```yaml
version: v1alpha1
machine: # ...
cluster: # ...
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| version | string | Indicates the schema used to decode the contents. | v1alpha1 |
| debug | bool | Enable verbose logging to the console. | true, yes, false, no |
| machine | MachineConfig | Provides machine specific configuration options. | |
| cluster | ClusterConfig | Provides cluster specific configuration options. | |
machine
MachineConfig represents the machine-specific config values.
```yaml
machine:
  type: controlplane
  # InstallConfig represents the installation options for preparing a node.
  install:
    disk: /dev/sda # The disk used for installations.
    # Allows for supplying extra kernel args via the bootloader.
    extraKernelArgs:
      - console=ttyS1
      - panic=10
    image: ghcr.io/siderolabs/installer:latest # Allows for supplying the image used to perform the installation.
    wipe: false # Indicates if the installation disk should be wiped at installation time.
    # # Look up disk using disk attributes like model, size, serial and others.
    # diskSelector:
    #   size: 4GB # Disk size.
    #   model: WDC* # Disk model `/sys/block/<dev>/device/model`.
    #   busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.
    # # Allows for supplying additional system extension images to install on top of base Talos image.
    # extensions:
    #   - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| type | string | Defines the role of the machine within the cluster. | controlplane, worker |
| token | string | The token a machine uses to join the cluster PKI: with it the machine submits a certificate signing request and receives the certificate that becomes its identity. Treat it as a secret. | |
| ca | PEMEncodedCertificateAndKey | The root certificate authority of the PKI, as base64-encoded `crt` and `key`. | |
| acceptedCAs | []PEMEncodedCertificate | Additional certificate authorities (base64-encoded `crt`) whose issued certificates are accepted alongside the issuing `ca`. | |
| certSANs | []string | Extra subject alternative names for the machine's certificate; non-loopback interface IPs are added automatically. | |
| controlPlane | MachineControlPlaneConfig | Provides machine specific control plane configuration options. | |
| kubelet | KubeletConfig | Used to provide additional options to the kubelet. | |
| pods | []Unstructured | Static pod definitions run directly by the kubelet, bypassing the kube-apiserver. | |
| network | NetworkConfig | Provides machine specific network configuration options. | |
| disks | []MachineDisk | Used to partition, format and mount additional disks. | |
| install | InstallConfig | Used to provide instructions for installations. | |
| files | []MachineFile | Allows the addition of user specified files. | |
| env | Env | Environment variables set on PID 1 and on every service. | GRPC_GO_LOG_VERBOSITY_LEVEL, GRPC_GO_LOG_SEVERITY_LEVEL, http_proxy, https_proxy, no_proxy |
| time | TimeConfig | Used to configure the machine's time settings. | |
| sysctls | map[string]string | Used to configure the machine's sysctls. | |
| sysfs | map[string]string | Used to configure the machine's sysfs. | |
| registries | RegistriesConfig | Used to configure the machine's container image registry mirrors. | |
| systemDiskEncryption | SystemDiskEncryptionConfig | Machine system disk encryption configuration, per system partition. | |
| features | FeaturesConfig | Features describe individual Talos features that can be switched on or off. | |
| udev | UdevConfig | Configures the udev system. | |
| logging | LoggingConfig | Configures the logging system. | |
| kernel | KernelConfig | Configures the kernel. | |
| seccompProfiles | []MachineSeccompProfile | Configures the seccomp profiles for the machine. | |
| nodeLabels | map[string]string | Configures the node labels for the machine. | |
| nodeTaints | map[string]string | Configures the node taints for the machine. | |
controlPlane
MachineControlPlaneConfig represents the machine specific control plane configuration options.
```yaml
machine:
  controlPlane:
    # Controller manager machine specific configuration options.
    controllerManager:
      disabled: false # Disable kube-controller-manager on the node.
    # Scheduler machine specific configuration options.
    scheduler:
      disabled: true # Disable kube-scheduler on the node.
```
controllerManager
MachineControllerManagerConfig represents the machine specific ControllerManager config values.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| disabled | bool | Disable kube-controller-manager on the node. | |
scheduler
MachineSchedulerConfig represents the machine specific Scheduler config values.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| disabled | bool | Disable kube-scheduler on the node. | |
kubelet
KubeletConfig represents the kubelet config values.
```yaml
machine:
  kubelet:
    image: ghcr.io/siderolabs/kubelet:v1.30.5 # The `image` field is an optional reference to an alternative kubelet image.
    # The `extraArgs` field is used to provide additional flags to the kubelet.
    extraArgs:
      feature-gates: ServerSideApply=true
    # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
    # clusterDNS:
    #   - 10.96.0.10
    #   - 169.254.2.53
    # # The `extraMounts` field is used to add additional mounts to the kubelet container.
    # extraMounts:
    #   - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
    #     type: bind # Type specifies the mount kind.
    #     source: /var/lib/example # Source specifies the source path of the mount.
    #     # Options are fstab style mount options.
    #     options:
    #       - bind
    #       - rshared
    #       - rw
    # # The `extraConfig` field is used to provide kubelet configuration overrides.
    # extraConfig:
    #   serverTLSBootstrap: true
    # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.
    # credentialProviderConfig:
    #   apiVersion: kubelet.config.k8s.io/v1
    #   kind: CredentialProviderConfig
    #   providers:
    #     - apiVersion: credentialprovider.kubelet.k8s.io/v1
    #       defaultCacheDuration: 12h
    #       matchImages:
    #         - '*.dkr.ecr.*.amazonaws.com'
    #         - '*.dkr.ecr.*.amazonaws.com.cn'
    #         - '*.dkr.ecr-fips.*.amazonaws.com'
    #         - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'
    #         - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'
    #       name: ecr-credential-provider
    # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
    # nodeIP:
    #   # The `validSubnets` field configures the networks to pick kubelet node IP from.
    #   validSubnets:
    #     - 10.0.0.0/8
    #     - '!10.0.0.3/32'
    #     - fdc7::/16
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| image | string | The `image` field is an optional reference to an alternative kubelet image. | |
| clusterDNS | []string | The `clusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list. | |
| extraArgs | map[string]string | The `extraArgs` field is used to provide additional flags to the kubelet. | |
| extraMounts | []ExtraMount | The `extraMounts` field is used to add additional mounts to the kubelet container. | |
| extraConfig | Unstructured | The `extraConfig` field is used to provide kubelet configuration overrides. | |
| credentialProviderConfig | Unstructured | The `credentialProviderConfig` field is used to provide kubelet credential provider configuration. | |
| defaultRuntimeSeccompProfileEnabled | bool | Enable container runtime default Seccomp profile. | true, yes, false, no |
| registerWithFQDN | bool | Register the node with the kubelet's FQDN as its hostname. | true, yes, false, no |
| nodeIP | KubeletNodeIPConfig | The `nodeIP` field is used to configure the `--node-ip` flag for the kubelet. | |
| skipNodeRegistration | bool | Run the kubelet without registering the node with the API server. | true, yes, false, no |
| disableManifestsDirectory | bool | Stop the kubelet from loading static pod manifests from `/etc/kubernetes/manifests`; define static pods with the `pods` field instead. | true, yes, false, no |
ExtraMount wraps OCI Mount specification.
```yaml
machine:
  kubelet:
    extraMounts:
      - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
        type: bind # Type specifies the mount kind.
        source: /var/lib/example # Source specifies the source path of the mount.
        # Options are fstab style mount options.
        options:
          - bind
          - rshared
          - rw
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| destination | string | Destination is the absolute path where the mount will be placed in the container. | |
| type | string | Type specifies the mount kind. | |
| source | string | Source specifies the source path of the mount. | |
| options | []string | Options are fstab style mount options. | |
| uidMappings | []LinuxIDMapping | UID mappings applied to the mount (OCI `uidMappings`). | |
| gidMappings | []LinuxIDMapping | GID mappings applied to the mount (OCI `gidMappings`). | |
uidMappings[]
LinuxIDMapping represents the Linux ID mapping.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| containerID | uint32 | ContainerID is the starting UID/GID in the container. | |
| hostID | uint32 | HostID is the starting UID/GID on the host to be mapped to `ContainerID`. | |
| size | uint32 | Size is the number of IDs to be mapped. | |
gidMappings[]
LinuxIDMapping represents the Linux ID mapping.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| containerID | uint32 | ContainerID is the starting UID/GID in the container. | |
| hostID | uint32 | HostID is the starting UID/GID on the host to be mapped to `ContainerID`. | |
| size | uint32 | Size is the number of IDs to be mapped. | |
nodeIP
KubeletNodeIPConfig represents the kubelet node IP configuration.
```yaml
machine:
  kubelet:
    nodeIP:
      # The `validSubnets` field configures the networks to pick kubelet node IP from.
      validSubnets:
        - 10.0.0.0/8
        - '!10.0.0.3/32'
        - fdc7::/16
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| validSubnets | []string | The `validSubnets` field configures the networks to pick the kubelet node IP from; an entry prefixed with `!` excludes that network. | |
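The filter above decides which of a node's addresses becomes the kubelet `--node-ip`, so a mistake here silently registers the node on the wrong network. The following is an added example, not Talos code: it applies the `validSubnets` list from the reference (include networks, `!`-prefixed exclusions) to a constructed set of node addresses. The page does not state how Talos breaks ties between several eligible addresses; the rule that the earliest listed subnet wins is this example's assumption.

```python
"""Choose the kubelet node IP the way `machine.kubelet.nodeIP.validSubnets` filters it.

Added example, not Talos code. Semantics assumed from the reference: an address is
eligible when it lies inside at least one listed subnet and inside no `!`-prefixed
(excluded) subnet; when several addresses are eligible, the one matching the
earliest listed subnet wins (this tie-break is the example's own assumption).
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple


def parse_valid_subnets(valid_subnets: Iterable[str]) -> Tuple[List, List]:
    """Split the list into (include, exclude) networks; a leading '!' marks an exclusion."""
    include, exclude = [], []
    for entry in valid_subnets:
        entry = entry.strip()
        if entry.startswith("!"):
            exclude.append(ipaddress.ip_network(entry[1:], strict=False))
        else:
            include.append(ipaddress.ip_network(entry, strict=False))
    return include, exclude


def eligible_addresses(addresses: Iterable[str], valid_subnets: Iterable[str]) -> List[str]:
    """Every address passing the filter, ordered by the include rule it matched."""
    include, exclude = parse_valid_subnets(valid_subnets)
    ranked = []
    for raw in addresses:
        addr = ipaddress.ip_interface(raw).ip  # accepts "10.0.0.7/24" as well as "10.0.0.7"
        # `addr in net` is False across IP versions, so v4/v6 entries never collide.
        if any(addr in net for net in exclude):
            continue
        for rank, net in enumerate(include):
            if addr in net:
                ranked.append((rank, str(addr)))
                break
    ranked.sort(key=lambda item: item[0])  # stable: ties keep interface order
    return [address for _, address in ranked]


def pick_node_ip(addresses: Iterable[str], valid_subnets: Iterable[str]) -> Optional[str]:
    """The address the kubelet would be given, or None when nothing qualifies."""
    chosen = eligible_addresses(addresses, valid_subnets)
    return chosen[0] if chosen else None


# The list from the reference above; the node addresses are constructed for the example.
VALID_SUBNETS = ["10.0.0.0/8", "!10.0.0.3/32", "fdc7::/16"]
NODE_ADDRESSES = ["192.168.2.10/24", "10.0.0.3/24", "fdc7::1/64", "10.0.0.7/24"]

if __name__ == "__main__":
    print(eligible_addresses(NODE_ADDRESSES, VALID_SUBNETS))
    print(pick_node_ip(NODE_ADDRESSES, VALID_SUBNETS))
```

A `None` result is the case worth catching before rollout: with no eligible address the kubelet falls back to its own node-IP detection, which is exactly what the filter was meant to override.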
network
NetworkConfig represents the machine’s networking config values.
```yaml
machine:
  network:
    hostname: worker-1 # Used to statically set the hostname for the machine.
    # `interfaces` is used to define the network interface configuration.
    interfaces:
      - interface: enp0s1 # The interface name.
        # Assigns static IP addresses to the interface.
        addresses:
          - 192.168.2.0/24
        # A list of routes associated with the interface.
        routes:
          - network: 0.0.0.0/0 # The route's network (destination).
            gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
            metric: 1024 # The optional metric for the route.
        mtu: 1500 # The interface's MTU.
        # # Picks a network device using the selector.
        # # select a device with bus prefix 00:*.
        # deviceSelector:
        #   busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
        # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
        # deviceSelector:
        #   hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
        #   driver: virtio # Kernel driver, supports matching by wildcard.
        # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
        # deviceSelector:
        #   - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
        #   - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
        #     driver: virtio # Kernel driver, supports matching by wildcard.
        # # Bond specific options.
        # bond:
        #   # The interfaces that make up the bond.
        #   interfaces:
        #     - enp2s0
        #     - enp2s1
        #   # Picks a network device using the selector.
        #   deviceSelectors:
        #     - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
        #     - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
        #       driver: virtio # Kernel driver, supports matching by wildcard.
        #   mode: 802.3ad # A bond option.
        #   lacpRate: fast # A bond option.
        # # Bridge specific options.
        # bridge:
        #   # The interfaces that make up the bridge.
        #   interfaces:
        #     - enxda4042ca9a51
        #     - enxae2a6774c259
        #   # A bridge option.
        #   stp:
        #     enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
        # # Indicates if DHCP should be used to configure the interface.
        # dhcp: true
        # # DHCP specific options.
        # dhcpOptions:
        #   routeMetric: 1024 # The priority of all routes received via DHCP.
        # # Wireguard specific configuration.
        # # wireguard server example
        # wireguard:
        #   privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
        #   listenPort: 51111 # Specifies a device's listening port.
        #   # Specifies a list of peer configurations to apply to a device.
        #   peers:
        #     - publicKey: ABCDEF... # Specifies the public key of this peer.
        #       endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
        #       # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
        #       allowedIPs:
        #         - 192.168.1.0/24
        # # wireguard peer example
        # wireguard:
        #   privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
        #   # Specifies a list of peer configurations to apply to a device.
        #   peers:
        #     - publicKey: ABCDEF... # Specifies the public key of this peer.
        #       endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
        #       persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
        #       # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
        #       allowedIPs:
        #         - 192.168.1.0/24
        # # Virtual (shared) IP address configuration.
        # # layer2 vip example
        # vip:
        #   ip: 172.16.199.55 # Specifies the IP address to be used.
    # Used to statically set the nameservers for the machine.
    nameservers:
      - 9.8.7.6
      - 8.7.6.5
    # # Allows for extra entries to be added to the `/etc/hosts` file
    # extraHostEntries:
    #   - ip: 192.168.1.100 # The IP of the host.
    #     # The host alias.
    #     aliases:
    #       - example
    #       - example.domain.tld
    # # Configures KubeSpan feature.
    # kubespan:
    #   enabled: true # Enable the KubeSpan feature.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| hostname | string | Used to statically set the hostname for the machine. | |
| interfaces | []Device | `interfaces` is used to define the network interface configuration. | |
| nameservers | []string | Used to statically set the nameservers for the machine. | |
| extraHostEntries | []ExtraHost | Allows for extra entries to be added to the `/etc/hosts` file. | |
| kubespan | NetworkKubeSpan | Configures KubeSpan feature. | |
| disableSearchDomain | bool | Disable generating a default search domain in `/etc/resolv.conf` based on the machine hostname. | true, yes, false, no |
interfaces[]
Device represents a network interface.
```yaml
machine:
  network:
    interfaces:
      - interface: enp0s1 # The interface name.
        # Assigns static IP addresses to the interface.
        addresses:
          - 192.168.2.0/24
        # A list of routes associated with the interface.
        routes:
          - network: 0.0.0.0/0 # The route's network (destination).
            gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
            metric: 1024 # The optional metric for the route.
        mtu: 1500 # The interface's MTU.
        # # Picks a network device using the selector.
        # # select a device with bus prefix 00:*.
        # deviceSelector:
        #   busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
        # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
        # deviceSelector:
        #   hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
        #   driver: virtio # Kernel driver, supports matching by wildcard.
        # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
        # deviceSelector:
        #   - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
        #   - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
        #     driver: virtio # Kernel driver, supports matching by wildcard.
        # # Bond specific options.
        # bond:
        #   # The interfaces that make up the bond.
        #   interfaces:
        #     - enp2s0
        #     - enp2s1
        #   # Picks a network device using the selector.
        #   deviceSelectors:
        #     - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
        #     - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
        #       driver: virtio # Kernel driver, supports matching by wildcard.
        #   mode: 802.3ad # A bond option.
        #   lacpRate: fast # A bond option.
        # # Bridge specific options.
        # bridge:
        #   # The interfaces that make up the bridge.
        #   interfaces:
        #     - enxda4042ca9a51
        #     - enxae2a6774c259
        #   # A bridge option.
        #   stp:
        #     enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
        # # Indicates if DHCP should be used to configure the interface.
        # dhcp: true
        # # DHCP specific options.
        # dhcpOptions:
        #   routeMetric: 1024 # The priority of all routes received via DHCP.
        # # Wireguard specific configuration.
        # # wireguard server example
        # wireguard:
        #   privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
        #   listenPort: 51111 # Specifies a device's listening port.
        #   # Specifies a list of peer configurations to apply to a device.
        #   peers:
        #     - publicKey: ABCDEF... # Specifies the public key of this peer.
        #       endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
        #       # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
        #       allowedIPs:
        #         - 192.168.1.0/24
        # # wireguard peer example
        # wireguard:
        #   privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
        #   # Specifies a list of peer configurations to apply to a device.
        #   peers:
        #     - publicKey: ABCDEF... # Specifies the public key of this peer.
        #       endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
        #       persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
        #       # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
        #       allowedIPs:
        #         - 192.168.1.0/24
        # # Virtual (shared) IP address configuration.
        # # layer2 vip example
        # vip:
        #   ip: 172.16.199.55 # Specifies the IP address to be used.
```
deviceSelector
NetworkDeviceSelector struct describes network device selector.
```yaml
machine:
  network:
    interfaces:
      - deviceSelector:
          busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
```

```yaml
machine:
  network:
    interfaces:
      - deviceSelector:
          hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
          driver: virtio # Kernel driver, supports matching by wildcard.
```

```yaml
machine:
  network:
    interfaces:
      - deviceSelector:
          - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
          - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
            driver: virtio # Kernel driver, supports matching by wildcard.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| busPath | string | PCI, USB bus prefix, supports matching by wildcard. | |
| hardwareAddr | string | Device hardware address, supports matching by wildcard. | |
| pciID | string | PCI ID (vendor ID, product ID), supports matching by wildcard. | |
| driver | string | Kernel driver, supports matching by wildcard. | |
| physical | bool | Select only physical devices. | |
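The three examples above encode two rules: fields inside one selector must all match, and a list of selectors matches a device that satisfies any one of them. A selector that is too broad can attach a static address or a WireGuard key to the wrong NIC, so it is worth evaluating against the node's link inventory before applying the config. The block below is an added example, not Talos code: it resolves `deviceSelector` values against a constructed link list. Shell-style globbing and case-insensitive MAC comparison are this example's assumptions, since the page does not define the wildcard syntax.

```python
"""Resolve `deviceSelector` entries against the node's links (added example, not Talos code).

Rules as the reference describes them: every field set inside one selector must match
(AND); a list of selectors picks any device matching at least one of them (OR).
Wildcards are matched with shell-style globbing and MAC addresses compared
case-insensitively; those two details are this example's assumptions.
"""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass(frozen=True)
class Link:
    name: str
    bus_path: str
    hardware_addr: str
    pci_id: str
    driver: str
    physical: bool


# selector field -> Link attribute it is globbed against
WILDCARD_FIELDS = {"busPath": "bus_path", "hardwareAddr": "hardware_addr",
                   "pciID": "pci_id", "driver": "driver"}


def matches_selector(link: Link, selector: Dict) -> bool:
    """True when every field set in `selector` matches `link`."""
    unknown = set(selector) - set(WILDCARD_FIELDS) - {"physical"}
    if unknown:  # a typo such as `hardwareAddress` must fail loudly, not match everything
        raise ValueError(f"unknown deviceSelector field(s): {sorted(unknown)}")
    if not selector:
        return False  # an empty selector selects nothing rather than everything
    for field, attr in WILDCARD_FIELDS.items():
        pattern = selector.get(field)
        if pattern is None:
            continue
        if not fnmatch.fnmatchcase(getattr(link, attr).lower(), str(pattern).lower()):
            return False
    if selector.get("physical") and not link.physical:
        return False
    return True


def select_links(links: List[Link], selector: Union[Dict, List[Dict]]) -> List[str]:
    """Names of the links a single selector or a list of selectors would pick, in link order."""
    selectors = selector if isinstance(selector, list) else [selector]
    return [link.name for link in links if any(matches_selector(link, s) for s in selectors)]


# Constructed inventory, not real hardware; driver names follow the page's `virtio` example.
LINKS = [
    Link("enp0s3", "00:03.0", "52:54:00:12:f0:ab", "1af4:1000", "virtio", True),
    Link("enp0s8", "00:08.0", "08:00:27:aa:bb:cc", "8086:100e", "e1000", True),
    Link("docker0", "", "02:42:ac:11:00:01", "", "bridge", False),
]

if __name__ == "__main__":
    print(select_links(LINKS, {"busPath": "00:*"}))
    print(select_links(LINKS, [{"busPath": "00:08*"}, {"hardwareAddr": "*:f0:ab", "driver": "virtio"}]))
```

A selector that returns more than one name for a plain `interface` entry is the condition to treat as a config error: the address, routes and any WireGuard key under it are meant for exactly one device.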
routes[]
Route represents a network route.
```yaml
machine:
  network:
    interfaces:
      - routes:
          - network: 0.0.0.0/0 # The route's network (destination).
            gateway: 10.5.0.1 # The route's gateway (if empty, creates link scope route).
          - network: 10.2.0.0/16 # The route's network (destination).
            gateway: 10.2.0.1 # The route's gateway (if empty, creates link scope route).
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| network | string | The route's network (destination). | |
| gateway | string | The route's gateway (if empty, creates link scope route). | |
| source | string | The route's source address (optional). | |
| metric | uint32 | The optional metric for the route. | |
| mtu | uint32 | The optional MTU for the route. | |
bond
Bond contains the various options for configuring a bonded interface.
```yaml
machine:
  network:
    interfaces:
      - bond:
          # The interfaces that make up the bond.
          interfaces:
            - enp2s0
            - enp2s1
          mode: 802.3ad # A bond option.
          lacpRate: fast # A bond option.
          # # Picks a network device using the selector.
          # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
          # deviceSelectors:
          #   - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
          #   - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
          #     driver: virtio # Kernel driver, supports matching by wildcard.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| interfaces | []string | The interfaces that make up the bond. | |
| deviceSelectors | []NetworkDeviceSelector | Picks a network device using the selector. | |
| arpIPTarget | []string | A bond option. | |
| mode | string | A bond option. | |
| xmitHashPolicy | string | A bond option. | |
| lacpRate | string | A bond option. | |
| adActorSystem | string | A bond option. | |
| arpValidate | string | A bond option. | |
| arpAllTargets | string | A bond option. | |
| primary | string | A bond option. | |
| primaryReselect | string | A bond option. | |
| failOverMac | string | A bond option. | |
| adSelect | string | A bond option. | |
| miimon | uint32 | A bond option. | |
| updelay | uint32 | A bond option. | |
| downdelay | uint32 | A bond option. | |
| arpInterval | uint32 | A bond option. | |
| resendIgmp | uint32 | A bond option. | |
| minLinks | uint32 | A bond option. | |
| lpInterval | uint32 | A bond option. | |
| packetsPerSlave | uint32 | A bond option. | |
| numPeerNotif | uint8 | A bond option. | |
| tlbDynamicLb | uint8 | A bond option. | |
| allSlavesActive | uint8 | A bond option. | |
| useCarrier | bool | A bond option. | |
| adActorSysPrio | uint16 | A bond option. | |
| adUserPortKey | uint16 | A bond option. | |
| peerNotifyDelay | uint32 | A bond option. | |

The bond options carry the names and semantics of the corresponding Linux bonding driver parameters.
deviceSelectors[]
NetworkDeviceSelector struct describes network device selector.
```yaml
machine:
  network:
    interfaces:
      - bond:
          deviceSelectors:
            - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
```

```yaml
machine:
  network:
    interfaces:
      - bond:
          deviceSelectors:
            - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
              driver: virtio # Kernel driver, supports matching by wildcard.
```

```yaml
machine:
  network:
    interfaces:
      - bond:
          deviceSelectors:
            - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
            - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
              driver: virtio # Kernel driver, supports matching by wildcard.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| busPath | string | PCI, USB bus prefix, supports matching by wildcard. | |
| hardwareAddr | string | Device hardware address, supports matching by wildcard. | |
| pciID | string | PCI ID (vendor ID, product ID), supports matching by wildcard. | |
| driver | string | Kernel driver, supports matching by wildcard. | |
| physical | bool | Select only physical devices. | |
bridge
Bridge contains the various options for configuring a bridge interface.
```yaml
machine:
  network:
    interfaces:
      - bridge:
          # The interfaces that make up the bridge.
          interfaces:
            - enxda4042ca9a51
            - enxae2a6774c259
          # A bridge option.
          stp:
            enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| interfaces | []string | The interfaces that make up the bridge. | |
| stp | STP | A bridge option. | |
stp
STP contains the various options for configuring the STP properties of a bridge interface.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| enabled | bool | Whether Spanning Tree Protocol (STP) is enabled. | |
vlans[]
Vlan represents vlan settings for a device.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| addresses | []string | The addresses in CIDR notation or as plain IPs to use. | |
| routes | []Route | A list of routes associated with the VLAN. | |
| dhcp | bool | Indicates if DHCP should be used. | |
| vlanId | uint16 | The VLAN's ID. | |
| mtu | uint32 | The VLAN's MTU. | |
| vip | DeviceVIPConfig | The VLAN's virtual IP address configuration. | |
| dhcpOptions | DHCPOptions | DHCP specific options. | |
routes[]
Route represents a network route.
```yaml
machine:
  network:
    interfaces:
      - vlans:
          - routes:
              - network: 0.0.0.0/0 # The route's network (destination).
                gateway: 10.5.0.1 # The route's gateway (if empty, creates link scope route).
              - network: 10.2.0.0/16 # The route's network (destination).
                gateway: 10.2.0.1 # The route's gateway (if empty, creates link scope route).
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| network | string | The route's network (destination). | |
| gateway | string | The route's gateway (if empty, creates link scope route). | |
| source | string | The route's source address (optional). | |
| metric | uint32 | The optional metric for the route. | |
| mtu | uint32 | The optional MTU for the route. | |
vip
DeviceVIPConfig contains settings for configuring a Virtual Shared IP on an interface.
```yaml
machine:
  network:
    interfaces:
      - vlans:
          - vip:
              ip: 172.16.199.55 # Specifies the IP address to be used.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| ip | string | Specifies the IP address to be used. | |
| equinixMetal | VIPEquinixMetalConfig | Specifies the Equinix Metal API settings to assign VIP to the node. | |
| hcloud | VIPHCloudConfig | Specifies the Hetzner Cloud API settings to assign VIP to the node. | |
equinixMetal
VIPEquinixMetalConfig contains settings for Equinix Metal VIP management.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| apiToken | string | Specifies the Equinix Metal API Token (stored in the machine config; treat it as a secret). | |
hcloud
VIPHCloudConfig contains settings for Hetzner Cloud VIP management.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| apiToken | string | Specifies the Hetzner Cloud API Token (stored in the machine config; treat it as a secret). | |
dhcpOptions
DHCPOptions contains options for configuring the DHCP settings for a given interface.
```yaml
machine:
  network:
    interfaces:
      - vlans:
          - dhcpOptions:
              routeMetric: 1024 # The priority of all routes received via DHCP.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| routeMetric | uint32 | The priority of all routes received via DHCP. | |
| ipv4 | bool | Enables DHCPv4 protocol for the interface (default is enabled). | |
| ipv6 | bool | Enables DHCPv6 protocol for the interface (default is disabled). | |
| duidv6 | string | Set client DUID (hex string). | |
dhcpOptions
DHCPOptions contains options for configuring the DHCP settings for a given interface.
```yaml
machine:
  network:
    interfaces:
      - dhcpOptions:
          routeMetric: 1024 # The priority of all routes received via DHCP.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| routeMetric | uint32 | The priority of all routes received via DHCP. | |
| ipv4 | bool | Enables DHCPv4 protocol for the interface (default is enabled). | |
| ipv6 | bool | Enables DHCPv6 protocol for the interface (default is disabled). | |
| duidv6 | string | Set client DUID (hex string). | |
wireguard
DeviceWireguardConfig contains settings for configuring Wireguard network interface.
```yaml
machine:
  network:
    interfaces:
      - wireguard:
          privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
          listenPort: 51111 # Specifies a device's listening port.
          # Specifies a list of peer configurations to apply to a device.
          peers:
            - publicKey: ABCDEF... # Specifies the public key of this peer.
              endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
              # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
              allowedIPs:
                - 192.168.1.0/24
```

```yaml
machine:
  network:
    interfaces:
      - wireguard:
          privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
          # Specifies a list of peer configurations to apply to a device.
          peers:
            - publicKey: ABCDEF... # Specifies the public key of this peer.
              endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
              persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
              # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
              allowedIPs:
                - 192.168.1.0/24
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| privateKey | string | Specifies a private key configuration (base64 encoded), as produced by `wg genkey`. The key lives in the machine config, so the config must be handled as a secret. | |
| listenPort | int | Specifies a device's listening port. | |
| firewallMark | int | Specifies a device's firewall mark. | |
| peers | []DeviceWireguardPeer | Specifies a list of peer configurations to apply to a device. | |
peers[]
DeviceWireguardPeer a WireGuard device peer configuration.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| publicKey | string | Specifies the public key of this peer (base64 encoded). | |
| endpoint | string | Specifies the endpoint of this peer entry. | |
| persistentKeepaliveInterval | Duration | Specifies the persistent keepalive interval for this peer. | |
| allowedIPs | []string | AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer. | |
vip
DeviceVIPConfig contains settings for configuring a Virtual Shared IP on an interface.
```yaml
machine:
  network:
    interfaces:
      - vip:
          ip: 172.16.199.55 # Specifies the IP address to be used.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| ip | string | Specifies the IP address to be used. | |
| equinixMetal | VIPEquinixMetalConfig | Specifies the Equinix Metal API settings to assign VIP to the node. | |
| hcloud | VIPHCloudConfig | Specifies the Hetzner Cloud API settings to assign VIP to the node. | |
equinixMetal
VIPEquinixMetalConfig contains settings for Equinix Metal VIP management.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| apiToken | string | Specifies the Equinix Metal API Token (stored in the machine config; treat it as a secret). | |
hcloud
VIPHCloudConfig contains settings for Hetzner Cloud VIP management.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| apiToken | string | Specifies the Hetzner Cloud API Token (stored in the machine config; treat it as a secret). | |
ExtraHost represents a host entry in /etc/hosts.
```yaml
machine:
  network:
    extraHostEntries:
      - ip: 192.168.1.100 # The IP of the host.
        # The host alias.
        aliases:
          - example
          - example.domain.tld
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| ip | string | The IP of the host. | |
| aliases | []string | The host aliases. | |
kubespan
NetworkKubeSpan struct describes KubeSpan configuration.
```yaml
machine:
  network:
    kubespan:
      enabled: true # Enable the KubeSpan feature.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| enabled | bool | Enable the KubeSpan feature. | |
| advertiseKubernetesNetworks | bool | Control whether Kubernetes pod CIDRs are announced over KubeSpan from the node. | |
| allowDownPeerBypass | bool | Skip sending traffic via KubeSpan if the peer connection state is not up. | |
| harvestExtraEndpoints | bool | Collect and publish extra endpoints for each cluster member based on the WireGuard endpoint data of each peer. | |
| mtu | uint32 | KubeSpan link MTU size. | |
| filters | KubeSpanFilters | KubeSpan advanced filtering of network addresses. | |
filters
KubeSpanFilters struct describes KubeSpan advanced network addresses filtering.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| endpoints | []string | Filter node addresses which will be published as KubeSpan endpoints (CIDR list; a `!` prefix excludes). | |
disks[]
MachineDisk represents the options available for partitioning, formatting, and mounting extra disks.
```yaml
machine:
  disks:
    - device: /dev/sdb # The name of the disk to use.
      # A list of partitions to create on the disk.
      partitions:
        - mountpoint: /var/mnt/extra # Where to mount the partition.
          # # The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk.
          # # Human readable representation.
          # size: 100 MB
          # # Precise value in bytes.
          # size: 1073741824
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| device | string | The name of the disk to use. | |
| partitions | []DiskPartition | A list of partitions to create on the disk. | |
partitions[]
DiskPartition represents the options for a disk partition.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| size | DiskSize | The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk. | |
| mountpoint | string | Where to mount the partition. | |
install
InstallConfig represents the installation options for preparing a node.
```yaml
machine:
  install:
    disk: /dev/sda # The disk used for installations.
    # Allows for supplying extra kernel args via the bootloader.
    extraKernelArgs:
      - console=ttyS1
      - panic=10
    image: ghcr.io/siderolabs/installer:latest # Allows for supplying the image used to perform the installation.
    wipe: false # Indicates if the installation disk should be wiped at installation time.
    # # Look up disk using disk attributes like model, size, serial and others.
    # diskSelector:
    #   size: 4GB # Disk size.
    #   model: WDC* # Disk model `/sys/block/<dev>/device/model`.
    #   busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.
    # # Allows for supplying additional system extension images to install on top of base Talos image.
    # extensions:
    #   - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| disk | string | The disk used for installations. | |
| diskSelector | InstallDiskSelector | Look up the install disk using disk attributes like model, size, serial and others. | |
| extraKernelArgs | []string | Allows for supplying extra kernel args via the bootloader. | |
| image | string | Allows for supplying the image used to perform the installation. Pin it to a version or digest rather than `latest` so that upgrades are deliberate. | |
| extensions | []InstallExtensionConfig | Allows for supplying additional system extension images to install on top of base Talos image. | |
| wipe | bool | Indicates if the installation disk should be wiped at installation time. | true, yes, false, no |
| legacyBIOSSupport | bool | Mark the MBR partition as bootable (active); only needed on legacy BIOS systems that cannot boot GPT. | |
diskSelector
InstallDiskSelector represents a disk query parameters for the install disk lookup.
```yaml
machine:
  install:
    diskSelector:
      size: '>= 1TB' # Disk size.
      model: WDC* # Disk model `/sys/block/<dev>/device/model`.
      # # Disk bus path.
      # busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0
      # busPath: /pci0000:00/*
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| size | InstallDiskSizeMatcher | Disk size. | |
| name | string | Disk name `/sys/block/<dev>/device/name`. | |
| model | string | Disk model `/sys/block/<dev>/device/model`. | |
| serial | string | Disk serial number `/sys/block/<dev>/serial`. | |
| modalias | string | Disk modalias `/sys/block/<dev>/device/modalias`. | |
| uuid | string | Disk UUID `/sys/block/<dev>/uuid`. | |
| wwid | string | Disk WWID `/sys/block/<dev>/wwid`. | |
| type | InstallDiskType | Disk Type. | ssd, hdd, nvme, sd |
| busPath | string | Disk bus path. | |
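`diskSelector` is the one field on this page where an over-broad match is destructive: combined with `wipe: true` it decides which disk is erased. The block below is an added example, not Talos code. It parses the size forms shown on this page (`4GB`, `'>= 1TB'`, a bare byte count such as `1073741824`), globs the string fields, and reports every disk a selector would match so that an ambiguous selector is visible before install. The page does not state the operator set, whether `GB` is decimal or binary, or the wildcard syntax; the choices below (comparison operators `== != < <= > >=`, decimal `kB/MB/GB/TB` and binary `KiB/MiB/GiB/TiB`, shell-style globbing) are this example's assumptions, and the disk inventory is constructed.

```python
"""Evaluate `machine.install.diskSelector` against candidate disks (added example, not Talos code).

Assumptions, since the page does not state them: a bare size means equality; the
operators are ==, !=, <, <=, >, >=; decimal units (kB/MB/GB/TB) are powers of 1000
and IEC units (KiB/MiB/GiB/TiB) powers of 1024; string fields use shell-style globbing.
"""
import fnmatch
import operator
import re
from typing import Dict, List, Tuple

UNITS = {
    "": 1, "B": 1,
    "KB": 10**3, "MB": 10**6, "GB": 10**9, "TB": 10**12, "PB": 10**15,
    "KIB": 2**10, "MIB": 2**20, "GIB": 2**30, "TIB": 2**40, "PIB": 2**50,
}
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}
_MATCHER = re.compile(r"^\s*(==|!=|<=|>=|<|>)?\s*(\d+(?:\.\d+)?)\s*([A-Za-z]*)\s*$")
GLOB_FIELDS = ("name", "model", "serial", "modalias", "uuid", "wwid", "busPath")


def parse_size_matcher(expr: str) -> Tuple[str, int]:
    """Return (comparison operator, size in bytes) for an InstallDiskSizeMatcher string."""
    m = _MATCHER.match(str(expr))
    if not m:
        raise ValueError(f"unparseable size matcher: {expr!r}")
    op, number, unit = m.group(1) or "==", m.group(2), m.group(3).upper()
    if unit not in UNITS:
        raise ValueError(f"unknown size unit in {expr!r}")
    return op, int(round(float(number) * UNITS[unit]))


def parse_size(expr: str) -> int:
    """Plain DiskSize with no operator, as used by `machine.disks[].partitions[].size`."""
    op, size = parse_size_matcher(expr)
    if op != "==":
        raise ValueError("partition sizes take no comparison operator")
    return size


def size_matches(expr: str, disk_bytes: int) -> bool:
    op, size = parse_size_matcher(expr)
    return OPS[op](disk_bytes, size)


def select_install_disks(disks: List[Dict], selector: Dict) -> List[str]:
    """Names of every disk satisfying all selector fields (AND). More than one hit means
    the selector is ambiguous and could point the installer (and `wipe`) at the wrong disk."""
    hits = []
    for disk in disks:
        ok = True
        for field, pattern in selector.items():
            if field == "size":
                ok = size_matches(pattern, disk["size"])
            elif field == "type":
                ok = disk.get("type") == pattern
            elif field in GLOB_FIELDS:
                ok = fnmatch.fnmatchcase(str(disk.get(field, "")), str(pattern))
            else:
                raise ValueError(f"unknown diskSelector field {field!r}")
            if not ok:
                break
        if ok:
            hits.append(disk["name"])
    return hits


# Constructed inventory for the example (not real hardware); sizes are in bytes.
DISKS = [
    {"name": "sda", "size": 256 * 10**9, "model": "WDC WDS250G2B0A", "type": "ssd",
     "busPath": "/pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0"},
    {"name": "nvme0n1", "size": 2 * 10**12, "model": "Samsung SSD 980", "type": "nvme",
     "busPath": "/pci0000:00/0000:00:1b.0/nvme/nvme0/nvme0n1"},
    {"name": "sdb", "size": 4 * 10**12, "model": "WDC WD40EFRX", "type": "hdd",
     "busPath": "/pci0000:00/0000:00:17.0/ata2/host1/target1:0:0/1:0:0:0"},
]

if __name__ == "__main__":
    print(select_install_disks(DISKS, {"size": ">= 1TB", "model": "WDC*"}))  # one hit
    print(select_install_disks(DISKS, {"size": ">= 1TB"}))                   # ambiguous
```

The page's own `busPath: /pci0000:00/*` example matches every disk on that PCI root in this inventory, which is why a bus-path wildcard should be paired with `size`, `model` or `serial` on hosts with more than one disk.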
extensions[]
InstallExtensionConfig represents a configuration for a system extension.
```yaml
machine:
  install:
    extensions:
      - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| image | string | System extension image. | |
files[]
MachineFile represents a file to write to disk.
```yaml
machine:
  files:
    - content: '...' # The contents of the file.
      permissions: 0o666 # The file's permissions in octal.
      path: /tmp/file.txt # The path of the file.
      op: append # The operation to use
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| content | string | The contents of the file (written as-is, not base64 decoded). | |
| permissions | FileMode | The file's permissions in octal. | |
| path | string | The path of the file. | |
| op | string | The operation to use: `create` requires that `path` does not exist; `overwrite` and `append` require an existing file. | create, append, overwrite |
time
TimeConfig represents the options for configuring time on a machine.
```yaml
machine:
  time:
    disabled: false # Indicates if the time service is disabled for the machine.
    # Specifies time (NTP) servers to use for time synchronization.
    servers:
      - time.cloudflare.com
    bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence.
```
| Field | Type | Description | Value(s) |
|---|
disabled | bool | | |
servers | []string | | |
bootTimeout | Duration | | |
registries
RegistriesConfig represents the image pull options.
```yaml
machine:
  registries:
    # Specifies mirror configuration for each registry host namespace.
    mirrors:
      docker.io:
        # List of endpoints (URLs) for registry mirrors to use.
        endpoints:
          - https://registry.local
    # Specifies TLS & auth configuration for HTTPS image registries.
    config:
      registry.local:
        # The TLS configuration for the registry.
        tls:
          # Enable mutual TLS authentication with the registry.
          clientIdentity:
            crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
            key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
        # The auth configuration for this registry.
        auth:
          username: username # Optional registry authentication.
          password: password # Optional registry authentication.
```
mirrors.*
RegistryMirrorConfig represents mirror configuration for a registry.
```yaml
machine:
  registries:
    mirrors:
      ghcr.io:
        # List of endpoints (URLs) for registry mirrors to use.
        endpoints:
          - https://registry.insecure
          - https://ghcr.io/v2/
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| endpoints | []string | | |
| overridePath | bool | | |
config.*
RegistryConfig specifies auth & TLS config per registry.
```yaml
machine:
  registries:
    config:
      registry.insecure:
        # The TLS configuration for the registry.
        tls:
          insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).
          # # Enable mutual TLS authentication with the registry.
          # clientIdentity:
          #   crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
          #   key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
        # # The auth configuration for this registry.
        # auth:
        #   username: username # Optional registry authentication.
        #   password: password # Optional registry authentication.
```
tls
RegistryTLSConfig specifies TLS config for HTTPS registries.
```yaml
machine:
  registries:
    config:
      example.com:
        tls:
          # Enable mutual TLS authentication with the registry.
          clientIdentity:
            crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
            key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
```
```yaml
machine:
  registries:
    config:
      example.com:
        tls:
          insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).
          # # Enable mutual TLS authentication with the registry.
          # clientIdentity:
          #   crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
          #   key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| clientIdentity | PEMEncodedCertificateAndKey | | |
| ca | Base64Bytes | | |
| insecureSkipVerify | bool | Skip TLS server certificate verification (not recommended). | |
auth
RegistryAuthConfig specifies authentication configuration for a registry.
```yaml
machine:
  registries:
    config:
      example.com:
        auth:
          username: username # Optional registry authentication.
          password: password # Optional registry authentication.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| username | string | | |
| password | string | | |
| auth | string | | |
| identityToken | string | | |
systemDiskEncryption
SystemDiskEncryptionConfig specifies system disk partitions encryption settings.
```yaml
machine:
  systemDiskEncryption:
    # Ephemeral partition encryption.
    ephemeral:
      provider: luks2 # Encryption provider to use for the encryption.
      # Defines the encryption keys generation and storage method.
      keys:
        - # Deterministically generated key from the node UUID and PartitionLabel.
          nodeID: {}
          slot: 0 # Key slot number for LUKS2 encryption.
          # # KMS managed encryption key.
          # kms:
          #   endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
      # # Cipher kind to use for the encryption. Depends on the encryption provider.
      # cipher: aes-xts-plain64
      # # Defines the encryption sector size.
      # blockSize: 4096
      # # Additional --perf parameters for the LUKS2 encryption.
      # options:
      #   - no_read_workqueue
      #   - no_write_workqueue
```
state
EncryptionConfig represents partition encryption settings.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| provider | string | Encryption provider to use for the encryption. | |
| keys | EncryptionKey | Defines the encryption keys generation and storage method. | |
| cipher | string | Cipher kind to use for the encryption. Depends on the encryption provider. | aes-xts-plain64, xchacha12,aes-adiantum-plain64, xchacha20,aes-adiantum-plain64 |
| keySize | uint | Defines the encryption key length. | |
| blockSize | uint64 | Defines the encryption sector size. | |
| options | []string | Additional `--perf` parameters for the LUKS2 encryption. | no_read_workqueue, no_write_workqueue, same_cpu_crypt |
keys[]
EncryptionKey represents configuration for a disk encryption key.
static
EncryptionKeyStatic represents a throw-away key type.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| passphrase | string | Defines the static passphrase value. | |
nodeID
EncryptionKeyNodeID represents a key deterministically generated from the node UUID and PartitionLabel.
kms
EncryptionKeyKMS represents a key that is generated and then sealed/unsealed by the KMS server.
```yaml
machine:
  systemDiskEncryption:
    state:
      keys:
        - kms:
            endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| endpoint | string | KMS endpoint to Seal/Unseal the key. | |
tpm
EncryptionKeyTPM represents a key that is generated and then sealed/unsealed by the TPM.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| checkSecurebootStatusOnEnroll | bool | | |
ephemeral
EncryptionConfig represents partition encryption settings.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| provider | string | Encryption provider to use for the encryption. | |
| keys | EncryptionKey | Defines the encryption keys generation and storage method. | |
| cipher | string | Cipher kind to use for the encryption. Depends on the encryption provider. | aes-xts-plain64, xchacha12,aes-adiantum-plain64, xchacha20,aes-adiantum-plain64 |
| keySize | uint | Defines the encryption key length. | |
| blockSize | uint64 | Defines the encryption sector size. | |
| options | []string | Additional `--perf` parameters for the LUKS2 encryption. | no_read_workqueue, no_write_workqueue, same_cpu_crypt |
keys[]
EncryptionKey represents configuration for a disk encryption key.
static
EncryptionKeyStatic represents a throw-away key type.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| passphrase | string | Defines the static passphrase value. | |
nodeID
EncryptionKeyNodeID represents a key deterministically generated from the node UUID and PartitionLabel.
kms
EncryptionKeyKMS represents a key that is generated and then sealed/unsealed by the KMS server.
```yaml
machine:
  systemDiskEncryption:
    ephemeral:
      keys:
        - kms:
            endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| endpoint | string | KMS endpoint to Seal/Unseal the key. | |
tpm
EncryptionKeyTPM represents a key that is generated and then sealed/unsealed by the TPM.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| checkSecurebootStatusOnEnroll | bool | | |
features
FeaturesConfig describes individual Talos features that can be switched on or off.
```yaml
machine:
  features:
    rbac: true # Enable role-based access control (RBAC).
    # # Configure Talos API access from Kubernetes pods.
    # kubernetesTalosAPIAccess:
    #   enabled: true # Enable Talos API access from Kubernetes pods.
    #   # The list of Talos API roles which can be granted for access from Kubernetes pods.
    #   allowedRoles:
    #     - os:reader
    #   # The list of Kubernetes namespaces Talos API access is available from.
    #   allowedKubernetesNamespaces:
    #     - kube-system
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| rbac | bool | Enable role-based access control (RBAC). | |
| stableHostname | bool | Enable stable default hostname. | |
| kubernetesTalosAPIAccess | KubernetesTalosAPIAccessConfig | | |
| apidCheckExtKeyUsage | bool | Enable checks for extended key usage of client certificates in apid. | |
| diskQuotaSupport | bool | | |
| kubePrism | KubePrism | | |
| hostDNS | HostDNSConfig | Configures host DNS caching resolver. | |
kubernetesTalosAPIAccess
KubernetesTalosAPIAccessConfig describes the configuration for the Talos API access from Kubernetes pods.
```yaml
machine:
  features:
    kubernetesTalosAPIAccess:
      enabled: true # Enable Talos API access from Kubernetes pods.
      # The list of Talos API roles which can be granted for access from Kubernetes pods.
      allowedRoles:
        - os:reader
      # The list of Kubernetes namespaces Talos API access is available from.
      allowedKubernetesNamespaces:
        - kube-system
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| enabled | bool | Enable Talos API access from Kubernetes pods. | |
| allowedRoles | []string | | |
| allowedKubernetesNamespaces | []string | The list of Kubernetes namespaces Talos API access is available from. | |
kubePrism
KubePrism describes the configuration for the KubePrism load balancer.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| enabled | bool | Enable KubePrism support - will start local load balancing proxy. | |
| port | int | KubePrism port. | |
hostDNS
HostDNSConfig describes the configuration for the host DNS resolver.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| enabled | bool | Enable host DNS caching resolver. | |
| forwardKubeDNSToHost | bool | | |
| resolveMemberNames | bool | | |
udev
UdevConfig describes how the udev system should be configured.
```yaml
machine:
  udev:
    # List of udev rules to apply to the udev system.
    rules:
      - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| rules | []string | List of udev rules to apply to the udev system. | |
logging
LoggingConfig struct configures Talos logging.
```yaml
machine:
  logging:
    # Logging destination.
    destinations:
      - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
        format: json_lines # Logs format.
```
destinations[]
LoggingDestination struct configures a Talos logging destination.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| endpoint | Endpoint | Where to send logs. Supported protocols are "tcp" and "udp". | |
| format | string | Logs format. | json_lines |
| extraTags | map[string]string | Extra tags (key-value pairs) to attach to every log message sent. | |
endpoint
Endpoint represents the endpoint URL parsed out of the machine config.
```yaml
machine:
  logging:
    destinations:
      - endpoint: https://1.2.3.4:6443
```
```yaml
machine:
  logging:
    destinations:
      - endpoint: https://cluster1.internal:6443
```
```yaml
machine:
  logging:
    destinations:
      - endpoint: udp://127.0.0.1:12345
```
```yaml
machine:
  logging:
    destinations:
      - endpoint: tcp://1.2.3.4:12345
```
kernel
KernelConfig struct configures the Talos Linux kernel.
```yaml
machine:
  kernel:
    # Kernel modules to load.
    modules:
      - name: btrfs # Module name.
```
modules[]
KernelModuleConfig struct configures Linux kernel modules to load.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| name | string | Module name. | |
| parameters | []string | Module parameters; changes are applied after reboot. | |
seccompProfiles[]
MachineSeccompProfile defines seccomp profiles for the machine.
```yaml
machine:
  seccompProfiles:
    - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
      # The `value` field is used to provide the seccomp profile.
      value:
        defaultAction: SCMP_ACT_LOG
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| name | string | The `name` field is used to provide the file name of the seccomp profile. | |
| value | Unstructured | The `value` field is used to provide the seccomp profile. | |
cluster
ClusterConfig represents the cluster-wide config values.
```yaml
cluster:
  # ControlPlaneConfig represents the control plane configuration options.
  controlPlane:
    endpoint: https://1.2.3.4 # Endpoint is the canonical control plane endpoint, which can be an IP address or a DNS hostname.
    localAPIServerPort: 443 # The port that the API server listens on internally.
  clusterName: talos.local
  # ClusterNetworkConfig represents kube networking configuration options.
  network:
    # The CNI used.
    cni:
      name: flannel # Name of CNI to use.
    dnsDomain: cluster.local # The domain used by Kubernetes DNS.
    # The pod subnet CIDR.
    podSubnets:
      - 10.244.0.0/16
    # The service subnet CIDR.
    serviceSubnets:
      - 10.96.0.0/12
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| id | string | Globally unique identifier for this cluster (base64 encoded random 32 bytes). | |
| secret | string | | |
| controlPlane | ControlPlaneConfig | Provides control plane specific configuration options. | |
| clusterName | string | Configures the cluster's name. | |
| network | ClusterNetworkConfig | Provides cluster specific network configuration options. | |
| token | string | The bootstrap token used to join the cluster. | |
| aescbcEncryptionSecret | string | | |
| secretboxEncryptionSecret | string | | |
| ca | PEMEncodedCertificateAndKey | The base64 encoded root certificate authority used by Kubernetes. | |
| acceptedCAs | []PEMEncodedCertificate | The list of base64 encoded accepted certificate authorities used by Kubernetes. | |
| aggregatorCA | PEMEncodedCertificateAndKey | | |
| serviceAccount | PEMEncodedKey | The base64 encoded private key for service account token generation. | |
| apiServer | APIServerConfig | API server specific configuration options. | |
| controllerManager | ControllerManagerConfig | Controller manager server specific configuration options. | |
| proxy | ProxyConfig | Kube-proxy server-specific configuration options. | |
| scheduler | SchedulerConfig | Scheduler server specific configuration options. | |
| discovery | ClusterDiscoveryConfig | Configures cluster member discovery. | |
| etcd | EtcdConfig | Etcd specific configuration options. | |
| coreDNS | CoreDNS | Core DNS specific configuration options. | |
| externalCloudProvider | ExternalCloudProviderConfig | External cloud provider configuration. | |
| extraManifests | []string | | |
| extraManifestHeaders | map[string]string | A map of key value pairs that will be added while fetching the extraManifests. | |
| inlineManifests | ClusterInlineManifest | | |
| adminKubeconfig | AdminKubeconfigConfig | | |
| allowSchedulingOnControlPlanes | bool | Allows running workload on control-plane nodes. | true, yes, false, no |
controlPlane
ControlPlaneConfig represents the control plane configuration options.
```yaml
cluster:
  controlPlane:
    endpoint: https://1.2.3.4 # Endpoint is the canonical control plane endpoint, which can be an IP address or a DNS hostname.
    localAPIServerPort: 443 # The port that the API server listens on internally.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| endpoint | Endpoint | | |
| localAPIServerPort | int | | |
endpoint
Endpoint represents the endpoint URL parsed out of the machine config.
```yaml
cluster:
  controlPlane:
    endpoint: https://1.2.3.4:6443
```
```yaml
cluster:
  controlPlane:
    endpoint: https://cluster1.internal:6443
```
```yaml
cluster:
  controlPlane:
    endpoint: udp://127.0.0.1:12345
```
```yaml
cluster:
  controlPlane:
    endpoint: tcp://1.2.3.4:12345
```
network
ClusterNetworkConfig represents kube networking configuration options.
```yaml
cluster:
  network:
    # The CNI used.
    cni:
      name: flannel # Name of CNI to use.
    dnsDomain: cluster.local # The domain used by Kubernetes DNS.
    # The pod subnet CIDR.
    podSubnets:
      - 10.244.0.0/16
    # The service subnet CIDR.
    serviceSubnets:
      - 10.96.0.0/12
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| cni | CNIConfig | | |
| dnsDomain | string | | |
| podSubnets | []string | The pod subnet CIDR. | |
| serviceSubnets | []string | The service subnet CIDR. | |
cni
CNIConfig represents the CNI configuration options.
```yaml
cluster:
  network:
    cni:
      name: custom # Name of CNI to use.
      # URLs containing manifests to apply for the CNI.
      urls:
        - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| name | string | Name of CNI to use. | flannel, custom, none |
| urls | []string | | |
| flannel | FlannelCNIConfig | | |
flannel
FlannelCNIConfig represents the Flannel CNI configuration options.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| extraArgs | []string | Extra arguments for `flanneld`. | |
apiServer
APIServerConfig represents the kube apiserver configuration options.
```yaml
cluster:
  apiServer:
    image: registry.k8s.io/kube-apiserver:v1.30.5 # The container image used in the API server manifest.
    # Extra arguments to supply to the API server.
    extraArgs:
      feature-gates: ServerSideApply=true
      http2-max-streams-per-connection: "32"
    # Extra certificate subject alternative names for the API server's certificate.
    certSANs:
      - 1.2.3.4
      - 4.5.6.7
    # # Configure the API server admission plugins.
    # admissionControl:
    #   - name: PodSecurity # Name is the name of the admission controller.
    #     # Configuration is an embedded configuration object to be used as the plugin's
    #     configuration:
    #       apiVersion: pod-security.admission.config.k8s.io/v1alpha1
    #       defaults:
    #         audit: restricted
    #         audit-version: latest
    #         enforce: baseline
    #         enforce-version: latest
    #         warn: restricted
    #         warn-version: latest
    #       exemptions:
    #         namespaces:
    #           - kube-system
    #         runtimeClasses: []
    #         usernames: []
    #       kind: PodSecurityConfiguration
    # # Configure the API server audit policy.
    # auditPolicy:
    #   apiVersion: audit.k8s.io/v1
    #   kind: Policy
    #   rules:
    #     - level: Metadata
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| image | string | The container image used in the API server manifest. | |
| extraArgs | map[string]string | Extra arguments to supply to the API server. | |
| extraVolumes | VolumeMountConfig | Extra volumes to mount to the API server static pod. | |
| env | Env | The env field allows for the addition of environment variables for the control plane component. | |
| certSANs | []string | Extra certificate subject alternative names for the API server's certificate. | |
| disablePodSecurityPolicy | bool | Disable PodSecurityPolicy in the API server and default manifests. | |
| admissionControl | AdmissionPluginConfig | Configure the API server admission plugins. | |
| auditPolicy | Unstructured | Configure the API server audit policy. | |
| resources | ResourcesConfig | Configure the API server resources. | |
extraVolumes[]
VolumeMountConfig struct describes an extra volume mount for the static pods.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| hostPath | string | Path on the host. | |
| mountPath | string | Path in the container. | |
| readonly | bool | Mount the volume read only. | |
admissionControl[]
AdmissionPluginConfig represents the API server admission plugin configuration.
```yaml
cluster:
  apiServer:
    admissionControl:
      - name: PodSecurity # Name is the name of the admission controller.
        # Configuration is an embedded configuration object to be used as the plugin's
        configuration:
          apiVersion: pod-security.admission.config.k8s.io/v1alpha1
          defaults:
            audit: restricted
            audit-version: latest
            enforce: baseline
            enforce-version: latest
            warn: restricted
            warn-version: latest
          exemptions:
            namespaces:
              - kube-system
            runtimeClasses: []
            usernames: []
          kind: PodSecurityConfiguration
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| name | string | | |
| configuration | Unstructured | | |
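An added audit over several of the settings documented above (registry TLS under `machine.registries.config`, the `systemDiskEncryption` key types, `kubernetesTalosAPIAccess` roles, and the PodSecurity admission defaults); this is example code, not part of Talos or of this reference. It assumes the YAML has already been parsed into Python dicts (for instance with PyYAML), and the "safe" enforce levels and the least-privilege role set are policy assumptions of the example, as is the `os:admin` role in the constructed sample.

```python
# Added example (not Talos code): audit a Talos machine config, already parsed into
# Python dicts (e.g. by PyYAML), for weak settings documented in this reference.

# Policy assumptions of this example; the reference itself does not rank these.
SAFE_PODSECURITY_LEVELS = {"baseline", "restricted"}
LEAST_PRIVILEGE_TALOS_ROLES = {"os:reader"}


def _get(node, *path, default=None):
    """Walk nested dicts along `path`; return `default` if any key is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit_registries(cfg):
    """machine.registries.config.*.tls: flag disabled server certificate verification."""
    findings = []
    for host, reg in (_get(cfg, "machine", "registries", "config") or {}).items():
        if _get(reg, "tls", "insecureSkipVerify") is True:
            findings.append(f"machine.registries.config.{host}.tls.insecureSkipVerify: verification disabled")
    return findings


def audit_disk_encryption(cfg):
    """machine.systemDiskEncryption: both partitions encrypted, no static passphrase in the config."""
    findings = []
    enc = _get(cfg, "machine", "systemDiskEncryption") or {}
    for part in ("state", "ephemeral"):
        pcfg = enc.get(part)
        if not pcfg:
            findings.append(f"machine.systemDiskEncryption.{part}: partition not encrypted")
            continue
        for i, key in enumerate(pcfg.get("keys") or []):
            if "static" in key:  # throw-away key type; nodeID, kms and tpm keys are not flagged
                findings.append(f"machine.systemDiskEncryption.{part}.keys[{i}]: static passphrase in config")
    return findings


def audit_features(cfg):
    """machine.features: RBAC on, and pod access to the Talos API limited to os:reader."""
    findings = []
    feats = _get(cfg, "machine", "features") or {}
    if feats.get("rbac") is not True:
        findings.append("machine.features.rbac: RBAC for the Talos API is not enabled")
    access = feats.get("kubernetesTalosAPIAccess") or {}
    if access.get("enabled"):
        extra = sorted(set(access.get("allowedRoles") or []) - LEAST_PRIVILEGE_TALOS_ROLES)
        if extra:
            findings.append(f"machine.features.kubernetesTalosAPIAccess.allowedRoles: grants {extra} to pods")
    return findings


def audit_api_server(cfg):
    """cluster.apiServer.admissionControl: PodSecurity present with a safe enforce default."""
    plugins = _get(cfg, "cluster", "apiServer", "admissionControl") or []
    pod_sec = [p for p in plugins if p.get("name") == "PodSecurity"]
    if not pod_sec:
        return ["cluster.apiServer.admissionControl: no PodSecurity plugin configured"]
    enforce = _get(pod_sec[0], "configuration", "defaults", "enforce")
    if enforce not in SAFE_PODSECURITY_LEVELS:
        return [f"cluster.apiServer.admissionControl[PodSecurity].defaults.enforce: {enforce!r}"]
    return []


def audit(cfg):
    """Run every check; each finding names the config path it concerns."""
    return audit_registries(cfg) + audit_disk_encryption(cfg) + audit_features(cfg) + audit_api_server(cfg)


# Constructed sample: the parsed form of a config mixing settings shown in this reference.
SAMPLE_CONFIG = {
    "machine": {
        "registries": {"config": {"registry.insecure": {"tls": {"insecureSkipVerify": True}},
                                  "example.com": {"tls": {"clientIdentity": {"crt": "...", "key": "..."}}}}},
        "systemDiskEncryption": {
            "ephemeral": {"provider": "luks2", "keys": [{"nodeID": {}, "slot": 0}]},
            "state": {"provider": "luks2", "keys": [{"static": {"passphrase": "changeme"}, "slot": 0}]},
        },
        "features": {"rbac": True, "kubernetesTalosAPIAccess": {
            "enabled": True, "allowedRoles": ["os:reader", "os:admin"],
            "allowedKubernetesNamespaces": ["kube-system"]}},
    },
    "cluster": {"apiServer": {"admissionControl": [
        {"name": "PodSecurity", "configuration": {"defaults": {"enforce": "privileged"}}}]}},
}
```

`audit(SAMPLE_CONFIG)` returns four findings (the skipped registry verification, the static state-partition passphrase, the extra `os:admin` role, and the privileged PodSecurity default); an empty config also yields four, since both partitions are unencrypted, RBAC is off and no PodSecurity plugin is configured.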
resources
ResourcesConfig represents the pod resources.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| requests | Unstructured | Requests configures the reserved cpu/memory resources. | |
| limits | Unstructured | Limits configures the maximum cpu/memory resources a container can use. | |
controllerManager
ControllerManagerConfig represents the kube controller manager configuration options.
```yaml
cluster:
  controllerManager:
    image: registry.k8s.io/kube-controller-manager:v1.30.5 # The container image used in the controller manager manifest.
    # Extra arguments to supply to the controller manager.
    extraArgs:
      feature-gates: ServerSideApply=true
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| image | string | The container image used in the controller manager manifest. | |
| extraArgs | map[string]string | Extra arguments to supply to the controller manager. | |
| extraVolumes | VolumeMountConfig | Extra volumes to mount to the controller manager static pod. | |
| env | Env | The env field allows for the addition of environment variables for the control plane component. | |
| resources | ResourcesConfig | Configure the controller manager resources. | |
extraVolumes[]
VolumeMountConfig struct describes an extra volume mount for the static pods.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| hostPath | string | Path on the host. | |
| mountPath | string | Path in the container. | |
| readonly | bool | Mount the volume read only. | |
resources
ResourcesConfig represents the pod resources.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| requests | Unstructured | Requests configures the reserved cpu/memory resources. | |
| limits | Unstructured | Limits configures the maximum cpu/memory resources a container can use. | |
proxy
ProxyConfig represents the kube proxy configuration options.
```yaml
cluster:
  proxy:
    image: registry.k8s.io/kube-proxy:v1.30.5 # The container image used in the kube-proxy manifest.
    mode: ipvs # proxy mode of kube-proxy.
    # Extra arguments to supply to kube-proxy.
    extraArgs:
      proxy-mode: iptables
    # # Disable kube-proxy deployment on cluster bootstrap.
    # disabled: false
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| disabled | bool | Disable kube-proxy deployment on cluster bootstrap. | |
| image | string | The container image used in the kube-proxy manifest. | |
| mode | string | | |
| extraArgs | map[string]string | Extra arguments to supply to kube-proxy. | |
scheduler
SchedulerConfig represents the kube scheduler configuration options.
```yaml
cluster:
  scheduler:
    image: registry.k8s.io/kube-scheduler:v1.30.5 # The container image used in the scheduler manifest.
    # Extra arguments to supply to the scheduler.
    extraArgs:
      feature-gates: AllBeta=true
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| image | string | The container image used in the scheduler manifest. | |
| extraArgs | map[string]string | Extra arguments to supply to the scheduler. | |
| extraVolumes | VolumeMountConfig | Extra volumes to mount to the scheduler static pod. | |
| env | Env | The env field allows for the addition of environment variables for the control plane component. | |
| resources | ResourcesConfig | Configure the scheduler resources. | |
| config | Unstructured | Specify custom kube-scheduler configuration. | |
extraVolumes[]
VolumeMountConfig struct describes an extra volume mount for the static pods.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| hostPath | string | Path on the host. | |
| mountPath | string | Path in the container. | |
| readonly | bool | Mount the volume read only. | |
resources
ResourcesConfig represents the pod resources.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| requests | Unstructured | Requests configures the reserved cpu/memory resources. | |
| limits | Unstructured | Limits configures the maximum cpu/memory resources a container can use. | |
discovery
ClusterDiscoveryConfig struct configures cluster membership discovery.
```yaml
cluster:
  discovery:
    enabled: true # Enable the cluster membership discovery feature.
    # Configure registries used for cluster member discovery.
    registries:
      # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
      kubernetes: {}
      # Service registry is using an external service to push and pull information about cluster members.
      service:
        endpoint: https://discovery.talos.dev/ # External service endpoint.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| enabled | bool | | |
| registries | DiscoveryRegistriesConfig | Configure registries used for cluster member discovery. | |
registries
DiscoveryRegistriesConfig struct configures cluster membership discovery.
kubernetes
RegistryKubernetesConfig struct configures the Kubernetes discovery registry.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| disabled | bool | Disable Kubernetes discovery registry. | |
service
RegistryServiceConfig struct configures the external service discovery registry.
| Field | Type | Description | Value(s) |
|---|---|---|---|
| disabled | bool | Disable external service discovery registry. | |
| endpoint | string | External service endpoint. | |
etcd
EtcdConfig represents the etcd configuration options.
```yaml
cluster:
  etcd:
    image: gcr.io/etcd-development/etcd:v3.5.13 # The container image used to create the etcd service.
    # The `ca` is the root certificate authority of the PKI.
    ca:
      crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
      key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
    # Extra arguments to supply to etcd.
    extraArgs:
      election-timeout: "5000"
    # # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
    # advertisedSubnets:
    #   - 10.0.0.0/8
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| image | string | The container image used to create the etcd service. | |
| ca | PEMEncodedCertificateAndKey | | |
| extraArgs | map[string]string | | |
| advertisedSubnets | []string | | |
| listenSubnets | []string | | |
coreDNS
CoreDNS represents the CoreDNS config values.
```yaml
cluster:
  coreDNS:
    image: registry.k8s.io/coredns/coredns:v1.11.1 # The `image` field is an override to the default coredns image.
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| disabled | bool | Disable coredns deployment on cluster bootstrap. | |
| image | string | The `image` field is an override to the default coredns image. | |
externalCloudProvider
ExternalCloudProviderConfig contains external cloud provider configuration.
```yaml
cluster:
  externalCloudProvider:
    enabled: true # Enable external cloud provider.
    # A list of urls that point to additional manifests for an external cloud provider.
    manifests:
      - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
      - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| enabled | bool | Enable external cloud provider. | true, yes, false, no |
| manifests | []string | | |
inlineManifests[]
ClusterInlineManifest struct describes inline bootstrap manifests for the user.
```yaml
cluster:
  inlineManifests:
    - name: namespace-ci # Name of the manifest.
      contents: |- # Manifest contents as a string.
        apiVersion: v1
        kind: Namespace
        metadata:
          name: ci
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| name | string | | |
| contents | string | Manifest contents as a string. | |
adminKubeconfig
AdminKubeconfigConfig contains admin kubeconfig settings.
```yaml
cluster:
  adminKubeconfig:
    certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).
```
| Field | Type | Description | Value(s) |
|---|---|---|---|
| certLifetime | Duration | | |