[string]string | Extra tags (key-value) pairs to attach to every log message sent. |
| Field | Type | Description | Value(s) |
|---|
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `modules` | KernelModuleConfig | Kernel modules to load. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `name` | string | Module name. | |
| `parameters` | \[]string | Module parameters, changes applied after reboot. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `name` | string | The `name` field is used to provide the file name of the seccomp profile. | |
| `value` | Unstructured | The `value` field is used to provide the seccomp profile. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `id` | string | Globally unique identifier for this cluster (base64 encoded random 32 bytes). | |
| `secret` | string | Shared secret of cluster (base64 encoded random 32 bytes). This secret is shared among cluster members but should never be sent over the network. |
|
| `controlPlane` | ControlPlaneConfig | Provides control plane specific configuration options. | |
| `clusterName` | string | Configures the cluster's name. | |
| `network` | ClusterNetworkConfig | Provides cluster specific network configuration options. | |
| `token` | string | The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster. | |
| `aescbcEncryptionSecret` | string | A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). Enables encryption with AESCBC. |
|
| `secretboxEncryptionSecret` | string | A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). Enables encryption with secretbox. Secretbox has precedence over AESCBC. |
|
| `ca` | PEMEncodedCertificateAndKey | The base64 encoded root certificate authority used by Kubernetes. | |
| `acceptedCAs` | \[]PEMEncodedCertificate | The list of base64 encoded accepted certificate authorities used by Kubernetes. | |
| `aggregatorCA` | PEMEncodedCertificateAndKey | The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation. This CA can be self-signed. |
|
| `serviceAccount` | PEMEncodedKey | The base64 encoded private key for service account token generation. | |
| `apiServer` | APIServerConfig | API server specific configuration options. | |
| `controllerManager` | ControllerManagerConfig | Controller manager server specific configuration options. | |
| `proxy` | ProxyConfig | Kube-proxy server-specific configuration options | |
| `scheduler` | SchedulerConfig | Scheduler server specific configuration options. | |
| `discovery` | ClusterDiscoveryConfig | Configures cluster member discovery. | |
| `etcd` | EtcdConfig | Etcd specific configuration options. | |
| `coreDNS` | CoreDNS | Core DNS specific configuration options. | |
| `externalCloudProvider` | ExternalCloudProviderConfig | External cloud provider configuration. | |
| `extraManifests` | \[]string | A list of urls that point to additional manifests. These will get automatically deployed as part of the bootstrap. |
|
| `extraManifestHeaders` | map\[string]string | A map of key value pairs that will be added while fetching the extraManifests. | |
| `inlineManifests` | ClusterInlineManifest | A list of inline Kubernetes manifests. These will get automatically deployed as part of the bootstrap. |
|
| `adminKubeconfig` | AdminKubeconfigConfig | Settings for admin kubeconfig generation. Certificate lifetime can be configured. |
|
| `allowSchedulingOnControlPlanes` | bool | Allows running workload on control-plane nodes. | `true` `yes` `false` `no` |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `endpoint` | Endpoint | Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname. It is single-valued, and may optionally include a port number. |
|
| `localAPIServerPort` | int | The port that the API server listens on internally. This may be different than the port portion listed in the endpoint field above. The default is `6443`. |
| Field | Type | Description | Value(s) |
|---|
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `cni` | CNIConfig | The CNI used. Composed of "name" and "urls". The "name" key supports the following options: "flannel", "custom", and "none". "flannel" uses Talos-managed Flannel CNI, and that's the default option. "custom" uses custom manifests that should be provided in "urls". "none" indicates that Talos will not manage any CNI installation. |
|
| `dnsDomain` | string | The domain used by Kubernetes DNS. The default is `cluster.local` |
|
| `podSubnets` | \[]string | The pod subnet CIDR. | |
| `serviceSubnets` | \[]string | The service subnet CIDR. |
| Field | Type | Description | Value(s) | |
|---|---|---|---|---|
| `name` | string | Name of CNI to use. | `flannel` `custom` `none` |
|
| `urls` | \[]string | URLs containing manifests to apply for the CNI. Should be present for "custom", must be empty for "flannel" and "none". |
||
| `flannel` | FlannelCNIConfig | description: | Flannel configuration options. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `extraArgs` | \[]string | Extra arguments for 'flanneld'. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `image` | string | The container image used in the API server manifest. | |
| `extraArgs` | map\[string]string | Extra arguments to supply to the API server. | |
| `extraVolumes` | VolumeMountConfig | Extra volumes to mount to the API server static pod. | |
| `env` | Env | The `env` field allows for the addition of environment variables for the control plane component. | |
| `certSANs` | \[]string | Extra certificate subject alternative names for the API server's certificate. | |
| `disablePodSecurityPolicy` | bool | Disable PodSecurityPolicy in the API server and default manifests. | |
| `admissionControl` | AdmissionPluginConfig | Configure the API server admission plugins. | |
| `auditPolicy` | Unstructured | Configure the API server audit policy. | |
| `resources` | ResourcesConfig | Configure the API server resources. | |
| `authorizationConfig` | AuthorizationConfigAuthorizerConfig | Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `hostPath` | string | Path on the host. | |
| `mountPath` | string | Path in the container. | |
| `readonly` | bool | Mount the volume read only. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `name` | string | Name is the name of the admission controller. It must match the registered admission plugin name. |
|
| `configuration` | Unstructured | Configuration is an embedded configuration object to be used as the plugin's configuration. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `requests` | Unstructured | Requests configures the reserved cpu/memory resources. | |
| `limits` | Unstructured | Limits configures the maximum cpu/memory resources a container can use. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `type` | string | Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`. | |
| `name` | string | Name is used to describe the authorizer. | |
| `webhook` | Unstructured | webhook is the configuration for the webhook authorizer. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `image` | string | The container image used in the controller manager manifest. | |
| `extraArgs` | map\[string]string | Extra arguments to supply to the controller manager. | |
| `extraVolumes` | VolumeMountConfig | Extra volumes to mount to the controller manager static pod. | |
| `env` | Env | The `env` field allows for the addition of environment variables for the control plane component. | |
| `resources` | ResourcesConfig | Configure the controller manager resources. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `hostPath` | string | Path on the host. | |
| `mountPath` | string | Path in the container. | |
| `readonly` | bool | Mount the volume read only. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `requests` | Unstructured | Requests configures the reserved cpu/memory resources. | |
| `limits` | Unstructured | Limits configures the maximum cpu/memory resources a container can use. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `disabled` | bool | Disable kube-proxy deployment on cluster bootstrap. | |
| `image` | string | The container image used in the kube-proxy manifest. | |
| `mode` | string | proxy mode of kube-proxy. The default is 'iptables'. |
|
| `extraArgs` | map\[string]string | Extra arguments to supply to kube-proxy. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `image` | string | The container image used in the scheduler manifest. | |
| `extraArgs` | map\[string]string | Extra arguments to supply to the scheduler. | |
| `extraVolumes` | VolumeMountConfig | Extra volumes to mount to the scheduler static pod. | |
| `env` | Env | The `env` field allows for the addition of environment variables for the control plane component. | |
| `resources` | ResourcesConfig | Configure the scheduler resources. | |
| `config` | Unstructured | Specify custom kube-scheduler configuration. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `hostPath` | string | Path on the host. | |
| `mountPath` | string | Path in the container. | |
| `readonly` | bool | Mount the volume read only. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `requests` | Unstructured | Requests configures the reserved cpu/memory resources. | |
| `limits` | Unstructured | Limits configures the maximum cpu/memory resources a container can use. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `enabled` | bool | Enable the cluster membership discovery feature. Cluster discovery is based on individual registries which are configured under the registries field. |
|
| `registries` | DiscoveryRegistriesConfig | Configure registries used for cluster member discovery. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `kubernetes` | RegistryKubernetesConfig | Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information as annotations on the Node resources. This feature is deprecated as it is not compatible with Kubernetes 1.32+. See [https://github.com/siderolabs/talos/issues/9980](https://github.com/siderolabs/talos/issues/9980) for more information. |
|
| `service` | RegistryServiceConfig | Service registry is using an external service to push and pull information about cluster members. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `disabled` | bool | Disable Kubernetes discovery registry. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `disabled` | bool | Disable external service discovery registry. | |
| `endpoint` | string | External service endpoint. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `image` | string | The container image used to create the etcd service. | |
| `ca` | PEMEncodedCertificateAndKey | The `ca` is the root certificate authority of the PKI. It is composed of a base64 encoded `crt` and `key`. |
|
| `extraArgs` | map\[string]string | Extra arguments to supply to etcd. Note that the following args are not allowed: - `name` - `data-dir` - `initial-cluster-state` - `listen-peer-urls` - `listen-client-urls` - `cert-file` - `key-file` - `trusted-ca-file` - `peer-client-cert-auth` - `peer-cert-file` - `peer-trusted-ca-file` - `peer-key-file` |
|
| `advertisedSubnets` | \[]string | The `advertisedSubnets` field configures the networks to pick etcd advertised IP from. IPs can be excluded from the list by using negative match with `!`, e.g `!10.0.0.0/8`. Negative subnet matches should be specified last to filter out IPs picked by positive matches. If not specified, advertised IP is selected as the first routable address of the node. |
|
| `listenSubnets` | \[]string | The `listenSubnets` field configures the networks for the etcd to listen for peer and client connections. If `listenSubnets` is not set, but `advertisedSubnets` is set, `listenSubnets` defaults to `advertisedSubnets`. If neither `advertisedSubnets` nor `listenSubnets` is set, `listenSubnets` defaults to listen on all addresses. IPs can be excluded from the list by using negative match with `!`, e.g `!10.0.0.0/8`. Negative subnet matches should be specified last to filter out IPs picked by positive matches. If not specified, advertised IP is selected as the first routable address of the node. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `disabled` | bool | Disable coredns deployment on cluster bootstrap. | |
| `image` | string | The `image` field is an override to the default coredns image. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `enabled` | bool | Enable external cloud provider. | `true` `yes` `false` `no` |
| `manifests` | \[]string | A list of urls that point to additional manifests for an external cloud provider. These will get automatically deployed as part of the bootstrap. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `name` | string | Name of the manifest. Name should be unique. |
|
| `contents` | string | Manifest contents as a string. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `certLifetime` | Duration | Admin kubeconfig certificate lifetime (default is 1 year). Field format accepts any Go time.Duration format ('1h' for one hour, '10m' for ten minutes). |