| Field | Type | Description | Value(s) |
|---|---|---|---|
| `version` | string | Indicates the schema used to decode the contents. | `v1alpha1` |
| `debug` | bool | Enable verbose logging to the console. All system containers logs will flow into serial console. **Note:** To avoid breaking Talos bootstrap flow enable this option only if serial console can handle high message throughput. |
`true` `yes` `false` `no` |
| `machine` | MachineConfig | Provides machine specific configuration options. | |
| `cluster` | ClusterConfig | Provides cluster specific configuration options. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `type` | string | Defines the role of the machine within the cluster. **Control Plane** Control Plane node type designates the node as a control plane member. This means it will host etcd along with the Kubernetes controlplane components such as API Server, Controller Manager, Scheduler. **Worker** Worker node type designates the node as a worker node. This means it will be an available compute node for scheduling workloads. This node type was previously known as "join"; that value is still supported but deprecated. |
`controlplane` `worker` |
| `token` | string | The `token` is used by a machine to join the PKI of the cluster. Using this token, a machine will create a certificate signing request (CSR), and request a certificate that will be used as its' identity. |
|
| `ca` | PEMEncodedCertificateAndKey | The root certificate authority of the PKI. It is composed of a base64 encoded `crt` and `key`. |
|
| `acceptedCAs` | \[]PEMEncodedCertificate | The certificates issued by certificate authorities are accepted in addition to issuing 'ca'. It is composed of a base64 encoded \`crt\`\`. |
|
| `certSANs` | \[]string | Extra certificate subject alternative names for the machine's certificate. By default, all non-loopback interface IPs are automatically added to the certificate's SANs. |
|
| `kubelet` | KubeletConfig | Used to provide additional options to the kubelet. | |
| `pods` | \[]Unstructured | Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver. Static pods can be used to run components which should be started before the Kubernetes control plane is up. Talos doesn't validate the pod definition. Updates to this field can be applied without a reboot. See [https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/](https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/). |
|
| `install` | InstallConfig | Used to provide instructions for installations. Note that this configuration section gets silently ignored by Talos images that are considered pre-installed. To make sure Talos installs according to the provided configuration, Talos should be booted with ISO or PXE-booted. |
|
| `files` | MachineFile | Allows the addition of user specified files. The value of `op` can be `create`, `overwrite`, or `append`. In the case of `create`, `path` must not exist. In the case of `overwrite`, and `append`, `path` must be a valid file. If an `op` value of `append` is used, the existing file will be appended. Note that the file contents are not required to be base64 encoded. |
|
| `features` | FeaturesConfig | Features describe individual Talos features that can be switched on or off. | |
| `udev` | UdevConfig | Configures the udev system. | |
| `logging` | LoggingConfig | Configures the logging system. | |
| `kernel` | KernelConfig | Configures the kernel. | |
| `seccompProfiles` | MachineSeccompProfile | Configures the seccomp profiles for the machine. | |
| `baseRuntimeSpecOverrides` | Unstructured | Override (patch) settings in the default OCI runtime spec for CRI containers. It can be used to set some default container settings which are not configurable in Kubernetes, for example default ulimits. Note: this change applies to all newly created containers, and it requires a reboot to take effect. |
|
| `nodeLabels` | map\[string]string | Configures the node labels for the machine. Note: In the default Kubernetes configuration, worker nodes are restricted to set labels with some prefixes (see [NodeRestriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction) admission plugin). |
|
| `nodeAnnotations` | map\[string]string | Configures the node annotations for the machine. | |
| `nodeTaints` | map\[string]string | Configures the node taints for the machine. Effect is optional. Note: In the default Kubernetes configuration, worker nodes are not allowed to modify the taints (see [NodeRestriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction) admission plugin). |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `image` | string | The `image` field is an optional reference to an alternative kubelet image. | |
| `clusterDNS` | \[]string | The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list. | |
| `extraArgs` | Args | The `extraArgs` field is used to provide additional flags to the kubelet. | |
| `extraMounts` | ExtraMount | The `extraMounts` field is used to add additional mounts to the kubelet container. Note that either `bind` or `rbind` are required in the `options`. |
|
| `extraConfig` | Unstructured | The `extraConfig` field is used to provide kubelet configuration overrides. Some fields are not allowed to be overridden: authentication and authorization, cgroups configuration, ports, etc. |
|
| `credentialProviderConfig` | Unstructured | The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration. | |
| `defaultRuntimeSeccompProfileEnabled` | bool | Enable container runtime default Seccomp profile. | `true` `yes` `false` `no` |
| `registerWithFQDN` | bool | The `registerWithFQDN` field is used to force kubelet to use the node FQDN for registration. This is required in clouds like AWS. |
`true` `yes` `false` `no` |
| `nodeIP` | KubeletNodeIPConfig | The `nodeIP` field is used to configure `--node-ip` flag for the kubelet. This is used when a node has multiple addresses to choose from. |
|
| `skipNodeRegistration` | bool | The `skipNodeRegistration` is used to run the kubelet without registering with the apiserver. This runs kubelet as standalone and only runs static pods. |
`true` `yes` `false` `no` |
| `disableManifestsDirectory` | bool | The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory. It's recommended to configure static pods with the "pods" key instead. |
`true` `yes` `false` `no` |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `destination` | string | Destination is the absolute path where the mount will be placed in the container. | |
| `type` | string | Type specifies the mount kind. | |
| `source` | string | Source specifies the source path of the mount. | |
| `options` | \[]string | Options are fstab style mount options. | |
| `uidMappings` | LinuxIDMapping | UID/GID mappings used for changing file owners w/o calling chown, fs should support it. Every mount point could have its own mapping. |
|
| `gidMappings` | LinuxIDMapping | UID/GID mappings used for changing file owners w/o calling chown, fs should support it. Every mount point could have its own mapping. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `containerID` | uint32 | ContainerID is the starting UID/GID in the container. | |
| `hostID` | uint32 | HostID is the starting UID/GID on the host to be mapped to 'ContainerID'. | |
| `size` | uint32 | Size is the number of IDs to be mapped. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `containerID` | uint32 | ContainerID is the starting UID/GID in the container. | |
| `hostID` | uint32 | HostID is the starting UID/GID on the host to be mapped to 'ContainerID'. | |
| `size` | uint32 | Size is the number of IDs to be mapped. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `validSubnets` | \[]string | The `validSubnets` field configures the networks to pick kubelet node IP from. For dual stack configuration, there should be two subnets: one for IPv4, another for IPv6. IPs can be excluded from the list by using negative match with `!`, e.g `!10.0.0.0/8`. Negative subnet matches should be specified last to filter out IPs picked by positive matches. If not specified, node IP is picked based on cluster podCIDRs: IPv4/IPv6 address or both. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `disk` | string | The disk used for installations. | |
| `diskSelector` | InstallDiskSelector | Look up disk using disk attributes like model, size, serial and others. Always has priority over `disk`. |
|
| `image` | string | Allows for supplying the image used to perform the installation. Image reference for each Talos release can be found on [GitHub releases page](https://github.com/siderolabs/talos/releases). |
|
| `wipe` | bool | Indicates if the installation disk should be wiped at installation time. Defaults to `true`. |
`true` `yes` `false` `no` |
| `legacyBIOSSupport` | bool | Indicates if MBR partition should be marked as bootable (active). Should be enabled only for the systems with legacy BIOS that doesn't support GPT partitioning scheme. |
|
| `grubUseUKICmdline` | bool | Indicates if legacy GRUB bootloader should use kernel cmdline from the UKI instead of building it on the host. This changes the way cmdline is managed with GRUB bootloader to be more consistent with UKI/systemd-boot. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `size` | InstallDiskSizeMatcher | Disk size. | |
| `name` | string | Disk name `/sys/block/ |
|
| `model` | string | Disk model `/sys/block/ |
|
| `serial` | string | Disk serial number `/sys/block/ |
|
| `modalias` | string | Disk modalias `/sys/block/ |
|
| `uuid` | string | Disk UUID `/sys/block/ |
|
| `wwid` | string | Disk WWID `/sys/block/ |
|
| `type` | InstallDiskType | Disk Type. | `ssd` `hdd` `nvme` `sd` |
| `busPath` | string | Disk bus path. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `content` | string | The contents of the file. | |
| `permissions` | FileMode | The file's permissions in octal. | |
| `path` | string | The path of the file. | |
| `op` | string | The operation to use | `create` `append` `overwrite` |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `kubernetesTalosAPIAccess` | KubernetesTalosAPIAccessConfig | Configure Talos API access from Kubernetes pods. This feature is disabled if the feature config is not specified. |
|
| `diskQuotaSupport` | bool | Enable XFS project quota support for EPHEMERAL partition and user disks. Also enables kubelet tracking of ephemeral disk usage in the kubelet via quota. |
|
| `kubePrism` | KubePrism | KubePrism - local proxy/load balancer on defined port that will distribute requests to all API servers in the cluster. |
|
| `nodeAddressSortAlgorithm` | string | Select the node address sort algorithm. The 'v1' algorithm sorts addresses by the address itself. The 'v2' algorithm prefers more specific prefixes. If unset, defaults to 'v1'. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `enabled` | bool | Enable Talos API access from Kubernetes pods. | |
| `allowedRoles` | \[]string | The list of Talos API roles which can be granted for access from Kubernetes pods. Empty list means that no roles can be granted, so access is blocked. |
|
| `allowedKubernetesNamespaces` | \[]string | The list of Kubernetes namespaces Talos API access is available from. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `enabled` | bool | Enable KubePrism support - will start local load balancing proxy. | |
| `port` | int | KubePrism port. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `rules` | \[]string | List of udev rules to apply to the udev system |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `destinations` | LoggingDestination | Logging destination. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `endpoint` | Endpoint | Where to send logs. Supported protocols are "tcp" and "udp". | |
| `format` | string | Logs format. | `json_lines` |
| `extraTags` | map\[string]string | Extra tags (key-value) pairs to attach to every log message sent. |
| Field | Type | Description | Value(s) |
|---|
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `modules` | KernelModuleConfig | Kernel modules to load. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `name` | string | Module name. | |
| `parameters` | \[]string | Module parameters, changes applied after reboot. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `name` | string | The `name` field is used to provide the file name of the seccomp profile. | |
| `value` | Unstructured | The `value` field is used to provide the seccomp profile. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `id` | string | Globally unique identifier for this cluster (base64 encoded random 32 bytes). | |
| `secret` | string | Shared secret of cluster (base64 encoded random 32 bytes). This secret is shared among cluster members but should never be sent over the network. |
|
| `controlPlane` | ControlPlaneConfig | Provides control plane specific configuration options. | |
| `clusterName` | string | Configures the cluster's name. | |
| `token` | string | The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster. | |
| `ca` | PEMEncodedCertificateAndKey | The base64 encoded root certificate authority used by Kubernetes. | |
| `acceptedCAs` | \[]PEMEncodedCertificate | The list of base64 encoded accepted certificate authorities used by Kubernetes. | |
| `aggregatorCA` | PEMEncodedCertificateAndKey | The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation. This CA can be self-signed. |
|
| `serviceAccount` | PEMEncodedKey | The base64 encoded private key for service account token generation. | |
| `etcd` | EtcdConfig | Etcd specific configuration options. | |
| `coreDNS` | CoreDNS | Core DNS specific configuration options. | |
| `externalCloudProvider` | ExternalCloudProviderConfig | External cloud provider configuration. | |
| `extraManifests` | \[]string | A list of urls that point to additional manifests. These will get automatically deployed as part of the bootstrap. |
|
| `extraManifestHeaders` | map\[string]string | A map of key value pairs that will be added while fetching the extraManifests. | |
| `inlineManifests` | ClusterInlineManifest | A list of inline Kubernetes manifests. These will get automatically deployed as part of the bootstrap. |
|
| `adminKubeconfig` | AdminKubeconfigConfig | Settings for admin kubeconfig generation. Certificate lifetime can be configured. |
|
| `allowSchedulingOnControlPlanes` | bool | Allows running workload on control-plane nodes. | `true` `yes` `false` `no` |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `endpoint` | Endpoint | Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname. It is single-valued, and may optionally include a port number. |
| Field | Type | Description | Value(s) |
|---|
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `image` | string | The container image used to create the etcd service. | |
| `ca` | PEMEncodedCertificateAndKey | The `ca` is the root certificate authority of the PKI. It is composed of a base64 encoded `crt` and `key`. |
|
| `extraArgs` | Args | Extra arguments to supply to etcd. Note that the following args are not allowed: - `name` - `data-dir` - `initial-cluster-state` - `listen-peer-urls` - `listen-client-urls` - `cert-file` - `key-file` - `trusted-ca-file` - `peer-client-cert-auth` - `peer-cert-file` - `peer-trusted-ca-file` - `peer-key-file` |
|
| `advertisedSubnets` | \[]string | The `advertisedSubnets` field configures the networks to pick etcd advertised IP from. IPs can be excluded from the list by using negative match with `!`, e.g `!10.0.0.0/8`. Negative subnet matches should be specified last to filter out IPs picked by positive matches. If not specified, advertised IP is selected as the first routable address of the node. |
|
| `listenSubnets` | \[]string | The `listenSubnets` field configures the networks for the etcd to listen for peer and client connections. If `listenSubnets` is not set, but `advertisedSubnets` is set, `listenSubnets` defaults to `advertisedSubnets`. If neither `advertisedSubnets` nor `listenSubnets` is set, `listenSubnets` defaults to listen on all addresses. IPs can be excluded from the list by using negative match with `!`, e.g `!10.0.0.0/8`. Negative subnet matches should be specified last to filter out IPs picked by positive matches. If not specified, advertised IP is selected as the first routable address of the node. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `disabled` | bool | Disable coredns deployment on cluster bootstrap. | |
| `image` | string | The `image` field is an override to the default coredns image. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `enabled` | bool | Enable external cloud provider. | `true` `yes` `false` `no` |
| `manifests` | \[]string | A list of urls that point to additional manifests for an external cloud provider. These will get automatically deployed as part of the bootstrap. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `name` | string | Name of the manifest. Name should be unique. |
|
| `contents` | string | Manifest contents as a string. |
| Field | Type | Description | Value(s) |
|---|---|---|---|
| `certLifetime` | Duration | Admin kubeconfig certificate lifetime (default is 1 year). Field format accepts any Go time.Duration format ('1h' for one hour, '10m' for ten minutes). |