talosctl apply-config
Apply a new configuration to a node
talosctl apply-config [flags]
Options
--cert-fingerprint strings list of server certificate fingerprints to accept (defaults to no check)
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
-p, --config-patch stringArray the list of config patches to apply to the local config file before sending it to the node
--context string Context to be used in command
--dry-run check how the config change will be applied in dry-run mode
-e, --endpoints strings override default endpoints in Talos configuration
-f, --file string the filename of the updated configuration
-h, --help help for apply-config
-i, --insecure apply the config using the insecure (encrypted with no auth) maintenance service
-m, --mode auto, no-reboot, reboot, staged, try apply config mode (default auto)
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
--timeout duration the config will be rolled back after specified timeout (if try mode is selected) (default 1m0s)
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
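An added example, not part of the Talos documentation: a POSIX shell wrapper that refuses `--insecure` unless a `--cert-fingerprint` value is also given (the option list above states that fingerprint checking defaults to off) and runs `--dry-run` before the real apply. The `TALOSCTL` variable and both function names are assumptions of this example, and it assumes `--dry-run` is accepted by the target node.

```shell
#!/bin/sh
# Guard wrapper around `talosctl apply-config` (added example, not project code).
# TALOSCTL is a hypothetical override so the wrapper can be exercised without a cluster.
TALOSCTL="${TALOSCTL:-talosctl}"

# check_apply_args ARGS...
# Returns 1 when -i/--insecure is present without a non-empty --cert-fingerprint
# value, 0 otherwise. Only the separated forms (-i, --insecure, --insecure=true)
# are recognised; combined short flags such as -if are not parsed.
check_apply_args() {
    insecure=0
    pinned=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -i|--insecure|--insecure=true)
                insecure=1
                ;;
            --cert-fingerprint)
                # The value is the next argument; a missing or empty value does not count.
                if [ "$#" -ge 2 ] && [ -n "$2" ]; then
                    pinned=1
                    shift
                fi
                ;;
            --cert-fingerprint=?*)
                pinned=1
                ;;
        esac
        shift
    done
    if [ "$insecure" -eq 1 ] && [ "$pinned" -eq 0 ]; then
        return 1
    fi
    return 0
}

# guarded_apply ARGS...
# 1. Reject an unpinned --insecure (exit status 2).
# 2. Run the same arguments with --dry-run; stop if that fails (exit status 3).
# 3. Apply for real.
guarded_apply() {
    if ! check_apply_args "$@"; then
        echo "refusing: --insecure without --cert-fingerprint, server certificate would not be checked" >&2
        return 2
    fi
    "$TALOSCTL" apply-config --dry-run "$@" || return 3
    "$TALOSCTL" apply-config "$@"
}

# Usage (node address, file name and fingerprint are placeholders):
#   guarded_apply --insecure --cert-fingerprint '<fingerprint>' -n 10.5.0.2 -f controlplane.yaml
```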
talosctl bootstrap
Bootstrap the etcd cluster on the specified node.
Synopsis
When a Talos cluster is created, the etcd service on control plane nodes enters the join loop, waiting
to join etcd peers from other control plane nodes. One node should be picked as the bootstrap node.
When the bootstrap command is issued, the node aborts the join process and bootstraps the etcd cluster as a single-node cluster.
Other control plane nodes will join the etcd cluster once Kubernetes is bootstrapped on the bootstrap node.
This command should not be used when "init" type nodes are used.
The Talos etcd cluster can be recovered from a known snapshot with the '--recover-from=' flag.
talosctl bootstrap [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for bootstrap
-n, --nodes strings target the specified nodes
--recover-from string recover etcd cluster from the snapshot
--recover-skip-hash-check skip integrity check when recovering etcd (use when recovering from data directory copy)
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl cgroups
Retrieve cgroups usage information
Synopsis
The cgroups command fetches control group v2 (cgroupv2) usage details from the machine.
Several presets are available to focus on specific cgroup subsystems:
- cpu
- cpuset
- io
- memory
- process
- swap
You can specify the preset using the --preset flag.
Alternatively, a custom schema can be provided using the --schema-file flag.
To see schema examples, refer to https://github.com/siderolabs/talos/tree/main/cmd/talosctl/cmd/talos/cgroupsprinter/schemas.
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for cgroups
-n, --nodes strings target the specified nodes
--preset string preset name (one of: [cpu cpuset io memory process psi swap])
--schema-file string path to the columns schema file
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--skip-cri-resolve do not resolve cgroup names via a request to CRI
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl cluster create dev
Creates a local QEMU-based cluster for Talos development.
talosctl cluster create dev [flags]
Options
--airgapped limit VM network access to the provisioning network only
--arch string cluster architecture (default "amd64")
--bad-rtc launch VM with bad RTC state
--cidr string CIDR of the cluster network (IPv4, ULA network for IPv6 is derived in automated way) (default "10.5.0.0/24")
--cni-bin-path strings search path for CNI binaries (default [/.talos/cni/bin])
--cni-bundle-url string URL to download CNI bundle from (default "https://github.com/siderolabs/talos/releases/download/v1.13.0/talosctl-cni-bundle-${ARCH}.tar.gz")
--cni-cache-dir string CNI cache directory path (default "/.talos/cni/cache")
--cni-conf-dir string CNI config directory path (default "/.talos/cni/conf.d")
--config-injection-method string a method to inject machine config: default is HTTP server, 'metal-iso' to mount an ISO
--config-patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file
--config-patch-control-plane stringArray patch generated machineconfigs (applied to 'controlplane' type)
--config-patch-worker stringArray patch generated machineconfigs (applied to 'worker' type)
--control-plane-port int control plane port (load balancer and local API port) (default 6443)
--controlplanes int the number of controlplanes to create (default 1)
--cpus string the share of CPUs as fraction for each control plane/VM (default "2.0")
--cpus-workers string the share of CPUs as fraction for each worker/VM (default "2.0")
--custom-cni-url string install custom CNI from the URL (Talos cluster)
--disable-dhcp-hostname skip announcing hostname via DHCP
--disk int default limit on disk size in MB (each VM) (default 6144)
--disk-block-size uint disk block size (default 512)
--disk-encryption-key-types stringArray encryption key types to use for disk encryption (uuid, kms) (default [uuid])
--disk-image-path string disk image to use
--disk-preallocate whether disk space should be preallocated (default true)
--dns-domain string the dns domain to use for cluster (default "cluster.local")
--encrypt-ephemeral enable ephemeral partition encryption
--encrypt-state enable state partition encryption
--encrypt-user-volumes enable ephemeral partition encryption
--endpoint string use endpoint instead of provider defaults
--extra-boot-kernel-args string add extra kernel args to the initial boot from vmlinuz and initramfs
--extra-disks int number of extra disks to create for each worker VM
--extra-disks-drivers strings driver for each extra disk (virtio, ide, ahci, scsi, nvme, megaraid)
--extra-disks-serials strings serials for each extra disk
--extra-disks-size int default limit on disk size in MB (each VM) (default 5120)
--extra-disks-tags strings tags for each extra disk (only used by virtiofs)
--extra-uefi-search-paths strings additional search paths for UEFI firmware (only applies when UEFI is enabled)
-h, --help help for dev
--image-cache-path string path to image cache
--image-cache-port uint16 port on which to serve image cache (default 5000)
--image-cache-tls-cert-file string path to image cache TLS cert
--image-cache-tls-key-file string path to image cache TLS key
--init-node-as-endpoint use init node as endpoint instead of any load balancer endpoint
--initrd-path string initramfs image to use (default "_out/initramfs-${ARCH}.xz")
--install-image string the installer image to use (default "ghcr.io/siderolabs/installer:v1.13.0")
--ipv4 enable IPv4 network in the cluster (default true)
--ipv6 enable IPv6 network in the cluster
--ipxe-boot-script string iPXE boot script (URL) to use
--iso-path string the ISO path to use for the initial boot
--kubeprism-port int KubePrism port (set to 0 to disable) (default 7445)
--kubernetes-version string desired kubernetes version to run (default "1.36.0")
--memory string(mb,gb) the limit on memory usage for each control plane/VM (default 2.0GiB)
--memory-workers string(mb,gb) the limit on memory usage for each worker/VM (default 2.0GiB)
--mtu int MTU of the cluster network (default 1500)
--nameservers strings list of nameservers to use
--no-masquerade-cidrs strings list of CIDRs to exclude from NAT
--omni-api-endpoint string the Omni API endpoint (must include a scheme, a hostname and a join token, e.g. 'https://siderolink.omni.example?jointoken=foobar')
--registry-insecure-skip-verify strings list of registry hostnames to skip TLS verification for
--registry-mirror strings list of registry mirrors to use in format: <registry host>=<mirror URL>
--skip-injecting-config skip injecting config from embedded metadata server, write config files to current directory
--skip-injecting-extra-cmdline skip injecting extra kernel cmdline parameters via EFI vars through bootloader
--skip-k8s-node-readiness-check skip k8s node readiness checks
--skip-kubeconfig skip merging kubeconfig from the created cluster
--talos-version string the desired Talos version to generate config for (default "v1.13.0")
--talosconfig string The location to save the generated Talos configuration file to. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
--uki-path string the UKI image path to use for the initial boot
--usb-path string the USB stick image path to use for the initial boot
--use-vip use a virtual IP for the controlplane endpoint instead of the loadbalancer
--user-volumes strings list of user volumes to create for each VM in format: <name1>:<size1>:<name2>:<size2>
--vmlinuz-path string the compressed kernel image to use (default "_out/vmlinuz-${ARCH}")
--wait wait for the cluster to be ready before returning (default true)
--wait-timeout duration timeout to wait for the cluster to be ready (default 20m0s)
--wireguard-cidr string CIDR of the wireguard network
--with-apply-config enable apply config when the VM is starting in maintenance mode
--with-bootloader enable bootloader to load kernel and initramfs from disk image after install (default true)
--with-cluster-discovery enable cluster discovery (default true)
--with-debug enable debug in Talos config to send service logs to the console
--with-firewall string inject firewall rules into the cluster, value is default policy - accept/block
--with-init-node create the cluster with an init node
--with-iommu enable IOMMU support, this also add a new PCI root port and an interface attached to it
--with-json-logs enable JSON logs receiver and configure Talos to send logs there
--with-kubespan enable KubeSpan system
--with-network-bandwidth int specify bandwidth restriction (in kbps) on the bridge interface
--with-network-chaos enable to use network chaos parameters
--with-network-jitter duration specify jitter on the bridge interface
--with-network-latency duration specify latency on the bridge interface
--with-network-packet-corrupt float specify percent of corrupt packets on the bridge interface. e.g. 50% = 0.50 (default: 0.0)
--with-network-packet-loss float specify percent of packet loss on the bridge interface. e.g. 50% = 0.50 (default: 0.0)
--with-network-packet-reorder float specify percent of reordered packets on the bridge interface. e.g. 50% = 0.50 (default: 0.0)
--with-siderolink true enables the use of siderolink agent as configuration apply mechanism. true or `wireguard` enables the agent, `tunnel` enables the agent with grpc tunneling (default none)
--with-tpm1_2 enable TPM 1.2 emulation support using swtpm
--with-tpm2 enable TPM 2.0 emulation support using swtpm
--with-uefi enable UEFI on x86_64 architecture (default true)
--with-uuid-hostnames use machine UUIDs as default hostnames
--workers int the number of workers to create (default 1)
Options inherited from parent commands
--name string the name of the cluster (default "talos-default")
--state string directory path to store cluster state (default "/.talos/clusters")
talosctl cluster create docker
Create a local Docker based kubernetes cluster
talosctl cluster create docker [flags]
Options
--config-patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file
--config-patch-controlplanes stringArray patch generated machineconfigs (applied to 'controlplane' type)
--config-patch-workers stringArray patch generated machineconfigs (applied to 'worker' type)
--cpus-controlplanes string the share of CPUs as fraction for each control plane/VM (default "2.0")
--cpus-workers string the share of CPUs as fraction for each worker/VM (default "2.0")
-p, --exposed-ports string comma-separated list of ports/protocols to expose on init node. Ex -p <hostPort>:<containerPort>/<protocol (tcp or udp)>
-h, --help help for docker
--host-ip string Host IP to forward exposed ports to (default "0.0.0.0")
--image string the talos image to run (default "ghcr.io/siderolabs/talos:v1.13.0")
--kubernetes-version string desired kubernetes version to run (default "1.36.0")
--memory-controlplanes string(mb,gb) the limit on memory usage for each control plane/VM (default 2.0GiB)
--memory-workers string(mb,gb) the limit on memory usage for each worker/VM (default 2.0GiB)
--mount mount attach a mount to the container (docker --mount syntax)
--subnet string Docker network subnet CIDR (default "10.5.0.0/24")
--talosconfig-destination string The location to save the generated Talos configuration file to. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
--workers int the number of workers to create (default 1)
Options inherited from parent commands
--name string the name of the cluster (default "talos-default")
--state string directory path to store cluster state (default "/.talos/clusters")
talosctl cluster create qemu
Create a local QEMU based Talos cluster.
Synopsis
Create a local QEMU based Talos cluster.
Available presets:
- iso: Configure Talos to boot from an ISO from the Image Factory.
- iso-secureboot: Configure Talos for Secureboot via ISO. Only available on Linux hosts.
- pxe: Configure Talos to boot via PXE from the Image Factory.
- disk-image: Configure Talos to boot from a disk image from the Image Factory.
- maintenance: Skip applying machine configuration and leave the machines in maintenance mode. The machine configuration files are written to the working directory.
Note: exactly one of ‘iso’, ‘iso-secureboot’, ‘pxe’ or ‘disk-image’ presets must be specified.
talosctl cluster create qemu [flags]
Options
--cidr string CIDR of the cluster network (default "10.5.0.0/24")
--config-patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file
--config-patch-controlplanes stringArray patch generated machineconfigs (applied to 'controlplane' type)
--config-patch-workers stringArray patch generated machineconfigs (applied to 'worker' type)
--controlplanes int the number of controlplanes to create (default 1)
--cpus-controlplanes string the share of CPUs as fraction for each control plane/VM (default "2.0")
--cpus-workers string the share of CPUs as fraction for each worker/VM (default "2.0")
--disks disks list of disks to create in format "<driver1>:<size1>" (disks after the first one are added only to worker machines) (default virtio:10GiB,virtio:6GiB)
-h, --help help for qemu
--image-factory-auth string username:password for authenticating with the Image Factory
--image-factory-url string Image Factory url (default "https://factory.talos.dev/")
--kubernetes-version string desired kubernetes version to run (default "1.36.0")
--memory-controlplanes string(mb,gb) the limit on memory usage for each control plane/VM (default 2.0GiB)
--memory-workers string(mb,gb) the limit on memory usage for each worker/VM (default 2.0GiB)
--omni-api-endpoint string the Omni API endpoint (must include a scheme, a hostname and a join token, e.g. 'https://siderolink.omni.example?jointoken=foobar')
--presets strings list of presets to apply (default [iso])
--schematic-id string Image Factory schematic id (defaults to an empty schematic)
--talos-version string the desired talos version (default "v1.13.0")
--talosconfig-destination string The location to save the generated Talos configuration file to. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
--workers int the number of workers to create (default 1)
Options inherited from parent commands
--name string the name of the cluster (default "talos-default")
--state string directory path to store cluster state (default "/.talos/clusters")
talosctl cluster destroy
Destroys a local Talos kubernetes cluster
talosctl cluster destroy [flags]
Options
-f, --force force deletion of cluster directory if there were errors
-h, --help help for destroy
--save-cluster-logs-archive-path string save cluster logs archive to the specified file on destroy
--save-support-archive-path string save support archive to the specified file on destroy
Options inherited from parent commands
--name string the name of the cluster (default "talos-default")
--state string directory path to store cluster state (default "/.talos/clusters")
SEE ALSO
- talosctl cluster - A collection of commands for managing local docker-based or QEMU-based clusters
talosctl cluster show
Shows info about a local provisioned kubernetes cluster
talosctl cluster show [flags]
Options
-h, --help help for show
--provisioner string cluster provisioner to use (default "docker")
Options inherited from parent commands
--name string the name of the cluster (default "talos-default")
--state string directory path to store cluster state (default "/.talos/clusters")
SEE ALSO
- talosctl cluster - A collection of commands for managing local docker-based or QEMU-based clusters
talosctl cluster
A collection of commands for managing local docker-based or QEMU-based clusters
Options
-h, --help help for cluster
--name string the name of the cluster (default "talos-default")
--state string directory path to store cluster state (default "/.talos/clusters")
talosctl completion bash
Generate the autocompletion script for bash
Synopsis
Generate the autocompletion script for the bash shell.
This script depends on the ‘bash-completion’ package.
If it is not installed already, you can install it via your OS’s package manager.
To load completions in your current shell session:
source <(talosctl completion bash)
To load completions for every new session, execute once:
Linux:
talosctl completion bash > /etc/bash_completion.d/talosctl
macOS:
talosctl completion bash > $(brew --prefix)/etc/bash_completion.d/talosctl
You will need to start a new shell for this setup to take effect.
Options
-h, --help help for bash
--no-descriptions disable completion descriptions
SEE ALSO
talosctl completion fish
Generate the autocompletion script for fish
Synopsis
Generate the autocompletion script for the fish shell.
To load completions in your current shell session:
talosctl completion fish | source
To load completions for every new session, execute once:
talosctl completion fish > ~/.config/fish/completions/talosctl.fish
You will need to start a new shell for this setup to take effect.
talosctl completion fish [flags]
Options
-h, --help help for fish
--no-descriptions disable completion descriptions
SEE ALSO
talosctl completion powershell
Generate the autocompletion script for powershell
Synopsis
Generate the autocompletion script for powershell.
To load completions in your current shell session:
talosctl completion powershell | Out-String | Invoke-Expression
To load completions for every new session, add the output of the above command
to your powershell profile.
talosctl completion powershell [flags]
Options
-h, --help help for powershell
--no-descriptions disable completion descriptions
SEE ALSO
talosctl completion zsh
Generate the autocompletion script for zsh
Synopsis
Generate the autocompletion script for the zsh shell.
If shell completion is not already enabled in your environment you will need
to enable it. You can execute the following once:
echo "autoload -U compinit; compinit" >> ~/.zshrc
To load completions in your current shell session:
source <(talosctl completion zsh)
To load completions for every new session, execute once:
Linux:
talosctl completion zsh > "${fpath[1]}/_talosctl"
macOS:
talosctl completion zsh > $(brew --prefix)/share/zsh/site-functions/_talosctl
You will need to start a new shell for this setup to take effect.
talosctl completion zsh [flags]
Options
-h, --help help for zsh
--no-descriptions disable completion descriptions
SEE ALSO
talosctl completion
Generate the autocompletion script for the specified shell
Synopsis
Generate the autocompletion script for talosctl for the specified shell.
See each sub-command’s help for details on how to use the generated script.
Options
-h, --help help for completion
SEE ALSO
talosctl config add
Add a new context
talosctl config add <context> [flags]
Options
--ca string the path to the CA certificate
--crt string the path to the certificate
-h, --help help for add
--key string the path to the key
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl config context
Set the current context
talosctl config context <context> [flags]
Options
-h, --help help for context
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl config contexts
List defined contexts
talosctl config contexts [flags]
Options
-h, --help help for contexts
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl config endpoint
Set the endpoint(s) for the current context
talosctl config endpoint <endpoint>... [flags]
Options
-h, --help help for endpoint
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl config info
Show information about the current context
talosctl config info [flags]
Options
-h, --help help for info
-o, --output string output format (json|yaml|text). Default text. (default "text")
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl config merge
Merge additional contexts from another client configuration file
Synopsis
Contexts with the same name are renamed while merging configs.
talosctl config merge <from> [flags]
Options
-h, --help help for merge
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl config new
Generate a new client configuration file
talosctl config new [<path>] [flags]
Options
--crt-ttl duration certificate TTL (default 8760h0m0s)
-h, --help help for new
--roles strings roles (default [os:admin])
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl config node
Set the node(s) for the current context
talosctl config node <endpoint>... [flags]
Options
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl config remove
Remove contexts
talosctl config remove <context> [flags]
Options
--dry-run dry run
-h, --help help for remove
-y, --noconfirm do not ask for confirmation
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl config
Manage the client configuration file (talosconfig)
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for config
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl conformance kubernetes
Run Kubernetes conformance tests
talosctl conformance kubernetes [flags]
Options
-h, --help help for kubernetes
--mode string conformance test mode: [fast, certified, network-policy] (default "fast")
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl conformance
Run conformance tests
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for conformance
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl containers
List containers
talosctl containers [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for containers
-k, --kubernetes use the k8s.io containerd namespace
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl copy
Copy data out from the node
Synopsis
Creates a .tar.gz archive at the node starting at src-path and
streams it back to the client.
If '-' is given for local-path, the archive is written to stdout.
Otherwise the archive is extracted to local-path, which should be an empty directory;
talosctl creates the directory if local-path doesn't exist. The command doesn't preserve
ownership and access mode for the files in extract mode, while the streamed .tar archive
captures ownership and permission bits.
talosctl copy <src-path> -|<local-path> [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for copy
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl dashboard
Cluster dashboard with node overview, logs and real-time metrics
Synopsis
Provide a text-based UI to navigate node overview, logs and real-time metrics.
Keyboard shortcuts:
- h, Left - switch one node to the left
- l, Right - switch one node to the right
- j, Down - scroll logs/process list down
- k, Up - scroll logs/process list up
- C-d - scroll logs/process list half page down
- C-u - scroll logs/process list half page up
- C-f - scroll logs/process list one page down
- C-b - scroll logs/process list one page up
talosctl dashboard [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for dashboard
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
-d, --update-interval duration interval between updates (default 3s)
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl debug
Run a debug container from an image archive or reference
talosctl debug <image-tar-path|image ref> [args] [flags]
Examples
# Run a debug container from a local tar archive (image will be loaded into Talos from the archive)
talosctl debug ./debug-tools.tar --args /bin/sh
# Run a debug container from an image reference (Talos will pull the image if not present)
talosctl debug docker.io/library/alpine:latest --args /bin/sh
Options
--args strings arguments to pass to the container
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for debug
--namespace system namespace to use: system (CRI containerd) or `inmem` for in-memory containerd instance (default "inmem")
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl dmesg
Retrieve kernel logs
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-f, --follow specify if the kernel log should be streamed
-h, --help help for dmesg
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--tail specify if only new messages should be sent (makes sense only when combined with --follow)
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl edit
Edit Talos node machine configuration with the default editor.
Synopsis
The edit command allows you to directly edit the machine configuration
of a Talos node using your preferred text editor.
It will open the editor defined by your TALOS_EDITOR,
or EDITOR environment variables, or fall back to ‘vi’ for Linux
or ‘notepad’ for Windows.
talosctl edit machineconfig [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
--dry-run do not apply the change after editing and print the change summary instead
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for edit
-m, --mode auto, no-reboot, reboot, staged, try apply config mode (default auto)
--namespace string resource namespace (default is to use default namespace per resource)
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
--timeout duration the config will be rolled back after specified timeout (if try mode is selected) (default 1m0s)
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl etcd alarm disarm
Disarm the etcd alarms for the node.
talosctl etcd alarm disarm [flags]
Options
-h, --help help for disarm
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl etcd alarm list
List the etcd alarms for the node.
talosctl etcd alarm list [flags]
Options
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl etcd alarm
Manage etcd alarms
Options
-h, --help help for alarm
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl etcd defrag
Defragment etcd database on the node
Synopsis
Defragmentation is a maintenance operation that releases unused space from the etcd database file.
Defragmentation is a resource-heavy operation and should be performed only when necessary, on a single node at a time.
talosctl etcd defrag [flags]
Options
-h, --help help for defrag
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl etcd downgrade cancel
Cancel etcd storage system downgrade.
talosctl etcd downgrade cancel [flags]
Options
-h, --help help for cancel
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl etcd downgrade enable
Enable etcd storage system downgrade to the specified version.
talosctl etcd downgrade enable <version> [flags]
Options
-h, --help help for enable
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl etcd downgrade validate
Validate if the etcd storage system can be downgraded to the specified version.
talosctl etcd downgrade validate <version> [flags]
Options
-h, --help help for validate
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl etcd downgrade
Manage etcd storage system downgrades
Options
-h, --help help for downgrade
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl etcd forfeit-leadership
Tell node to forfeit etcd cluster leadership
talosctl etcd forfeit-leadership [flags]
Options
-h, --help help for forfeit-leadership
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl etcd leave
Tell nodes to leave etcd cluster
talosctl etcd leave [flags]
Options
-h, --help help for leave
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl etcd members
Get the list of etcd cluster members
talosctl etcd members [flags]
Options
-h, --help help for members
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl etcd remove-member
Remove the node from etcd cluster
Synopsis
Use this command only if you want to remove a member which is in a broken state,
that is, if there is no access to the node, or the node can't access etcd to call etcd leave.
Always prefer etcd leave over this command.
talosctl etcd remove-member <member ID> [flags]
Options
-h, --help help for remove-member
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl etcd snapshot
Stream snapshot of the etcd node to the path.
talosctl etcd snapshot <path> [flags]
Options
-h, --help help for snapshot
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl etcd status
Get the status of etcd cluster member
Synopsis
Returns the status of the etcd member on the node; use multiple nodes to get the status of all members.
talosctl etcd status [flags]
Options
-h, --help help for status
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl etcd
Manage etcd
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for etcd
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl events
Stream runtime events
Options
--actor-id string filter events by the specified actor ID (default is no filter)
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
--duration duration show events for the past duration interval (one second resolution, default is to show no history)
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for events
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--since string show events after the specified event ID (default is to show no history)
--tail int32 show specified number of past events (use -1 to show full history, default is to show no history)
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl gen ca
Generates a self-signed X.509 certificate authority
Options
-h, --help help for ca
--hours int the hours from now on which the certificate validity period ends (default 87600)
--organization string X.509 distinguished name for the Organization
--rsa generate in RSA format
Options inherited from parent commands
-f, --force will overwrite existing files
SEE ALSO
talosctl gen config
Generates a set of configuration files for Talos cluster
Synopsis
The cluster endpoint is the URL for the Kubernetes API. If you decide to use
a control plane node, common in a single node control plane setup, use port 6443 as
this is the port that the API server binds to on every control plane node. For an HA
setup, usually involving a load balancer, use the IP and port of the load balancer.
talosctl gen config <cluster name> <cluster endpoint> [flags]
Options
--additional-sans strings additional Subject-Alt-Names for the APIServer certificate
--config-patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file
--config-patch-control-plane stringArray patch generated machineconfigs (applied to 'init' and 'controlplane' types)
--config-patch-worker stringArray patch generated machineconfigs (applied to 'worker' type)
--dns-domain string the dns domain to use for cluster (default "cluster.local")
-h, --help help for config
--install-disk string the disk to install to (default "/dev/sda")
--install-image string the image used to perform an installation (default "ghcr.io/siderolabs/installer:v1.13.0")
--kubernetes-version string desired kubernetes version to run (default "1.36.0")
-o, --output string destination to output generated files. when multiple output types are specified, it must be a directory. for a single output type, it must either be a file path, or "-" for stdout
-t, --output-types strings types of outputs to be generated. valid types are: ["controlplane" "worker" "talosconfig"] (default [controlplane,worker,talosconfig])
--registry-mirror strings list of registry mirrors to use in format: <registry host>=<mirror URL>
--talos-version string the desired Talos version to generate config for (backwards compatibility, e.g. v0.8)
--version string the desired machine config version to generate (default "v1alpha1")
--with-cluster-discovery enable cluster discovery feature (default true)
--with-docs renders all machine configs adding the documentation for each field (default true)
--with-examples renders all machine configs with the commented examples (default true)
--with-kubespan enable KubeSpan feature
--with-secrets string use a secrets file generated using 'gen secrets'
Options inherited from parent commands
-f, --force will overwrite existing files
SEE ALSO
talosctl gen crt
Generates an X.509 Ed25519 certificate
Options
--ca string path to the PEM encoded CERTIFICATE
--csr string path to the PEM encoded CERTIFICATE REQUEST
-h, --help help for crt
--hours int the hours from now on which the certificate validity period ends (default 24)
--name string the basename of the generated file
Options inherited from parent commands
-f, --force will overwrite existing files
SEE ALSO
talosctl gen csr
Generates a CSR using an Ed25519 private key
Options
-h, --help help for csr
--ip string generate the certificate for this IP address
--key string path to the PEM encoded EC or RSA PRIVATE KEY
--roles strings roles (default [os:admin])
Options inherited from parent commands
-f, --force will overwrite existing files
SEE ALSO
talosctl gen key
Generates an Ed25519 private key
Options
-h, --help help for key
--name string the basename of the generated file
Options inherited from parent commands
-f, --force will overwrite existing files
SEE ALSO
talosctl gen keypair
Generates an X.509 Ed25519 key pair
talosctl gen keypair [flags]
Options
-h, --help help for keypair
--ip string generate the certificate for this IP address
--organization string X.509 distinguished name for the Organization
Options inherited from parent commands
-f, --force will overwrite existing files
SEE ALSO
talosctl gen secrets
Generates a secrets bundle file which can later be used to generate a config
talosctl gen secrets [flags]
Options
--from-controlplane-config string use the provided controlplane Talos machine configuration as input
-p, --from-kubernetes-pki string use a Kubernetes PKI directory (e.g. /etc/kubernetes/pki) as input
-h, --help help for secrets
-t, --kubernetes-bootstrap-token string use the provided bootstrap token as input
-o, --output-file string path of the output file, or "-" for stdout (default "secrets.yaml")
--talos-version string the desired Talos version to generate secrets bundle for (backwards compatibility, e.g. v0.8)
Options inherited from parent commands
-f, --force will overwrite existing files
SEE ALSO
talosctl gen secureboot database
Generates a UEFI database to enroll the signing certificate
talosctl gen secureboot database [flags]
Options
--enrolled-certificate string path to the certificate to enroll (default "_out/uki-signing-cert.pem")
-h, --help help for database
--include-well-known-uefi-certs include well-known UEFI (Microsoft) certificates in the database
--signing-certificate string path to the certificate used to sign the database (default "_out/uki-signing-cert.pem")
--signing-key string path to the key used to sign the database (default "_out/uki-signing-key.pem")
Options inherited from parent commands
-f, --force will overwrite existing files
-o, --output string path to the directory storing the generated files (default "_out")
SEE ALSO
talosctl gen secureboot pcr
Generates a key which is used to sign TPM PCR values
talosctl gen secureboot pcr [flags]
Options
Options inherited from parent commands
-f, --force will overwrite existing files
-o, --output string path to the directory storing the generated files (default "_out")
SEE ALSO
talosctl gen secureboot uki
Generates a certificate which is used to sign boot assets (UKI)
talosctl gen secureboot uki [flags]
Options
--common-name string common name for the certificate (default "Test UKI Signing Key")
-h, --help help for uki
Options inherited from parent commands
-f, --force will overwrite existing files
-o, --output string path to the directory storing the generated files (default "_out")
SEE ALSO
talosctl gen secureboot
Generates secrets for the SecureBoot process
Options
-h, --help help for secureboot
-o, --output string path to the directory storing the generated files (default "_out")
Options inherited from parent commands
-f, --force will overwrite existing files
SEE ALSO
talosctl gen
Generate CAs, certificates, and private keys
Options
-f, --force will overwrite existing files
-h, --help help for gen
SEE ALSO
talosctl get
Get a specific resource or list of resources (use ‘talosctl get rd’ to see all available resource types).
Synopsis
Similar to ‘kubectl get’, ‘talosctl get’ returns a set of resources from the OS.
To get a list of all available resource definitions, issue ‘talosctl get rd’
talosctl get <type> [<id>] [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for get
-i, --insecure get resources using the insecure (encrypted with no auth) maintenance service
--namespace string resource namespace (default is to use default namespace per resource)
-n, --nodes strings target the specified nodes
-o, --output string output mode (json, table, yaml, jsonpath) (default "table")
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
-w, --watch watch resource changes
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl health
Check cluster health
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
--control-plane-nodes strings specify IPs of control plane nodes
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for health
--init-node string specify IPs of init node
--k8s-endpoint string use endpoint instead of kubeconfig default
-n, --nodes strings target the specified nodes
--run-e2e run Kubernetes e2e test
--server run server-side check (default true)
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
--wait-timeout duration timeout to wait for the cluster to be ready (default 20m0s)
--worker-nodes strings specify IPs of worker nodes
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl image cache-cert-gen
Generate TLS certificates and CA patch required for securing image cache to Talos communication
talosctl image cache-cert-gen [flags]
Options
--advertised-address ipSlice The addresses to advertise. (default [])
--advertised-name strings The DNS names to advertise.
-h, --help help for cache-cert-gen
--tls-ca-file string TLS certificate authority file (default "ca.crt")
--tls-cert-file string TLS certificate file to use for serving (default "tls.crt")
--tls-key-file string TLS key file to use for serving (default "tls.key")
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
--namespace string namespace to use: "system" (etcd and kubelet images), "cri" for all Kubernetes workloads, "inmem" for in-memory containerd instance (default "cri")
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl image cache-create
Create a cache of images in OCI format into a directory
talosctl image cache-create [flags]
Examples
talosctl images cache-create --images=ghcr.io/siderolabs/kubelet:v1.36.0 --image-cache-path=/tmp/talos-image-cache
Alternatively, stdin can be piped to the command:
talosctl images default | talosctl images cache-create --image-cache-path=/tmp/talos-image-cache --images=-
Options
--cosign-signatures pull and cache cosign signatures for images (default true)
--force force overwrite of existing image cache
-h, --help help for cache-create
--image-cache-path string directory to save the image cache in OCI format
--image-layer-cache-path string directory to save the image layer cache
--images strings images to cache
--insecure allow insecure registries
--layout string Specifies the cache layout format: "oci" for an OCI image layout directory, or "flat" for a registry-like flat file structure (default "oci")
--platform strings platform(s) to cache (e.g. linux/amd64,linux/arm64), or "all" to cache every platform in the image index (default [linux/amd64])
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
--namespace string namespace to use: "system" (etcd and kubelet images), "cri" for all Kubernetes workloads, "inmem" for in-memory containerd instance (default "cri")
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl image cache-serve
Serve an OCI image cache directory over HTTP(S) as a container registry
talosctl image cache-serve [flags]
Options
--address string address to serve the registry on (default "127.0.0.1:3172")
-h, --help help for cache-serve
--image-cache-path string directory to save the image cache in flat format
--mirror strings list of registry mirrors to add to the Talos config patch (default [docker.io,ghcr.io,registry.k8s.io])
--tls-cert-file string TLS certificate file to use for serving
--tls-key-file string TLS key file to use for serving
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
--namespace string namespace to use: "system" (etcd and kubelet images), "cri" for all Kubernetes workloads, "inmem" for in-memory containerd instance (default "cri")
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl image k8s-bundle
List the default Kubernetes images used by Talos
talosctl image k8s-bundle [flags]
Options
--coredns-version semver CoreDNS semantic version (default v1.14.2)
--etcd-version semver ETCD semantic version (default v3.6.9)
--flannel-version semver Flannel CNI semantic version (default v0.28.4)
-h, --help help for k8s-bundle
--k8s-version semver Kubernetes semantic version (default v1.36.0)
--kube-network-policies-version semver kube-network-policies semantic version (default v1.0.0)
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
--namespace string namespace to use: "system" (etcd and kubelet images), "cri" for all Kubernetes workloads, "inmem" for in-memory containerd instance (default "cri")
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl image list
List images in the machine’s container runtime
talosctl image list [flags]
Options
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
--namespace string namespace to use: "system" (etcd and kubelet images), "cri" for all Kubernetes workloads, "inmem" for in-memory containerd instance (default "cri")
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl image pull
Pull an image into the machine’s container runtime
talosctl image pull <image> [flags]
Options
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
--namespace string namespace to use: "system" (etcd and kubelet images), "cri" for all Kubernetes workloads, "inmem" for in-memory containerd instance (default "cri")
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl image remove
Remove an image from the machine’s container runtime
talosctl image remove <image> [flags]
Options
-h, --help help for remove
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
--namespace string namespace to use: "system" (etcd and kubelet images), "cri" for all Kubernetes workloads, "inmem" for in-memory containerd instance (default "cri")
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl image talos-bundle
List the default system images and extensions used for Talos
talosctl image talos-bundle [talos-version] [flags]
Options
--extensions Include images that belong to Talos extensions (default true)
-h, --help help for talos-bundle
--overlays Include images that belong to Talos overlays (default true)
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
--namespace string namespace to use: "system" (etcd and kubelet images), "cri" for all Kubernetes workloads, "inmem" for in-memory containerd instance (default "cri")
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl image
Manage container images
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for image
--namespace string namespace to use: "system" (etcd and kubelet images), "cri" for all Kubernetes workloads, "inmem" for in-memory containerd instance (default "cri")
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl inject serviceaccount
Inject Talos API ServiceAccount into Kubernetes manifests
talosctl inject serviceaccount [--roles='<ROLE_1>,<ROLE_2>'] -f <manifest.yaml> [flags]
Examples
talosctl inject serviceaccount --roles="os:admin" -f deployment.yaml > deployment-injected.yaml
Alternatively, stdin can be piped to the command:
cat deployment.yaml | talosctl inject serviceaccount --roles="os:admin" -f - > deployment-injected.yaml
Options
-f, --file string file with Kubernetes manifests to be injected with ServiceAccount
-h, --help help for serviceaccount
-r, --roles strings roles to add to the generated ServiceAccount manifests (default [os:reader])
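A lint for provisioning scripts built only on flags documented on this page: `-i, --insecure` (maintenance service, encrypted with no auth), `--cert-fingerprint` on `apply-config` (defaults to no check), `--roles` on `inject serviceaccount` (default `os:reader`) and on `gen csr` (default `os:admin`), and `--insecure` on `image cache-create`. This is an added example, not part of the Talos documentation or code base; the function names, rule identifiers and the sample script are constructed for illustration.

```python
import shlex

# Flags from this reference that consume the next token as their value.
# Only global flags and the ones the rules read are listed (assumption: enough
# to locate the subcommand in typical invocations).
VALUE_FLAGS = {"-n", "--nodes", "-e", "--endpoints", "-c", "--cluster", "--context",
               "--talosconfig", "--siderov1-keys-dir", "-r", "--roles",
               "--cert-fingerprint"}
SEPARATORS = {"|", "||", "&&", ";", "&"}


def split_commands(line):
    """Tokenise one shell line and split it into simple commands."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def parse_talosctl(tokens):
    """Return (positionals, flags) for a talosctl command, None for other tools."""
    start = next((i for i, t in enumerate(tokens)
                  if t.rsplit("/", 1)[-1] == "talosctl"), None)
    if start is None:
        return None
    args, positionals, flags = tokens[start + 1:], [], {}
    i = 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("-") and tok != "-":      # a lone "-" means stdin
            name, eq, value = tok.partition("=")
            if eq:
                flags[name] = value
            elif name in VALUE_FLAGS and i + 1 < len(args):
                flags[name] = args[i + 1]
                i += 1
            else:
                flags[name] = True
        else:
            positionals.append(tok)
        i += 1
    return positionals, flags


def audit_line(line):
    """Return the rule identifiers that one script line triggers."""
    try:
        commands = split_commands(line)
    except ValueError:                               # unbalanced quotes
        return ["unparsable-line"]
    findings = []
    for tokens in commands:
        parsed = parse_talosctl(tokens)
        if parsed is None:
            continue
        pos, flags = parsed
        insecure = "-i" in flags or "--insecure" in flags
        roles = flags.get("--roles", flags.get("-r"))
        admin = isinstance(roles, str) and "os:admin" in roles.split(",")
        if pos[:1] and pos[0] in {"apply-config", "get", "meta"} and insecure:
            findings.append("maintenance-service-no-auth")
            if pos[0] == "apply-config" and "--cert-fingerprint" not in flags:
                findings.append("apply-config-no-cert-pin")
        if pos[:2] == ["inject", "serviceaccount"] and admin:
            findings.append("serviceaccount-os-admin")
        if pos[:2] == ["gen", "csr"] and (roles is None or admin):
            findings.append("csr-os-admin")         # os:admin is the default role
        if pos[:2] in (["image", "cache-create"], ["images", "cache-create"]) \
                and "--insecure" in flags:
            findings.append("insecure-registry")
    return findings


def audit_script(text):
    """Return [(line_number, findings)] for every line with at least one finding."""
    report = []
    for number, line in enumerate(text.splitlines(), start=1):
        findings = audit_line(line)
        if findings:
            report.append((number, findings))
    return report


# Constructed sample script; addresses and file names are placeholders.
SAMPLE = '''\
talosctl apply-config --insecure -n 10.5.0.2 -f controlplane.yaml
talosctl apply-config -i -n 10.5.0.2 -f controlplane.yaml --cert-fingerprint "$FP"
cat deployment.yaml | talosctl inject serviceaccount --roles="os:admin" -f - > deployment-injected.yaml
talosctl inject serviceaccount -f deployment.yaml > deployment-injected.yaml
talosctl gen csr --key node.key --ip 10.5.0.3
talosctl -n 10.5.0.2 get members | grep -i ready
talosctl images cache-create --insecure --images=- --image-cache-path=/tmp/talos-image-cache
'''

if __name__ == "__main__":
    for number, findings in audit_script(SAMPLE):
        print(f"line {number}: {', '.join(findings)}")
```

Combined short flags and flags placed before the subcommand other than the global ones listed in `VALUE_FLAGS` are not handled.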
SEE ALSO
talosctl inject
Inject Talos API resources into Kubernetes manifests
Options
-h, --help help for inject
SEE ALSO
talosctl inspect dependencies
Inspect controller-resource dependencies as graphviz graph.
Synopsis
Pipe the output of the command through the “dot” program (part of graphviz package)
to render the graph:
talosctl inspect dependencies | dot -Tpng > graph.png
talosctl inspect dependencies [flags]
Options
-h, --help help for dependencies
--with-resources display live resource information with dependencies
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl inspect
Inspect internals of Talos
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for inspect
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl kubeconfig
Download the admin kubeconfig from the node
Synopsis
Download the admin kubeconfig from the node.
If merge flag is true, config will be merged with ~/.kube/config or [local-path] if specified.
Otherwise, kubeconfig will be written to PWD or [local-path] if specified.
If merge flag is false and [local-path] is "-", config will be written to stdout.
talosctl kubeconfig [local-path] [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-f, --force Force overwrite of kubeconfig if already present, force overwrite on kubeconfig merge
--force-context-name string Force context name for kubeconfig merge
-h, --help help for kubeconfig
-m, --merge Merge with existing kubeconfig (default true)
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl list
Retrieve a directory listing
talosctl list [path] [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-d, --depth int32 maximum recursion depth (default 1)
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for list
-H, --humanize humanize size and time in the output
-l, --long display additional file details
-n, --nodes strings target the specified nodes
-r, --recurse recurse into subdirectories
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
-t, --type strings filter by specified types:
f regular file
d directory
l, L symbolic link
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl logs
Retrieve logs for a service
talosctl logs <service name> [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-f, --follow specify if the logs should be streamed
-h, --help help for logs
-k, --kubernetes use the k8s.io containerd namespace
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--tail int32 lines of log file to display (default is to show from the beginning) (default -1)
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl machineconfig gen
Generates a set of configuration files for Talos cluster
Synopsis
The cluster endpoint is the URL for the Kubernetes API. If you decide to use
a control plane node, common in a single node control plane setup, use port 6443 as
this is the port that the API server binds to on every control plane node. For an HA
setup, usually involving a load balancer, use the IP and port of the load balancer.
talosctl machineconfig gen <cluster name> <cluster endpoint> [flags]
Options
SEE ALSO
talosctl machineconfig patch
Patch a machine config
talosctl machineconfig patch <machineconfig-file> [flags]
Options
-h, --help help for patch
-o, --output string output destination. if not specified, output will be printed to stdout
-p, --patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file
SEE ALSO
talosctl machineconfig
Machine config related commands
Options
-h, --help help for machineconfig
SEE ALSO
talosctl memory
Show memory usage
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for memory
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
-v, --verbose display extended memory statistics
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl meta delete
Delete a key from the META partition.
talosctl meta delete key [flags]
Options
-h, --help help for delete
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-i, --insecure write|delete meta using the insecure (encrypted with no auth) maintenance service
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl meta write
Write a key-value pair to the META partition.
talosctl meta write key value [flags]
Options
-h, --help help for write
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-i, --insecure write|delete meta using the insecure (encrypted with no auth) maintenance service
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl meta
Write and delete keys in the META partition
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for meta
-i, --insecure write|delete meta using the insecure (encrypted with no auth) maintenance service
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl mounts
List mounts
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for mounts
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl netstat
Show network connections and sockets
Synopsis
Show network connections and sockets.
You can pass an optional argument to view a specific pod’s connections.
To do this, format the argument as “namespace/pod”.
Note that only pods with a pod network namespace are allowed.
If you don’t pass an argument, the command will show host connections.
Options
-a, --all display all sockets states (default: connected)
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-x, --extend show detailed socket information
-h, --help help for netstat
-4, --ipv4 display only ipv4 sockets
-6, --ipv6 display only ipv6 sockets
-l, --listening display listening server sockets
-n, --nodes strings target the specified nodes
-k, --pods show sockets used by Kubernetes pods
-p, --programs show process using socket
-w, --raw display only RAW sockets
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
-t, --tcp display only TCP sockets
-o, --timers display timers
-u, --udp display only UDP sockets
-U, --udplite display only UDPLite sockets
-v, --verbose display sockets of all supported transport protocols
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl patch
Patch machine configuration of a Talos node with a local patch.
talosctl patch machineconfig [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
--dry-run print the change summary and patch preview without applying the changes
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for patch
-m, --mode auto, no-reboot, reboot, staged, try apply config mode (default auto)
--namespace string resource namespace (default is to use default namespace per resource)
-n, --nodes strings target the specified nodes
-p, --patch stringArray the patch to be applied to the resource file, use @file to read a patch from file.
--patch-file string a file containing a patch to be applied to the resource.
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
--timeout duration the config will be rolled back after specified timeout (if try mode is selected) (default 1m0s)
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl pcap
Capture the network packets from the node.
Synopsis
The command launches a packet capture on the node and streams the packets back as a raw pcap file.
Examples
Default behavior is to decode the packets with internal decoder to stdout:
talosctl pcap -i eth0
Raw pcap file can be saved with `--output` flag:
talosctl pcap -i eth0 --output eth0.pcap
Output can be piped to tcpdump:
talosctl pcap -i eth0 -o - | tcpdump -vvv -r -
A BPF filter can be applied, but it has to be compiled to BPF instructions first using tcpdump.
The correct link type should be specified for tcpdump: EN10MB for Ethernet links and RAW
for e.g. WireGuard tunnels:
talosctl pcap -i eth0 --bpf-filter "$(tcpdump -dd -y EN10MB 'tcp and dst port 80')"
talosctl pcap -i kubespan --bpf-filter "$(tcpdump -dd -y RAW 'port 50000')"
As packet capture is transmitted over the network, it is recommended to filter out the Talos API traffic,
e.g. by excluding packets with the port 50000.
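The following wrapper is an added example, not part of the Talos documentation: it always appends the port 50000 exclusion recommended above to the caller's filter and picks the tcpdump link type from the interface name. The function names are hypothetical, and treating `kubespan` and `wg*` interfaces as RAW and everything else as EN10MB is an assumption.

```shell
#!/bin/sh
# Added example: capture from a Talos node without recording the Talos API
# stream that carries the capture itself. Helper names are hypothetical.

TALOS_API_PORT=50000   # Talos API port named in the text above

# Pick the tcpdump link type used to compile the filter.
# Assumption: kubespan and wg* are WireGuard tunnels (RAW), the rest Ethernet.
pcap_link_type() {
    case "$1" in
        kubespan|wg*) echo RAW ;;
        *)            echo EN10MB ;;
    esac
}

# Combine the caller's filter (may be empty) with the API-port exclusion.
# The caller's expression is parenthesised so that an "or" inside it cannot
# bypass the exclusion through operator precedence.
pcap_filter_expr() {
    if [ -n "$1" ]; then
        echo "($1) and not port ${TALOS_API_PORT}"
    else
        echo "not port ${TALOS_API_PORT}"
    fi
}

# talos_pcap <node> <interface> <output-file> [filter]
# Compiles the combined filter locally with tcpdump -dd and runs a bounded
# 30 second capture, writing raw pcap data to <output-file>.
talos_pcap() {
    pcap_node=$1
    pcap_iface=$2
    pcap_out=$3
    pcap_user_filter=${4:-}

    if [ -z "$pcap_node" ] || [ -z "$pcap_iface" ] || [ -z "$pcap_out" ]; then
        echo "usage: talos_pcap <node> <interface> <output-file> [filter]" >&2
        return 2
    fi

    pcap_expr=$(pcap_filter_expr "$pcap_user_filter")
    pcap_lt=$(pcap_link_type "$pcap_iface")

    # Refuse to capture unfiltered if the expression does not compile.
    pcap_bpf=$(tcpdump -dd -y "$pcap_lt" "$pcap_expr") || {
        echo "filter did not compile: $pcap_expr" >&2
        return 1
    }
    [ -n "$pcap_bpf" ] || return 1

    talosctl pcap -n "$pcap_node" -i "$pcap_iface" --duration 30s \
        --bpf-filter "$pcap_bpf" --output "$pcap_out"
}

# Usage (node address is a placeholder):
#   talos_pcap <node-ip> eth0 eth0.pcap 'tcp and dst port 80'
```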
Options
--bpf-filter string bpf filter to apply, tcpdump -dd format
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
--duration duration duration of the capture
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for pcap
-i, --interface string interface name to capture packets on (default "eth0")
-n, --nodes strings target the specified nodes
-o, --output string if not set, decode packets to stdout; if set write raw pcap data to a file, use '-' for stdout
--promiscuous put interface into promiscuous mode
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl processes
List running processes
talosctl processes [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for processes
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
-s, --sort string Column to sort output by. [rss|cpu] (default "rss")
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl read
Read a file on the machine
talosctl read <path> [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for read
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl reboot
Reboot a node
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
--debug debug operation from kernel logs. --wait is set to true when this flag is set
--drain drain the Kubernetes node before rebooting (cordon + evict pods)
--drain-timeout duration timeout for draining the Kubernetes node (default 5m0s)
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for reboot
-m, --mode string select the reboot mode during upgrade. Mode "powercycle" bypasses kexec. Values: [default force powercycle] (default "default")
-n, --nodes strings target the specified nodes
--progress string output mode for upgrade progress. Values: [auto plain] (default "auto")
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
--timeout duration time to wait for the operation is complete if --debug or --wait is set (default 30m0s)
--wait wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true)
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl reset
Reset a node
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
--debug debug operation from kernel logs. --wait is set to true when this flag is set
-e, --endpoints strings override default endpoints in Talos configuration
--graceful if true, attempt to cordon/drain node and leave etcd (if applicable) (default true)
-h, --help help for reset
--insecure reset using the insecure (encrypted with no auth) maintenance service
-n, --nodes strings target the specified nodes
--reboot if true, reboot the node after resetting instead of shutting down
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--system-labels-to-wipe strings if set, just wipe selected system disk partitions by label but keep other partitions intact
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
--timeout duration time to wait for the operation is complete if --debug or --wait is set (default 30m0s)
--user-disks-to-wipe strings if set, wipes defined devices in the list
--wait wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true)
--wipe-mode all, system-disk, user-disks disk reset mode (default all)
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl restart
Restart a process
talosctl restart <id> [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for restart
-k, --kubernetes use the k8s.io containerd namespace
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl rollback
Roll back a node to the previous installation
talosctl rollback [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for rollback
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl rotate-ca
Rotate cluster CAs (Talos and Kubernetes APIs).
Synopsis
The command can rotate both Talos and Kubernetes root CAs (for the API).
By default both CAs are rotated, but you can choose to rotate just one or the other.
The command starts by generating new CAs and gracefully applying them to the cluster.
For Kubernetes, the command only rotates the API server issuing CA, and other Kubernetes
PKI can be rotated by applying machine config changes to the controlplane nodes.
talosctl rotate-ca [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
--control-plane-nodes strings specify IPs of control plane nodes
--dry-run dry-run mode (no changes to the cluster) (default true)
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for rotate-ca
--init-node string specify IPs of init node
--k8s-endpoint string use endpoint instead of kubeconfig default
--kubernetes rotate Kubernetes API CA (default true)
-n, --nodes strings target the specified nodes
-o, --output talosconfig path to the output new talosconfig (default "talosconfig")
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talos rotate Talos API CA (default true)
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
--with-docs patch all machine configs adding the documentation for each field (default true)
--with-examples patch all machine configs with the commented examples (default true)
--worker-nodes strings specify IPs of worker nodes
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl service
Retrieve the state of a service (or all services), control service state
Synopsis
Service control command. If run without arguments, lists all the services and their state.
If a service ID is specified, the default action ‘status’ is executed, which shows the status of that single service.
With actions ‘start’, ‘stop’, ‘restart’, service state is updated respectively.
talosctl service [<id> [start|stop|restart|status]] [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for service
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl shutdown
Shut down a node
talosctl shutdown [flags]
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
--debug debug operation from kernel logs. --wait is set to true when this flag is set
-e, --endpoints strings override default endpoints in Talos configuration
--force if true, force a node to shutdown without a cordon/drain
-h, --help help for shutdown
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
--timeout duration time to wait for the operation is complete if --debug or --wait is set (default 30m0s)
--wait wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true)
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl stats
Get container stats
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for stats
-k, --kubernetes use the k8s.io containerd namespace
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl support
Dump debug information about the cluster
Synopsis
Generated bundle contains the following debug information:
- For each node:
  - Kernel logs.
  - All Talos internal services logs.
  - All kube-system pods logs.
  - Talos COSI resources without secrets.
  - COSI runtime state graph.
  - Processes snapshot.
  - IO pressure snapshot.
  - Mounts list.
  - PCI devices info.
  - Talos version.
- For the cluster:
  - Kubernetes nodes and kube-system pods manifests.
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for support
-n, --nodes strings target the specified nodes
-w, --num-workers int number of workers per node (default 1)
-O, --output string output file to write support archive to
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
-v, --verbose verbose output
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl time
Gets current server time
talosctl time [--check server] [flags]
Options
--check string checks server time against specified ntp server
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for time
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl upgrade
Upgrade Talos on the target node
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
--debug debug operation from kernel logs. --wait is set to true when this flag is set
--drain drain the Kubernetes node before rebooting (cordon + evict pods) (default true)
--drain-timeout duration timeout for draining the Kubernetes node (default 5m0s)
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for upgrade
-i, --image string the container image to use for performing the install (default "ghcr.io/siderolabs/installer:v1.13.0")
--legacy force use of legacy upgrade method
--namespace string namespace to use: "system" (etcd and kubelet images), "cri" for all Kubernetes workloads, "inmem" for in-memory containerd instance (default "system")
-n, --nodes strings target the specified nodes
--progress string output mode for upgrade progress. Values: [auto plain] (default "auto")
-m, --reboot-mode string select the reboot mode during upgrade. Mode "powercycle" bypasses kexec. Values: [default force powercycle] (default "default")
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
--timeout duration time to wait for the operation is complete if --debug or --wait is set (default 30m0s)
--wait wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true)
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl upgrade-k8s
Upgrade Kubernetes control plane in the Talos cluster.
Synopsis
Command runs upgrade of Kubernetes control plane components between specified versions.
talosctl upgrade-k8s [flags]
Options
--apiserver-image string kube-apiserver image to use (default "registry.k8s.io/kube-apiserver")
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
--controller-manager-image string kube-controller-manager image to use (default "registry.k8s.io/kube-controller-manager")
--dry-run skip the actual upgrade and show the upgrade plan instead
--endpoint string the cluster control plane endpoint
-e, --endpoints strings override default endpoints in Talos configuration
--from string the Kubernetes control plane version to upgrade from
-h, --help help for upgrade-k8s
--kubelet-image string kubelet image to use (default "ghcr.io/siderolabs/kubelet")
--manifests-force whether to recreate objects that contain immutable field changes
--manifests-inventory-policy string kubernetes SSA inventory policy (one of 'MustMatch', 'AdoptIfNoInventory' or 'AdoptAll') (default "AdoptIfNoInventory")
--manifests-no-prune whether pruning of previously applied objects should happen after apply
--manifests-reconcile-timeout duration how long to wait for resources to be fully reconciled (set to zero to disable waiting) (default 5m0s)
-n, --nodes strings target the specified nodes
--pre-pull-images pre-pull images before upgrade (default true)
--proxy-image string kube-proxy image to use (default "registry.k8s.io/kube-proxy")
--scheduler-image string kube-scheduler image to use (default "registry.k8s.io/kube-scheduler")
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
--to string the Kubernetes control plane version to upgrade to (default "1.36.0")
--upgrade-kubelet upgrade kubelet service (default true)
--with-docs patch all machine configs adding the documentation for each field (default true)
--with-examples patch all machine configs with the commented examples (default true)
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl usage
Retrieve disk usage
talosctl usage [path1] [path2] ... [pathN] [flags]
Options
-a, --all write counts for all files, not just directories
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-d, --depth int32 maximum recursion depth
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for usage
-H, --humanize humanize size and time in the output
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
-t, --threshold int threshold exclude entries smaller than SIZE if positive, or entries greater than SIZE if negative
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl validate
Validate config
talosctl validate [flags]
Options
-c, --config string the path of the config file
-h, --help help for validate
-m, --mode string the mode to validate the config for (valid values are metal, cloud, and container)
--strict treat validation warnings as errors
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl version
Prints the version
Options
--client Print client version only
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for version
-i, --insecure use Talos maintenance mode API
-n, --nodes strings target the specified nodes
--short Print the short version
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
talosctl wipe disk
Wipe a block device (disk or partition) which is not used as a volume
Synopsis
Wipe a block device (disk or partition) which is not used as a volume.
Use device names as arguments, for example: vda or sda5.
talosctl wipe disk <device names>... [flags]
Options
--drop-partition drop partition after wipe (if applicable)
-h, --help help for disk
-i, --insecure use Talos maintenance mode API
--method string wipe method to use [FAST ZEROES] (default "FAST")
Options inherited from parent commands
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
talosctl wipe
Wipe block device or volumes
Options
-c, --cluster string Cluster to connect to if a proxy endpoint is used.
--context string Context to be used in command
-e, --endpoints strings override default endpoints in Talos configuration
-h, --help help for wipe
-n, --nodes strings target the specified nodes
--siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth.
--talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
SEE ALSO
- talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
- talosctl wipe disk - Wipe a block device (disk or partition) which is not used as a volume
talosctl
A CLI for out-of-band management of Kubernetes nodes created by Talos
Options
-h, --help help for talosctl
SEE ALSO