1 - API

Talos gRPC API reference.

Table of Contents

Top

common/common.proto

Data

FieldTypeLabelDescription
metadataMetadata
bytesbytes

DataResponse

FieldTypeLabelDescription
messagesDatarepeated

Empty

FieldTypeLabelDescription
metadataMetadata

EmptyResponse

FieldTypeLabelDescription
messagesEmptyrepeated

Error

FieldTypeLabelDescription
codeCode
messagestring
detailsgoogle.protobuf.Anyrepeated

Metadata

Common metadata message nested in all reply message types

FieldTypeLabelDescription
hostnamestringhostname of the server response comes from (injected by proxy)
errorstringerror is set if request failed to the upstream (rest of response is undefined)
statusgoogle.rpc.Statuserror as gRPC Status

NetIP

FieldTypeLabelDescription
ipbytes

NetIPPort

FieldTypeLabelDescription
ipbytes
portint32

NetIPPrefix

FieldTypeLabelDescription
ipbytes
prefix_lengthint32

PEMEncodedCertificate

FieldTypeLabelDescription
crtbytes

PEMEncodedCertificateAndKey

FieldTypeLabelDescription
crtbytes
keybytes

PEMEncodedKey

FieldTypeLabelDescription
keybytes

URL

FieldTypeLabelDescription
full_pathstring

Code

NameNumberDescription
FATAL0
LOCKED1
CANCELED2

ContainerDriver

NameNumberDescription
CONTAINERD0
CRI1

ContainerdNamespace

NameNumberDescription
NS_UNKNOWN0
NS_SYSTEM1
NS_CRI2

File-level Extensions

ExtensionTypeBaseNumberDescription
remove_deprecated_enumstring.google.protobuf.EnumOptions93117Indicates the Talos version when this deprecated enum will be removed from API.
remove_deprecated_enum_valuestring.google.protobuf.EnumValueOptions93117Indicates the Talos version when this deprecated enum value will be removed from API.
remove_deprecated_fieldstring.google.protobuf.FieldOptions93117Indicates the Talos version when this deprecated filed will be removed from API.
remove_deprecated_messagestring.google.protobuf.MessageOptions93117Indicates the Talos version when this deprecated message will be removed from API.
remove_deprecated_methodstring.google.protobuf.MethodOptions93117Indicates the Talos version when this deprecated method will be removed from API.
remove_deprecated_servicestring.google.protobuf.ServiceOptions93117Indicates the Talos version when this deprecated service will be removed from API.

Top

resource/definitions/block/block.proto

DeviceSpec

DeviceSpec is the spec for devices status.

FieldTypeLabelDescription
typestring
majorint64
minorint64
partition_namestring
partition_numberint64
generationint64
device_pathstring
parentstring
secondariesstringrepeated

DiscoveredVolumeSpec

DiscoveredVolumeSpec is the spec for DiscoveredVolumes resource.

FieldTypeLabelDescription
sizeuint64
sector_sizeuint64
io_sizeuint64
namestring
uuidstring
labelstring
block_sizeuint32
filesystem_block_sizeuint32
probed_sizeuint64
partition_uuidstring
partition_typestring
partition_labelstring
partition_indexuint64
typestring
device_pathstring
parentstring
dev_pathstring
parent_dev_pathstring
pretty_sizestring

DiscoveryRefreshRequestSpec

DiscoveryRefreshRequestSpec is the spec for DiscoveryRefreshRequest.

FieldTypeLabelDescription
requestint64

DiscoveryRefreshStatusSpec

DiscoveryRefreshStatusSpec is the spec for DiscoveryRefreshStatus status.

FieldTypeLabelDescription
requestint64

DiskSelector

DiskSelector selects a disk for the volume.

FieldTypeLabelDescription
matchgoogle.api.expr.v1alpha1.CheckedExpr

DiskSpec

DiskSpec is the spec for Disks status.

FieldTypeLabelDescription
sizeuint64
io_sizeuint64
sector_sizeuint64
readonlybool
modelstring
serialstring
modaliasstring
wwidstring
bus_pathstring
sub_systemstring
transportstring
rotationalbool
cdrombool
dev_pathstring
pretty_sizestring
secondary_disksstringrepeated

EncryptionKey

EncryptionKey is the spec for volume encryption key.

FieldTypeLabelDescription
slotint64
typetalos.resource.definitions.enums.BlockEncryptionKeyType
static_passphrasebytes
kms_endpointstring
tpm_check_secureboot_status_on_enrollbool

EncryptionSpec

EncryptionSpec is the spec for volume encryption.

FieldTypeLabelDescription
providertalos.resource.definitions.enums.BlockEncryptionProviderType
keysEncryptionKeyrepeated
cipherstring
key_sizeuint64
block_sizeuint64
perf_optionsstringrepeated

FilesystemSpec

FilesystemSpec is the spec for volume filesystem.

FieldTypeLabelDescription
typetalos.resource.definitions.enums.BlockFilesystemType
labelstring

LocatorSpec

LocatorSpec is the spec for volume locator.

FieldTypeLabelDescription
matchgoogle.api.expr.v1alpha1.CheckedExpr

MountSpec

MountSpec is the spec for volume mount.

FieldTypeLabelDescription
target_pathstring
selinux_labelstring

PartitionSpec

PartitionSpec is the spec for volume partitioning.

FieldTypeLabelDescription
min_sizeuint64
max_sizeuint64
growbool
labelstring
type_uuidstring

ProvisioningSpec

ProvisioningSpec is the spec for volume provisioning.

FieldTypeLabelDescription
disk_selectorDiskSelector
partition_specPartitionSpec
waveint64
filesystem_specFilesystemSpec

SystemDiskSpec

SystemDiskSpec is the spec for SystemDisks resource.

FieldTypeLabelDescription
disk_idstring
dev_pathstring

UserDiskConfigStatusSpec

UserDiskConfigStatusSpec is the spec for UserDiskConfigStatus resource.

FieldTypeLabelDescription
readybool

VolumeConfigSpec

VolumeConfigSpec is the spec for VolumeConfig resource.

FieldTypeLabelDescription
parent_idstring
typetalos.resource.definitions.enums.BlockVolumeType
provisioningProvisioningSpec
locatorLocatorSpec
mountMountSpec
encryptionEncryptionSpec

VolumeStatusSpec

VolumeStatusSpec is the spec for VolumeStatus resource.

FieldTypeLabelDescription
phasetalos.resource.definitions.enums.BlockVolumePhase
locationstring
error_messagestring
uuidstring
partition_uuidstring
pre_fail_phasetalos.resource.definitions.enums.BlockVolumePhase
parent_locationstring
partition_indexint64
sizeuint64
filesystemtalos.resource.definitions.enums.BlockFilesystemType
mount_locationstring
encryption_providertalos.resource.definitions.enums.BlockEncryptionProviderType
pretty_sizestring
encryption_failed_syncsstringrepeated

Top

resource/definitions/cluster/cluster.proto

AffiliateSpec

AffiliateSpec describes Affiliate state.

FieldTypeLabelDescription
node_idstring
addressescommon.NetIPrepeated
hostnamestring
nodenamestring
operating_systemstring
machine_typetalos.resource.definitions.enums.MachineType
kube_spanKubeSpanAffiliateSpec
control_planeControlPlane

ConfigSpec

ConfigSpec describes KubeSpan configuration.

FieldTypeLabelDescription
discovery_enabledbool
registry_kubernetes_enabledbool
registry_service_enabledbool
service_endpointstring
service_endpoint_insecurebool
service_encryption_keybytes
service_cluster_idstring

ControlPlane

ControlPlane describes ControlPlane data if any.

FieldTypeLabelDescription
api_server_portint64

IdentitySpec

IdentitySpec describes status of rendered secrets.

Note: IdentitySpec is persisted on disk in the STATE partition, so YAML serialization should be kept backwards compatible.

FieldTypeLabelDescription
node_idstring

InfoSpec

InfoSpec describes cluster information.

FieldTypeLabelDescription
cluster_idstring
cluster_namestring

KubeSpanAffiliateSpec

KubeSpanAffiliateSpec describes additional information specific for the KubeSpan.

FieldTypeLabelDescription
public_keystring
addresscommon.NetIP
additional_addressescommon.NetIPPrefixrepeated
endpointscommon.NetIPPortrepeated

MemberSpec

MemberSpec describes Member state.

FieldTypeLabelDescription
node_idstring
addressescommon.NetIPrepeated
hostnamestring
machine_typetalos.resource.definitions.enums.MachineType
operating_systemstring
control_planeControlPlane

Top

resource/definitions/cri/cri.proto

ImageCacheConfigSpec

ImageCacheConfigSpec represents the ImageCacheConfig.

FieldTypeLabelDescription
statustalos.resource.definitions.enums.CriImageCacheStatus
rootsstringrepeated
copy_statustalos.resource.definitions.enums.CriImageCacheCopyStatus

RegistriesConfigSpec

RegistriesConfigSpec describes status of rendered secrets.

FieldTypeLabelDescription
registry_mirrorsRegistriesConfigSpec.RegistryMirrorsEntryrepeated
registry_configRegistriesConfigSpec.RegistryConfigEntryrepeated

RegistriesConfigSpec.RegistryConfigEntry

FieldTypeLabelDescription
keystring
valueRegistryConfig

RegistriesConfigSpec.RegistryMirrorsEntry

FieldTypeLabelDescription
keystring
valueRegistryMirrorConfig

RegistryAuthConfig

RegistryAuthConfig specifies authentication configuration for a registry.

FieldTypeLabelDescription
registry_usernamestring
registry_passwordstring
registry_authstring
registry_identity_tokenstring

RegistryConfig

RegistryConfig specifies auth & TLS config per registry.

FieldTypeLabelDescription
registry_tlsRegistryTLSConfig
registry_authRegistryAuthConfig

RegistryMirrorConfig

RegistryMirrorConfig represents mirror configuration for a registry.

FieldTypeLabelDescription
mirror_endpointsstringrepeated
mirror_override_pathbool
mirror_skip_fallbackbool

RegistryTLSConfig

RegistryTLSConfig specifies TLS config for HTTPS registries.

FieldTypeLabelDescription
tls_client_identitycommon.PEMEncodedCertificateAndKey
tlscabytes
tls_insecure_skip_verifybool

SeccompProfileSpec

SeccompProfileSpec represents the SeccompProfile.

FieldTypeLabelDescription
namestring
valuegoogle.protobuf.Struct

Top

resource/definitions/enums/enums.proto

BlockEncryptionKeyType

BlockEncryptionKeyType describes encryption key type.

NameNumberDescription
ENCRYPTION_KEY_STATIC0
ENCRYPTION_KEY_NODE_ID1
ENCRYPTION_KEY_KMS2
ENCRYPTION_KEY_TPM3

BlockEncryptionProviderType

BlockEncryptionProviderType describes encryption provider type.

NameNumberDescription
ENCRYPTION_PROVIDER_NONE0
ENCRYPTION_PROVIDER_LUKS21

BlockFilesystemType

BlockFilesystemType describes filesystem type.

NameNumberDescription
FILESYSTEM_TYPE_NONE0
FILESYSTEM_TYPE_XFS1
FILESYSTEM_TYPE_VFAT2
FILESYSTEM_TYPE_EXT43
FILESYSTEM_TYPE_ISO96604

BlockVolumePhase

BlockVolumePhase describes volume phase.

NameNumberDescription
VOLUME_PHASE_WAITING0
VOLUME_PHASE_FAILED1
VOLUME_PHASE_MISSING2
VOLUME_PHASE_LOCATED3
VOLUME_PHASE_PROVISIONED4
VOLUME_PHASE_PREPARED5
VOLUME_PHASE_READY6
VOLUME_PHASE_CLOSED7

BlockVolumeType

BlockVolumeType describes volume type.

NameNumberDescription
VOLUME_TYPE_PARTITION0
VOLUME_TYPE_DISK1
VOLUME_TYPE_TMPFS2

CriImageCacheCopyStatus

CriImageCacheCopyStatus describes image cache copy status type.

NameNumberDescription
IMAGE_CACHE_COPY_STATUS_UNKNOWN0
IMAGE_CACHE_COPY_STATUS_SKIPPED1
IMAGE_CACHE_COPY_STATUS_PENDING2
IMAGE_CACHE_COPY_STATUS_READY3

CriImageCacheStatus

CriImageCacheStatus describes image cache status type.

NameNumberDescription
IMAGE_CACHE_STATUS_UNKNOWN0
IMAGE_CACHE_STATUS_DISABLED1
IMAGE_CACHE_STATUS_PREPARING2
IMAGE_CACHE_STATUS_READY3

KubespanPeerState

KubespanPeerState is KubeSpan peer current state.

NameNumberDescription
PEER_STATE_UNKNOWN0
PEER_STATE_UP1
PEER_STATE_DOWN2

MachineType

MachineType represents a machine type.

NameNumberDescription
TYPE_UNKNOWN0TypeUnknown represents undefined node type, when there is no machine configuration yet.
TYPE_INIT1TypeInit type designates the first control plane node to come up. You can think of it like a bootstrap node. This node will perform the initial steps to bootstrap the cluster – generation of TLS assets, starting of the control plane, etc.
TYPE_CONTROL_PLANE2TypeControlPlane designates the node as a control plane member. This means it will host etcd along with the Kubernetes controlplane components such as API Server, Controller Manager, Scheduler.
TYPE_WORKER3TypeWorker designates the node as a worker node. This means it will be an available compute node for scheduling workloads.

NethelpersADSelect

NethelpersADSelect is ADSelect.

NameNumberDescription
AD_SELECT_STABLE0
AD_SELECT_BANDWIDTH1
AD_SELECT_COUNT2

NethelpersARPAllTargets

NethelpersARPAllTargets is an ARP targets mode.

NameNumberDescription
ARP_ALL_TARGETS_ANY0
ARP_ALL_TARGETS_ALL1

NethelpersARPValidate

NethelpersARPValidate is an ARP Validation mode.

NameNumberDescription
ARP_VALIDATE_NONE0
ARP_VALIDATE_ACTIVE1
ARP_VALIDATE_BACKUP2
ARP_VALIDATE_ALL3

NethelpersAddressFlag

NethelpersAddressFlag wraps IFF_* constants.

NameNumberDescription
NETHELPERS_ADDRESSFLAG_UNSPECIFIED0
ADDRESS_TEMPORARY1
ADDRESS_NO_DAD2
ADDRESS_OPTIMISTIC4
ADDRESS_DAD_FAILED8
ADDRESS_HOME16
ADDRESS_DEPRECATED32
ADDRESS_TENTATIVE64
ADDRESS_PERMANENT128
ADDRESS_MANAGEMENT_TEMP256
ADDRESS_NO_PREFIX_ROUTE512
ADDRESS_MC_AUTO_JOIN1024
ADDRESS_STABLE_PRIVACY2048

NethelpersAddressSortAlgorithm

NethelpersAddressSortAlgorithm is an internal address sorting algorithm.

NameNumberDescription
ADDRESS_SORT_ALGORITHM_V10
ADDRESS_SORT_ALGORITHM_V21

NethelpersBondMode

NethelpersBondMode is a bond mode.

NameNumberDescription
BOND_MODE_ROUNDROBIN0
BOND_MODE_ACTIVE_BACKUP1
BOND_MODE_XOR2
BOND_MODE_BROADCAST3
BOND_MODE8023_AD4
BOND_MODE_TLB5
BOND_MODE_ALB6

NethelpersBondXmitHashPolicy

NethelpersBondXmitHashPolicy is a bond hash policy.

NameNumberDescription
BOND_XMIT_POLICY_LAYER20
BOND_XMIT_POLICY_LAYER341
BOND_XMIT_POLICY_LAYER232
BOND_XMIT_POLICY_ENCAP233
BOND_XMIT_POLICY_ENCAP344

NethelpersConntrackState

NethelpersConntrackState is a conntrack state.

NameNumberDescription
NETHELPERS_CONNTRACKSTATE_UNSPECIFIED0
CONNTRACK_STATE_NEW8
CONNTRACK_STATE_RELATED4
CONNTRACK_STATE_ESTABLISHED2
CONNTRACK_STATE_INVALID1

NethelpersDuplex

NethelpersDuplex wraps ethtool.Duplex for YAML marshaling.

NameNumberDescription
HALF0
FULL1
UNKNOWN255

NethelpersFailOverMAC

NethelpersFailOverMAC is a MAC failover mode.

NameNumberDescription
FAIL_OVER_MAC_NONE0
FAIL_OVER_MAC_ACTIVE1
FAIL_OVER_MAC_FOLLOW2

NethelpersFamily

NethelpersFamily is a network family.

NameNumberDescription
NETHELPERS_FAMILY_UNSPECIFIED0
FAMILY_INET42
FAMILY_INET610

NethelpersLACPRate

NethelpersLACPRate is a LACP rate.

NameNumberDescription
LACP_RATE_SLOW0
LACP_RATE_FAST1

NethelpersLinkType

NethelpersLinkType is a link type.

NameNumberDescription
LINK_NETROM0
LINK_ETHER1
LINK_EETHER2
LINK_AX253
LINK_PRONET4
LINK_CHAOS5
LINK_IEE8026
LINK_ARCNET7
LINK_ATALK8
LINK_DLCI15
LINK_ATM19
LINK_METRICOM23
LINK_IEEE139424
LINK_EUI6427
LINK_INFINIBAND32
LINK_SLIP256
LINK_CSLIP257
LINK_SLIP6258
LINK_CSLIP6259
LINK_RSRVD260
LINK_ADAPT264
LINK_ROSE270
LINK_X25271
LINK_HWX25272
LINK_CAN280
LINK_PPP512
LINK_CISCO513
LINK_HDLC513
LINK_LAPB516
LINK_DDCMP517
LINK_RAWHDLC518
LINK_TUNNEL768
LINK_TUNNEL6769
LINK_FRAD770
LINK_SKIP771
LINK_LOOPBCK772
LINK_LOCALTLK773
LINK_FDDI774
LINK_BIF775
LINK_SIT776
LINK_IPDDP777
LINK_IPGRE778
LINK_PIMREG779
LINK_HIPPI780
LINK_ASH781
LINK_ECONET782
LINK_IRDA783
LINK_FCPP784
LINK_FCAL785
LINK_FCPL786
LINK_FCFABRIC787
LINK_FCFABRIC1788
LINK_FCFABRIC2789
LINK_FCFABRIC3790
LINK_FCFABRIC4791
LINK_FCFABRIC5792
LINK_FCFABRIC6793
LINK_FCFABRIC7794
LINK_FCFABRIC8795
LINK_FCFABRIC9796
LINK_FCFABRIC10797
LINK_FCFABRIC11798
LINK_FCFABRIC12799
LINK_IEE802TR800
LINK_IEE80211801
LINK_IEE80211PRISM802
LINK_IEE80211_RADIOTAP803
LINK_IEE8021154804
LINK_IEE8021154MONITOR805
LINK_PHONET820
LINK_PHONETPIPE821
LINK_CAIF822
LINK_IP6GRE823
LINK_NETLINK824
LINK6_LOWPAN825
LINK_VOID65535
LINK_NONE65534

NethelpersMatchOperator

NethelpersMatchOperator is a netfilter match operator.

NameNumberDescription
OPERATOR_EQUAL0
OPERATOR_NOT_EQUAL1

NethelpersNfTablesChainHook

NethelpersNfTablesChainHook wraps nftables.ChainHook for YAML marshaling.

NameNumberDescription
CHAIN_HOOK_PREROUTING0
CHAIN_HOOK_INPUT1
CHAIN_HOOK_FORWARD2
CHAIN_HOOK_OUTPUT3
CHAIN_HOOK_POSTROUTING4

NethelpersNfTablesChainPriority

NethelpersNfTablesChainPriority wraps nftables.ChainPriority for YAML marshaling.

NameNumberDescription
NETHELPERS_NFTABLESCHAINPRIORITY_UNSPECIFIED0
CHAIN_PRIORITY_FIRST-2147483648
CHAIN_PRIORITY_CONNTRACK_DEFRAG-400
CHAIN_PRIORITY_RAW-300
CHAIN_PRIORITY_SE_LINUX_FIRST-225
CHAIN_PRIORITY_CONNTRACK-200
CHAIN_PRIORITY_MANGLE-150
CHAIN_PRIORITY_NAT_DEST-100
CHAIN_PRIORITY_FILTER0
CHAIN_PRIORITY_SECURITY50
CHAIN_PRIORITY_NAT_SOURCE100
CHAIN_PRIORITY_SE_LINUX_LAST225
CHAIN_PRIORITY_CONNTRACK_HELPER300
CHAIN_PRIORITY_LAST2147483647

NethelpersNfTablesVerdict

NethelpersNfTablesVerdict wraps nftables.Verdict for YAML marshaling.

NameNumberDescription
VERDICT_DROP0
VERDICT_ACCEPT1

NethelpersOperationalState

NethelpersOperationalState wraps rtnetlink.OperationalState for YAML marshaling.

NameNumberDescription
OPER_STATE_UNKNOWN0
OPER_STATE_NOT_PRESENT1
OPER_STATE_DOWN2
OPER_STATE_LOWER_LAYER_DOWN3
OPER_STATE_TESTING4
OPER_STATE_DORMANT5
OPER_STATE_UP6

NethelpersPort

NethelpersPort wraps ethtool.Port for YAML marshaling.

NameNumberDescription
TWISTED_PAIR0
AUI1
MII2
FIBRE3
BNC4
DIRECT_ATTACH5
NONE239
OTHER255

NethelpersPrimaryReselect

NethelpersPrimaryReselect is an ARP targets mode.

NameNumberDescription
PRIMARY_RESELECT_ALWAYS0
PRIMARY_RESELECT_BETTER1
PRIMARY_RESELECT_FAILURE2

NethelpersProtocol

NethelpersProtocol is a inet protocol.

NameNumberDescription
NETHELPERS_PROTOCOL_UNSPECIFIED0
PROTOCOL_ICMP1
PROTOCOL_TCP6
PROTOCOL_UDP17
PROTOCOL_ICM_PV658

NethelpersRouteFlag

NethelpersRouteFlag wraps RTM_F_* constants.

NameNumberDescription
NETHELPERS_ROUTEFLAG_UNSPECIFIED0
ROUTE_NOTIFY256
ROUTE_CLONED512
ROUTE_EQUALIZE1024
ROUTE_PREFIX2048
ROUTE_LOOKUP_TABLE4096
ROUTE_FIB_MATCH8192
ROUTE_OFFLOAD16384
ROUTE_TRAP32768

NethelpersRouteProtocol

NethelpersRouteProtocol is a routing protocol.

NameNumberDescription
PROTOCOL_UNSPEC0
PROTOCOL_REDIRECT1
PROTOCOL_KERNEL2
PROTOCOL_BOOT3
PROTOCOL_STATIC4
PROTOCOL_RA9
PROTOCOL_MRT10
PROTOCOL_ZEBRA11
PROTOCOL_BIRD12
PROTOCOL_DNROUTED13
PROTOCOL_XORP14
PROTOCOL_NTK15
PROTOCOL_DHCP16
PROTOCOL_MRTD17
PROTOCOL_KEEPALIVED18
PROTOCOL_BABEL42
PROTOCOL_OPENR99
PROTOCOL_BGP186
PROTOCOL_ISIS187
PROTOCOL_OSPF188
PROTOCOL_RIP189
PROTOCOL_EIGRP192

NethelpersRouteType

NethelpersRouteType is a route type.

NameNumberDescription
TYPE_UNSPEC0
TYPE_UNICAST1
TYPE_LOCAL2
TYPE_BROADCAST3
TYPE_ANYCAST4
TYPE_MULTICAST5
TYPE_BLACKHOLE6
TYPE_UNREACHABLE7
TYPE_PROHIBIT8
TYPE_THROW9
TYPE_NAT10
TYPE_X_RESOLVE11

NethelpersRoutingTable

NethelpersRoutingTable is a routing table ID.

NameNumberDescription
TABLE_UNSPEC0
TABLE_DEFAULT253
TABLE_MAIN254
TABLE_LOCAL255

NethelpersScope

NethelpersScope is an address scope.

NameNumberDescription
SCOPE_GLOBAL0
SCOPE_SITE200
SCOPE_LINK253
SCOPE_HOST254
SCOPE_NOWHERE255

NethelpersVLANProtocol

NethelpersVLANProtocol is a VLAN protocol.

NameNumberDescription
NETHELPERS_VLANPROTOCOL_UNSPECIFIED0
VLAN_PROTOCOL8021_Q33024
VLAN_PROTOCOL8021_AD34984

NetworkConfigLayer

NetworkConfigLayer describes network configuration layers, with lowest priority first.

NameNumberDescription
CONFIG_DEFAULT0
CONFIG_CMDLINE1
CONFIG_PLATFORM2
CONFIG_OPERATOR3
CONFIG_MACHINE_CONFIGURATION4

NetworkOperator

NetworkOperator enumerates Talos network operators.

NameNumberDescription
OPERATOR_DHCP40
OPERATOR_DHCP61
OPERATOR_VIP2

RuntimeMachineStage

RuntimeMachineStage describes the stage of the machine boot/run process.

NameNumberDescription
MACHINE_STAGE_UNKNOWN0
MACHINE_STAGE_BOOTING1
MACHINE_STAGE_INSTALLING2
MACHINE_STAGE_MAINTENANCE3
MACHINE_STAGE_RUNNING4
MACHINE_STAGE_REBOOTING5
MACHINE_STAGE_SHUTTING_DOWN6
MACHINE_STAGE_RESETTING7
MACHINE_STAGE_UPGRADING8

Top

resource/definitions/etcd/etcd.proto

ConfigSpec

ConfigSpec describes (some) configuration settings of etcd.

FieldTypeLabelDescription
advertise_valid_subnetsstringrepeated
advertise_exclude_subnetsstringrepeated
imagestring
extra_argsConfigSpec.ExtraArgsEntryrepeated
listen_valid_subnetsstringrepeated
listen_exclude_subnetsstringrepeated

ConfigSpec.ExtraArgsEntry

FieldTypeLabelDescription
keystring
valuestring

MemberSpec

MemberSpec holds information about an etcd member.

FieldTypeLabelDescription
member_idstring

PKIStatusSpec

PKIStatusSpec describes status of rendered secrets.

FieldTypeLabelDescription
readybool
versionstring

SpecSpec

SpecSpec describes (some) Specuration settings of etcd.

FieldTypeLabelDescription
namestring
advertised_addressescommon.NetIPrepeated
imagestring
extra_argsSpecSpec.ExtraArgsEntryrepeated
listen_peer_addressescommon.NetIPrepeated
listen_client_addressescommon.NetIPrepeated

SpecSpec.ExtraArgsEntry

FieldTypeLabelDescription
keystring
valuestring

Top

resource/definitions/extensions/extensions.proto

Compatibility

Compatibility describes extension compatibility.

FieldTypeLabelDescription
talosConstraint

Constraint

Constraint describes compatibility constraint.

FieldTypeLabelDescription
versionstring

Layer

Layer defines overlay mount layer.

FieldTypeLabelDescription
imagestring
metadataMetadata

Metadata

Metadata describes base extension metadata.

FieldTypeLabelDescription
namestring
versionstring
authorstring
descriptionstring
compatibilityCompatibility
extra_infostring

Top

resource/definitions/files/files.proto

EtcFileSpecSpec

EtcFileSpecSpec describes status of rendered secrets.

FieldTypeLabelDescription
contentsbytes
modeuint32
selinux_labelstring

EtcFileStatusSpec

EtcFileStatusSpec describes status of rendered secrets.

FieldTypeLabelDescription
spec_versionstring

Top

resource/definitions/hardware/hardware.proto

MemoryModuleSpec

MemoryModuleSpec represents a single Memory.

FieldTypeLabelDescription
sizeuint32
device_locatorstring
bank_locatorstring
speeduint32
manufacturerstring
serial_numberstring
asset_tagstring
product_namestring

PCIDeviceSpec

PCIDeviceSpec represents a single processor.

FieldTypeLabelDescription
classstring
subclassstring
vendorstring
productstring
class_idstring
subclass_idstring
vendor_idstring
product_idstring

ProcessorSpec

ProcessorSpec represents a single processor.

FieldTypeLabelDescription
socketstring
manufacturerstring
product_namestring
max_speeduint32
boot_speeduint32
statusuint32
serial_numberstring
asset_tagstring
part_numberstring
core_countuint32
core_enableduint32
thread_countuint32

SystemInformationSpec

SystemInformationSpec represents the system information obtained from smbios.

FieldTypeLabelDescription
manufacturerstring
product_namestring
versionstring
serial_numberstring
uuidstring
wake_up_typestring
sku_numberstring

Top

resource/definitions/k8s/k8s.proto

APIServerConfigSpec

APIServerConfigSpec is configuration for kube-apiserver.

FieldTypeLabelDescription
imagestring
cloud_providerstring
control_plane_endpointstring
etcd_serversstringrepeated
local_portint64
service_cid_rsstringrepeated
extra_argsAPIServerConfigSpec.ExtraArgsEntryrepeated
extra_volumesExtraVolumerepeated
environment_variablesAPIServerConfigSpec.EnvironmentVariablesEntryrepeated
pod_security_policy_enabledbool
advertised_addressstring
resourcesResources

APIServerConfigSpec.EnvironmentVariablesEntry

FieldTypeLabelDescription
keystring
valuestring

APIServerConfigSpec.ExtraArgsEntry

FieldTypeLabelDescription
keystring
valuestring

AdmissionControlConfigSpec

AdmissionControlConfigSpec is configuration for kube-apiserver.

FieldTypeLabelDescription
configAdmissionPluginSpecrepeated

AdmissionPluginSpec

AdmissionPluginSpec is a single admission plugin configuration Admission Control plugins.

FieldTypeLabelDescription
namestring
configurationgoogle.protobuf.Struct

AuditPolicyConfigSpec

AuditPolicyConfigSpec is audit policy configuration for kube-apiserver.

FieldTypeLabelDescription
configgoogle.protobuf.Struct

AuthorizationAuthorizersSpec

AuthorizationAuthorizersSpec is a configuration of authorization authorizers.

FieldTypeLabelDescription
typestring
namestring
webhookgoogle.protobuf.Struct

AuthorizationConfigSpec

AuthorizationConfigSpec is authorization configuration for kube-apiserver.

FieldTypeLabelDescription
imagestring
configAuthorizationAuthorizersSpecrepeated

BootstrapManifestsConfigSpec

BootstrapManifestsConfigSpec is configuration for bootstrap manifests.

FieldTypeLabelDescription
serverstring
cluster_domainstring
pod_cid_rsstringrepeated
proxy_enabledbool
proxy_imagestring
proxy_argsstringrepeated
core_dns_enabledbool
core_dns_imagestring
dns_service_ipstring
dns_service_i_pv6string
flannel_enabledbool
flannel_imagestring
pod_security_policy_enabledbool
talos_api_service_enabledbool
flannel_extra_argsstringrepeated
flannel_kube_service_hoststring
flannel_kube_service_portstring

ConfigStatusSpec

ConfigStatusSpec describes status of rendered secrets.

FieldTypeLabelDescription
readybool
versionstring

ControllerManagerConfigSpec

ControllerManagerConfigSpec is configuration for kube-controller-manager.

FieldTypeLabelDescription
enabledbool
imagestring
cloud_providerstring
pod_cid_rsstringrepeated
service_cid_rsstringrepeated
extra_argsControllerManagerConfigSpec.ExtraArgsEntryrepeated
extra_volumesExtraVolumerepeated
environment_variablesControllerManagerConfigSpec.EnvironmentVariablesEntryrepeated
resourcesResources

ControllerManagerConfigSpec.EnvironmentVariablesEntry

FieldTypeLabelDescription
keystring
valuestring

ControllerManagerConfigSpec.ExtraArgsEntry

FieldTypeLabelDescription
keystring
valuestring

EndpointSpec

EndpointSpec describes status of rendered secrets.

FieldTypeLabelDescription
addressescommon.NetIPrepeated

ExtraManifest

ExtraManifest defines a single extra manifest to download.

FieldTypeLabelDescription
namestring
urlstring
prioritystring
extra_headersExtraManifest.ExtraHeadersEntryrepeated
inline_manifeststring

ExtraManifest.ExtraHeadersEntry

FieldTypeLabelDescription
keystring
valuestring

ExtraManifestsConfigSpec

ExtraManifestsConfigSpec is configuration for extra bootstrap manifests.

FieldTypeLabelDescription
extra_manifestsExtraManifestrepeated

ExtraVolume

ExtraVolume is a configuration of extra volume.

FieldTypeLabelDescription
namestring
host_pathstring
mount_pathstring
read_onlybool

KubePrismConfigSpec

KubePrismConfigSpec describes KubePrismConfig data.

FieldTypeLabelDescription
hoststring
portint64
endpointsKubePrismEndpointrepeated

KubePrismEndpoint

KubePrismEndpoint holds data for control plane endpoint.

FieldTypeLabelDescription
hoststring
portuint32

KubePrismEndpointsSpec

KubePrismEndpointsSpec describes KubePrismEndpoints configuration.

FieldTypeLabelDescription
endpointsKubePrismEndpointrepeated

KubePrismStatusesSpec

KubePrismStatusesSpec describes KubePrismStatuses data.

FieldTypeLabelDescription
hoststring
healthybool

KubeletConfigSpec

KubeletConfigSpec holds the source of kubelet configuration.

FieldTypeLabelDescription
imagestring
cluster_dnsstringrepeated
cluster_domainstring
extra_argsKubeletConfigSpec.ExtraArgsEntryrepeated
extra_mountstalos.resource.definitions.proto.Mountrepeated
extra_configgoogle.protobuf.Struct
cloud_provider_externalbool
default_runtime_seccomp_enabledbool
skip_node_registrationbool
static_pod_list_urlstring
disable_manifests_directorybool
enable_fs_quota_monitoringbool
credential_provider_configgoogle.protobuf.Struct
allow_scheduling_on_control_planebool

KubeletConfigSpec.ExtraArgsEntry

FieldTypeLabelDescription
keystring
valuestring

KubeletSpecSpec

KubeletSpecSpec holds the source of kubelet configuration.

FieldTypeLabelDescription
imagestring
argsstringrepeated
extra_mountstalos.resource.definitions.proto.Mountrepeated
expected_nodenamestring
configgoogle.protobuf.Struct
credential_provider_configgoogle.protobuf.Struct

ManifestSpec

ManifestSpec holds the Kubernetes resources spec.

FieldTypeLabelDescription
itemsSingleManifestrepeated

ManifestStatusSpec

ManifestStatusSpec describes manifest application status.

FieldTypeLabelDescription
manifests_appliedstringrepeated

NodeAnnotationSpecSpec

NodeAnnotationSpecSpec represents an annoation that’s attached to a Talos node.

FieldTypeLabelDescription
keystring
valuestring

NodeIPConfigSpec

NodeIPConfigSpec holds the Node IP specification.

FieldTypeLabelDescription
valid_subnetsstringrepeated
exclude_subnetsstringrepeated

NodeIPSpec

NodeIPSpec holds the Node IP specification.

FieldTypeLabelDescription
addressescommon.NetIPrepeated

NodeLabelSpecSpec

NodeLabelSpecSpec represents a label that’s attached to a Talos node.

FieldTypeLabelDescription
keystring
valuestring

NodeStatusSpec

NodeStatusSpec describes Kubernetes NodeStatus.

FieldTypeLabelDescription
nodenamestring
node_readybool
unschedulablebool
labelsNodeStatusSpec.LabelsEntryrepeated
annotationsNodeStatusSpec.AnnotationsEntryrepeated

NodeStatusSpec.AnnotationsEntry

FieldTypeLabelDescription
keystring
valuestring

NodeStatusSpec.LabelsEntry

FieldTypeLabelDescription
keystring
valuestring

NodeTaintSpecSpec

NodeTaintSpecSpec represents a label that’s attached to a Talos node.

FieldTypeLabelDescription
keystring
effectstring
valuestring

NodenameSpec

NodenameSpec describes Kubernetes nodename.

FieldTypeLabelDescription
nodenamestring
hostname_versionstring
skip_node_registrationbool

Resources

Resources is a configuration of cpu and memory resources.

FieldTypeLabelDescription
requestsResources.RequestsEntryrepeated
limitsResources.LimitsEntryrepeated

Resources.LimitsEntry

FieldTypeLabelDescription
keystring
valuestring

Resources.RequestsEntry

FieldTypeLabelDescription
keystring
valuestring

SchedulerConfigSpec

SchedulerConfigSpec is configuration for kube-scheduler.

FieldTypeLabelDescription
enabledbool
imagestring
extra_argsSchedulerConfigSpec.ExtraArgsEntryrepeated
extra_volumesExtraVolumerepeated
environment_variablesSchedulerConfigSpec.EnvironmentVariablesEntryrepeated
resourcesResources
configgoogle.protobuf.Struct

SchedulerConfigSpec.EnvironmentVariablesEntry

FieldTypeLabelDescription
keystring
valuestring

SchedulerConfigSpec.ExtraArgsEntry

FieldTypeLabelDescription
keystring
valuestring

SecretsStatusSpec

SecretsStatusSpec describes status of rendered secrets.

FieldTypeLabelDescription
readybool
versionstring

SingleManifest

SingleManifest is a single manifest.

FieldTypeLabelDescription
objectgoogle.protobuf.Struct

StaticPodServerStatusSpec

StaticPodServerStatusSpec describes static pod spec, it contains marshaled *v1.Pod spec.

FieldTypeLabelDescription
urlstring

StaticPodSpec

StaticPodSpec describes static pod spec, it contains marshaled *v1.Pod spec.

FieldTypeLabelDescription
podgoogle.protobuf.Struct

StaticPodStatusSpec

StaticPodStatusSpec describes kubelet static pod status.

FieldTypeLabelDescription
pod_statusgoogle.protobuf.Struct

Top

resource/definitions/kubeaccess/kubeaccess.proto

ConfigSpec

ConfigSpec describes KubeSpan configuration..

FieldTypeLabelDescription
enabledbool
allowed_api_rolesstringrepeated
allowed_kubernetes_namespacesstringrepeated

Top

resource/definitions/kubespan/kubespan.proto

ConfigSpec

ConfigSpec describes KubeSpan configuration..

FieldTypeLabelDescription
enabledbool
cluster_idstring
shared_secretstring
force_routingbool
advertise_kubernetes_networksbool
mtuuint32
endpoint_filtersstringrepeated
harvest_extra_endpointsbool
extra_endpointscommon.NetIPPortrepeated

EndpointSpec

EndpointSpec describes Endpoint state.

FieldTypeLabelDescription
affiliate_idstring
endpointcommon.NetIPPort

IdentitySpec

IdentitySpec describes KubeSpan keys and address.

Note: IdentitySpec is persisted on disk in the STATE partition, so YAML serialization should be kept backwards compatible.

FieldTypeLabelDescription
addresscommon.NetIPPrefix
subnetcommon.NetIPPrefix
private_keystring
public_keystring

PeerSpecSpec

PeerSpecSpec describes PeerSpec state.

FieldTypeLabelDescription
addresscommon.NetIP
allowed_ipscommon.NetIPPrefixrepeated
endpointscommon.NetIPPortrepeated
labelstring

PeerStatusSpec

PeerStatusSpec describes PeerStatus state.

FieldTypeLabelDescription
endpointcommon.NetIPPort
labelstring
statetalos.resource.definitions.enums.KubespanPeerState
receive_bytesint64
transmit_bytesint64
last_handshake_timegoogle.protobuf.Timestamp
last_used_endpointcommon.NetIPPort
last_endpoint_changegoogle.protobuf.Timestamp

Top

resource/definitions/network/network.proto

AddressSpecSpec

AddressSpecSpec describes status of rendered secrets.

FieldTypeLabelDescription
addresscommon.NetIPPrefix
link_namestring
familytalos.resource.definitions.enums.NethelpersFamily
scopetalos.resource.definitions.enums.NethelpersScope
flagsuint32
announce_with_arpbool
config_layertalos.resource.definitions.enums.NetworkConfigLayer

AddressStatusSpec

AddressStatusSpec describes status of rendered secrets.

FieldTypeLabelDescription
addresscommon.NetIPPrefix
localcommon.NetIP
broadcastcommon.NetIP
anycastcommon.NetIP
multicastcommon.NetIP
link_indexuint32
link_namestring
familytalos.resource.definitions.enums.NethelpersFamily
scopetalos.resource.definitions.enums.NethelpersScope
flagsuint32

BondMasterSpec

BondMasterSpec describes bond settings if Kind == “bond”.

FieldTypeLabelDescription
modetalos.resource.definitions.enums.NethelpersBondMode
hash_policytalos.resource.definitions.enums.NethelpersBondXmitHashPolicy
lacp_ratetalos.resource.definitions.enums.NethelpersLACPRate
arp_validatetalos.resource.definitions.enums.NethelpersARPValidate
arp_all_targetstalos.resource.definitions.enums.NethelpersARPAllTargets
primary_indexuint32
primary_reselecttalos.resource.definitions.enums.NethelpersPrimaryReselect
fail_over_mactalos.resource.definitions.enums.NethelpersFailOverMAC
ad_selecttalos.resource.definitions.enums.NethelpersADSelect
mii_monuint32
up_delayuint32
down_delayuint32
arp_intervaluint32
resend_igmpuint32
min_linksuint32
lp_intervaluint32
packets_per_slaveuint32
num_peer_notiffixed32
tlb_dynamic_lbfixed32
all_slaves_activefixed32
use_carrierbool
ad_actor_sys_priofixed32
ad_user_port_keyfixed32
peer_notify_delayuint32

BondSlave

BondSlave contains a bond’s master name and slave index.

FieldTypeLabelDescription
master_namestring
slave_indexint64

BridgeMasterSpec

BridgeMasterSpec describes bridge settings if Kind == “bridge”.

FieldTypeLabelDescription
stpSTPSpec
vlanBridgeVLANSpec

BridgeSlave

BridgeSlave contains the name of the master bridge of a bridged interface

FieldTypeLabelDescription
master_namestring

BridgeVLANSpec

BridgeVLANSpec describes VLAN settings of a bridge.

FieldTypeLabelDescription
filtering_enabledbool

DHCP4OperatorSpec

DHCP4OperatorSpec describes DHCP4 operator options.

FieldTypeLabelDescription
route_metricuint32
skip_hostname_requestbool

DHCP6OperatorSpec

DHCP6OperatorSpec describes DHCP6 operator options.

FieldTypeLabelDescription
duidstring
route_metricuint32
skip_hostname_requestbool

DNSResolveCacheSpec

DNSResolveCacheSpec describes DNS servers status.

FieldTypeLabelDescription
statusstring

HardwareAddrSpec

HardwareAddrSpec describes spec for the link.

FieldTypeLabelDescription
namestring
hardware_addrbytes

HostDNSConfigSpec

HostDNSConfigSpec describes host DNS config.

FieldTypeLabelDescription
enabledbool
listen_addressescommon.NetIPPortrepeated
service_host_dns_addresscommon.NetIP
resolve_member_namesbool

HostnameSpecSpec

HostnameSpecSpec describes node hostname.

FieldTypeLabelDescription
hostnamestring
domainnamestring
config_layertalos.resource.definitions.enums.NetworkConfigLayer

HostnameStatusSpec

HostnameStatusSpec describes node hostname.

FieldTypeLabelDescription
hostnamestring
domainnamestring

LinkRefreshSpec

LinkRefreshSpec describes status of rendered secrets.

FieldTypeLabelDescription
generationint64

LinkSpecSpec

LinkSpecSpec describes spec for the link.

FieldTypeLabelDescription
namestring
logicalbool
upbool
mtuuint32
kindstring
typetalos.resource.definitions.enums.NethelpersLinkType
parent_namestring
bond_slaveBondSlave
bridge_slaveBridgeSlave
vlanVLANSpec
bond_masterBondMasterSpec
bridge_masterBridgeMasterSpec
wireguardWireguardSpec
config_layertalos.resource.definitions.enums.NetworkConfigLayer

LinkStatusSpec

LinkStatusSpec describes status of rendered secrets.

FieldTypeLabelDescription
indexuint32
typetalos.resource.definitions.enums.NethelpersLinkType
link_indexuint32
flagsuint32
hardware_addrbytes
broadcast_addrbytes
mtuuint32
queue_discstring
master_indexuint32
operational_statetalos.resource.definitions.enums.NethelpersOperationalState
kindstring
slave_kindstring
bus_pathstring
pciidstring
driverstring
driver_versionstring
firmware_versionstring
product_idstring
vendor_idstring
productstring
vendorstring
link_statebool
speed_megabitsint64
porttalos.resource.definitions.enums.NethelpersPort
duplextalos.resource.definitions.enums.NethelpersDuplex
vlanVLANSpec
bridge_masterBridgeMasterSpec
bond_masterBondMasterSpec
wireguardWireguardSpec
permanent_addrbytes
aliasstring
alt_namesstringrepeated

NfTablesAddressMatch

NfTablesAddressMatch describes the match on the IP address.

FieldTypeLabelDescription
include_subnetscommon.NetIPPrefixrepeated
exclude_subnetscommon.NetIPPrefixrepeated
invertbool

NfTablesChainSpec

NfTablesChainSpec describes status of rendered secrets.

FieldTypeLabelDescription
typestring
hooktalos.resource.definitions.enums.NethelpersNfTablesChainHook
prioritytalos.resource.definitions.enums.NethelpersNfTablesChainPriority
rulesNfTablesRulerepeated
policytalos.resource.definitions.enums.NethelpersNfTablesVerdict

NfTablesClampMSS

NfTablesClampMSS describes the TCP MSS clamping operation.

MSS is limited by the MaxMTU so that:

  • IPv4: MSS = MaxMTU - 40
  • IPv6: MSS = MaxMTU - 60.
FieldTypeLabelDescription
mtufixed32

NfTablesConntrackStateMatch

NfTablesConntrackStateMatch describes the match on the connection tracking state.

FieldTypeLabelDescription
statestalos.resource.definitions.enums.NethelpersConntrackStaterepeated

NfTablesIfNameMatch

NfTablesIfNameMatch describes the match on the interface name.

FieldTypeLabelDescription
operatortalos.resource.definitions.enums.NethelpersMatchOperator
interface_namesstringrepeated

NfTablesLayer4Match

NfTablesLayer4Match describes the match on the transport layer protocol.

FieldTypeLabelDescription
protocoltalos.resource.definitions.enums.NethelpersProtocol
match_source_portNfTablesPortMatch
match_destination_portNfTablesPortMatch

NfTablesLimitMatch

NfTablesLimitMatch describes the match on the packet rate.

FieldTypeLabelDescription
packet_rate_per_seconduint64

NfTablesMark

NfTablesMark encodes packet mark match/update operation.

When used as a match computes the following condition: (mark & mask) ^ xor == value

When used as an update computes the following operation: mark = (mark & mask) ^ xor.

FieldTypeLabelDescription
maskuint32
xoruint32
valueuint32

NfTablesPortMatch

NfTablesPortMatch describes the match on the transport layer port.

FieldTypeLabelDescription
rangesPortRangerepeated

NfTablesRule

NfTablesRule describes a single rule in the nftables chain.

FieldTypeLabelDescription
match_o_if_nameNfTablesIfNameMatch
verdicttalos.resource.definitions.enums.NethelpersNfTablesVerdict
match_markNfTablesMark
set_markNfTablesMark
match_source_addressNfTablesAddressMatch
match_destination_addressNfTablesAddressMatch
match_layer4NfTablesLayer4Match
match_i_if_nameNfTablesIfNameMatch
clamp_mssNfTablesClampMSS
match_limitNfTablesLimitMatch
match_conntrack_stateNfTablesConntrackStateMatch
anon_counterbool

NodeAddressFilterSpec

NodeAddressFilterSpec describes a filter for NodeAddresses.

FieldTypeLabelDescription
include_subnetscommon.NetIPPrefixrepeated
exclude_subnetscommon.NetIPPrefixrepeated

NodeAddressSortAlgorithmSpec

NodeAddressSortAlgorithmSpec describes a filter for NodeAddresses.

FieldTypeLabelDescription
algorithmtalos.resource.definitions.enums.NethelpersAddressSortAlgorithm

NodeAddressSpec

NodeAddressSpec describes a set of node addresses.

FieldTypeLabelDescription
addressescommon.NetIPPrefixrepeated
sort_algorithmtalos.resource.definitions.enums.NethelpersAddressSortAlgorithm

OperatorSpecSpec

OperatorSpecSpec describes DNS resolvers.

FieldTypeLabelDescription
operatortalos.resource.definitions.enums.NetworkOperator
link_namestring
require_upbool
dhcp4DHCP4OperatorSpec
dhcp6DHCP6OperatorSpec
vipVIPOperatorSpec
config_layertalos.resource.definitions.enums.NetworkConfigLayer

PortRange

PortRange describes a range of ports.

Range is [lo, hi].

FieldTypeLabelDescription
lofixed32
hifixed32

ProbeSpecSpec

ProbeSpecSpec describes the Probe.

FieldTypeLabelDescription
intervalgoogle.protobuf.Duration
failure_thresholdint64
tcpTCPProbeSpec
config_layertalos.resource.definitions.enums.NetworkConfigLayer

ProbeStatusSpec

ProbeStatusSpec describes the Probe.

FieldTypeLabelDescription
successbool
last_errorstring

ResolverSpecSpec

ResolverSpecSpec describes DNS resolvers.

FieldTypeLabelDescription
dns_serverscommon.NetIPrepeated
config_layertalos.resource.definitions.enums.NetworkConfigLayer
search_domainsstringrepeated

ResolverStatusSpec

ResolverStatusSpec describes DNS resolvers.

FieldTypeLabelDescription
dns_serverscommon.NetIPrepeated
search_domainsstringrepeated

RouteSpecSpec

RouteSpecSpec describes the route.

FieldTypeLabelDescription
familytalos.resource.definitions.enums.NethelpersFamily
destinationcommon.NetIPPrefix
sourcecommon.NetIP
gatewaycommon.NetIP
out_link_namestring
tabletalos.resource.definitions.enums.NethelpersRoutingTable
priorityuint32
scopetalos.resource.definitions.enums.NethelpersScope
typetalos.resource.definitions.enums.NethelpersRouteType
flagsuint32
protocoltalos.resource.definitions.enums.NethelpersRouteProtocol
config_layertalos.resource.definitions.enums.NetworkConfigLayer
mtuuint32

RouteStatusSpec

RouteStatusSpec describes status of rendered secrets.

FieldTypeLabelDescription
familytalos.resource.definitions.enums.NethelpersFamily
destinationcommon.NetIPPrefix
sourcecommon.NetIP
gatewaycommon.NetIP
out_link_indexuint32
out_link_namestring
tabletalos.resource.definitions.enums.NethelpersRoutingTable
priorityuint32
scopetalos.resource.definitions.enums.NethelpersScope
typetalos.resource.definitions.enums.NethelpersRouteType
flagsuint32
protocoltalos.resource.definitions.enums.NethelpersRouteProtocol
mtuuint32

STPSpec

STPSpec describes Spanning Tree Protocol (STP) settings of a bridge.

FieldTypeLabelDescription
enabledbool

StatusSpec

StatusSpec describes network state.

FieldTypeLabelDescription
address_readybool
connectivity_readybool
hostname_readybool
etc_files_readybool

TCPProbeSpec

TCPProbeSpec describes the TCP Probe.

FieldTypeLabelDescription
endpointstring
timeoutgoogle.protobuf.Duration

TimeServerSpecSpec

TimeServerSpecSpec describes NTP servers.

FieldTypeLabelDescription
ntp_serversstringrepeated
config_layertalos.resource.definitions.enums.NetworkConfigLayer

TimeServerStatusSpec

TimeServerStatusSpec describes NTP servers.

FieldTypeLabelDescription
ntp_serversstringrepeated

VIPEquinixMetalSpec

VIPEquinixMetalSpec describes virtual (elastic) IP settings for Equinix Metal.

FieldTypeLabelDescription
project_idstring
device_idstring
api_tokenstring

VIPHCloudSpec

VIPHCloudSpec describes virtual (elastic) IP settings for Hetzner Cloud.

FieldTypeLabelDescription
device_idint64
network_idint64
api_tokenstring

VIPOperatorSpec

VIPOperatorSpec describes virtual IP operator options.

FieldTypeLabelDescription
ipcommon.NetIP
gratuitous_arpbool
equinix_metalVIPEquinixMetalSpec
h_cloudVIPHCloudSpec

VLANSpec

VLANSpec describes VLAN settings if Kind == “vlan”.

FieldTypeLabelDescription
vidfixed32
protocoltalos.resource.definitions.enums.NethelpersVLANProtocol

WireguardPeer

WireguardPeer describes a single peer.

FieldTypeLabelDescription
public_keystring
preshared_keystring
endpointstring
persistent_keepalive_intervalgoogle.protobuf.Duration
allowed_ipscommon.NetIPPrefixrepeated

WireguardSpec

WireguardSpec describes Wireguard settings if Kind == “wireguard”.

FieldTypeLabelDescription
private_keystring
public_keystring
listen_portint64
firewall_markint64
peersWireguardPeerrepeated

Top

resource/definitions/perf/perf.proto

CPUSpec

CPUSpec represents the last CPU stats snapshot.

FieldTypeLabelDescription
cpuCPUStatrepeated
cpu_totalCPUStat
irq_totaluint64
context_switchesuint64
process_createduint64
process_runninguint64
process_blockeduint64
soft_irq_totaluint64

CPUStat

CPUStat represents a single cpu stat.

FieldTypeLabelDescription
userdouble
nicedouble
systemdouble
idledouble
iowaitdouble
irqdouble
soft_irqdouble
stealdouble
guestdouble
guest_nicedouble

MemorySpec

MemorySpec represents the last Memory stats snapshot.

FieldTypeLabelDescription
mem_totaluint64
mem_useduint64
mem_availableuint64
buffersuint64
cacheduint64
swap_cacheduint64
activeuint64
inactiveuint64
active_anonuint64
inactive_anonuint64
active_fileuint64
inactive_fileuint64
unevictableuint64
mlockeduint64
swap_totaluint64
swap_freeuint64
dirtyuint64
writebackuint64
anon_pagesuint64
mappeduint64
shmemuint64
slabuint64
s_reclaimableuint64
s_unreclaimuint64
kernel_stackuint64
page_tablesuint64
nf_sunstableuint64
bounceuint64
writeback_tmpuint64
commit_limituint64
committed_asuint64
vmalloc_totaluint64
vmalloc_useduint64
vmalloc_chunkuint64
hardware_corrupteduint64
anon_huge_pagesuint64
shmem_huge_pagesuint64
shmem_pmd_mappeduint64
cma_totaluint64
cma_freeuint64
huge_pages_totaluint64
huge_pages_freeuint64
huge_pages_rsvduint64
huge_pages_surpuint64
hugepagesizeuint64
direct_map4kuint64
direct_map2muint64
direct_map1guint64

Top

resource/definitions/proto/proto.proto

LinuxIDMapping

LinuxIDMapping specifies UID/GID mappings.

FieldTypeLabelDescription
container_iduint32
host_iduint32
sizeuint32

Mount

Mount specifies a mount for a container.

FieldTypeLabelDescription
destinationstring
typestring
sourcestring
optionsstringrepeated
uid_mappingsLinuxIDMappingrepeated
gid_mappingsLinuxIDMappingrepeated

Top

resource/definitions/runtime/runtime.proto

DevicesStatusSpec

DevicesStatusSpec is the spec for devices status.

FieldTypeLabelDescription
readybool

DiagnosticSpec

DiagnosticSpec is the spec for devices status.

FieldTypeLabelDescription
messagestring
detailsstringrepeated

EventSinkConfigSpec

EventSinkConfigSpec describes configuration of Talos event log streaming.

FieldTypeLabelDescription
endpointstring

ExtensionServiceConfigFile

ExtensionServiceConfigFile describes extensions service config files.

FieldTypeLabelDescription
contentstring
mount_pathstring

ExtensionServiceConfigSpec

ExtensionServiceConfigSpec describes status of rendered extensions service config files.

FieldTypeLabelDescription
filesExtensionServiceConfigFilerepeated
environmentstringrepeated

ExtensionServiceConfigStatusSpec

ExtensionServiceConfigStatusSpec describes status of rendered extensions service config files.

FieldTypeLabelDescription
spec_versionstring

KernelModuleSpecSpec

KernelModuleSpecSpec describes Linux kernel module to load.

FieldTypeLabelDescription
namestring
parametersstringrepeated

KernelParamSpecSpec

KernelParamSpecSpec describes status of the defined sysctls.

FieldTypeLabelDescription
valuestring
ignore_errorsbool

KernelParamStatusSpec

KernelParamStatusSpec describes status of the defined sysctls.

FieldTypeLabelDescription
currentstring
defaultstring
unsupportedbool

KmsgLogConfigSpec

KmsgLogConfigSpec describes configuration for kmsg log streaming.

FieldTypeLabelDescription
destinationscommon.URLrepeated

MachineStatusSpec

MachineStatusSpec describes status of the defined sysctls.

FieldTypeLabelDescription
stagetalos.resource.definitions.enums.RuntimeMachineStage
statusMachineStatusStatus

MachineStatusStatus

MachineStatusStatus describes machine current status at the stage.

FieldTypeLabelDescription
readybool
unmet_conditionsUnmetConditionrepeated

MaintenanceServiceConfigSpec

MaintenanceServiceConfigSpec describes configuration for maintenance service API.

FieldTypeLabelDescription
listen_addressstring
reachable_addressescommon.NetIPrepeated

MetaKeySpec

MetaKeySpec describes status of the defined sysctls.

FieldTypeLabelDescription
valuestring

MetaLoadedSpec

MetaLoadedSpec is the spec for meta loaded. The Done field is always true when resource exists.

FieldTypeLabelDescription
donebool

MountStatusSpec

MountStatusSpec describes status of the defined sysctls.

FieldTypeLabelDescription
sourcestring
targetstring
filesystem_typestring
optionsstringrepeated
encryptedbool
encryption_providersstringrepeated

PlatformMetadataSpec

PlatformMetadataSpec describes platform metadata properties.

FieldTypeLabelDescription
platformstring
hostnamestring
regionstring
zonestring
instance_typestring
instance_idstring
provider_idstring
spotbool
internal_dnsstring
external_dnsstring

SecurityStateSpec

SecurityStateSpec describes the security state resource properties.

FieldTypeLabelDescription
secure_bootbool
uki_signing_key_fingerprintstring
pcr_signing_key_fingerprintstring

UniqueMachineTokenSpec

UniqueMachineTokenSpec is the spec for the machine unique token. Token can be empty if machine wasn’t assigned any.

FieldTypeLabelDescription
tokenstring

UnmetCondition

UnmetCondition is a failure which prevents machine from being ready at the stage.

FieldTypeLabelDescription
namestring
reasonstring

WatchdogTimerConfigSpec

WatchdogTimerConfigSpec describes configuration of watchdog timer.

FieldTypeLabelDescription
devicestring
timeoutgoogle.protobuf.Duration

WatchdogTimerStatusSpec

WatchdogTimerStatusSpec describes configuration of watchdog timer.

FieldTypeLabelDescription
devicestring
timeoutgoogle.protobuf.Duration
feed_intervalgoogle.protobuf.Duration

Top

resource/definitions/secrets/secrets.proto

APICertsSpec

APICertsSpec describes etcd certs secrets.

FieldTypeLabelDescription
clientcommon.PEMEncodedCertificateAndKey
servercommon.PEMEncodedCertificateAndKey
accepted_c_ascommon.PEMEncodedCertificaterepeated

CertSANSpec

CertSANSpec describes fields of the cert SANs.

FieldTypeLabelDescription
i_pscommon.NetIPrepeated
dns_namesstringrepeated
fqdnstring

EtcdCertsSpec

EtcdCertsSpec describes etcd certs secrets.

FieldTypeLabelDescription
etcdcommon.PEMEncodedCertificateAndKey
etcd_peercommon.PEMEncodedCertificateAndKey
etcd_admincommon.PEMEncodedCertificateAndKey
etcd_api_servercommon.PEMEncodedCertificateAndKey

EtcdRootSpec

EtcdRootSpec describes etcd CA secrets.

FieldTypeLabelDescription
etcd_cacommon.PEMEncodedCertificateAndKey

KubeletSpec

KubeletSpec describes root Kubernetes secrets.

FieldTypeLabelDescription
endpointcommon.URL
bootstrap_token_idstring
bootstrap_token_secretstring
accepted_c_ascommon.PEMEncodedCertificaterepeated

KubernetesCertsSpec

KubernetesCertsSpec describes generated Kubernetes certificates.

FieldTypeLabelDescription
scheduler_kubeconfigstring
controller_manager_kubeconfigstring
localhost_admin_kubeconfigstring
admin_kubeconfigstring

KubernetesDynamicCertsSpec

KubernetesDynamicCertsSpec describes generated KubernetesCerts certificates.

FieldTypeLabelDescription
api_servercommon.PEMEncodedCertificateAndKey
api_server_kubelet_clientcommon.PEMEncodedCertificateAndKey
front_proxycommon.PEMEncodedCertificateAndKey

KubernetesRootSpec

KubernetesRootSpec describes root Kubernetes secrets.

FieldTypeLabelDescription
namestring
endpointcommon.URL
local_endpointcommon.URL
cert_sa_nsstringrepeated
dns_domainstring
issuing_cacommon.PEMEncodedCertificateAndKey
service_accountcommon.PEMEncodedKey
aggregator_cacommon.PEMEncodedCertificateAndKey
aescbc_encryption_secretstring
bootstrap_token_idstring
bootstrap_token_secretstring
secretbox_encryption_secretstring
api_server_ipscommon.NetIPrepeated
accepted_c_ascommon.PEMEncodedCertificaterepeated

MaintenanceRootSpec

MaintenanceRootSpec describes maintenance service CA.

FieldTypeLabelDescription
cacommon.PEMEncodedCertificateAndKey

MaintenanceServiceCertsSpec

MaintenanceServiceCertsSpec describes maintenance service certs secrets.

FieldTypeLabelDescription
cacommon.PEMEncodedCertificateAndKey
servercommon.PEMEncodedCertificateAndKey

OSRootSpec

OSRootSpec describes operating system CA.

FieldTypeLabelDescription
issuing_cacommon.PEMEncodedCertificateAndKey
cert_sani_pscommon.NetIPrepeated
cert_sandns_namesstringrepeated
tokenstring
accepted_c_ascommon.PEMEncodedCertificaterepeated

TrustdCertsSpec

TrustdCertsSpec describes etcd certs secrets.

FieldTypeLabelDescription
servercommon.PEMEncodedCertificateAndKey
accepted_c_ascommon.PEMEncodedCertificaterepeated

Top

resource/definitions/siderolink/siderolink.proto

ConfigSpec

ConfigSpec describes Siderolink configuration.

FieldTypeLabelDescription
api_endpointstring
hoststring
join_tokenstring
insecurebool
tunnelbool

StatusSpec

StatusSpec describes Siderolink status.

FieldTypeLabelDescription
hoststring
connectedbool

TunnelSpec

TunnelSpec describes Siderolink GRPC Tunnel configuration.

FieldTypeLabelDescription
api_endpointstring
link_namestring
mtuint64
node_addresscommon.NetIPPort

Top

resource/definitions/time/time.proto

AdjtimeStatusSpec

AdjtimeStatusSpec describes Linux internal adjtime state.

FieldTypeLabelDescription
offsetgoogle.protobuf.Duration
frequency_adjustment_ratiodouble
max_errorgoogle.protobuf.Duration
est_errorgoogle.protobuf.Duration
statusstring
constantint64
sync_statusbool
statestring

StatusSpec

StatusSpec describes time sync state.

FieldTypeLabelDescription
syncedbool
epochint64
sync_disabledbool

Top

resource/definitions/v1alpha1/v1alpha1.proto

ServiceSpec

ServiceSpec describe service state.

FieldTypeLabelDescription
runningbool
healthybool
unknownbool

Top

inspect/inspect.proto

ControllerDependencyEdge

FieldTypeLabelDescription
controller_namestring
edge_typeDependencyEdgeType
resource_namespacestring
resource_typestring
resource_idstring

ControllerRuntimeDependenciesResponse

FieldTypeLabelDescription
messagesControllerRuntimeDependencyrepeated

ControllerRuntimeDependency

The ControllerRuntimeDependency message contains the graph of controller-resource dependencies.

FieldTypeLabelDescription
metadatacommon.Metadata
edgesControllerDependencyEdgerepeated

DependencyEdgeType

NameNumberDescription
OUTPUT_EXCLUSIVE0
OUTPUT_SHARED3
INPUT_STRONG1
INPUT_WEAK2
INPUT_DESTROY_READY4

InspectService

The inspect service definition.

InspectService provides auxiliary API to inspect OS internals.

Method NameRequest TypeResponse TypeDescription
ControllerRuntimeDependencies.google.protobuf.EmptyControllerRuntimeDependenciesResponse

Top

machine/machine.proto

AddressEvent

AddressEvent reports node endpoints aggregated from k8s.Endpoints and network.Hostname.

FieldTypeLabelDescription
hostnamestring
addressesstringrepeated

ApplyConfiguration

ApplyConfigurationResponse describes the response to a configuration request.

FieldTypeLabelDescription
metadatacommon.Metadata
warningsstringrepeatedConfiguration validation warnings.
modeApplyConfigurationRequest.ModeStates which mode was actually chosen.
mode_detailsstringHuman-readable message explaining the result of the apply configuration call.

ApplyConfigurationRequest

rpc applyConfiguration ApplyConfiguration describes a request to assert a new configuration upon a node.

FieldTypeLabelDescription
databytes
modeApplyConfigurationRequest.Mode
dry_runbool
try_mode_timeoutgoogle.protobuf.Duration

ApplyConfigurationResponse

FieldTypeLabelDescription
messagesApplyConfigurationrepeated

BPFInstruction

FieldTypeLabelDescription
opuint32
jtuint32
jfuint32
kuint32

Bootstrap

The bootstrap message containing the bootstrap status.

FieldTypeLabelDescription
metadatacommon.Metadata

BootstrapRequest

rpc Bootstrap

FieldTypeLabelDescription
recover_etcdboolEnable etcd recovery from the snapshot. Snapshot should be uploaded before this call via EtcdRecover RPC.
recover_skip_hash_checkboolSkip hash check on the snapshot (etcd). Enable this when recovering from data directory copy to skip integrity check.

BootstrapResponse

FieldTypeLabelDescription
messagesBootstraprepeated

CNIConfig

FieldTypeLabelDescription
namestring
urlsstringrepeated

CPUFreqStats

FieldTypeLabelDescription
current_frequencyuint64
minimum_frequencyuint64
maximum_frequencyuint64
governorstring

CPUFreqStatsResponse

FieldTypeLabelDescription
messagesCPUsFreqStatsrepeated

CPUInfo

FieldTypeLabelDescription
processoruint32
vendor_idstring
cpu_familystring
modelstring
model_namestring
steppingstring
microcodestring
cpu_mhzdouble
cache_sizestring
physical_idstring
siblingsuint32
core_idstring
cpu_coresuint32
apic_idstring
initial_apic_idstring
fpustring
fpu_exceptionstring
cpu_id_leveluint32
wpstring
flagsstringrepeated
bugsstringrepeated
bogo_mipsdouble
cl_flush_sizeuint32
cache_alignmentuint32
address_sizesstring
power_managementstring

CPUInfoResponse

FieldTypeLabelDescription
messagesCPUsInforepeated

CPUStat

FieldTypeLabelDescription
userdouble
nicedouble
systemdouble
idledouble
iowaitdouble
irqdouble
soft_irqdouble
stealdouble
guestdouble
guest_nicedouble

CPUsFreqStats

FieldTypeLabelDescription
metadatacommon.Metadata
cpu_freq_statsCPUFreqStatsrepeated

CPUsInfo

FieldTypeLabelDescription
metadatacommon.Metadata
cpu_infoCPUInforepeated

ClusterConfig

FieldTypeLabelDescription
namestring
control_planeControlPlaneConfig
cluster_networkClusterNetworkConfig
allow_scheduling_on_control_planesbool

ClusterNetworkConfig

FieldTypeLabelDescription
dns_domainstring
cni_configCNIConfig

ConfigLoadErrorEvent

ConfigLoadErrorEvent is reported when the config loading has failed.

FieldTypeLabelDescription
errorstring

ConfigValidationErrorEvent

ConfigValidationErrorEvent is reported when config validation has failed.

FieldTypeLabelDescription
errorstring

ConnectRecord

FieldTypeLabelDescription
l4protostring
localipstring
localportuint32
remoteipstring
remoteportuint32
stateConnectRecord.State
txqueueuint64
rxqueueuint64
trConnectRecord.TimerActive
timerwhenuint64
retrnsmtuint64
uiduint32
timeoutuint64
inodeuint64
refuint64
pointeruint64
processConnectRecord.Process
netnsstring

ConnectRecord.Process

FieldTypeLabelDescription
piduint32
namestring

Container

The messages message containing the requested containers.

FieldTypeLabelDescription
metadatacommon.Metadata
containersContainerInforepeated

ContainerInfo

The messages message containing the requested containers.

FieldTypeLabelDescription
namespacestring
idstring
uidstring
internal_idstring
imagestring
piduint32
statusstring
pod_idstring
namestring
network_namespacestring

ContainersRequest

FieldTypeLabelDescription
namespacestring
drivercommon.ContainerDriverdriver might be default “containerd” or “cri”

ContainersResponse

FieldTypeLabelDescription
messagesContainerrepeated

ControlPlaneConfig

FieldTypeLabelDescription
endpointstring

CopyRequest

CopyRequest describes a request to copy data out of Talos node

Copy produces .tar.gz archive which is streamed back to the caller

FieldTypeLabelDescription
root_pathstringRoot path to start copying data out, it might be either a file or directory

DHCPOptionsConfig

FieldTypeLabelDescription
route_metricuint32

DiskStat

FieldTypeLabelDescription
namestring
read_completeduint64
read_mergeduint64
read_sectorsuint64
read_time_msuint64
write_completeduint64
write_mergeduint64
write_sectorsuint64
write_time_msuint64
io_in_progressuint64
io_time_msuint64
io_time_weighted_msuint64
discard_completeduint64
discard_mergeduint64
discard_sectorsuint64
discard_time_msuint64

DiskStats

FieldTypeLabelDescription
metadatacommon.Metadata
totalDiskStat
devicesDiskStatrepeated

DiskStatsResponse

FieldTypeLabelDescription
messagesDiskStatsrepeated

DiskUsageInfo

DiskUsageInfo describes a file or directory’s information for du command

FieldTypeLabelDescription
metadatacommon.Metadata
namestringName is the name (including prefixed path) of the file or directory
sizeint64Size indicates the number of bytes contained within the file
errorstringError describes any error encountered while trying to read the file information.
relative_namestringRelativeName is the name of the file or directory relative to the RootPath

DiskUsageRequest

DiskUsageRequest describes a request to list disk usage of directories and regular files

FieldTypeLabelDescription
recursion_depthint32RecursionDepth indicates how many levels of subdirectories should be recursed. The default (0) indicates that no limit should be enforced.
allboolAll write sizes for all files, not just directories.
thresholdint64Threshold exclude entries smaller than SIZE if positive, or entries greater than SIZE if negative.
pathsstringrepeatedDiskUsagePaths is the list of directories to calculate disk usage for.

DmesgRequest

dmesg

FieldTypeLabelDescription
followbool
tailbool

EtcdAlarm

FieldTypeLabelDescription
metadatacommon.Metadata
member_alarmsEtcdMemberAlarmrepeated

EtcdAlarmDisarm

FieldTypeLabelDescription
metadatacommon.Metadata
member_alarmsEtcdMemberAlarmrepeated

EtcdAlarmDisarmResponse

FieldTypeLabelDescription
messagesEtcdAlarmDisarmrepeated

EtcdAlarmListResponse

FieldTypeLabelDescription
messagesEtcdAlarmrepeated

EtcdDefragment

FieldTypeLabelDescription
metadatacommon.Metadata

EtcdDefragmentResponse

FieldTypeLabelDescription
messagesEtcdDefragmentrepeated

EtcdForfeitLeadership

FieldTypeLabelDescription
metadatacommon.Metadata
memberstring

EtcdForfeitLeadershipRequest

EtcdForfeitLeadershipResponse

FieldTypeLabelDescription
messagesEtcdForfeitLeadershiprepeated

EtcdLeaveCluster

FieldTypeLabelDescription
metadatacommon.Metadata

EtcdLeaveClusterRequest

EtcdLeaveClusterResponse

FieldTypeLabelDescription
messagesEtcdLeaveClusterrepeated

EtcdMember

EtcdMember describes a single etcd member.

FieldTypeLabelDescription
iduint64member ID.
hostnamestringhuman-readable name of the member.
peer_urlsstringrepeatedthe list of URLs the member exposes to clients for communication.
client_urlsstringrepeatedthe list of URLs the member exposes to the cluster for communication.
is_learnerboollearner flag

EtcdMemberAlarm

FieldTypeLabelDescription
member_iduint64
alarmEtcdMemberAlarm.AlarmType

EtcdMemberListRequest

FieldTypeLabelDescription
query_localbool

EtcdMemberListResponse

FieldTypeLabelDescription
messagesEtcdMembersrepeated

EtcdMemberStatus

FieldTypeLabelDescription
member_iduint64
protocol_versionstring
db_sizeint64
db_size_in_useint64
leaderuint64
raft_indexuint64
raft_termuint64
raft_applied_indexuint64
errorsstringrepeated
is_learnerbool

EtcdMembers

EtcdMembers contains the list of members registered on the host.

FieldTypeLabelDescription
metadatacommon.Metadata
legacy_membersstringrepeatedlist of member hostnames.
membersEtcdMemberrepeatedthe list of etcd members registered on the node.

EtcdRecover

FieldTypeLabelDescription
metadatacommon.Metadata

EtcdRecoverResponse

FieldTypeLabelDescription
messagesEtcdRecoverrepeated

EtcdRemoveMember

FieldTypeLabelDescription
metadatacommon.Metadata

EtcdRemoveMemberByID

FieldTypeLabelDescription
metadatacommon.Metadata

EtcdRemoveMemberByIDRequest

FieldTypeLabelDescription
member_iduint64

EtcdRemoveMemberByIDResponse

FieldTypeLabelDescription
messagesEtcdRemoveMemberByIDrepeated

EtcdRemoveMemberRequest

FieldTypeLabelDescription
memberstring

EtcdRemoveMemberResponse

FieldTypeLabelDescription
messagesEtcdRemoveMemberrepeated

EtcdSnapshotRequest

EtcdStatus

FieldTypeLabelDescription
metadatacommon.Metadata
member_statusEtcdMemberStatus

EtcdStatusResponse

FieldTypeLabelDescription
messagesEtcdStatusrepeated

Event

FieldTypeLabelDescription
metadatacommon.Metadata
datagoogle.protobuf.Any
idstring
actor_idstring

EventsRequest

FieldTypeLabelDescription
tail_eventsint32
tail_idstring
tail_secondsint32
with_actor_idstring

FeaturesInfo

FeaturesInfo describes individual Talos features that can be switched on or off.

FieldTypeLabelDescription
rbacboolRBAC is true if role-based access control is enabled.

FileInfo

FileInfo describes a file or directory’s information

FieldTypeLabelDescription
metadatacommon.Metadata
namestringName is the name (including prefixed path) of the file or directory
sizeint64Size indicates the number of bytes contained within the file
modeuint32Mode is the bitmap of UNIX mode/permission flags of the file
modifiedint64Modified indicates the UNIX timestamp at which the file was last modified
is_dirboolIsDir indicates that the file is a directory
errorstringError describes any error encountered while trying to read the file information.
linkstringLink is filled with symlink target
relative_namestringRelativeName is the name of the file or directory relative to the RootPath
uiduint32Owner uid
giduint32Owner gid
xattrsXattrrepeatedExtended attributes (if present and requested)

GenerateClientConfiguration

FieldTypeLabelDescription
metadatacommon.Metadata
cabytesPEM-encoded CA certificate.
crtbytesPEM-encoded generated client certificate.
keybytesPEM-encoded generated client key.
talosconfigbytesClient configuration (talosconfig) file content.

GenerateClientConfigurationRequest

FieldTypeLabelDescription
rolesstringrepeatedRoles in the generated client certificate.
crt_ttlgoogle.protobuf.DurationClient certificate TTL.

GenerateClientConfigurationResponse

FieldTypeLabelDescription
messagesGenerateClientConfigurationrepeated

GenerateConfiguration

GenerateConfiguration describes the response to a generate configuration request.

FieldTypeLabelDescription
metadatacommon.Metadata
databytesrepeated
talosconfigbytes

GenerateConfigurationRequest

GenerateConfigurationRequest describes a request to generate a new configuration on a node.

FieldTypeLabelDescription
config_versionstring
cluster_configClusterConfig
machine_configMachineConfig
override_timegoogle.protobuf.Timestamp

GenerateConfigurationResponse

FieldTypeLabelDescription
messagesGenerateConfigurationrepeated

Hostname

FieldTypeLabelDescription
metadatacommon.Metadata
hostnamestring

HostnameResponse

FieldTypeLabelDescription
messagesHostnamerepeated

ImageListRequest

FieldTypeLabelDescription
namespacecommon.ContainerdNamespaceContainerd namespace to use.

ImageListResponse

FieldTypeLabelDescription
metadatacommon.Metadata
namestring
digeststring
sizeint64
created_atgoogle.protobuf.Timestamp

ImagePull

FieldTypeLabelDescription
metadatacommon.Metadata

ImagePullRequest

FieldTypeLabelDescription
namespacecommon.ContainerdNamespaceContainerd namespace to use.
referencestringImage reference to pull.

ImagePullResponse

FieldTypeLabelDescription
messagesImagePullrepeated

InstallConfig

FieldTypeLabelDescription
install_diskstring
install_imagestring

ListRequest

ListRequest describes a request to list the contents of a directory.

FieldTypeLabelDescription
rootstringRoot indicates the root directory for the list. If not indicated, ‘/’ is presumed.
recurseboolRecurse indicates that subdirectories should be recursed.
recursion_depthint32RecursionDepth indicates how many levels of subdirectories should be recursed. The default (0) indicates that no limit should be enforced.
typesListRequest.TyperepeatedTypes indicates what file type should be returned. If not indicated, all files will be returned.
report_xattrsboolReport xattrs

LoadAvg

FieldTypeLabelDescription
metadatacommon.Metadata
load1double
load5double
load15double

LoadAvgResponse

FieldTypeLabelDescription
messagesLoadAvgrepeated

LogsContainer

LogsContainer desribes all avalaible registered log containers.

FieldTypeLabelDescription
metadatacommon.Metadata
idsstringrepeated

LogsContainersResponse

FieldTypeLabelDescription
messagesLogsContainerrepeated

LogsRequest

rpc logs The request message containing the process name.

FieldTypeLabelDescription
namespacestring
idstring
drivercommon.ContainerDriverdriver might be default “containerd” or “cri”
followbool
tail_linesint32

MachineConfig

FieldTypeLabelDescription
typeMachineConfig.MachineType
install_configInstallConfig
network_configNetworkConfig
kubernetes_versionstring

MachineStatusEvent

MachineStatusEvent reports changes to the MachineStatus resource.

FieldTypeLabelDescription
stageMachineStatusEvent.MachineStage
statusMachineStatusEvent.MachineStatus

MachineStatusEvent.MachineStatus

FieldTypeLabelDescription
readybool
unmet_conditionsMachineStatusEvent.MachineStatus.UnmetConditionrepeated

MachineStatusEvent.MachineStatus.UnmetCondition

FieldTypeLabelDescription
namestring
reasonstring

MemInfo

FieldTypeLabelDescription
memtotaluint64
memfreeuint64
memavailableuint64
buffersuint64
cacheduint64
swapcacheduint64
activeuint64
inactiveuint64
activeanonuint64
inactiveanonuint64
activefileuint64
inactivefileuint64
unevictableuint64
mlockeduint64
swaptotaluint64
swapfreeuint64
dirtyuint64
writebackuint64
anonpagesuint64
mappeduint64
shmemuint64
slabuint64
sreclaimableuint64
sunreclaimuint64
kernelstackuint64
pagetablesuint64
nfsunstableuint64
bounceuint64
writebacktmpuint64
commitlimituint64
committedasuint64
vmalloctotaluint64
vmallocuseduint64
vmallocchunkuint64
hardwarecorrupteduint64
anonhugepagesuint64
shmemhugepagesuint64
shmempmdmappeduint64
cmatotaluint64
cmafreeuint64
hugepagestotaluint64
hugepagesfreeuint64
hugepagesrsvduint64
hugepagessurpuint64
hugepagesizeuint64
directmap4kuint64
directmap2muint64
directmap1guint64

Memory

FieldTypeLabelDescription
metadatacommon.Metadata
meminfoMemInfo

MemoryResponse

FieldTypeLabelDescription
messagesMemoryrepeated

MetaDelete

FieldTypeLabelDescription
metadatacommon.Metadata

MetaDeleteRequest

FieldTypeLabelDescription
keyuint32

MetaDeleteResponse

FieldTypeLabelDescription
messagesMetaDeleterepeated

MetaWrite

FieldTypeLabelDescription
metadatacommon.Metadata

MetaWriteRequest

FieldTypeLabelDescription
keyuint32
valuebytes

MetaWriteResponse

FieldTypeLabelDescription
messagesMetaWriterepeated

MountStat

The messages message containing the requested processes.

FieldTypeLabelDescription
filesystemstring
sizeuint64
availableuint64
mounted_onstring

Mounts

The messages message containing the requested df stats.

FieldTypeLabelDescription
metadatacommon.Metadata
statsMountStatrepeated

MountsResponse

FieldTypeLabelDescription
messagesMountsrepeated

NetDev

FieldTypeLabelDescription
namestring
rx_bytesuint64
rx_packetsuint64
rx_errorsuint64
rx_droppeduint64
rx_fifouint64
rx_frameuint64
rx_compresseduint64
rx_multicastuint64
tx_bytesuint64
tx_packetsuint64
tx_errorsuint64
tx_droppeduint64
tx_fifouint64
tx_collisionsuint64
tx_carrieruint64
tx_compresseduint64

Netstat

FieldTypeLabelDescription
metadatacommon.Metadata
connectrecordConnectRecordrepeated

NetstatRequest

FieldTypeLabelDescription
filterNetstatRequest.Filter
featureNetstatRequest.Feature
l4protoNetstatRequest.L4proto
netnsNetstatRequest.NetNS

NetstatRequest.Feature

FieldTypeLabelDescription
pidbool

NetstatRequest.L4proto

FieldTypeLabelDescription
tcpbool
tcp6bool
udpbool
udp6bool
udplitebool
udplite6bool
rawbool
raw6bool

NetstatRequest.NetNS

FieldTypeLabelDescription
hostnetworkbool
netnsstringrepeated
allnetnsbool

NetstatResponse

FieldTypeLabelDescription
messagesNetstatrepeated

NetworkConfig

FieldTypeLabelDescription
hostnamestring
interfacesNetworkDeviceConfigrepeated

NetworkDeviceConfig

FieldTypeLabelDescription
interfacestring
cidrstring
mtuint32
dhcpbool
ignorebool
dhcp_optionsDHCPOptionsConfig
routesRouteConfigrepeated

NetworkDeviceStats

FieldTypeLabelDescription
metadatacommon.Metadata
totalNetDev
devicesNetDevrepeated

NetworkDeviceStatsResponse

FieldTypeLabelDescription
messagesNetworkDeviceStatsrepeated

PacketCaptureRequest

FieldTypeLabelDescription
interfacestringInterface name to perform packet capture on.
promiscuousboolEnable promiscuous mode.
snap_lenuint32Snap length in bytes.
bpf_filterBPFInstructionrepeatedBPF filter.

PhaseEvent

FieldTypeLabelDescription
phasestring
actionPhaseEvent.Action

PlatformInfo

FieldTypeLabelDescription
namestring
modestring

Process

FieldTypeLabelDescription
metadatacommon.Metadata
processesProcessInforepeated

ProcessInfo

FieldTypeLabelDescription
pidint32
ppidint32
statestring
threadsint32
cpu_timedouble
virtual_memoryuint64
resident_memoryuint64
commandstring
executablestring
argsstring
labelstring

ProcessesResponse

rpc processes

FieldTypeLabelDescription
messagesProcessrepeated

ReadRequest

FieldTypeLabelDescription
pathstring

Reboot

The reboot message containing the reboot status.

FieldTypeLabelDescription
metadatacommon.Metadata
actor_idstring

RebootRequest

rpc reboot

FieldTypeLabelDescription
modeRebootRequest.Mode

RebootResponse

FieldTypeLabelDescription
messagesRebootrepeated

Reset

The reset message containing the restart status.

FieldTypeLabelDescription
metadatacommon.Metadata
actor_idstring

ResetPartitionSpec

rpc reset

FieldTypeLabelDescription
labelstring
wipebool

ResetRequest

FieldTypeLabelDescription
gracefulboolGraceful indicates whether node should leave etcd before the upgrade, it also enforces etcd checks before leaving.
rebootboolReboot indicates whether node should reboot or halt after resetting.
system_partitions_to_wipeResetPartitionSpecrepeatedSystem_partitions_to_wipe lists specific system disk partitions to be reset (wiped). If system_partitions_to_wipe is empty, all the partitions are erased.
user_disks_to_wipestringrepeatedUserDisksToWipe lists specific connected block devices to be reset (wiped).
modeResetRequest.WipeModeWipeMode defines which devices should be wiped.

ResetResponse

FieldTypeLabelDescription
messagesResetrepeated

Restart

FieldTypeLabelDescription
metadatacommon.Metadata

RestartEvent

FieldTypeLabelDescription
cmdint64

RestartRequest

rpc restart The request message containing the process to restart.

FieldTypeLabelDescription
namespacestring
idstring
drivercommon.ContainerDriverdriver might be default “containerd” or “cri”

RestartResponse

The messages message containing the restart status.

FieldTypeLabelDescription
messagesRestartrepeated

Rollback

FieldTypeLabelDescription
metadatacommon.Metadata

RollbackRequest

rpc rollback

RollbackResponse

FieldTypeLabelDescription
messagesRollbackrepeated

RouteConfig

FieldTypeLabelDescription
networkstring
gatewaystring
metricuint32

SequenceEvent

rpc events

FieldTypeLabelDescription
sequencestring
actionSequenceEvent.Action
errorcommon.Error

ServiceEvent

FieldTypeLabelDescription
msgstring
statestring
tsgoogle.protobuf.Timestamp

ServiceEvents

FieldTypeLabelDescription
eventsServiceEventrepeated

ServiceHealth

FieldTypeLabelDescription
unknownbool
healthybool
last_messagestring
last_changegoogle.protobuf.Timestamp

ServiceInfo

FieldTypeLabelDescription
idstring
statestring
eventsServiceEvents
healthServiceHealth

ServiceList

rpc servicelist

FieldTypeLabelDescription
metadatacommon.Metadata
servicesServiceInforepeated

ServiceListResponse

FieldTypeLabelDescription
messagesServiceListrepeated

ServiceRestart

FieldTypeLabelDescription
metadatacommon.Metadata
respstring

ServiceRestartRequest

FieldTypeLabelDescription
idstring

ServiceRestartResponse

FieldTypeLabelDescription
messagesServiceRestartrepeated

ServiceStart

FieldTypeLabelDescription
metadatacommon.Metadata
respstring

ServiceStartRequest

rpc servicestart

FieldTypeLabelDescription
idstring

ServiceStartResponse

FieldTypeLabelDescription
messagesServiceStartrepeated

ServiceStateEvent

FieldTypeLabelDescription
servicestring
actionServiceStateEvent.Action
messagestring
healthServiceHealth

ServiceStop

FieldTypeLabelDescription
metadatacommon.Metadata
respstring

ServiceStopRequest

FieldTypeLabelDescription
idstring

ServiceStopResponse

FieldTypeLabelDescription
messagesServiceStoprepeated

Shutdown

rpc shutdown The messages message containing the shutdown status.

FieldTypeLabelDescription
metadatacommon.Metadata
actor_idstring

ShutdownRequest

FieldTypeLabelDescription
forceboolForce indicates whether node should shutdown without first cordening and draining

ShutdownResponse

FieldTypeLabelDescription
messagesShutdownrepeated

SoftIRQStat

FieldTypeLabelDescription
hiuint64
timeruint64
net_txuint64
net_rxuint64
blockuint64
block_io_polluint64
taskletuint64
scheduint64
hrtimeruint64
rcuuint64

Stat

The messages message containing the requested stat.

FieldTypeLabelDescription
namespacestring
idstring
memory_usageuint64
cpu_usageuint64
pod_idstring
namestring

Stats

The messages message containing the requested stats.

FieldTypeLabelDescription
metadatacommon.Metadata
statsStatrepeated

StatsRequest

The request message containing the containerd namespace.

FieldTypeLabelDescription
namespacestring
drivercommon.ContainerDriverdriver might be default “containerd” or “cri”

StatsResponse

FieldTypeLabelDescription
messagesStatsrepeated

SystemStat

FieldTypeLabelDescription
metadatacommon.Metadata
boot_timeuint64
cpu_totalCPUStat
cpuCPUStatrepeated
irq_totaluint64
irquint64repeated
context_switchesuint64
process_createduint64
process_runninguint64
process_blockeduint64
soft_irq_totaluint64
soft_irqSoftIRQStat

SystemStatResponse

FieldTypeLabelDescription
messagesSystemStatrepeated

TaskEvent

FieldTypeLabelDescription
taskstring
actionTaskEvent.Action

Upgrade

FieldTypeLabelDescription
metadatacommon.Metadata
ackstring
actor_idstring

UpgradeRequest

rpc upgrade

FieldTypeLabelDescription
imagestring
preservebool
stagebool
forcebool
reboot_modeUpgradeRequest.RebootMode

UpgradeResponse

FieldTypeLabelDescription
messagesUpgraderepeated

Version

FieldTypeLabelDescription
metadatacommon.Metadata
versionVersionInfo
platformPlatformInfo
featuresFeaturesInfoFeatures describe individual Talos features that can be switched on or off.

VersionInfo

FieldTypeLabelDescription
tagstring
shastring
builtstring
go_versionstring
osstring
archstring

VersionResponse

FieldTypeLabelDescription
messagesVersionrepeated

Xattr

FieldTypeLabelDescription
namestring
databytes

ApplyConfigurationRequest.Mode

NameNumberDescription
REBOOT0
AUTO1
NO_REBOOT2
STAGED3
TRY4

ConnectRecord.State

NameNumberDescription
RESERVED0
ESTABLISHED1
SYN_SENT2
SYN_RECV3
FIN_WAIT14
FIN_WAIT25
TIME_WAIT6
CLOSE7
CLOSEWAIT8
LASTACK9
LISTEN10
CLOSING11

ConnectRecord.TimerActive

NameNumberDescription
OFF0
ON1
KEEPALIVE2
TIMEWAIT3
PROBE4

EtcdMemberAlarm.AlarmType

NameNumberDescription
NONE0
NOSPACE1
CORRUPT2

ListRequest.Type

File type.

NameNumberDescription
REGULAR0Regular file (not directory, symlink, etc).
DIRECTORY1Directory.
SYMLINK2Symbolic link.

MachineConfig.MachineType

NameNumberDescription
TYPE_UNKNOWN0
TYPE_INIT1
TYPE_CONTROL_PLANE2
TYPE_WORKER3

MachineStatusEvent.MachineStage

NameNumberDescription
UNKNOWN0
BOOTING1
INSTALLING2
MAINTENANCE3
RUNNING4
REBOOTING5
SHUTTING_DOWN6
RESETTING7
UPGRADING8

NetstatRequest.Filter

NameNumberDescription
ALL0
CONNECTED1
LISTENING2

PhaseEvent.Action

NameNumberDescription
START0
STOP1

RebootRequest.Mode

NameNumberDescription
DEFAULT0
POWERCYCLE1

ResetRequest.WipeMode

NameNumberDescription
ALL0
SYSTEM_DISK1
USER_DISKS2

SequenceEvent.Action

NameNumberDescription
NOOP0
START1
STOP2

ServiceStateEvent.Action

NameNumberDescription
INITIALIZED0
PREPARING1
WAITING2
RUNNING3
STOPPING4
FINISHED5
FAILED6
SKIPPED7
STARTING8

TaskEvent.Action

NameNumberDescription
START0
STOP1

UpgradeRequest.RebootMode

NameNumberDescription
DEFAULT0
POWERCYCLE1

MachineService

The machine service definition.

Method NameRequest TypeResponse TypeDescription
ApplyConfigurationApplyConfigurationRequestApplyConfigurationResponse
BootstrapBootstrapRequestBootstrapResponseBootstrap method makes control plane node enter etcd bootstrap mode. Node aborts etcd join sequence and creates single-node etcd cluster. If recover_etcd argument is specified, etcd is recovered from a snapshot uploaded with EtcdRecover.
ContainersContainersRequestContainersResponse
CopyCopyRequest.common.Data stream
CPUFreqStats.google.protobuf.EmptyCPUFreqStatsResponse
CPUInfo.google.protobuf.EmptyCPUInfoResponse
DiskStats.google.protobuf.EmptyDiskStatsResponse
DmesgDmesgRequest.common.Data stream
EventsEventsRequestEvent stream
EtcdMemberListEtcdMemberListRequestEtcdMemberListResponse
EtcdRemoveMemberByIDEtcdRemoveMemberByIDRequestEtcdRemoveMemberByIDResponseEtcdRemoveMemberByID removes a member from the etcd cluster identified by member ID. This API should be used to remove members which don’t have an associated Talos node anymore. To remove a member with a running Talos node, use EtcdLeaveCluster API on the node to be removed.
EtcdLeaveClusterEtcdLeaveClusterRequestEtcdLeaveClusterResponse
EtcdForfeitLeadershipEtcdForfeitLeadershipRequestEtcdForfeitLeadershipResponse
EtcdRecover.common.Data streamEtcdRecoverResponseEtcdRecover method uploads etcd data snapshot created with EtcdSnapshot to the node. Snapshot can be later used to recover the cluster via Bootstrap method.
EtcdSnapshotEtcdSnapshotRequest.common.Data streamEtcdSnapshot method creates etcd data snapshot (backup) from the local etcd instance and streams it back to the client. This method is available only on control plane nodes (which run etcd).
EtcdAlarmList.google.protobuf.EmptyEtcdAlarmListResponseEtcdAlarmList lists etcd alarms for the current node. This method is available only on control plane nodes (which run etcd).
EtcdAlarmDisarm.google.protobuf.EmptyEtcdAlarmDisarmResponseEtcdAlarmDisarm disarms etcd alarms for the current node. This method is available only on control plane nodes (which run etcd).
EtcdDefragment.google.protobuf.EmptyEtcdDefragmentResponseEtcdDefragment defragments etcd data directory for the current node. Defragmentation is a resource-heavy operation, so it should only run on a specific node. This method is available only on control plane nodes (which run etcd).
EtcdStatus.google.protobuf.EmptyEtcdStatusResponseEtcdStatus returns etcd status for the current member. This method is available only on control plane nodes (which run etcd).
GenerateConfigurationGenerateConfigurationRequestGenerateConfigurationResponse
Hostname.google.protobuf.EmptyHostnameResponse
Kubeconfig.google.protobuf.Empty.common.Data stream
ListListRequestFileInfo stream
DiskUsageDiskUsageRequestDiskUsageInfo stream
LoadAvg.google.protobuf.EmptyLoadAvgResponse
LogsLogsRequest.common.Data stream
LogsContainers.google.protobuf.EmptyLogsContainersResponse
Memory.google.protobuf.EmptyMemoryResponse
Mounts.google.protobuf.EmptyMountsResponse
NetworkDeviceStats.google.protobuf.EmptyNetworkDeviceStatsResponse
Processes.google.protobuf.EmptyProcessesResponse
ReadReadRequest.common.Data stream
RebootRebootRequestRebootResponse
RestartRestartRequestRestartResponse
RollbackRollbackRequestRollbackResponse
ResetResetRequestResetResponse
ServiceList.google.protobuf.EmptyServiceListResponse
ServiceRestartServiceRestartRequestServiceRestartResponse
ServiceStartServiceStartRequestServiceStartResponse
ServiceStopServiceStopRequestServiceStopResponse
ShutdownShutdownRequestShutdownResponse
StatsStatsRequestStatsResponse
SystemStat.google.protobuf.EmptySystemStatResponse
UpgradeUpgradeRequestUpgradeResponse
Version.google.protobuf.EmptyVersionResponse
GenerateClientConfigurationGenerateClientConfigurationRequestGenerateClientConfigurationResponseGenerateClientConfiguration generates talosctl client configuration (talosconfig).
PacketCapturePacketCaptureRequest.common.Data streamPacketCapture performs packet capture and streams back pcap file.
NetstatNetstatRequestNetstatResponseNetstat provides information about network connections.
MetaWriteMetaWriteRequestMetaWriteResponseMetaWrite writes a META key-value pair.
MetaDeleteMetaDeleteRequestMetaDeleteResponseMetaDelete deletes a META key.
ImageListImageListRequestImageListResponse streamImageList lists images in the CRI.
ImagePullImagePullRequestImagePullResponseImagePull pulls an image into the CRI.

Top

security/security.proto

CertificateRequest

The request message containing the certificate signing request.

FieldTypeLabelDescription
csrbytesCertificate Signing Request in PEM format.

CertificateResponse

The response message containing signed certificate.

FieldTypeLabelDescription
cabytesCertificate of the CA that signed the requested certificate in PEM format.
crtbytesSigned X.509 requested certificate in PEM format.

SecurityService

The security service definition.

Method NameRequest TypeResponse TypeDescription
CertificateCertificateRequestCertificateResponse

Top

storage/storage.proto

BlockDeviceWipe

FieldTypeLabelDescription
metadatacommon.Metadata

BlockDeviceWipeDescriptor

BlockDeviceWipeDescriptor represents a single block device to be wiped.

The device can be either a full disk (e.g. vda) or a partition (vda5). The device should not be used in any of active volumes. The device should not be used as a secondary (e.g. part of LVM).

FieldTypeLabelDescription
devicestringDevice name to wipe (e.g. sda or sda5).

The name should be submitted without /dev/ prefix. | | method | BlockDeviceWipeDescriptor.Method | | Wipe method to use. | | skip_volume_check | bool | | Skip the volume in use check. |

BlockDeviceWipeRequest

FieldTypeLabelDescription
devicesBlockDeviceWipeDescriptorrepeated

BlockDeviceWipeResponse

FieldTypeLabelDescription
messagesBlockDeviceWiperepeated

Disk

Disk represents a disk.

FieldTypeLabelDescription
sizeuint64Size indicates the disk size in bytes.
modelstringModel idicates the disk model.
device_namestringDeviceName indicates the disk name (e.g. sda).
namestringName as in /sys/block/<dev>/device/name.
serialstringSerial as in /sys/block/<dev>/device/serial.
modaliasstringModalias as in /sys/block/<dev>/device/modalias.
uuidstringUuid as in /sys/block/<dev>/device/uuid.
wwidstringWwid as in /sys/block/<dev>/device/wwid.
typeDisk.DiskTypeType is a type of the disk: nvme, ssd, hdd, sd card.
bus_pathstringBusPath is the bus path of the disk.
system_diskboolSystemDisk indicates that the disk is used as Talos system disk.
subsystemstringSubsystem is the symlink path in the /sys/block/<dev>/subsystem.
readonlyboolReadonly specifies if the disk is read only.

Disks

DisksResponse represents the response of the Disks RPC.

FieldTypeLabelDescription
metadatacommon.Metadata
disksDiskrepeated

DisksResponse

FieldTypeLabelDescription
messagesDisksrepeated

BlockDeviceWipeDescriptor.Method

NameNumberDescription
FAST0Fast wipe - wipe only filesystem signatures.
ZEROES1Zeroes wipe - wipe by overwriting with zeroes (might be slow depending on the disk size and available hardware features).

Disk.DiskType

NameNumberDescription
UNKNOWN0
SSD1
HDD2
NVME3
SD4
CD5

StorageService

StorageService represents the storage service.

Method NameRequest TypeResponse TypeDescription
Disks.google.protobuf.EmptyDisksResponse
BlockDeviceWipeBlockDeviceWipeRequestBlockDeviceWipeResponseBlockDeviceWipe performs a wipe of the blockdevice (partition or disk).

The method doesn’t require a reboot, and it can only wipe blockdevices which are not being used as volumes at the moment. Wiping of volumes requires a different API. |

Top

time/time.proto

Time

FieldTypeLabelDescription
metadatacommon.Metadata
serverstring
localtimegoogle.protobuf.Timestamp
remotetimegoogle.protobuf.Timestamp

TimeRequest

The response message containing the ntp server

FieldTypeLabelDescription
serverstring

TimeResponse

The response message containing the ntp server, time, and offset

FieldTypeLabelDescription
messagesTimerepeated

TimeService

The time service definition.

Method NameRequest TypeResponse TypeDescription
Time.google.protobuf.EmptyTimeResponse
TimeCheckTimeRequestTimeResponse

Scalar Value Types

.proto TypeNotesC++JavaPythonGoC#PHPRuby
doubledoubledoublefloatfloat64doublefloatFloat
floatfloatfloatfloatfloat32floatfloatFloat
int32Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead.int32intintint32intintegerBignum or Fixnum (as required)
int64Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead.int64longint/longint64longinteger/stringBignum
uint32Uses variable-length encoding.uint32intint/longuint32uintintegerBignum or Fixnum (as required)
uint64Uses variable-length encoding.uint64longint/longuint64ulonginteger/stringBignum or Fixnum (as required)
sint32Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s.int32intintint32intintegerBignum or Fixnum (as required)
sint64Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s.int64longint/longint64longinteger/stringBignum
fixed32Always four bytes. More efficient than uint32 if values are often greater than 2^28.uint32intintuint32uintintegerBignum or Fixnum (as required)
fixed64Always eight bytes. More efficient than uint64 if values are often greater than 2^56.uint64longint/longuint64ulonginteger/stringBignum
sfixed32Always four bytes.int32intintint32intintegerBignum or Fixnum (as required)
sfixed64Always eight bytes.int64longint/longint64longinteger/stringBignum
boolboolbooleanbooleanboolboolbooleanTrueClass/FalseClass
stringA string must always contain UTF-8 encoded or 7-bit ASCII text.stringStringstr/unicodestringstringstringString (UTF-8)
bytesMay contain any arbitrary sequence of bytes.stringByteStringstr[]byteByteStringstringString (ASCII-8BIT)

2 - CLI

Talosctl CLI tool reference.

talosctl apply-config

Apply a new configuration to a node

talosctl apply-config [flags]

Options

      --cert-fingerprint strings                                 list of server certificate fingeprints to accept (defaults to no check)
  -p, --config-patch stringArray                                 the list of config patches to apply to the local config file before sending it to the node
      --dry-run                                                  check how the config change will be applied in dry-run mode
  -f, --file string                                              the filename of the updated configuration
  -h, --help                                                     help for apply-config
  -i, --insecure                                                 apply the config using the insecure (encrypted with no auth) maintenance service
  -m, --mode auto, interactive, no-reboot, reboot, staged, try   apply config mode (default auto)
      --timeout duration                                         the config will be rolled back after specified timeout (if try mode is selected) (default 1m0s)

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl bootstrap

Bootstrap the etcd cluster on the specified node.

Synopsis

When Talos cluster is created etcd service on control plane nodes enter the join loop waiting to join etcd peers from other control plane nodes. One node should be picked as the boostrap node. When boostrap command is issued, the node aborts join process and bootstraps etcd cluster as a single node cluster. Other control plane nodes will join etcd cluster once Kubernetes is boostrapped on the bootstrap node.

This command should not be used when “init” type node are used.

Talos etcd cluster can be recovered from a known snapshot with ‘–recover-from=’ flag.

talosctl bootstrap [flags]

Options

  -h, --help                      help for bootstrap
      --recover-from string       recover etcd cluster from the snapshot
      --recover-skip-hash-check   skip integrity check when recovering etcd (use when recovering from data directory copy)

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl cgroups

Retrieve cgroups usage information

Synopsis

The cgroups command fetches control group v2 (cgroupv2) usage details from the machine. Several presets are available to focus on specific cgroup subsystems:

  • cpu
  • cpuset
  • io
  • memory
  • process
  • swap

You can specify the preset using the –preset flag.

Alternatively, a custom schema can be provided using the –schema-file flag. To see schema examples, refer to https://github.com/siderolabs/talos/tree/main/cmd/talosctl/cmd/talos/cgroupsprinter/schemas.

talosctl cgroups [flags]

Options

  -h, --help                 help for cgroups
      --preset string        preset name (one of: [cpu cpuset io memory process swap])
      --schema-file string   path to the columns schema file

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl cluster create

Creates a local docker-based or QEMU-based kubernetes cluster

talosctl cluster create [flags]

Options

      --arch string                              cluster architecture (default "amd64")
      --bad-rtc                                  launch VM with bad RTC state (QEMU only)
      --cidr string                              CIDR of the cluster network (IPv4, ULA network for IPv6 is derived in automated way) (default "10.5.0.0/24")
      --cni-bin-path strings                     search path for CNI binaries (VM only) (default [/home/user/.talos/cni/bin])
      --cni-bundle-url string                    URL to download CNI bundle from (VM only) (default "https://github.com/siderolabs/talos/releases/download/v1.9.0-alpha.3/talosctl-cni-bundle-${ARCH}.tar.gz")
      --cni-cache-dir string                     CNI cache directory path (VM only) (default "/home/user/.talos/cni/cache")
      --cni-conf-dir string                      CNI config directory path (VM only) (default "/home/user/.talos/cni/conf.d")
      --config-injection-method string           a method to inject machine config: default is HTTP server, 'metal-iso' to mount an ISO (QEMU only)
      --config-patch stringArray                 patch generated machineconfigs (applied to all node types), use @file to read a patch from file
      --config-patch-control-plane stringArray   patch generated machineconfigs (applied to 'init' and 'controlplane' types)
      --config-patch-worker stringArray          patch generated machineconfigs (applied to 'worker' type)
      --control-plane-port int                   control plane port (load balancer and local API port, QEMU only) (default 6443)
      --controlplanes int                        the number of controlplanes to create (default 1)
      --cpus string                              the share of CPUs as fraction (each control plane/VM) (default "2.0")
      --cpus-workers string                      the share of CPUs as fraction (each worker/VM) (default "2.0")
      --custom-cni-url string                    install custom CNI from the URL (Talos cluster)
      --disable-dhcp-hostname                    skip announcing hostname via DHCP (QEMU only)
      --disk int                                 default limit on disk size in MB (each VM) (default 6144)
      --disk-encryption-key-types stringArray    encryption key types to use for disk encryption (uuid, kms) (default [uuid])
      --disk-image-path string                   disk image to use
      --disk-preallocate                         whether disk space should be preallocated (default true)
      --dns-domain string                        the dns domain to use for cluster (default "cluster.local")
      --docker-disable-ipv6                      skip enabling IPv6 in containers (Docker only)
      --docker-host-ip string                    Host IP to forward exposed ports to (Docker provisioner only) (default "0.0.0.0")
      --encrypt-ephemeral                        enable ephemeral partition encryption
      --encrypt-state                            enable state partition encryption
      --endpoint string                          use endpoint instead of provider defaults
  -p, --exposed-ports string                     Comma-separated list of ports/protocols to expose on init node. Ex -p <hostPort>:<containerPort>/<protocol (tcp or udp)> (Docker provisioner only)
      --extra-boot-kernel-args string            add extra kernel args to the initial boot from vmlinuz and initramfs (QEMU only)
      --extra-disks int                          number of extra disks to create for each worker VM
      --extra-disks-drivers strings              driver for each extra disk (virtio, ide, ahci, scsi, nvme)
      --extra-disks-size int                     default limit on disk size in MB (each VM) (default 5120)
      --extra-uefi-search-paths strings          additional search paths for UEFI firmware (only applies when UEFI is enabled)
  -h, --help                                     help for create
      --image string                             the image to use (default "ghcr.io/siderolabs/talos:latest")
      --init-node-as-endpoint                    use init node as endpoint instead of any load balancer endpoint
      --initrd-path string                       initramfs image to use (default "_out/initramfs-${ARCH}.xz")
  -i, --input-dir string                         location of pre-generated config files
      --install-image string                     the installer image to use (default "ghcr.io/siderolabs/installer:latest")
      --ipv4                                     enable IPv4 network in the cluster (default true)
      --ipv6                                     enable IPv6 network in the cluster (QEMU provisioner only)
      --ipxe-boot-script string                  iPXE boot script (URL) to use
      --iso-path string                          the ISO path to use for the initial boot (VM only)
      --kubeprism-port int                       KubePrism port (set to 0 to disable) (default 7445)
      --kubernetes-version string                desired kubernetes version to run (default "1.32.0")
      --memory int                               the limit on memory usage in MB (each control plane/VM) (default 2048)
      --memory-workers int                       the limit on memory usage in MB (each worker/VM) (default 2048)
      --mount mount                              attach a mount to the container (Docker only)
      --mtu int                                  MTU of the cluster network (default 1500)
      --nameservers strings                      list of nameservers to use (default [8.8.8.8,1.1.1.1,2001:4860:4860::8888,2606:4700:4700::1111])
      --no-masquerade-cidrs strings              list of CIDRs to exclude from NAT (QEMU provisioner only)
      --registry-insecure-skip-verify strings    list of registry hostnames to skip TLS verification for
      --registry-mirror strings                  list of registry mirrors to use in format: <registry host>=<mirror URL>
      --skip-injecting-config                    skip injecting config from embedded metadata server, write config files to current directory
      --skip-k8s-node-readiness-check            skip k8s node readiness checks
      --skip-kubeconfig                          skip merging kubeconfig from the created cluster
      --talos-version string                     the desired Talos version to generate config for (if not set, defaults to image version)
      --talosconfig string                       The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.
      --usb-path string                          the USB stick image path to use for the initial boot (VM only)
      --use-vip                                  use a virtual IP for the controlplane endpoint instead of the loadbalancer
      --user-disk strings                        list of disks to create for each VM in format: <mount_point1>:<size1>:<mount_point2>:<size2>
      --vmlinuz-path string                      the compressed kernel image to use (default "_out/vmlinuz-${ARCH}")
      --wait                                     wait for the cluster to be ready before returning (default true)
      --wait-timeout duration                    timeout to wait for the cluster to be ready (default 20m0s)
      --wireguard-cidr string                    CIDR of the wireguard network
      --with-apply-config                        enable apply config when the VM is starting in maintenance mode
      --with-bootloader                          enable bootloader to load kernel and initramfs from disk image after install (default true)
      --with-cluster-discovery                   enable cluster discovery (default true)
      --with-debug                               enable debug in Talos config to send service logs to the console
      --with-firewall string                     inject firewall rules into the cluster, value is default policy - accept/block (QEMU only)
      --with-init-node                           create the cluster with an init node
      --with-json-logs                           enable JSON logs receiver and configure Talos to send logs there
      --with-kubespan                            enable KubeSpan system
      --with-network-bandwidth int               specify bandwidth restriction (in kbps) on the bridge interface when creating a qemu cluster
      --with-network-chaos                       enable to use network chaos parameters when creating a qemu cluster
      --with-network-jitter duration             specify jitter on the bridge interface when creating a qemu cluster
      --with-network-latency duration            specify latency on the bridge interface when creating a qemu cluster
      --with-network-packet-corrupt float        specify percent of corrupt packets on the bridge interface when creating a qemu cluster. e.g. 50% = 0.50 (default: 0.0)
      --with-network-packet-loss float           specify percent of packet loss on the bridge interface when creating a qemu cluster. e.g. 50% = 0.50 (default: 0.0)
      --with-network-packet-reorder float        specify percent of reordered packets on the bridge interface when creating a qemu cluster. e.g. 50% = 0.50 (default: 0.0)
      --with-siderolink true                     enables the use of siderolink agent as configuration apply mechanism. true or `wireguard` enables the agent, `tunnel` enables the agent with grpc tunneling (default none)
      --with-tpm2                                enable TPM2 emulation support using swtpm
      --with-uefi                                enable UEFI on x86_64 architecture (default true)
      --with-uuid-hostnames                      use machine UUIDs as default hostnames (QEMU only)
      --workers int                              the number of workers to create (default 1)

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
      --name string          the name of the cluster (default "talos-default")
  -n, --nodes strings        target the specified nodes
      --provisioner string   Talos cluster provisioner to use (default "docker")
      --state string         directory path to store cluster state (default "/home/user/.talos/clusters")

SEE ALSO

  • talosctl cluster - A collection of commands for managing local docker-based or QEMU-based clusters

talosctl cluster destroy

Destroys a local docker-based or firecracker-based kubernetes cluster

talosctl cluster destroy [flags]

Options

  -f, --force                                   force deletion of cluster directory if there were errors
  -h, --help                                    help for destroy
      --save-cluster-logs-archive-path string   save cluster logs archive to the specified file on destroy
      --save-support-archive-path string        save support archive to the specified file on destroy

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
      --name string          the name of the cluster (default "talos-default")
  -n, --nodes strings        target the specified nodes
      --provisioner string   Talos cluster provisioner to use (default "docker")
      --state string         directory path to store cluster state (default "/home/user/.talos/clusters")
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl cluster - A collection of commands for managing local docker-based or QEMU-based clusters

talosctl cluster show

Shows info about a local provisioned kubernetes cluster

talosctl cluster show [flags]

Options

  -h, --help   help for show

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
      --name string          the name of the cluster (default "talos-default")
  -n, --nodes strings        target the specified nodes
      --provisioner string   Talos cluster provisioner to use (default "docker")
      --state string         directory path to store cluster state (default "/home/user/.talos/clusters")
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl cluster - A collection of commands for managing local docker-based or QEMU-based clusters

talosctl cluster

A collection of commands for managing local docker-based or QEMU-based clusters

Options

  -h, --help                 help for cluster
      --name string          the name of the cluster (default "talos-default")
      --provisioner string   Talos cluster provisioner to use (default "docker")
      --state string         directory path to store cluster state (default "/home/user/.talos/clusters")

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl completion

Output shell completion code for the specified shell (bash, fish or zsh)

Synopsis

Output shell completion code for the specified shell (bash, fish or zsh). The shell code must be evaluated to provide interactive completion of talosctl commands. This can be done by sourcing it from the .bash_profile.

Note for zsh users: [1] zsh completions are only supported in versions of zsh >= 5.2

talosctl completion SHELL [flags]

Examples

# Installing bash completion on macOS using homebrew
## If running Bash 3.2 included with macOS
	brew install bash-completion
## or, if running Bash 4.1+
	brew install bash-completion@2
## If talosctl is installed via homebrew, this should start working immediately.
## If you've installed via other means, you may need add the completion to your completion directory
	talosctl completion bash > $(brew --prefix)/etc/bash_completion.d/talosctl

# Installing bash completion on Linux
## If bash-completion is not installed on Linux, please install the 'bash-completion' package
## via your distribution's package manager.
## Load the talosctl completion code for bash into the current shell
	source <(talosctl completion bash)
## Write bash completion code to a file and source if from .bash_profile
	talosctl completion bash > ~/.talos/completion.bash.inc
	printf "
		# talosctl shell completion
		source '$HOME/.talos/completion.bash.inc'
		" >> $HOME/.bash_profile
	source $HOME/.bash_profile
# Load the talosctl completion code for fish[1] into the current shell
	talosctl completion fish | source
# Set the talosctl completion code for fish[1] to autoload on startup
    talosctl completion fish > ~/.config/fish/completions/talosctl.fish
# Load the talosctl completion code for zsh[1] into the current shell
	source <(talosctl completion zsh)
# Set the talosctl completion code for zsh[1] to autoload on startup
    talosctl completion zsh > "${fpath[1]}/_talosctl"

Options

  -h, --help   help for completion

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl config add

Add a new context

talosctl config add <context> [flags]

Options

      --ca string    the path to the CA certificate
      --crt string   the path to the certificate
  -h, --help         help for add
      --key string   the path to the key

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl config context

Set the current context

talosctl config context <context> [flags]

Options

  -h, --help   help for context

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl config contexts

List defined contexts

talosctl config contexts [flags]

Options

  -h, --help   help for contexts

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl config endpoint

Set the endpoint(s) for the current context

talosctl config endpoint <endpoint>... [flags]

Options

  -h, --help   help for endpoint

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl config info

Show information about the current context

talosctl config info [flags]

Options

  -h, --help            help for info
  -o, --output string   output format (json|yaml|text). Default text. (default "text")

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl config merge

Merge additional contexts from another client configuration file

Synopsis

Contexts with the same name are renamed while merging configs.

talosctl config merge <from> [flags]

Options

  -h, --help   help for merge

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl config new

Generate a new client configuration file

talosctl config new [<path>] [flags]

Options

      --crt-ttl duration   certificate TTL (default 8760h0m0s)
  -h, --help               help for new
      --roles strings      roles (default [os:admin])

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl config node

Set the node(s) for the current context

talosctl config node <endpoint>... [flags]

Options

  -h, --help   help for node

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl config remove

Remove contexts

talosctl config remove <context> [flags]

Options

      --dry-run     dry run
  -h, --help        help for remove
  -y, --noconfirm   do not ask for confirmation

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl config

Manage the client configuration file (talosconfig)

Options

  -h, --help   help for config

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl conformance kubernetes

Run Kubernetes conformance tests

talosctl conformance kubernetes [flags]

Options

  -h, --help          help for kubernetes
      --mode string   conformance test mode: [fast, certified] (default "fast")

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl conformance

Run conformance tests

Options

  -h, --help   help for conformance

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl containers

List containers

talosctl containers [flags]

Options

  -h, --help         help for containers
  -k, --kubernetes   use the k8s.io containerd namespace

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl copy

Copy data out from the node

Synopsis

Creates an .tar.gz archive at the node starting at and streams it back to the client.

If ‘-’ is given for , archive is written to stdout. Otherwise archive is extracted to which should be an empty directory or talosctl creates a directory if doesn’t exist. Command doesn’t preserve ownership and access mode for the files in extract mode, while streamed .tar archive captures ownership and permission bits.

talosctl copy <src-path> -|<local-path> [flags]

Options

  -h, --help   help for copy

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl dashboard

Cluster dashboard with node overview, logs and real-time metrics

Synopsis

Provide a text-based UI to navigate node overview, logs and real-time metrics.

Keyboard shortcuts:

  • h, <Left> - switch one node to the left
  • l, <Right> - switch one node to the right
  • j, <Down> - scroll logs/process list down
  • k, <Up> - scroll logs/process list up
  • <C-d> - scroll logs/process list half page down
  • <C-u> - scroll logs/process list half page up
  • <C-f> - scroll logs/process list one page down
  • <C-b> - scroll logs/process list one page up
talosctl dashboard [flags]

Options

  -h, --help                       help for dashboard
  -d, --update-interval duration   interval between updates (default 3s)

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl dmesg

Retrieve kernel logs

talosctl dmesg [flags]

Options

  -f, --follow   specify if the kernel log should be streamed
  -h, --help     help for dmesg
      --tail     specify if only new messages should be sent (makes sense only when combined with --follow)

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl edit

Edit a resource from the default editor.

Synopsis

The edit command allows you to directly edit any API resource you can retrieve via the command line tools.

It will open the editor defined by your TALOS_EDITOR, or EDITOR environment variables, or fall back to ‘vi’ for Linux or ’notepad’ for Windows.

talosctl edit <type> [<id>] [flags]

Options

      --dry-run                                     do not apply the change after editing and print the change summary instead
  -h, --help                                        help for edit
  -m, --mode auto, no-reboot, reboot, staged, try   apply config mode (default auto)
      --namespace string                            resource namespace (default is to use default namespace per resource)
      --timeout duration                            the config will be rolled back after specified timeout (if try mode is selected) (default 1m0s)

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl etcd alarm disarm

Disarm the etcd alarms for the node.

talosctl etcd alarm disarm [flags]

Options

  -h, --help   help for disarm

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl etcd alarm list

List the etcd alarms for the node.

talosctl etcd alarm list [flags]

Options

  -h, --help   help for list

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl etcd alarm

Manage etcd alarms

Options

  -h, --help   help for alarm

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl etcd defrag

Defragment etcd database on the node

Synopsis

Defragmentation is a maintenance operation that releases unused space from the etcd database file. Defragmentation is a resource heavy operation and should be performed only when necessary on a single node at a time.

talosctl etcd defrag [flags]

Options

  -h, --help   help for defrag

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl etcd forfeit-leadership

Tell node to forfeit etcd cluster leadership

talosctl etcd forfeit-leadership [flags]

Options

  -h, --help   help for forfeit-leadership

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl etcd leave

Tell nodes to leave etcd cluster

talosctl etcd leave [flags]

Options

  -h, --help   help for leave

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl etcd members

Get the list of etcd cluster members

talosctl etcd members [flags]

Options

  -h, --help   help for members

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl etcd remove-member

Remove the node from etcd cluster

Synopsis

Use this command only if you want to remove a member which is in broken state. If there is no access to the node, or the node can’t access etcd to call etcd leave. Always prefer etcd leave over this command.

talosctl etcd remove-member <member ID> [flags]

Options

  -h, --help   help for remove-member

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl etcd snapshot

Stream snapshot of the etcd node to the path.

talosctl etcd snapshot <path> [flags]

Options

  -h, --help   help for snapshot

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl etcd status

Get the status of etcd cluster member

Synopsis

Returns the status of etcd member on the node, use multiple nodes to get status of all members.

talosctl etcd status [flags]

Options

  -h, --help   help for status

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl etcd

Manage etcd

Options

  -h, --help   help for etcd

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl events

Stream runtime events

talosctl events [flags]

Options

      --actor-id string     filter events by the specified actor ID (default is no filter)
      --duration duration   show events for the past duration interval (one second resolution, default is to show no history)
  -h, --help                help for events
      --since string        show events after the specified event ID (default is to show no history)
      --tail int32          show specified number of past events (use -1 to show full history, default is to show no history)

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl gen ca

Generates a self-signed X.509 certificate authority

talosctl gen ca [flags]

Options

  -h, --help                  help for ca
      --hours int             the hours from now on which the certificate validity period ends (default 87600)
      --organization string   X.509 distinguished name for the Organization
      --rsa                   generate in RSA format

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -f, --force                will overwrite existing files
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl gen config

Generates a set of configuration files for Talos cluster

Synopsis

The cluster endpoint is the URL for the Kubernetes API. If you decide to use a control plane node, common in a single node control plane setup, use port 6443 as this is the port that the API server binds to on every control plane node. For an HA setup, usually involving a load balancer, use the IP and port of the load balancer.

talosctl gen config <cluster name> <cluster endpoint> [flags]

Options

      --additional-sans strings                  additional Subject-Alt-Names for the APIServer certificate
      --config-patch stringArray                 patch generated machineconfigs (applied to all node types), use @file to read a patch from file
      --config-patch-control-plane stringArray   patch generated machineconfigs (applied to 'init' and 'controlplane' types)
      --config-patch-worker stringArray          patch generated machineconfigs (applied to 'worker' type)
      --dns-domain string                        the dns domain to use for cluster (default "cluster.local")
  -h, --help                                     help for config
      --install-disk string                      the disk to install to (default "/dev/sda")
      --install-image string                     the image used to perform an installation (default "ghcr.io/siderolabs/installer:latest")
      --kubernetes-version string                desired kubernetes version to run (default "1.32.0")
  -o, --output string                            destination to output generated files. when multiple output types are specified, it must be a directory. for a single output type, it must either be a file path, or "-" for stdout
  -t, --output-types strings                     types of outputs to be generated. valid types are: ["controlplane" "worker" "talosconfig"] (default [controlplane,worker,talosconfig])
  -p, --persist                                  the desired persist value for configs (default true)
      --registry-mirror strings                  list of registry mirrors to use in format: <registry host>=<mirror URL>
      --talos-version string                     the desired Talos version to generate config for (backwards compatibility, e.g. v0.8)
      --version string                           the desired machine config version to generate (default "v1alpha1")
      --with-cluster-discovery                   enable cluster discovery feature (default true)
      --with-docs                                renders all machine configs adding the documentation for each field (default true)
      --with-examples                            renders all machine configs with the commented examples (default true)
      --with-kubespan                            enable KubeSpan feature
      --with-secrets string                      use a secrets file generated using 'gen secrets'

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -f, --force                will overwrite existing files
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl gen crt

Generates an X.509 Ed25519 certificate

talosctl gen crt [flags]

Options

      --ca string     path to the PEM encoded CERTIFICATE
      --csr string    path to the PEM encoded CERTIFICATE REQUEST
  -h, --help          help for crt
      --hours int     the hours from now on which the certificate validity period ends (default 24)
      --name string   the basename of the generated file

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -f, --force                will overwrite existing files
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl gen csr

Generates a CSR using an Ed25519 private key

talosctl gen csr [flags]

Options

  -h, --help            help for csr
      --ip string       generate the certificate for this IP address
      --key string      path to the PEM encoded EC or RSA PRIVATE KEY
      --roles strings   roles (default [os:admin])

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -f, --force                will overwrite existing files
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl gen key

Generates an Ed25519 private key

talosctl gen key [flags]

Options

  -h, --help          help for key
      --name string   the basename of the generated file

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -f, --force                will overwrite existing files
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl gen keypair

Generates an X.509 Ed25519 key pair

talosctl gen keypair [flags]

Options

  -h, --help                  help for keypair
      --ip string             generate the certificate for this IP address
      --organization string   X.509 distinguished name for the Organization

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -f, --force                will overwrite existing files
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl gen secrets

Generates a secrets bundle file which can later be used to generate a config

talosctl gen secrets [flags]

Options

      --from-controlplane-config string     use the provided controlplane Talos machine configuration as input
  -p, --from-kubernetes-pki string          use a Kubernetes PKI directory (e.g. /etc/kubernetes/pki) as input
  -h, --help                                help for secrets
  -t, --kubernetes-bootstrap-token string   use the provided bootstrap token as input
  -o, --output-file string                  path of the output file (default "secrets.yaml")
      --talos-version string                the desired Talos version to generate secrets bundle for (backwards compatibility, e.g. v0.8)

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -f, --force                will overwrite existing files
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl gen secureboot database

Generates a UEFI database to enroll the signing certificate

talosctl gen secureboot database [flags]

Options

      --enrolled-certificate string     path to the certificate to enroll (default "_out/uki-signing-cert.pem")
  -h, --help                            help for database
      --include-well-known-uefi-certs   include well-known UEFI (Microsoft) certificates in the database
      --signing-certificate string      path to the certificate used to sign the database (default "_out/uki-signing-cert.pem")
      --signing-key string              path to the key used to sign the database (default "_out/uki-signing-key.pem")

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -f, --force                will overwrite existing files
  -n, --nodes strings        target the specified nodes
  -o, --output string        path to the directory storing the generated files (default "_out")
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl gen secureboot pcr

Generates a key which is used to sign TPM PCR values

talosctl gen secureboot pcr [flags]

Options

  -h, --help   help for pcr

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -f, --force                will overwrite existing files
  -n, --nodes strings        target the specified nodes
  -o, --output string        path to the directory storing the generated files (default "_out")
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl gen secureboot uki

Generates a certificate which is used to sign boot assets (UKI)

talosctl gen secureboot uki [flags]

Options

      --common-name string   common name for the certificate (default "Test UKI Signing Key")
  -h, --help                 help for uki

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -f, --force                will overwrite existing files
  -n, --nodes strings        target the specified nodes
  -o, --output string        path to the directory storing the generated files (default "_out")
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl gen secureboot

Generates secrets for the SecureBoot process

Options

  -h, --help            help for secureboot
  -o, --output string   path to the directory storing the generated files (default "_out")

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -f, --force                will overwrite existing files
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl gen

Generate CAs, certificates, and private keys

Options

  -f, --force   will overwrite existing files
  -h, --help    help for gen

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl get

Get a specific resource or list of resources (use ’talosctl get rd’ to see all available resource types).

Synopsis

Similar to ‘kubectl get’, ’talosctl get’ returns a set of resources from the OS. To get a list of all available resource definitions, issue ’talosctl get rd’

talosctl get <type> [<id>] [flags]

Options

  -h, --help               help for get
  -i, --insecure           get resources using the insecure (encrypted with no auth) maintenance service
      --namespace string   resource namespace (default is to use default namespace per resource)
  -o, --output string      output mode (json, table, yaml, jsonpath) (default "table")
  -w, --watch              watch resource changes

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl health

Check cluster health

talosctl health [flags]

Options

      --control-plane-nodes strings   specify IPs of control plane nodes
  -h, --help                          help for health
      --init-node string              specify IPs of init node
      --k8s-endpoint string           use endpoint instead of kubeconfig default
      --run-e2e                       run Kubernetes e2e test
      --server                        run server-side check (default true)
      --wait-timeout duration         timeout to wait for the cluster to be ready (default 20m0s)
      --worker-nodes strings          specify IPs of worker nodes

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl image cache-create

Create a cache of images in OCI format into a directory

Synopsis

Create a cache of images in OCI format into a directory

talosctl image cache-create [flags]

Examples

talosctl images cache-create --images=ghcr.io/siderolabs/kubelet:1.32.0 --image-cache-path=/tmp/talos-image-cache

Alternatively, stdin can be piped to the command:
talosctl images default | talosctl images cache-create --image-cache-path=/tmp/talos-image-cache --images=-

Options

      --force                           force overwrite of existing image cache
  -h, --help                            help for cache-create
      --image-cache-path string         directory to save the image cache in OCI format
      --image-layer-cache-path string   directory to save the image layer cache
      --images strings                  images to cache
      --insecure                        allow insecure registries
      --platform string                 platform to use for the cache (default "linux/amd64")

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
      --namespace system     namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri")
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl image default

List the default images used by Talos

talosctl image default [flags]

Options

  -h, --help   help for default

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
      --namespace system     namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri")
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl image list

List CRI images

talosctl image list [flags]

Options

  -h, --help   help for list

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
      --namespace system     namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri")
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl image pull

Pull an image into CRI

talosctl image pull <image> [flags]

Options

  -h, --help   help for pull

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
      --namespace system     namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri")
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl image

Manage CRI container images

Options

  -h, --help               help for image
      --namespace system   namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri")

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl inject serviceaccount

Inject Talos API ServiceAccount into Kubernetes manifests

talosctl inject serviceaccount [--roles='<ROLE_1>,<ROLE_2>'] -f <manifest.yaml> [flags]

Examples

talosctl inject serviceaccount --roles="os:admin" -f deployment.yaml > deployment-injected.yaml

Alternatively, stdin can be piped to the command:
cat deployment.yaml | talosctl inject serviceaccount --roles="os:admin" -f - > deployment-injected.yaml

Options

  -f, --file string     file with Kubernetes manifests to be injected with ServiceAccount
  -h, --help            help for serviceaccount
  -r, --roles strings   roles to add to the generated ServiceAccount manifests (default [os:reader])

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl inject

Inject Talos API resources into Kubernetes manifests

Options

  -h, --help   help for inject

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl inspect dependencies

Inspect controller-resource dependencies as graphviz graph.

Synopsis

Inspect controller-resource dependencies as graphviz graph.

Pipe the output of the command through the “dot” program (part of graphviz package) to render the graph:

talosctl inspect dependencies | dot -Tpng > graph.png
talosctl inspect dependencies [flags]

Options

  -h, --help             help for dependencies
      --with-resources   display live resource information with dependencies

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl inspect

Inspect internals of Talos

Options

  -h, --help   help for inspect

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl kubeconfig

Download the admin kubeconfig from the node

Synopsis

Download the admin kubeconfig from the node. If merge flag is defined, config will be merged with ~/.kube/config or [local-path] if specified. Otherwise kubeconfig will be written to PWD or [local-path] if specified.

talosctl kubeconfig [local-path] [flags]

Options

  -f, --force                       Force overwrite of kubeconfig if already present, force overwrite on kubeconfig merge
      --force-context-name string   Force context name for kubeconfig merge
  -h, --help                        help for kubeconfig
  -m, --merge                       Merge with existing kubeconfig (default true)

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl list

Retrieve a directory listing

talosctl list [path] [flags]

Options

  -d, --depth int32    maximum recursion depth (default 1)
  -h, --help           help for list
  -H, --humanize       humanize size and time in the output
  -l, --long           display additional file details
  -r, --recurse        recurse into subdirectories
  -t, --type strings   filter by specified types:
                       f	regular file
                       d	directory
                       l, L	symbolic link

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl logs

Retrieve logs for a service

talosctl logs <service name> [flags]

Options

  -f, --follow       specify if the logs should be streamed
  -h, --help         help for logs
  -k, --kubernetes   use the k8s.io containerd namespace
      --tail int32   lines of log file to display (default is to show from the beginning) (default -1)

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl machineconfig gen

Generates a set of configuration files for Talos cluster

Synopsis

The cluster endpoint is the URL for the Kubernetes API. If you decide to use a control plane node, common in a single node control plane setup, use port 6443 as this is the port that the API server binds to on every control plane node. For an HA setup, usually involving a load balancer, use the IP and port of the load balancer.

talosctl machineconfig gen <cluster name> <cluster endpoint> [flags]

Options

  -h, --help   help for gen

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl machineconfig patch

Patch a machine config

talosctl machineconfig patch <machineconfig-file> [flags]

Options

  -h, --help                help for patch
  -o, --output string       output destination. if not specified, output will be printed to stdout
  -p, --patch stringArray   patch generated machineconfigs (applied to all node types), use @file to read a patch from file

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl machineconfig

Machine config related commands

Options

  -h, --help   help for machineconfig

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl memory

Show memory usage

talosctl memory [flags]

Options

  -h, --help      help for memory
  -v, --verbose   display extended memory statistics

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl meta delete

Delete a key from the META partition.

talosctl meta delete key [flags]

Options

  -h, --help   help for delete

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -i, --insecure             write|delete meta using the insecure (encrypted with no auth) maintenance service
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl meta write

Write a key-value pair to the META partition.

talosctl meta write key value [flags]

Options

  -h, --help   help for write

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -i, --insecure             write|delete meta using the insecure (encrypted with no auth) maintenance service
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl meta

Write and delete keys in the META partition

Options

  -h, --help       help for meta
  -i, --insecure   write|delete meta using the insecure (encrypted with no auth) maintenance service

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl mounts

List mounts

talosctl mounts [flags]

Options

  -h, --help   help for mounts

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl netstat

Show network connections and sockets

Synopsis

Show network connections and sockets.

You can pass an optional argument to view a specific pod’s connections. To do this, format the argument as “namespace/pod”. Note that only pods with a pod network namespace are allowed. If you don’t pass an argument, the command will show host connections.

talosctl netstat [flags]

Options

  -a, --all         display all sockets states (default: connected)
  -x, --extend      show detailed socket information
  -h, --help        help for netstat
  -4, --ipv4        display only ipv4 sockets
  -6, --ipv6        display only ipv6 sockets
  -l, --listening   display listening server sockets
  -k, --pods        show sockets used by Kubernetes pods
  -p, --programs    show process using socket
  -w, --raw         display only RAW sockets
  -t, --tcp         display only TCP sockets
  -o, --timers      display timers
  -u, --udp         display only UDP sockets
  -U, --udplite     display only UDPLite sockets
  -v, --verbose     display sockets of all supported transport protocols

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl patch

Update field(s) of a resource using a JSON patch.

talosctl patch <type> [<id>] [flags]

Options

      --dry-run                                     print the change summary and patch preview without applying the changes
  -h, --help                                        help for patch
  -m, --mode auto, no-reboot, reboot, staged, try   apply config mode (default auto)
      --namespace string                            resource namespace (default is to use default namespace per resource)
  -p, --patch stringArray                           the patch to be applied to the resource file, use @file to read a patch from file.
      --patch-file string                           a file containing a patch to be applied to the resource.
      --timeout duration                            the config will be rolled back after specified timeout (if try mode is selected) (default 1m0s)

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl pcap

Capture the network packets from the node.

Synopsis

The command launches packet capture on the node and streams back the packets as raw pcap file.

Default behavior is to decode the packets with internal decoder to stdout:

talosctl pcap -i eth0

Raw pcap file can be saved with --output flag:

talosctl pcap -i eth0 --output eth0.pcap

Output can be piped to tcpdump:

talosctl pcap -i eth0 -o - | tcpdump -vvv -r -

BPF filter can be applied, but it has to compiled to BPF instructions first using tcpdump. Correct link type should be specified for the tcpdump: EN10MB for Ethernet links and RAW for e.g. Wireguard tunnels:

talosctl pcap -i eth0 --bpf-filter "$(tcpdump -dd -y EN10MB 'tcp and dst port 80')"

talosctl pcap -i kubespan --bpf-filter "$(tcpdump -dd -y RAW 'port 50000')"

As packet capture is transmitted over the network, it is recommended to filter out the Talos API traffic, e.g. by excluding packets with the port 50000.

talosctl pcap [flags]

Options

      --bpf-filter string   bpf filter to apply, tcpdump -dd format
      --duration duration   duration of the capture
  -h, --help                help for pcap
  -i, --interface string    interface name to capture packets on (default "eth0")
  -o, --output string       if not set, decode packets to stdout; if set write raw pcap data to a file, use '-' for stdout
      --promiscuous         put interface into promiscuous mode

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl processes

List running processes

talosctl processes [flags]

Options

  -h, --help          help for processes
  -s, --sort string   Column to sort output by. [rss|cpu] (default "rss")
  -w, --watch         Stream running processes

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl read

Read a file on the machine

talosctl read <path> [flags]

Options

  -h, --help   help for read

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl reboot

Reboot a node

talosctl reboot [flags]

Options

      --debug              debug operation from kernel logs. --wait is set to true when this flag is set
  -h, --help               help for reboot
  -m, --mode string        select the reboot mode: "default", "powercycle" (skips kexec) (default "default")
      --timeout duration   time to wait for the operation is complete if --debug or --wait is set (default 30m0s)
      --wait               wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true)

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl reset

Reset a node

talosctl reset [flags]

Options

      --debug                                    debug operation from kernel logs. --wait is set to true when this flag is set
      --graceful                                 if true, attempt to cordon/drain node and leave etcd (if applicable) (default true)
  -h, --help                                     help for reset
      --insecure                                 reset using the insecure (encrypted with no auth) maintenance service
      --reboot                                   if true, reboot the node after resetting instead of shutting down
      --system-labels-to-wipe strings            if set, just wipe selected system disk partitions by label but keep other partitions intact
      --timeout duration                         time to wait for the operation is complete if --debug or --wait is set (default 30m0s)
      --user-disks-to-wipe strings               if set, wipes defined devices in the list
      --wait                                     wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true)
      --wipe-mode all, system-disk, user-disks   disk reset mode (default all)

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl restart

Restart a process

talosctl restart <id> [flags]

Options

  -h, --help         help for restart
  -k, --kubernetes   use the k8s.io containerd namespace

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl rollback

Rollback a node to the previous installation

talosctl rollback [flags]

Options

  -h, --help   help for rollback

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl rotate-ca

Rotate cluster CAs (Talos and Kubernetes APIs).

Synopsis

The command can rotate both Talos and Kubernetes root CAs (for the API). By default both CAs are rotated, but you can choose to rotate just one or another. The command starts by generating new CAs, and gracefully applying it to the cluster.

For Kubernetes, the command only rotates the API server issuing CA, and other Kubernetes PKI can be rotated by applying machine config changes to the controlplane nodes.

talosctl rotate-ca [flags]

Options

      --control-plane-nodes strings   specify IPs of control plane nodes
      --dry-run                       dry-run mode (no changes to the cluster) (default true)
  -h, --help                          help for rotate-ca
      --init-node string              specify IPs of init node
      --k8s-endpoint string           use endpoint instead of kubeconfig default
      --kubernetes                    rotate Kubernetes API CA (default true)
  -o, --output talosconfig            path to the output new talosconfig (default "talosconfig")
      --talos                         rotate Talos API CA (default true)
      --with-docs                     patch all machine configs adding the documentation for each field (default true)
      --with-examples                 patch all machine configs with the commented examples (default true)
      --worker-nodes strings          specify IPs of worker nodes

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl service

Retrieve the state of a service (or all services), control service state

Synopsis

Service control command. If run without arguments, lists all the services and their state. If service ID is specified, default action ‘status’ is executed which shows status of a single list service. With actions ‘start’, ‘stop’, ‘restart’, service state is updated respectively.

talosctl service [<id> [start|stop|restart|status]] [flags]

Options

  -h, --help   help for service

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl shutdown

Shutdown a node

talosctl shutdown [flags]

Options

      --debug              debug operation from kernel logs. --wait is set to true when this flag is set
      --force              if true, force a node to shutdown without a cordon/drain
  -h, --help               help for shutdown
      --timeout duration   time to wait for the operation is complete if --debug or --wait is set (default 30m0s)
      --wait               wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true)

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl stats

Get container stats

talosctl stats [flags]

Options

  -h, --help         help for stats
  -k, --kubernetes   use the k8s.io containerd namespace

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl support

Dump debug information about the cluster

Synopsis

Generated bundle contains the following debug information:

  • For each node:

    • Kernel logs.
    • All Talos internal services logs.
    • All kube-system pods logs.
    • Talos COSI resources without secrets.
    • COSI runtime state graph.
    • Processes snapshot.
    • IO pressure snapshot.
    • Mounts list.
    • PCI devices info.
    • Talos version.
  • For the cluster:

    • Kubernetes nodes and kube-system pods manifests.
talosctl support [flags]

Options

  -h, --help              help for support
  -w, --num-workers int   number of workers per node (default 1)
  -O, --output string     output file to write support archive to
  -v, --verbose           verbose output

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl time

Gets current server time

talosctl time [--check server] [flags]

Options

  -c, --check string   checks server time against specified ntp server
  -h, --help           help for time

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl upgrade

Upgrade Talos on the target node

talosctl upgrade [flags]

Options

      --debug                debug operation from kernel logs. --wait is set to true when this flag is set
  -f, --force                force the upgrade (skip checks on etcd health and members, might lead to data loss)
  -h, --help                 help for upgrade
  -i, --image string         the container image to use for performing the install (default "ghcr.io/siderolabs/installer:v1.9.0-alpha.3")
      --insecure             upgrade using the insecure (encrypted with no auth) maintenance service
  -m, --reboot-mode string   select the reboot mode during upgrade. Mode "powercycle" bypasses kexec. Valid values are: ["default" "powercycle"]. (default "default")
  -s, --stage                stage the upgrade to perform it after a reboot
      --timeout duration     time to wait for the operation is complete if --debug or --wait is set (default 30m0s)
      --wait                 wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true)

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl upgrade-k8s

Upgrade Kubernetes control plane in the Talos cluster.

Synopsis

Command runs upgrade of Kubernetes control plane components between specified versions.

talosctl upgrade-k8s [flags]

Options

      --apiserver-image string            kube-apiserver image to use (default "registry.k8s.io/kube-apiserver")
      --controller-manager-image string   kube-controller-manager image to use (default "registry.k8s.io/kube-controller-manager")
      --dry-run                           skip the actual upgrade and show the upgrade plan instead
      --endpoint string                   the cluster control plane endpoint
      --from string                       the Kubernetes control plane version to upgrade from
  -h, --help                              help for upgrade-k8s
      --kubelet-image string              kubelet image to use (default "ghcr.io/siderolabs/kubelet")
      --pre-pull-images                   pre-pull images before upgrade (default true)
      --proxy-image string                kube-proxy image to use (default "registry.k8s.io/kube-proxy")
      --scheduler-image string            kube-scheduler image to use (default "registry.k8s.io/kube-scheduler")
      --to string                         the Kubernetes control plane version to upgrade to (default "1.32.0")
      --upgrade-kubelet                   upgrade kubelet service (default true)
      --with-docs                         patch all machine configs adding the documentation for each field (default true)
      --with-examples                     patch all machine configs with the commented examples (default true)

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl usage

Retrieve a disk usage

talosctl usage [path1] [path2] ... [pathN] [flags]

Options

  -a, --all             write counts for all files, not just directories
  -d, --depth int32     maximum recursion depth
  -h, --help            help for usage
  -H, --humanize        humanize size and time in the output
  -t, --threshold int   threshold exclude entries smaller than SIZE if positive, or entries greater than SIZE if negative

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl validate

Validate config

talosctl validate [flags]

Options

  -c, --config string   the path of the config file
  -h, --help            help for validate
  -m, --mode string     the mode to validate the config for (valid values are metal, cloud, and container)
      --strict          treat validation warnings as errors

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl version

Prints the version

talosctl version [flags]

Options

      --client     Print client version only
  -h, --help       help for version
  -i, --insecure   use Talos maintenance mode API
      --short      Print the short version

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos

talosctl wipe disk

Wipe a block device (disk or partition) which is not used as a volume

Synopsis

Wipe a block device (disk or partition) which is not used as a volume.

Use device names as arguments, for example: vda or sda5.

talosctl wipe disk <device names>... [flags]

Options

  -h, --help            help for disk
      --method string   wipe method to use [FAST ZEROES] (default "FAST")

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

talosctl wipe

Wipe block device or volumes

Options

  -h, --help   help for wipe

Options inherited from parent commands

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

  • talosctl - A CLI for out-of-band management of Kubernetes nodes created by Talos
  • talosctl wipe disk - Wipe a block device (disk or partition) which is not used as a volume

talosctl

A CLI for out-of-band management of Kubernetes nodes created by Talos

Options

      --cluster string       Cluster to connect to if a proxy endpoint is used.
      --context string       Context to be used in command
  -e, --endpoints strings    override default endpoints in Talos configuration
  -h, --help                 help for talosctl
  -n, --nodes strings        target the specified nodes
      --talosconfig string   The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.

SEE ALSO

3 - Configuration

Talos Linux machine configuration reference.

Talos Linux machine is fully configured via a single YAML file called machine configuration.

The file might contain one or more configuration documents separated by --- (three dashes) lines. At the moment, majority of the configuration options are within the v1alpha1 document, so this is the only mandatory document in the configuration file.

Configuration documents might be named (contain a name: field) or unnamed. Unnamed documents can be supplied to the machine configuration file only once, while named documents can be supplied multiple times with unique names.

The v1alpha1 document has its own (legacy) structure, while every other document has the following set of fields:

apiVersion: v1alpha1 # version of the document
kind: NetworkRuleConfig # type of document
name: rule1 # only for named documents

This section contains the configuration reference, to learn more about Talos Linux machine configuration management, please see:

3.1 - block

Package block provides block device and volume configuration documents.

3.1.1 - VolumeConfig

VolumeConfig is a volume configuration document.
apiVersion: v1alpha1
kind: VolumeConfig
name: EPHEMERAL # Name of the volume.
# The provisioning describes how the volume is provisioned.
provisioning:
    # The disk selector expression.
    diskSelector:
        match: disk.transport == "nvme" # The Common Expression Language (CEL) expression to match the disk.
    maxSize: 50GiB # The maximum size of the volume, if not specified the volume can grow to the size of the

    # # The minimum size of the volume.
    # minSize: 2.5GiB
FieldTypeDescriptionValue(s)
namestringName of the volume.
provisioningProvisioningSpecThe provisioning describes how the volume is provisioned.

provisioning

ProvisioningSpec describes how the volume is provisioned.

FieldTypeDescriptionValue(s)
diskSelectorDiskSelectorThe disk selector expression.
growboolShould the volume grow to the size of the disk (if possible).
minSizeByteSize
The minimum size of the volume.
Size is specified in bytes, but can be expressed in human readable format, e.g. 100MB.
Show example(s)
minSize: 2.5GiB
maxSizeByteSize
The maximum size of the volume, if not specified the volume can grow to the size of thedisk.

Size is specified in bytes, but can be expressed in human readable format, e.g. 100MB.
Show example(s)
maxSize: 50GiB

diskSelector

DiskSelector selects a disk for the volume.

FieldTypeDescriptionValue(s)
matchExpressionThe Common Expression Language (CEL) expression to match the disk.
Show example(s)
match: disk.size > 120u * GB && disk.size < 1u * TB
match: disk.transport == "sata" && !disk.rotational && !system_disk

3.2 - extensions

Package extensions provides extensions config documents.

3.2.1 - ExtensionServiceConfig

ExtensionServiceConfig is a extensionserviceconfig document.
apiVersion: v1alpha1
kind: ExtensionServiceConfig
name: nut-client # Name of the extension service.
# The config files for the extension service.
configFiles:
    - content: MONITOR ${upsmonHost} 1 remote username password # The content of the extension service config file.
      mountPath: /usr/local/etc/nut/upsmon.conf # The mount path of the extension service config file.
# The environment for the extension service.
environment:
    - NUT_UPS=upsname
FieldTypeDescriptionValue(s)
namestringName of the extension service.
configFiles[]ConfigFileThe config files for the extension service.
environment[]stringThe environment for the extension service.

configFiles[]

ConfigFile is a config file for extension services.

FieldTypeDescriptionValue(s)
contentstringThe content of the extension service config file.
mountPathstringThe mount path of the extension service config file.

3.3 - network

Package network provides network machine configuration documents.

3.3.1 - KubeSpanEndpointsConfig

KubeSpanEndpointsConfig is a config document to configure KubeSpan endpoints.
apiVersion: v1alpha1
kind: KubeSpanEndpointsConfig
# A list of extra Wireguard endpoints to announce from this machine.
extraAnnouncedEndpoints:
    - 192.168.13.46:52000
FieldTypeDescriptionValue(s)
extraAnnouncedEndpoints[]AddrPort
A list of extra Wireguard endpoints to announce from this machine.
Talos automatically adds endpoints based on machine addresses, public IP, etc.
This field allows to add extra endpoints which are managed outside of Talos, e.g. NAT mapping.

3.3.2 - NetworkDefaultActionConfig

NetworkDefaultActionConfig is a ingress firewall default action configuration document.
apiVersion: v1alpha1
kind: NetworkDefaultActionConfig
ingress: accept # Default action for all not explicitly configured ingress traffic: accept or block.
FieldTypeDescriptionValue(s)
ingressDefaultActionDefault action for all not explicitly configured ingress traffic: accept or block.accept
block

3.3.3 - NetworkRuleConfig

NetworkRuleConfig is a network firewall rule config document.
apiVersion: v1alpha1
kind: NetworkRuleConfig
name: ingress-apid # Name of the config document.
# Port selector defines which ports and protocols on the host are affected by the rule.
portSelector:
    # Ports defines a list of port ranges or single ports.
    ports:
        - 50000
    protocol: tcp # Protocol defines traffic protocol (e.g. TCP or UDP).
# Ingress defines which source subnets are allowed to access the host ports/protocols defined by the `portSelector`.
ingress:
    - subnet: 192.168.0.0/16 # Subnet defines a source subnet.
FieldTypeDescriptionValue(s)
namestringName of the config document.
portSelectorRulePortSelectorPort selector defines which ports and protocols on the host are affected by the rule.
ingress[]IngressRuleIngress defines which source subnets are allowed to access the host ports/protocols defined by the portSelector.

portSelector

RulePortSelector is a port selector for the network rule.

FieldTypeDescriptionValue(s)
portsPortRanges
Ports defines a list of port ranges or single ports.The port ranges are inclusive, and should not overlap.
Show example(s)
ports:
    - 80
    - 443
ports:
    - 1200-1299
    - 8080
protocolProtocolProtocol defines traffic protocol (e.g. TCP or UDP).tcp
udp
icmp
icmpv6

ingress[]

IngressRule is a ingress rule.

FieldTypeDescriptionValue(s)
subnetPrefixSubnet defines a source subnet.
Show example(s)
subnet: 10.3.4.0/24
subnet: 2001:db8::/32
subnet: 1.3.4.5/32
exceptPrefixExcept defines a source subnet to exclude from the rule, it gets excluded from the subnet.

3.4 - runtime

Package runtime provides runtime machine configuration documents.

3.4.1 - EventSinkConfig

EventSinkConfig is a event sink config document.
apiVersion: v1alpha1
kind: EventSinkConfig
endpoint: 192.168.10.3:3247 # The endpoint for the event sink as 'host:port'.
FieldTypeDescriptionValue(s)
endpointstringThe endpoint for the event sink as ‘host:port’.
Show example(s)
endpoint: 10.3.7.3:2810

3.4.2 - KmsgLogConfig

KmsgLogConfig is a event sink config document.
apiVersion: v1alpha1
kind: KmsgLogConfig
name: remote-log # Name of the config document.
url: tcp://192.168.3.7:3478/ # The URL encodes the log destination.
FieldTypeDescriptionValue(s)
namestringName of the config document.
urlURL
The URL encodes the log destination.The scheme must be tcp:// or udp://.
The path must be empty.
The port is required.
Show example(s)
url: udp://10.3.7.3:2810

3.4.3 - WatchdogTimerConfig

WatchdogTimerConfig is a watchdog timer config document.
apiVersion: v1alpha1
kind: WatchdogTimerConfig
device: /dev/watchdog0 # Path to the watchdog device.
timeout: 2m0s # Timeout for the watchdog.
FieldTypeDescriptionValue(s)
devicestringPath to the watchdog device.
Show example(s)
device: /dev/watchdog0
timeoutDuration
Timeout for the watchdog.
If Talos is unresponsive for this duration, the watchdog will reset the system.

Default value is 1 minute, minimum value is 10 seconds.

3.5 - security

Package security provides security-related machine configuration documents.

3.5.1 - TrustedRootsConfig

TrustedRootsConfig allows to configure additional trusted CA roots.
apiVersion: v1alpha1
kind: TrustedRootsConfig
name: my-enterprise-ca # Name of the config document.
certificates: | # List of additional trusted certificate authorities (as PEM-encoded certificates).
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
FieldTypeDescriptionValue(s)
namestringName of the config document.
certificatesstring
List of additional trusted certificate authorities (as PEM-encoded certificates).
Multiple certificates can be provided in a single config document, separated by newline characters.

3.6 - siderolink

Package siderolink provides SideroLink machine configuration documents.

3.6.1 - SideroLinkConfig

SideroLinkConfig is a SideroLink connection machine configuration document.
apiVersion: v1alpha1
kind: SideroLinkConfig
apiUrl: https://siderolink.api/join?token=secret # SideroLink API URL to connect to.
FieldTypeDescriptionValue(s)
apiUrlURLSideroLink API URL to connect to.
Show example(s)
apiUrl: https://siderolink.api/join?token=secret

3.7 - v1alpha1

Package v1alpha1 contains definition of the v1alpha1 configuration document.

Even though the machine configuration in Talos Linux is multi-document, at the moment this configuration document contains most of the configuration options.

It is expected that new configuration options will be added as new documents, and existing ones migrated to their own documents.

3.7.1 - Config

Config defines the v1alpha1.Config Talos machine configuration document.
version: v1alpha1
machine: # ...
cluster: # ...
FieldTypeDescriptionValue(s)
versionstringIndicates the schema used to decode the contents.v1alpha1
debugbool
Enable verbose logging to the console.All system containers logs will flow into serial console.

Note: To avoid breaking Talos bootstrap flow enable this option only if serial console can handle high message throughput.
true
yes
false
no
machineMachineConfigProvides machine specific configuration options.
clusterClusterConfigProvides cluster specific configuration options.

machine

MachineConfig represents the machine-specific config values.

machine:
    type: controlplane
    # InstallConfig represents the installation options for preparing a node.
    install:
        disk: /dev/sda # The disk used for installations.
        # Allows for supplying extra kernel args via the bootloader.
        extraKernelArgs:
            - console=ttyS1
            - panic=10
        image: ghcr.io/siderolabs/installer:latest # Allows for supplying the image used to perform the installation.
        wipe: false # Indicates if the installation disk should be wiped at installation time.

        # # Look up disk using disk attributes like model, size, serial and others.
        # diskSelector:
        #     size: 4GB # Disk size.
        #     model: WDC* # Disk model `/sys/block/<dev>/device/model`.
        #     busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.

        # # Allows for supplying additional system extension images to install on top of base Talos image.
        # extensions:
        #     - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image.
FieldTypeDescriptionValue(s)
typestring
Defines the role of the machine within the cluster.
Control Plane

Control Plane node type designates the node as a control plane member.
This means it will host etcd along with the Kubernetes controlplane components such as API Server, Controller Manager, Scheduler.

Worker

Worker node type designates the node as a worker node.
This means it will be an available compute node for scheduling workloads.

This node type was previously known as “join”; that value is still supported but deprecated.
controlplane
worker
tokenstring
The token is used by a machine to join the PKI of the cluster.Using this token, a machine will create a certificate signing request (CSR), and request a certificate that will be used as its’ identity.
Show example(s)
token: 328hom.uqjzh6jnn2eie9oi
caPEMEncodedCertificateAndKey
The root certificate authority of the PKI.It is composed of a base64 encoded crt and key.
Show example(s)
ca:
    crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
    key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
acceptedCAs[]PEMEncodedCertificate
The certificates issued by certificate authorities are accepted in addition to issuing ‘ca’.It is composed of a base64 encoded `crt``.
certSANs[]string
Extra certificate subject alternative names for the machine’s certificate.By default, all non-loopback interface IPs are automatically added to the certificate’s SANs.
Show example(s)
certSANs:
    - 10.0.0.10
    - 172.16.0.10
    - 192.168.0.10
controlPlaneMachineControlPlaneConfigProvides machine specific control plane configuration options.
Show example(s)
controlPlane:
    # Controller manager machine specific configuration options.
    controllerManager:
        disabled: false # Disable kube-controller-manager on the node.
    # Scheduler machine specific configuration options.
    scheduler:
        disabled: true # Disable kube-scheduler on the node.
kubeletKubeletConfigUsed to provide additional options to the kubelet.
Show example(s)
kubelet:
    image: ghcr.io/siderolabs/kubelet:v1.32.0 # The `image` field is an optional reference to an alternative kubelet image.
    # The `extraArgs` field is used to provide additional flags to the kubelet.
    extraArgs:
        feature-gates: ServerSideApply=true

    # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
    # clusterDNS:
    #     - 10.96.0.10
    #     - 169.254.2.53

    # # The `extraMounts` field is used to add additional mounts to the kubelet container.
    # extraMounts:
    #     - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
    #       type: bind # Type specifies the mount kind.
    #       source: /var/lib/example # Source specifies the source path of the mount.
    #       # Options are fstab style mount options.
    #       options:
    #         - bind
    #         - rshared
    #         - rw

    # # The `extraConfig` field is used to provide kubelet configuration overrides.
    # extraConfig:
    #     serverTLSBootstrap: true

    # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.
    # credentialProviderConfig:
    #     apiVersion: kubelet.config.k8s.io/v1
    #     kind: CredentialProviderConfig
    #     providers:
    #         - apiVersion: credentialprovider.kubelet.k8s.io/v1
    #           defaultCacheDuration: 12h
    #           matchImages:
    #             - '*.dkr.ecr.*.amazonaws.com'
    #             - '*.dkr.ecr.*.amazonaws.com.cn'
    #             - '*.dkr.ecr-fips.*.amazonaws.com'
    #             - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'
    #             - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'
    #           name: ecr-credential-provider

    # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
    # nodeIP:
    #     # The `validSubnets` field configures the networks to pick kubelet node IP from.
    #     validSubnets:
    #         - 10.0.0.0/8
    #         - '!10.0.0.3/32'
    #         - fdc7::/16
pods[]Unstructured
Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver.
Static pods can be used to run components which should be started before the Kubernetes control plane is up.
Talos doesn’t validate the pod definition.
Updates to this field can be applied without a reboot.

See https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/.
Show example(s)
pods:
    - apiVersion: v1
      kind: pod
      metadata:
        name: nginx
      spec:
        containers:
            - image: nginx
              name: nginx
networkNetworkConfigProvides machine specific network configuration options.
Show example(s)
network:
    hostname: worker-1 # Used to statically set the hostname for the machine.
    # `interfaces` is used to define the network interface configuration.
    interfaces:
        - interface: enp0s1 # The interface name.
          # Assigns static IP addresses to the interface.
          addresses:
            - 192.168.2.0/24
          # A list of routes associated with the interface.
          routes:
            - network: 0.0.0.0/0 # The route's network (destination).
              gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
              metric: 1024 # The optional metric for the route.
          mtu: 1500 # The interface's MTU.

          # # Picks a network device using the selector.

          # # select a device with bus prefix 00:*.
          # deviceSelector:
          #     busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
          # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
          # deviceSelector:
          #     hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
          #     driver: virtio_net # Kernel driver, supports matching by wildcard.
          # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
          # deviceSelector:
          #     - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
          #     - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
          #       driver: virtio_net # Kernel driver, supports matching by wildcard.

          # # Bond specific options.
          # bond:
          #     # The interfaces that make up the bond.
          #     interfaces:
          #         - enp2s0
          #         - enp2s1
          #     # Picks a network device using the selector.
          #     deviceSelectors:
          #         - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
          #         - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
          #           driver: virtio_net # Kernel driver, supports matching by wildcard.
          #     mode: 802.3ad # A bond option.
          #     lacpRate: fast # A bond option.

          # # Bridge specific options.
          # bridge:
          #     # The interfaces that make up the bridge.
          #     interfaces:
          #         - enxda4042ca9a51
          #         - enxae2a6774c259
          #     # Enable STP on this bridge.
          #     stp:
          #         enabled: true # Whether Spanning Tree Protocol (STP) is enabled.

          # # Configure this device as a bridge port.
          # bridgePort:
          #     master: br0 # The name of the bridge master interface

          # # Indicates if DHCP should be used to configure the interface.
          # dhcp: true

          # # DHCP specific options.
          # dhcpOptions:
          #     routeMetric: 1024 # The priority of all routes received via DHCP.

          # # Wireguard specific configuration.

          # # wireguard server example
          # wireguard:
          #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
          #     listenPort: 51111 # Specifies a device's listening port.
          #     # Specifies a list of peer configurations to apply to a device.
          #     peers:
          #         - publicKey: ABCDEF... # Specifies the public key of this peer.
          #           endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
          #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
          #           allowedIPs:
          #             - 192.168.1.0/24
          # # wireguard peer example
          # wireguard:
          #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
          #     # Specifies a list of peer configurations to apply to a device.
          #     peers:
          #         - publicKey: ABCDEF... # Specifies the public key of this peer.
          #           endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
          #           persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
          #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
          #           allowedIPs:
          #             - 192.168.1.0/24

          # # Virtual (shared) IP address configuration.

          # # layer2 vip example
          # vip:
          #     ip: 172.16.199.55 # Specifies the IP address to be used.
    # Used to statically set the nameservers for the machine.
    nameservers:
        - 9.8.7.6
        - 8.7.6.5
    # Used to statically set arbitrary search domains.
    searchDomains:
        - example.org
        - example.com

    # # Allows for extra entries to be added to the `/etc/hosts` file
    # extraHostEntries:
    #     - ip: 192.168.1.100 # The IP of the host.
    #       # The host alias.
    #       aliases:
    #         - example
    #         - example.domain.tld

    # # Configures KubeSpan feature.
    # kubespan:
    #     enabled: true # Enable the KubeSpan feature.
disks[]MachineDisk
Used to partition, format and mount additional disks.Since the rootfs is read only with the exception of /var, mounts are only valid if they are under /var.
Note that the partitioning and formatting is done only once, if and only if no existing XFS partitions are found.
If size: is omitted, the partition is sized to occupy the full disk.
Show example(s)
disks:
    - device: /dev/sdb # The name of the disk to use.
      # A list of partitions to create on the disk.
      partitions:
        - mountpoint: /var/mnt/extra # Where to mount the partition.

          # # The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk.

          # # Human readable representation.
          # size: 100 MB
          # # Precise value in bytes.
          # size: 1073741824
installInstallConfig
Used to provide instructions for installations.
Note that this configuration section gets silently ignored by Talos images that are considered pre-installed.
To make sure Talos installs according to the provided configuration, Talos should be booted with ISO or PXE-booted.
Show example(s)
install:
    disk: /dev/sda # The disk used for installations.
    # Allows for supplying extra kernel args via the bootloader.
    extraKernelArgs:
        - console=ttyS1
        - panic=10
    image: ghcr.io/siderolabs/installer:latest # Allows for supplying the image used to perform the installation.
    wipe: false # Indicates if the installation disk should be wiped at installation time.

    # # Look up disk using disk attributes like model, size, serial and others.
    # diskSelector:
    #     size: 4GB # Disk size.
    #     model: WDC* # Disk model `/sys/block/<dev>/device/model`.
    #     busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.

    # # Allows for supplying additional system extension images to install on top of base Talos image.
    # extensions:
    #     - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image.
files[]MachineFile
Allows the addition of user specified files.The value of op can be create, overwrite, or append.
In the case of create, path must not exist.
In the case of overwrite, and append, path must be a valid file.
If an op value of append is used, the existing file will be appended.
Note that the file contents are not required to be base64 encoded.
Show example(s)
files:
    - content: '...' # The contents of the file.
      permissions: 0o666 # The file's permissions in octal.
      path: /tmp/file.txt # The path of the file.
      op: append # The operation to use
envEnv
The env field allows for the addition of environment variables.All environment variables are set on PID 1 in addition to every service.
Show example(s)
env:
    GRPC_GO_LOG_SEVERITY_LEVEL: info
    GRPC_GO_LOG_VERBOSITY_LEVEL: "99"
    https_proxy: http://SERVER:PORT/
env:
    GRPC_GO_LOG_SEVERITY_LEVEL: error
    https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/
env:
    https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/
GRPC_GO_LOG_VERBOSITY_LEVEL
GRPC_GO_LOG_SEVERITY_LEVEL
http_proxy
https_proxy
no_proxy
timeTimeConfigUsed to configure the machine’s time settings.
Show example(s)
time:
    disabled: false # Indicates if the time service is disabled for the machine.
    # description: |
    servers:
        - time.cloudflare.com
    bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence.
sysctlsmap[string]stringUsed to configure the machine’s sysctls.
Show example(s)
sysctls:
    kernel.domainname: talos.dev
    net.ipv4.ip_forward: "0"
    net/ipv6/conf/eth0.100/disable_ipv6: "1"
sysfsmap[string]stringUsed to configure the machine’s sysfs.
Show example(s)
sysfs:
    devices.system.cpu.cpu0.cpufreq.scaling_governor: performance
registriesRegistriesConfig
Used to configure the machine’s container image registry mirrors.
Automatically generates matching CRI configuration for registry mirrors.

The mirrors section allows to redirect requests for images to a non-default registry,
which might be a local registry or a caching mirror.

The config section provides a way to authenticate to the registry with TLS client
identity, provide registry CA, or authentication information.
Authentication information has same meaning with the corresponding field in .docker/config.json.

See also matching configuration for CRI containerd plugin.
Show example(s)
registries:
    # Specifies mirror configuration for each registry host namespace.
    mirrors:
        docker.io:
            # List of endpoints (URLs) for registry mirrors to use.
            endpoints:
                - https://registry.local
    # Specifies TLS & auth configuration for HTTPS image registries.
    config:
        registry.local:
            # The TLS configuration for the registry.
            tls:
                # Enable mutual TLS authentication with the registry.
                clientIdentity:
                    crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
                    key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
            # The auth configuration for this registry.
            auth:
                username: username # Optional registry authentication.
                password: password # Optional registry authentication.
systemDiskEncryptionSystemDiskEncryptionConfig
Machine system disk encryption configuration.Defines each system partition encryption parameters.
Show example(s)
systemDiskEncryption:
    # Ephemeral partition encryption.
    ephemeral:
        provider: luks2 # Encryption provider to use for the encryption.
        # Defines the encryption keys generation and storage method.
        keys:
            - # Deterministically generated key from the node UUID and PartitionLabel.
              nodeID: {}
              slot: 0 # Key slot number for LUKS2 encryption.

              # # KMS managed encryption key.
              # kms:
              #     endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.

        # # Cipher kind to use for the encryption. Depends on the encryption provider.
        # cipher: aes-xts-plain64

        # # Defines the encryption sector size.
        # blockSize: 4096

        # # Additional --perf parameters for the LUKS2 encryption.
        # options:
        #     - no_read_workqueue
        #     - no_write_workqueue
featuresFeaturesConfigFeatures describe individual Talos features that can be switched on or off.
Show example(s)
features:
    rbac: true # Enable role-based access control (RBAC).

    # # Configure Talos API access from Kubernetes pods.
    # kubernetesTalosAPIAccess:
    #     enabled: true # Enable Talos API access from Kubernetes pods.
    #     # The list of Talos API roles which can be granted for access from Kubernetes pods.
    #     allowedRoles:
    #         - os:reader
    #     # The list of Kubernetes namespaces Talos API access is available from.
    #     allowedKubernetesNamespaces:
    #         - kube-system
udevUdevConfigConfigures the udev system.
Show example(s)
udev:
    # List of udev rules to apply to the udev system
    rules:
        - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
loggingLoggingConfigConfigures the logging system.
Show example(s)
logging:
    # Logging destination.
    destinations:
        - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
          format: json_lines # Logs format.
kernelKernelConfigConfigures the kernel.
Show example(s)
kernel:
    # Kernel modules to load.
    modules:
        - name: brtfs # Module name.
seccompProfiles[]MachineSeccompProfileConfigures the seccomp profiles for the machine.
Show example(s)
seccompProfiles:
    - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
      # The `value` field is used to provide the seccomp profile.
      value:
        defaultAction: SCMP_ACT_LOG
baseRuntimeSpecOverridesUnstructured
Override (patch) settings in the default OCI runtime spec for CRI containers.
It can be used to set some default container settings which are not configurable in Kubernetes,
for example default ulimits.
Note: this change applies to all newly created containers, and it requires a reboot to take effect.
Show example(s)
baseRuntimeSpecOverrides:
    process:
        rlimits:
            - hard: 1024
              soft: 1024
              type: RLIMIT_NOFILE
nodeLabelsmap[string]string
Configures the node labels for the machine.
Note: In the default Kubernetes configuration, worker nodes are restricted to set
labels with some prefixes (see NodeRestriction admission plugin).
Show example(s)
nodeLabels:
    exampleLabel: exampleLabelValue
nodeAnnotationsmap[string]stringConfigures the node annotations for the machine.
Show example(s)
nodeAnnotations:
    customer.io/rack: r13a25
nodeTaintsmap[string]string
Configures the node taints for the machine. Effect is optional.
Note: In the default Kubernetes configuration, worker nodes are not allowed to
modify the taints (see NodeRestriction admission plugin).
Show example(s)
nodeTaints:
    exampleTaint: exampleTaintValue:NoSchedule

controlPlane

MachineControlPlaneConfig machine specific configuration options.

machine:
    controlPlane:
        # Controller manager machine specific configuration options.
        controllerManager:
            disabled: false # Disable kube-controller-manager on the node.
        # Scheduler machine specific configuration options.
        scheduler:
            disabled: true # Disable kube-scheduler on the node.
FieldTypeDescriptionValue(s)
controllerManagerMachineControllerManagerConfigController manager machine specific configuration options.
schedulerMachineSchedulerConfigScheduler machine specific configuration options.

controllerManager

MachineControllerManagerConfig represents the machine specific ControllerManager config values.

FieldTypeDescriptionValue(s)
disabledboolDisable kube-controller-manager on the node.

scheduler

MachineSchedulerConfig represents the machine specific Scheduler config values.

FieldTypeDescriptionValue(s)
disabledboolDisable kube-scheduler on the node.

kubelet

KubeletConfig represents the kubelet config values.

machine:
    kubelet:
        image: ghcr.io/siderolabs/kubelet:v1.32.0 # The `image` field is an optional reference to an alternative kubelet image.
        # The `extraArgs` field is used to provide additional flags to the kubelet.
        extraArgs:
            feature-gates: ServerSideApply=true

        # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
        # clusterDNS:
        #     - 10.96.0.10
        #     - 169.254.2.53

        # # The `extraMounts` field is used to add additional mounts to the kubelet container.
        # extraMounts:
        #     - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
        #       type: bind # Type specifies the mount kind.
        #       source: /var/lib/example # Source specifies the source path of the mount.
        #       # Options are fstab style mount options.
        #       options:
        #         - bind
        #         - rshared
        #         - rw

        # # The `extraConfig` field is used to provide kubelet configuration overrides.
        # extraConfig:
        #     serverTLSBootstrap: true

        # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.
        # credentialProviderConfig:
        #     apiVersion: kubelet.config.k8s.io/v1
        #     kind: CredentialProviderConfig
        #     providers:
        #         - apiVersion: credentialprovider.kubelet.k8s.io/v1
        #           defaultCacheDuration: 12h
        #           matchImages:
        #             - '*.dkr.ecr.*.amazonaws.com'
        #             - '*.dkr.ecr.*.amazonaws.com.cn'
        #             - '*.dkr.ecr-fips.*.amazonaws.com'
        #             - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'
        #             - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'
        #           name: ecr-credential-provider

        # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
        # nodeIP:
        #     # The `validSubnets` field configures the networks to pick kubelet node IP from.
        #     validSubnets:
        #         - 10.0.0.0/8
        #         - '!10.0.0.3/32'
        #         - fdc7::/16
FieldTypeDescriptionValue(s)
imagestringThe image field is an optional reference to an alternative kubelet image.
Show example(s)
image: ghcr.io/siderolabs/kubelet:v1.32.0
clusterDNS[]stringThe ClusterDNS field is an optional reference to an alternative kubelet clusterDNS ip list.
Show example(s)
clusterDNS:
    - 10.96.0.10
    - 169.254.2.53
extraArgsmap[string]stringThe extraArgs field is used to provide additional flags to the kubelet.
Show example(s)
extraArgs:
    key: value
extraMounts[]ExtraMount
The extraMounts field is used to add additional mounts to the kubelet container.Note that either bind or rbind are required in the options.
Show example(s)
extraMounts:
    - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
      type: bind # Type specifies the mount kind.
      source: /var/lib/example # Source specifies the source path of the mount.
      # Options are fstab style mount options.
      options:
        - bind
        - rshared
        - rw
extraConfigUnstructured
The extraConfig field is used to provide kubelet configuration overrides.
Some fields are not allowed to be overridden: authentication and authorization, cgroups
configuration, ports, etc.
Show example(s)
extraConfig:
    serverTLSBootstrap: true
credentialProviderConfigUnstructuredThe KubeletCredentialProviderConfig field is used to provide kubelet credential configuration.
Show example(s)
credentialProviderConfig:
    apiVersion: kubelet.config.k8s.io/v1
    kind: CredentialProviderConfig
    providers:
        - apiVersion: credentialprovider.kubelet.k8s.io/v1
          defaultCacheDuration: 12h
          matchImages:
            - '*.dkr.ecr.*.amazonaws.com'
            - '*.dkr.ecr.*.amazonaws.com.cn'
            - '*.dkr.ecr-fips.*.amazonaws.com'
            - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'
            - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'
          name: ecr-credential-provider
defaultRuntimeSeccompProfileEnabledboolEnable container runtime default Seccomp profile.true
yes
false
no
registerWithFQDNbool
The registerWithFQDN field is used to force kubelet to use the node FQDN for registration.This is required in clouds like AWS.
true
yes
false
no
nodeIPKubeletNodeIPConfig
The nodeIP field is used to configure --node-ip flag for the kubelet.This is used when a node has multiple addresses to choose from.
Show example(s)
nodeIP:
    # The `validSubnets` field configures the networks to pick kubelet node IP from.
    validSubnets:
        - 10.0.0.0/8
        - '!10.0.0.3/32'
        - fdc7::/16
skipNodeRegistrationbool
The skipNodeRegistration is used to run the kubelet without registering with the apiserver.This runs kubelet as standalone and only runs static pods.
true
yes
false
no
disableManifestsDirectorybool
The disableManifestsDirectory field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.It’s recommended to configure static pods with the “pods” key instead.
true
yes
false
no

extraMounts[]

ExtraMount wraps OCI Mount specification.

machine:
    kubelet:
        extraMounts:
            - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
              type: bind # Type specifies the mount kind.
              source: /var/lib/example # Source specifies the source path of the mount.
              # Options are fstab style mount options.
              options:
                - bind
                - rshared
                - rw
FieldTypeDescriptionValue(s)
destinationstringDestination is the absolute path where the mount will be placed in the container.
typestringType specifies the mount kind.
sourcestringSource specifies the source path of the mount.
options[]stringOptions are fstab style mount options.
uidMappings[]LinuxIDMapping
UID/GID mappings used for changing file owners w/o calling chown, fs should support it.
Every mount point could have its own mapping.
gidMappings[]LinuxIDMapping
UID/GID mappings used for changing file owners w/o calling chown, fs should support it.
Every mount point could have its own mapping.
uidMappings[]

LinuxIDMapping represents the Linux ID mapping.

FieldTypeDescriptionValue(s)
containerIDuint32ContainerID is the starting UID/GID in the container.
hostIDuint32HostID is the starting UID/GID on the host to be mapped to ‘ContainerID’.
sizeuint32Size is the number of IDs to be mapped.
gidMappings[]

LinuxIDMapping represents the Linux ID mapping.

FieldTypeDescriptionValue(s)
containerIDuint32ContainerID is the starting UID/GID in the container.
hostIDuint32HostID is the starting UID/GID on the host to be mapped to ‘ContainerID’.
sizeuint32Size is the number of IDs to be mapped.

nodeIP

KubeletNodeIPConfig represents the kubelet node IP configuration.

machine:
    kubelet:
        nodeIP:
            # The `validSubnets` field configures the networks to pick kubelet node IP from.
            validSubnets:
                - 10.0.0.0/8
                - '!10.0.0.3/32'
                - fdc7::/16
FieldTypeDescriptionValue(s)
validSubnets[]string
The validSubnets field configures the networks to pick kubelet node IP from.For dual stack configuration, there should be two subnets: one for IPv4, another for IPv6.
IPs can be excluded from the list by using negative match with !, e.g !10.0.0.0/8.
Negative subnet matches should be specified last to filter out IPs picked by positive matches.
If not specified, node IP is picked based on cluster podCIDRs: IPv4/IPv6 address or both.

network

NetworkConfig represents the machine’s networking config values.

machine:
    network:
        hostname: worker-1 # Used to statically set the hostname for the machine.
        # `interfaces` is used to define the network interface configuration.
        interfaces:
            - interface: enp0s1 # The interface name.
              # Assigns static IP addresses to the interface.
              addresses:
                - 192.168.2.0/24
              # A list of routes associated with the interface.
              routes:
                - network: 0.0.0.0/0 # The route's network (destination).
                  gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
                  metric: 1024 # The optional metric for the route.
              mtu: 1500 # The interface's MTU.

              # # Picks a network device using the selector.

              # # select a device with bus prefix 00:*.
              # deviceSelector:
              #     busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
              # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
              # deviceSelector:
              #     hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
              #     driver: virtio_net # Kernel driver, supports matching by wildcard.
              # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
              # deviceSelector:
              #     - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
              #     - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
              #       driver: virtio_net # Kernel driver, supports matching by wildcard.

              # # Bond specific options.
              # bond:
              #     # The interfaces that make up the bond.
              #     interfaces:
              #         - enp2s0
              #         - enp2s1
              #     # Picks a network device using the selector.
              #     deviceSelectors:
              #         - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
              #         - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
              #           driver: virtio_net # Kernel driver, supports matching by wildcard.
              #     mode: 802.3ad # A bond option.
              #     lacpRate: fast # A bond option.

              # # Bridge specific options.
              # bridge:
              #     # The interfaces that make up the bridge.
              #     interfaces:
              #         - enxda4042ca9a51
              #         - enxae2a6774c259
              #     # Enable STP on this bridge.
              #     stp:
              #         enabled: true # Whether Spanning Tree Protocol (STP) is enabled.

              # # Configure this device as a bridge port.
              # bridgePort:
              #     master: br0 # The name of the bridge master interface

              # # Indicates if DHCP should be used to configure the interface.
              # dhcp: true

              # # DHCP specific options.
              # dhcpOptions:
              #     routeMetric: 1024 # The priority of all routes received via DHCP.

              # # Wireguard specific configuration.

              # # wireguard server example
              # wireguard:
              #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
              #     listenPort: 51111 # Specifies a device's listening port.
              #     # Specifies a list of peer configurations to apply to a device.
              #     peers:
              #         - publicKey: ABCDEF... # Specifies the public key of this peer.
              #           endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
              #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
              #           allowedIPs:
              #             - 192.168.1.0/24
              # # wireguard peer example
              # wireguard:
              #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
              #     # Specifies a list of peer configurations to apply to a device.
              #     peers:
              #         - publicKey: ABCDEF... # Specifies the public key of this peer.
              #           endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
              #           persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
              #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
              #           allowedIPs:
              #             - 192.168.1.0/24

              # # Virtual (shared) IP address configuration.

              # # layer2 vip example
              # vip:
              #     ip: 172.16.199.55 # Specifies the IP address to be used.
        # Used to statically set the nameservers for the machine.
        nameservers:
            - 9.8.7.6
            - 8.7.6.5
        # Used to statically set arbitrary search domains.
        searchDomains:
            - example.org
            - example.com

        # # Allows for extra entries to be added to the `/etc/hosts` file
        # extraHostEntries:
        #     - ip: 192.168.1.100 # The IP of the host.
        #       # The host alias.
        #       aliases:
        #         - example
        #         - example.domain.tld

        # # Configures KubeSpan feature.
        # kubespan:
        #     enabled: true # Enable the KubeSpan feature.
FieldTypeDescriptionValue(s)
hostnamestringUsed to statically set the hostname for the machine.
interfaces[]Device
interfaces is used to define the network interface configuration.By default all network interfaces will attempt a DHCP discovery.
This can be further tuned through this configuration parameter.
Show example(s)
interfaces:
    - interface: enp0s1 # The interface name.
      # Assigns static IP addresses to the interface.
      addresses:
        - 192.168.2.0/24
      # A list of routes associated with the interface.
      routes:
        - network: 0.0.0.0/0 # The route's network (destination).
          gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
          metric: 1024 # The optional metric for the route.
      mtu: 1500 # The interface's MTU.

      # # Picks a network device using the selector.

      # # select a device with bus prefix 00:*.
      # deviceSelector:
      #     busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
      # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
      # deviceSelector:
      #     hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
      #     driver: virtio_net # Kernel driver, supports matching by wildcard.
      # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
      # deviceSelector:
      #     - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
      #     - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
      #       driver: virtio_net # Kernel driver, supports matching by wildcard.

      # # Bond specific options.
      # bond:
      #     # The interfaces that make up the bond.
      #     interfaces:
      #         - enp2s0
      #         - enp2s1
      #     # Picks a network device using the selector.
      #     deviceSelectors:
      #         - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
      #         - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
      #           driver: virtio_net # Kernel driver, supports matching by wildcard.
      #     mode: 802.3ad # A bond option.
      #     lacpRate: fast # A bond option.

      # # Bridge specific options.
      # bridge:
      #     # The interfaces that make up the bridge.
      #     interfaces:
      #         - enxda4042ca9a51
      #         - enxae2a6774c259
      #     # Enable STP on this bridge.
      #     stp:
      #         enabled: true # Whether Spanning Tree Protocol (STP) is enabled.

      # # Configure this device as a bridge port.
      # bridgePort:
      #     master: br0 # The name of the bridge master interface

      # # Indicates if DHCP should be used to configure the interface.
      # dhcp: true

      # # DHCP specific options.
      # dhcpOptions:
      #     routeMetric: 1024 # The priority of all routes received via DHCP.

      # # Wireguard specific configuration.

      # # wireguard server example
      # wireguard:
      #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
      #     listenPort: 51111 # Specifies a device's listening port.
      #     # Specifies a list of peer configurations to apply to a device.
      #     peers:
      #         - publicKey: ABCDEF... # Specifies the public key of this peer.
      #           endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
      #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
      #           allowedIPs:
      #             - 192.168.1.0/24
      # # wireguard peer example
      # wireguard:
      #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
      #     # Specifies a list of peer configurations to apply to a device.
      #     peers:
      #         - publicKey: ABCDEF... # Specifies the public key of this peer.
      #           endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
      #           persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
      #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
      #           allowedIPs:
      #             - 192.168.1.0/24

      # # Virtual (shared) IP address configuration.

      # # layer2 vip example
      # vip:
      #     ip: 172.16.199.55 # Specifies the IP address to be used.
nameservers[]string
Used to statically set the nameservers for the machine.Defaults to 1.1.1.1 and 8.8.8.8
Show example(s)
nameservers:
    - 8.8.8.8
    - 1.1.1.1
searchDomains[]stringUsed to statically set arbitrary search domains.
Show example(s)
searchDomains:
    - example.org
    - example.com
extraHostEntries[]ExtraHostAllows for extra entries to be added to the /etc/hosts file
Show example(s)
extraHostEntries:
    - ip: 192.168.1.100 # The IP of the host.
      # The host alias.
      aliases:
        - example
        - example.domain.tld
kubespanNetworkKubeSpanConfigures KubeSpan feature.
Show example(s)
kubespan:
    enabled: true # Enable the KubeSpan feature.
disableSearchDomainbool
Disable generating a default search domain in /etc/resolv.confbased on the machine hostname.
Defaults to false.
true
yes
false
no

interfaces[]

Device represents a network interface.

machine:
    network:
        interfaces:
            - interface: enp0s1 # The interface name.
              # Assigns static IP addresses to the interface.
              addresses:
                - 192.168.2.0/24
              # A list of routes associated with the interface.
              routes:
                - network: 0.0.0.0/0 # The route's network (destination).
                  gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
                  metric: 1024 # The optional metric for the route.
              mtu: 1500 # The interface's MTU.

              # # Picks a network device using the selector.

              # # select a device with bus prefix 00:*.
              # deviceSelector:
              #     busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
              # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
              # deviceSelector:
              #     hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
              #     driver: virtio_net # Kernel driver, supports matching by wildcard.
              # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
              # deviceSelector:
              #     - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
              #     - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
              #       driver: virtio_net # Kernel driver, supports matching by wildcard.

              # # Bond specific options.
              # bond:
              #     # The interfaces that make up the bond.
              #     interfaces:
              #         - enp2s0
              #         - enp2s1
              #     # Picks a network device using the selector.
              #     deviceSelectors:
              #         - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
              #         - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
              #           driver: virtio_net # Kernel driver, supports matching by wildcard.
              #     mode: 802.3ad # A bond option.
              #     lacpRate: fast # A bond option.

              # # Bridge specific options.
              # bridge:
              #     # The interfaces that make up the bridge.
              #     interfaces:
              #         - enxda4042ca9a51
              #         - enxae2a6774c259
              #     # Enable STP on this bridge.
              #     stp:
              #         enabled: true # Whether Spanning Tree Protocol (STP) is enabled.

              # # Configure this device as a bridge port.
              # bridgePort:
              #     master: br0 # The name of the bridge master interface

              # # Indicates if DHCP should be used to configure the interface.
              # dhcp: true

              # # DHCP specific options.
              # dhcpOptions:
              #     routeMetric: 1024 # The priority of all routes received via DHCP.

              # # Wireguard specific configuration.

              # # wireguard server example
              # wireguard:
              #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
              #     listenPort: 51111 # Specifies a device's listening port.
              #     # Specifies a list of peer configurations to apply to a device.
              #     peers:
              #         - publicKey: ABCDEF... # Specifies the public key of this peer.
              #           endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
              #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
              #           allowedIPs:
              #             - 192.168.1.0/24
              # # wireguard peer example
              # wireguard:
              #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
              #     # Specifies a list of peer configurations to apply to a device.
              #     peers:
              #         - publicKey: ABCDEF... # Specifies the public key of this peer.
              #           endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
              #           persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
              #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
              #           allowedIPs:
              #             - 192.168.1.0/24

              # # Virtual (shared) IP address configuration.

              # # layer2 vip example
              # vip:
              #     ip: 172.16.199.55 # Specifies the IP address to be used.
FieldTypeDescriptionValue(s)
interfacestring
The interface name.Mutually exclusive with deviceSelector.
Show example(s)
interface: enp0s3
deviceSelectorNetworkDeviceSelector
Picks a network device using the selector.Mutually exclusive with interface.
Supports partial match using wildcard syntax.
Show example(s)
deviceSelector:
    busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
deviceSelector:
    hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
    driver: virtio_net # Kernel driver, supports matching by wildcard.
addresses[]string
Assigns static IP addresses to the interface.An address can be specified either in proper CIDR notation or as a standalone address (netmask of all ones is assumed).
Show example(s)
addresses:
    - 10.5.0.0/16
    - 192.168.3.7
routes[]Route
A list of routes associated with the interface.If used in combination with DHCP, these routes will be appended to routes returned by DHCP server.
Show example(s)
routes:
    - network: 0.0.0.0/0 # The route's network (destination).
      gateway: 10.5.0.1 # The route's gateway (if empty, creates link scope route).
    - network: 10.2.0.0/16 # The route's network (destination).
      gateway: 10.2.0.1 # The route's gateway (if empty, creates link scope route).
bondBondBond specific options.
Show example(s)
bond:
    # The interfaces that make up the bond.
    interfaces:
        - enp2s0
        - enp2s1
    mode: 802.3ad # A bond option.
    lacpRate: fast # A bond option.

    # # Picks a network device using the selector.

    # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
    # deviceSelectors:
    #     - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
    #     - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
    #       driver: virtio_net # Kernel driver, supports matching by wildcard.
bridgeBridgeBridge specific options.
Show example(s)
bridge:
    # The interfaces that make up the bridge.
    interfaces:
        - enxda4042ca9a51
        - enxae2a6774c259
    # Enable STP on this bridge.
    stp:
        enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
bridgePortBridgePort
Configure this device as a bridge port.This can be used to dynamically assign network interfaces to a bridge.
Show example(s)
bridgePort:
    master: br0 # The name of the bridge master interface
vlans[]VlanVLAN specific options.
mtuint
The interface’s MTU.If used in combination with DHCP, this will override any MTU settings returned from DHCP server.
dhcpbool
Indicates if DHCP should be used to configure the interface.The following DHCP options are supported:

- OptionClasslessStaticRoute
- OptionDomainNameServer
- OptionDNSDomainSearchList
- OptionHostName
Show example(s)
dhcp: true
ignoreboolIndicates if the interface should be ignored (skips configuration).
dummybool
Indicates if the interface is a dummy interface.dummy is used to specify that this interface should be a virtual-only, dummy interface.
dhcpOptionsDHCPOptions
DHCP specific options.dhcp must be set to true for these to take effect.
Show example(s)
dhcpOptions:
    routeMetric: 1024 # The priority of all routes received via DHCP.
wireguardDeviceWireguardConfig
Wireguard specific configuration.Includes things like private key, listen port, peers.
Show example(s)
wireguard:
    privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
    listenPort: 51111 # Specifies a device's listening port.
    # Specifies a list of peer configurations to apply to a device.
    peers:
        - publicKey: ABCDEF... # Specifies the public key of this peer.
          endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
          # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
          allowedIPs:
            - 192.168.1.0/24
wireguard:
    privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
    # Specifies a list of peer configurations to apply to a device.
    peers:
        - publicKey: ABCDEF... # Specifies the public key of this peer.
          endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
          persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
          # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
          allowedIPs:
            - 192.168.1.0/24
vipDeviceVIPConfigVirtual (shared) IP address configuration.
Show example(s)
vip:
    ip: 172.16.199.55 # Specifies the IP address to be used.
deviceSelector

NetworkDeviceSelector struct describes network device selector.

machine:
    network:
        interfaces:
            - deviceSelector:
                busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
machine:
    network:
        interfaces:
            - deviceSelector:
                hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
                driver: virtio_net # Kernel driver, supports matching by wildcard.
machine:
    network:
        interfaces:
            - deviceSelector:
                - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
                - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
                  driver: virtio_net # Kernel driver, supports matching by wildcard.
FieldTypeDescriptionValue(s)
busPathstringPCI, USB bus prefix, supports matching by wildcard.
hardwareAddrstringDevice hardware (MAC) address, supports matching by wildcard.
permanentAddrstring
Device permanent hardware address, supports matching by wildcard.The permanent address doesn’t change when the link is enslaved to a bond,
so it’s recommended to use this field for bond members.
pciIDstringPCI ID (vendor ID, product ID), supports matching by wildcard.
driverstringKernel driver, supports matching by wildcard.
physicalboolSelect only physical devices.
routes[]

Route represents a network route.

machine:
    network:
        interfaces:
            - routes:
                - network: 0.0.0.0/0 # The route's network (destination).
                  gateway: 10.5.0.1 # The route's gateway (if empty, creates link scope route).
                - network: 10.2.0.0/16 # The route's network (destination).
                  gateway: 10.2.0.1 # The route's gateway (if empty, creates link scope route).
FieldTypeDescriptionValue(s)
networkstringThe route’s network (destination).
gatewaystringThe route’s gateway (if empty, creates link scope route).
sourcestringThe route’s source address (optional).
metricuint32The optional metric for the route.
mtuuint32The optional MTU for the route.
bond

Bond contains the various options for configuring a bonded interface.

machine:
    network:
        interfaces:
            - bond:
                # The interfaces that make up the bond.
                interfaces:
                    - enp2s0
                    - enp2s1
                mode: 802.3ad # A bond option.
                lacpRate: fast # A bond option.

                # # Picks a network device using the selector.

                # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
                # deviceSelectors:
                #     - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
                #     - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
                #       driver: virtio_net # Kernel driver, supports matching by wildcard.
FieldTypeDescriptionValue(s)
interfaces[]stringThe interfaces that make up the bond.
deviceSelectors[]NetworkDeviceSelector
Picks a network device using the selector.Mutually exclusive with interfaces.
Supports partial match using wildcard syntax.
Show example(s)
deviceSelectors:
    - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
    - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
      driver: virtio_net # Kernel driver, supports matching by wildcard.
arpIPTarget[]string
A bond option.Please see the official kernel documentation.
Not supported at the moment.
modestring
A bond option.Please see the official kernel documentation.
xmitHashPolicystring
A bond option.Please see the official kernel documentation.
lacpRatestring
A bond option.Please see the official kernel documentation.
adActorSystemstring
A bond option.Please see the official kernel documentation.
Not supported at the moment.
arpValidatestring
A bond option.Please see the official kernel documentation.
arpAllTargetsstring
A bond option.Please see the official kernel documentation.
primarystring
A bond option.Please see the official kernel documentation.
primaryReselectstring
A bond option.Please see the official kernel documentation.
failOverMacstring
A bond option.Please see the official kernel documentation.
adSelectstring
A bond option.Please see the official kernel documentation.
miimonuint32
A bond option.Please see the official kernel documentation.
updelayuint32
A bond option.Please see the official kernel documentation.
downdelayuint32
A bond option.Please see the official kernel documentation.
arpIntervaluint32
A bond option.Please see the official kernel documentation.
resendIgmpuint32
A bond option.Please see the official kernel documentation.
minLinksuint32
A bond option.Please see the official kernel documentation.
lpIntervaluint32
A bond option.Please see the official kernel documentation.
packetsPerSlaveuint32
A bond option.Please see the official kernel documentation.
numPeerNotifuint8
A bond option.Please see the official kernel documentation.
tlbDynamicLbuint8
A bond option.Please see the official kernel documentation.
allSlavesActiveuint8
A bond option.Please see the official kernel documentation.
useCarrierbool
A bond option.Please see the official kernel documentation.
adActorSysPriouint16
A bond option.Please see the official kernel documentation.
adUserPortKeyuint16
A bond option.Please see the official kernel documentation.
peerNotifyDelayuint32
A bond option.Please see the official kernel documentation.
deviceSelectors[]

NetworkDeviceSelector struct describes network device selector.

machine:
    network:
        interfaces:
            - bond:
                deviceSelectors:
                    busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
machine:
    network:
        interfaces:
            - bond:
                deviceSelectors:
                    hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
                    driver: virtio_net # Kernel driver, supports matching by wildcard.
machine:
    network:
        interfaces:
            - bond:
                deviceSelectors:
                    - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
                    - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
                      driver: virtio_net # Kernel driver, supports matching by wildcard.
FieldTypeDescriptionValue(s)
busPathstringPCI, USB bus prefix, supports matching by wildcard.
hardwareAddrstringDevice hardware (MAC) address, supports matching by wildcard.
permanentAddrstring
Device permanent hardware address, supports matching by wildcard.The permanent address doesn’t change when the link is enslaved to a bond,
so it’s recommended to use this field for bond members.
pciIDstringPCI ID (vendor ID, product ID), supports matching by wildcard.
driverstringKernel driver, supports matching by wildcard.
physicalboolSelect only physical devices.
bridge

Bridge contains the various options for configuring a bridge interface.

machine:
    network:
        interfaces:
            - bridge:
                # The interfaces that make up the bridge.
                interfaces:
                    - enxda4042ca9a51
                    - enxae2a6774c259
                # Enable STP on this bridge.
                stp:
                    enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
FieldTypeDescriptionValue(s)
interfaces[]stringThe interfaces that make up the bridge.
stpSTP
Enable STP on this bridge.Please see the official kernel documentation.
vlanBridgeVLAN
Enable VLAN-awareness on this bridge.Please see the official kernel documentation.
stp

STP contains the various options for configuring the STP properties of a bridge interface.

FieldTypeDescriptionValue(s)
enabledboolWhether Spanning Tree Protocol (STP) is enabled.
vlan

BridgeVLAN contains the various options for configuring the VLAN properties of a bridge interface.

FieldTypeDescriptionValue(s)
vlanFilteringboolWhether VLAN filtering is enabled.
bridgePort

BridgePort contains settings for assigning a link to a bridge interface.

machine:
    network:
        interfaces:
            - bridgePort:
                master: br0 # The name of the bridge master interface
FieldTypeDescriptionValue(s)
masterstringThe name of the bridge master interface
vlans[]

Vlan represents vlan settings for a device.

FieldTypeDescriptionValue(s)
addresses[]stringThe addresses in CIDR notation or as plain IPs to use.
routes[]RouteA list of routes associated with the VLAN.
dhcpboolIndicates if DHCP should be used.
vlanIduint16The VLAN’s ID.
mtuuint32The VLAN’s MTU.
vipDeviceVIPConfigThe VLAN’s virtual IP address configuration.
dhcpOptionsDHCPOptions
DHCP specific options.dhcp must be set to true for these to take effect.
routes[]

Route represents a network route.

machine:
    network:
        interfaces:
            - vlans:
                - routes:
                    - network: 0.0.0.0/0 # The route's network (destination).
                      gateway: 10.5.0.1 # The route's gateway (if empty, creates link scope route).
                    - network: 10.2.0.0/16 # The route's network (destination).
                      gateway: 10.2.0.1 # The route's gateway (if empty, creates link scope route).
FieldTypeDescriptionValue(s)
networkstringThe route’s network (destination).
gatewaystringThe route’s gateway (if empty, creates link scope route).
sourcestringThe route’s source address (optional).
metricuint32The optional metric for the route.
mtuuint32The optional MTU for the route.
vip

DeviceVIPConfig contains settings for configuring a Virtual Shared IP on an interface.

machine:
    network:
        interfaces:
            - vlans:
                - vip:
                    ip: 172.16.199.55 # Specifies the IP address to be used.
FieldTypeDescriptionValue(s)
ipstringSpecifies the IP address to be used.
equinixMetalVIPEquinixMetalConfigSpecifies the Equinix Metal API settings to assign VIP to the node.
hcloudVIPHCloudConfigSpecifies the Hetzner Cloud API settings to assign VIP to the node.
equinixMetal

VIPEquinixMetalConfig contains settings for Equinix Metal VIP management.

FieldTypeDescriptionValue(s)
apiTokenstringSpecifies the Equinix Metal API Token.
hcloud

VIPHCloudConfig contains settings for Hetzner Cloud VIP management.

FieldTypeDescriptionValue(s)
apiTokenstringSpecifies the Hetzner Cloud API Token.
dhcpOptions

DHCPOptions contains options for configuring the DHCP settings for a given interface.

machine:
    network:
        interfaces:
            - vlans:
                - dhcpOptions:
                    routeMetric: 1024 # The priority of all routes received via DHCP.
FieldTypeDescriptionValue(s)
routeMetricuint32The priority of all routes received via DHCP.
ipv4boolEnables DHCPv4 protocol for the interface (default is enabled).
ipv6boolEnables DHCPv6 protocol for the interface (default is disabled).
duidv6stringSet client DUID (hex string).
dhcpOptions

DHCPOptions contains options for configuring the DHCP settings for a given interface.

machine:
    network:
        interfaces:
            - dhcpOptions:
                routeMetric: 1024 # The priority of all routes received via DHCP.
FieldTypeDescriptionValue(s)
routeMetricuint32The priority of all routes received via DHCP.
ipv4boolEnables DHCPv4 protocol for the interface (default is enabled).
ipv6boolEnables DHCPv6 protocol for the interface (default is disabled).
duidv6stringSet client DUID (hex string).
wireguard

DeviceWireguardConfig contains settings for configuring Wireguard network interface.

machine:
    network:
        interfaces:
            - wireguard:
                privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
                listenPort: 51111 # Specifies a device's listening port.
                # Specifies a list of peer configurations to apply to a device.
                peers:
                    - publicKey: ABCDEF... # Specifies the public key of this peer.
                      endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
                      # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
                      allowedIPs:
                        - 192.168.1.0/24
machine:
    network:
        interfaces:
            - wireguard:
                privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
                # Specifies a list of peer configurations to apply to a device.
                peers:
                    - publicKey: ABCDEF... # Specifies the public key of this peer.
                      endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
                      persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
                      # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
                      allowedIPs:
                        - 192.168.1.0/24
FieldTypeDescriptionValue(s)
privateKeystring
Specifies a private key configuration (base64 encoded).Can be generated by wg genkey.
listenPortintSpecifies a device’s listening port.
firewallMarkintSpecifies a device’s firewall mark.
peers[]DeviceWireguardPeerSpecifies a list of peer configurations to apply to a device.
peers[]

DeviceWireguardPeer a WireGuard device peer configuration.

FieldTypeDescriptionValue(s)
publicKeystring
Specifies the public key of this peer.Can be extracted from private key by running wg pubkey < private.key > public.key && cat public.key.
endpointstringSpecifies the endpoint of this peer entry.
persistentKeepaliveIntervalDuration
Specifies the persistent keepalive interval for this peer.Field format accepts any Go time.Duration format (‘1h’ for one hour, ‘10m’ for ten minutes).
allowedIPs[]stringAllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
vip

DeviceVIPConfig contains settings for configuring a Virtual Shared IP on an interface.

machine:
    network:
        interfaces:
            - vip:
                ip: 172.16.199.55 # Specifies the IP address to be used.
FieldTypeDescriptionValue(s)
ipstringSpecifies the IP address to be used.
equinixMetalVIPEquinixMetalConfigSpecifies the Equinix Metal API settings to assign VIP to the node.
hcloudVIPHCloudConfigSpecifies the Hetzner Cloud API settings to assign VIP to the node.
equinixMetal

VIPEquinixMetalConfig contains settings for Equinix Metal VIP management.

FieldTypeDescriptionValue(s)
apiTokenstringSpecifies the Equinix Metal API Token.
hcloud

VIPHCloudConfig contains settings for Hetzner Cloud VIP management.

FieldTypeDescriptionValue(s)
apiTokenstringSpecifies the Hetzner Cloud API Token.

extraHostEntries[]

ExtraHost represents a host entry in /etc/hosts.

machine:
    network:
        extraHostEntries:
            - ip: 192.168.1.100 # The IP of the host.
              # The host alias.
              aliases:
                - example
                - example.domain.tld
FieldTypeDescriptionValue(s)
ipstringThe IP of the host.
aliases[]stringThe host alias.

kubespan

NetworkKubeSpan struct describes KubeSpan configuration.

machine:
    network:
        kubespan:
            enabled: true # Enable the KubeSpan feature.
FieldTypeDescriptionValue(s)
enabledbool
Enable the KubeSpan feature.Cluster discovery should be enabled with .cluster.discovery.enabled for KubeSpan to be enabled.
advertiseKubernetesNetworksbool
Control whether Kubernetes pod CIDRs are announced over KubeSpan from the node.If disabled, CNI handles encapsulating pod-to-pod traffic into some node-to-node tunnel,
and KubeSpan handles the node-to-node traffic.
If enabled, KubeSpan will take over pod-to-pod traffic and send it over KubeSpan directly.
When enabled, KubeSpan should have a way to detect complete pod CIDRs of the node which
is not always the case with CNIs not relying on Kubernetes for IPAM.
allowDownPeerBypassbool
Skip sending traffic via KubeSpan if the peer connection state is not up.This provides configurable choice between connectivity and security: either traffic is always
forced to go via KubeSpan (even if Wireguard peer connection is not up), or traffic can go directly
to the peer if Wireguard connection can’t be established.
harvestExtraEndpointsbool
KubeSpan can collect and publish extra endpoints for each member of the clusterbased on Wireguard endpoint information for each peer.
This feature is disabled by default, don’t enable it
with high number of peers (>50) in the KubeSpan network (performance issues).
mtuuint32
KubeSpan link MTU size.Default value is 1420.
filtersKubeSpanFilters
KubeSpan advanced filtering of network addresses .
Settings in this section are optional, and settings apply only to the node.
filters

KubeSpanFilters struct describes KubeSpan advanced network addresses filtering.

FieldTypeDescriptionValue(s)
endpoints[]string
Filter node addresses which will be advertised as KubeSpan endpoints for peer-to-peer Wireguard connections.
By default, all addresses are advertised, and KubeSpan cycles through all endpoints until it finds one that works.

Default value: no filtering.
Show example(s)
endpoints:
    - 0.0.0.0/0
    - '!192.168.0.0/16'
    - ::/0

disks[]

MachineDisk represents the options available for partitioning, formatting, and mounting extra disks.

machine:
    disks:
        - device: /dev/sdb # The name of the disk to use.
          # A list of partitions to create on the disk.
          partitions:
            - mountpoint: /var/mnt/extra # Where to mount the partition.

              # # The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk.

              # # Human readable representation.
              # size: 100 MB
              # # Precise value in bytes.
              # size: 1073741824
FieldTypeDescriptionValue(s)
devicestringThe name of the disk to use.
partitions[]DiskPartitionA list of partitions to create on the disk.

partitions[]

DiskPartition represents the options for a disk partition.

FieldTypeDescriptionValue(s)
sizeDiskSizeThe size of partition: either bytes or human readable representation. If size: is omitted, the partition is sized to occupy the full disk.
Show example(s)
size: 100 MB
size: 1073741824
mountpointstringWhere to mount the partition.

install

InstallConfig represents the installation options for preparing a node.

machine:
    install:
        disk: /dev/sda # The disk used for installations.
        # Allows for supplying extra kernel args via the bootloader.
        extraKernelArgs:
            - console=ttyS1
            - panic=10
        image: ghcr.io/siderolabs/installer:latest # Allows for supplying the image used to perform the installation.
        wipe: false # Indicates if the installation disk should be wiped at installation time.

        # # Look up disk using disk attributes like model, size, serial and others.
        # diskSelector:
        #     size: 4GB # Disk size.
        #     model: WDC* # Disk model `/sys/block/<dev>/device/model`.
        #     busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.

        # # Allows for supplying additional system extension images to install on top of base Talos image.
        # extensions:
        #     - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image.
FieldTypeDescriptionValue(s)
diskstringThe disk used for installations.
Show example(s)
disk: /dev/sda
disk: /dev/nvme0
diskSelectorInstallDiskSelector
Look up disk using disk attributes like model, size, serial and others.Always has priority over disk.
Show example(s)
diskSelector:
    size: '>= 1TB' # Disk size.
    model: WDC* # Disk model `/sys/block/<dev>/device/model`.

    # # Disk bus path.
    # busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0
    # busPath: /pci0000:00/*
extraKernelArgs[]string
Allows for supplying extra kernel args via the bootloader.Existing kernel args can be removed by prefixing the argument with a -.
For example -console removes all console=<value> arguments, whereas -console=tty0 removes the console=tty0 default argument.
Show example(s)
extraKernelArgs:
    - talos.platform=metal
    - reboot=k
imagestring
Allows for supplying the image used to perform the installation.Image reference for each Talos release can be found on
GitHub releases page.
Show example(s)
image: ghcr.io/siderolabs/installer:latest
extensions[]InstallExtensionConfigAllows for supplying additional system extension images to install on top of base Talos image.
Show example(s)
extensions:
    - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image.
wipebool
Indicates if the installation disk should be wiped at installation time.Defaults to true.
true
yes
false
no
legacyBIOSSupportbool
Indicates if MBR partition should be marked as bootable (active).Should be enabled only for the systems with legacy BIOS that doesn’t support GPT partitioning scheme.

diskSelector

InstallDiskSelector represents a disk query parameters for the install disk lookup.

machine:
    install:
        diskSelector:
            size: '>= 1TB' # Disk size.
            model: WDC* # Disk model `/sys/block/<dev>/device/model`.

            # # Disk bus path.
            # busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0
            # busPath: /pci0000:00/*
FieldTypeDescriptionValue(s)
sizeInstallDiskSizeMatcherDisk size.
Show example(s)
size: 4GB
size: '> 1TB'
size: <= 2TB
namestringDisk name /sys/block/<dev>/device/name.
modelstringDisk model /sys/block/<dev>/device/model.
serialstringDisk serial number /sys/block/<dev>/serial.
modaliasstringDisk modalias /sys/block/<dev>/device/modalias.
uuidstringDisk UUID /sys/block/<dev>/uuid.
wwidstringDisk WWID /sys/block/<dev>/wwid.
typeInstallDiskTypeDisk Type.ssd
hdd
nvme
sd
busPathstringDisk bus path.
Show example(s)
busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0
busPath: /pci0000:00/*

extensions[]

InstallExtensionConfig represents a configuration for a system extension.

machine:
    install:
        extensions:
            - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image.
FieldTypeDescriptionValue(s)
imagestringSystem extension image.

files[]

MachineFile represents a file to write to disk.

machine:
    files:
        - content: '...' # The contents of the file.
          permissions: 0o666 # The file's permissions in octal.
          path: /tmp/file.txt # The path of the file.
          op: append # The operation to use
FieldTypeDescriptionValue(s)
contentstringThe contents of the file.
permissionsFileModeThe file’s permissions in octal.
pathstringThe path of the file.
opstringThe operation to usecreate
append
overwrite

time

TimeConfig represents the options for configuring time on a machine.

machine:
    time:
        disabled: false # Indicates if the time service is disabled for the machine.
        # description: |
        servers:
            - time.cloudflare.com
        bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence.
FieldTypeDescriptionValue(s)
disabledbool
Indicates if the time service is disabled for the machine.Defaults to false.
servers[]string
description:
Specifies time (NTP) servers to use for setting the system time.
Defaults to time.cloudflare.com.

Talos can also sync to the PTP time source (e.g provided by the hypervisor),
provide the path to the PTP device as “/dev/ptp0” or “/dev/ptp_kvm”.
bootTimeoutDuration
Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence.NTP sync will be still running in the background.
Defaults to “infinity” (waiting forever for time sync)

registries

RegistriesConfig represents the image pull options.

machine:
    registries:
        # Specifies mirror configuration for each registry host namespace.
        mirrors:
            docker.io:
                # List of endpoints (URLs) for registry mirrors to use.
                endpoints:
                    - https://registry.local
        # Specifies TLS & auth configuration for HTTPS image registries.
        config:
            registry.local:
                # The TLS configuration for the registry.
                tls:
                    # Enable mutual TLS authentication with the registry.
                    clientIdentity:
                        crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
                        key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
                # The auth configuration for this registry.
                auth:
                    username: username # Optional registry authentication.
                    password: password # Optional registry authentication.
FieldTypeDescriptionValue(s)
mirrorsmap[string]RegistryMirrorConfig
Specifies mirror configuration for each registry host namespace.This setting allows to configure local pull-through caching registires,
air-gapped installations, etc.

For example, when pulling an image with the reference example.com:123/image:v1,
the example.com:123 key will be used to lookup the mirror configuration.

Optionally the * key can be used to configure a fallback mirror.

Registry name is the first segment of image identifier, with ‘docker.io’
being default one.
Show example(s)
mirrors:
    ghcr.io:
        # List of endpoints (URLs) for registry mirrors to use.
        endpoints:
            - https://registry.insecure
            - https://ghcr.io/v2/
configmap[string]RegistryConfig
Specifies TLS & auth configuration for HTTPS image registries.Mutual TLS can be enabled with ‘clientIdentity’ option.

The full hostname and port (if not using a default port 443)
should be used as the key.
The fallback key * can’t be used for TLS configuration.

TLS configuration can be skipped if registry has trusted
server certificate.
Show example(s)
config:
    registry.insecure:
        # The TLS configuration for the registry.
        tls:
            insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).

            # # Enable mutual TLS authentication with the registry.
            # clientIdentity:
            #     crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
            #     key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==

        # # The auth configuration for this registry.
        # auth:
        #     username: username # Optional registry authentication.
        #     password: password # Optional registry authentication.

mirrors.*

RegistryMirrorConfig represents mirror configuration for a registry.

machine:
    registries:
        mirrors:
            ghcr.io:
                # List of endpoints (URLs) for registry mirrors to use.
                endpoints:
                    - https://registry.insecure
                    - https://ghcr.io/v2/
FieldTypeDescriptionValue(s)
endpoints[]string
List of endpoints (URLs) for registry mirrors to use.Endpoint configures HTTP/HTTPS access mode, host name,
port and path (if path is not set, it defaults to /v2).
overridePathbool
Use the exact path specified for the endpoint (don’t append /v2/).This setting is often required for setting up multiple mirrors
on a single instance of a registry.
skipFallbackbool
Skip fallback to the upstream endpoint, for example the mirror configurationfor docker.io will not fallback to registry-1.docker.io.

config.*

RegistryConfig specifies auth & TLS config per registry.

machine:
    registries:
        config:
            registry.insecure:
                # The TLS configuration for the registry.
                tls:
                    insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).

                    # # Enable mutual TLS authentication with the registry.
                    # clientIdentity:
                    #     crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
                    #     key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==

                # # The auth configuration for this registry.
                # auth:
                #     username: username # Optional registry authentication.
                #     password: password # Optional registry authentication.
FieldTypeDescriptionValue(s)
tlsRegistryTLSConfigThe TLS configuration for the registry.
Show example(s)
tls:
    # Enable mutual TLS authentication with the registry.
    clientIdentity:
        crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
        key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
tls:
    insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).

    # # Enable mutual TLS authentication with the registry.
    # clientIdentity:
    #     crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
    #     key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
authRegistryAuthConfig
The auth configuration for this registry.Note: changes to the registry auth will not be picked up by the CRI containerd plugin without a reboot.
Show example(s)
auth:
    username: username # Optional registry authentication.
    password: password # Optional registry authentication.
tls

RegistryTLSConfig specifies TLS config for HTTPS registries.

machine:
    registries:
        config:
            example.com:
                tls:
                    # Enable mutual TLS authentication with the registry.
                    clientIdentity:
                        crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
                        key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
machine:
    registries:
        config:
            example.com:
                tls:
                    insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).

                    # # Enable mutual TLS authentication with the registry.
                    # clientIdentity:
                    #     crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
                    #     key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
FieldTypeDescriptionValue(s)
clientIdentityPEMEncodedCertificateAndKey
Enable mutual TLS authentication with the registry.Client certificate and key should be base64-encoded.
Show example(s)
clientIdentity:
    crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
    key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
caBase64Bytes
CA registry certificate to add the list of trusted certificates.Certificate should be base64-encoded.
insecureSkipVerifyboolSkip TLS server certificate verification (not recommended).
auth

RegistryAuthConfig specifies authentication configuration for a registry.

machine:
    registries:
        config:
            example.com:
                auth:
                    username: username # Optional registry authentication.
                    password: password # Optional registry authentication.
FieldTypeDescriptionValue(s)
usernamestring
Optional registry authentication.The meaning of each field is the same with the corresponding field in .docker/config.json.
passwordstring
Optional registry authentication.The meaning of each field is the same with the corresponding field in .docker/config.json.
authstring
Optional registry authentication.The meaning of each field is the same with the corresponding field in .docker/config.json.
identityTokenstring
Optional registry authentication.The meaning of each field is the same with the corresponding field in .docker/config.json.

systemDiskEncryption

SystemDiskEncryptionConfig specifies system disk partitions encryption settings.

machine:
    systemDiskEncryption:
        # Ephemeral partition encryption.
        ephemeral:
            provider: luks2 # Encryption provider to use for the encryption.
            # Defines the encryption keys generation and storage method.
            keys:
                - # Deterministically generated key from the node UUID and PartitionLabel.
                  nodeID: {}
                  slot: 0 # Key slot number for LUKS2 encryption.

                  # # KMS managed encryption key.
                  # kms:
                  #     endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.

            # # Cipher kind to use for the encryption. Depends on the encryption provider.
            # cipher: aes-xts-plain64

            # # Defines the encryption sector size.
            # blockSize: 4096

            # # Additional --perf parameters for the LUKS2 encryption.
            # options:
            #     - no_read_workqueue
            #     - no_write_workqueue
FieldTypeDescriptionValue(s)
stateEncryptionConfigState partition encryption.
ephemeralEncryptionConfigEphemeral partition encryption.

state

EncryptionConfig represents partition encryption settings.

FieldTypeDescriptionValue(s)
providerstringEncryption provider to use for the encryption.
Show example(s)
provider: luks2
keys[]EncryptionKeyDefines the encryption keys generation and storage method.
cipherstringCipher kind to use for the encryption. Depends on the encryption provider.
Show example(s)
cipher: aes-xts-plain64
aes-xts-plain64
xchacha12,aes-adiantum-plain64
xchacha20,aes-adiantum-plain64
keySizeuintDefines the encryption key length.
blockSizeuint64Defines the encryption sector size.
Show example(s)
blockSize: 4096
options[]stringAdditional –perf parameters for the LUKS2 encryption.
Show example(s)
options:
    - no_read_workqueue
    - no_write_workqueue
no_read_workqueue
no_write_workqueue
same_cpu_crypt
keys[]

EncryptionKey represents configuration for disk encryption key.

FieldTypeDescriptionValue(s)
staticEncryptionKeyStaticKey which value is stored in the configuration file.
nodeIDEncryptionKeyNodeIDDeterministically generated key from the node UUID and PartitionLabel.
kmsEncryptionKeyKMSKMS managed encryption key.
Show example(s)
kms:
    endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
slotintKey slot number for LUKS2 encryption.
tpmEncryptionKeyTPMEnable TPM based disk encryption.
static

EncryptionKeyStatic represents throw away key type.

FieldTypeDescriptionValue(s)
passphrasestringDefines the static passphrase value.
nodeID

EncryptionKeyNodeID represents deterministically generated key from the node UUID and PartitionLabel.

kms

EncryptionKeyKMS represents a key that is generated and then sealed/unsealed by the KMS server.

machine:
    systemDiskEncryption:
        state:
            keys:
                - kms:
                    endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
FieldTypeDescriptionValue(s)
endpointstringKMS endpoint to Seal/Unseal the key.
tpm

EncryptionKeyTPM represents a key that is generated and then sealed/unsealed by the TPM.

FieldTypeDescriptionValue(s)
checkSecurebootStatusOnEnrollbool
Check that Secureboot is enabled in the EFI firmware.If Secureboot is not enabled, the enrollment of the key will fail. As the TPM key is anyways bound to the value of PCR 7, changing Secureboot status or configuration after the initial enrollment will make the key unusable.

ephemeral

EncryptionConfig represents partition encryption settings.

FieldTypeDescriptionValue(s)
providerstringEncryption provider to use for the encryption.
Show example(s)
provider: luks2
keys[]EncryptionKeyDefines the encryption keys generation and storage method.
cipherstringCipher kind to use for the encryption. Depends on the encryption provider.
Show example(s)
cipher: aes-xts-plain64
aes-xts-plain64
xchacha12,aes-adiantum-plain64
xchacha20,aes-adiantum-plain64
keySizeuintDefines the encryption key length.
blockSizeuint64Defines the encryption sector size.
Show example(s)
blockSize: 4096
options[]stringAdditional –perf parameters for the LUKS2 encryption.
Show example(s)
options:
    - no_read_workqueue
    - no_write_workqueue
no_read_workqueue
no_write_workqueue
same_cpu_crypt
keys[]

EncryptionKey represents configuration for disk encryption key.

FieldTypeDescriptionValue(s)
staticEncryptionKeyStaticKey which value is stored in the configuration file.
nodeIDEncryptionKeyNodeIDDeterministically generated key from the node UUID and PartitionLabel.
kmsEncryptionKeyKMSKMS managed encryption key.
Show example(s)
kms:
    endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
slotintKey slot number for LUKS2 encryption.
tpmEncryptionKeyTPMEnable TPM based disk encryption.
static

EncryptionKeyStatic represents throw away key type.

FieldTypeDescriptionValue(s)
passphrasestringDefines the static passphrase value.
nodeID

EncryptionKeyNodeID represents deterministically generated key from the node UUID and PartitionLabel.

kms

EncryptionKeyKMS represents a key that is generated and then sealed/unsealed by the KMS server.

machine:
    systemDiskEncryption:
        ephemeral:
            keys:
                - kms:
                    endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
FieldTypeDescriptionValue(s)
endpointstringKMS endpoint to Seal/Unseal the key.
tpm

EncryptionKeyTPM represents a key that is generated and then sealed/unsealed by the TPM.

FieldTypeDescriptionValue(s)
checkSecurebootStatusOnEnrollbool
Check that Secureboot is enabled in the EFI firmware.If Secureboot is not enabled, the enrollment of the key will fail. As the TPM key is anyways bound to the value of PCR 7, changing Secureboot status or configuration after the initial enrollment will make the key unusable.

features

FeaturesConfig describes individual Talos features that can be switched on or off.

machine:
    features:
        rbac: true # Enable role-based access control (RBAC).

        # # Configure Talos API access from Kubernetes pods.
        # kubernetesTalosAPIAccess:
        #     enabled: true # Enable Talos API access from Kubernetes pods.
        #     # The list of Talos API roles which can be granted for access from Kubernetes pods.
        #     allowedRoles:
        #         - os:reader
        #     # The list of Kubernetes namespaces Talos API access is available from.
        #     allowedKubernetesNamespaces:
        #         - kube-system
FieldTypeDescriptionValue(s)
rbacboolEnable role-based access control (RBAC).
stableHostnameboolEnable stable default hostname.
kubernetesTalosAPIAccessKubernetesTalosAPIAccessConfig
Configure Talos API access from Kubernetes pods.
This feature is disabled if the feature config is not specified.
Show example(s)
kubernetesTalosAPIAccess:
    enabled: true # Enable Talos API access from Kubernetes pods.
    # The list of Talos API roles which can be granted for access from Kubernetes pods.
    allowedRoles:
        - os:reader
    # The list of Kubernetes namespaces Talos API access is available from.
    allowedKubernetesNamespaces:
        - kube-system
apidCheckExtKeyUsageboolEnable checks for extended key usage of client certificates in apid.
diskQuotaSupportbool
Enable XFS project quota support for EPHEMERAL partition and user disks.Also enables kubelet tracking of ephemeral disk usage in the kubelet via quota.
kubePrismKubePrism
KubePrism - local proxy/load balancer on defined port that will distributerequests to all API servers in the cluster.
hostDNSHostDNSConfigConfigures host DNS caching resolver.
imageCacheImageCacheConfigEnable Image Cache feature.
nodeAddressSortAlgorithmstring
Select the node address sort algorithm.The ‘v1’ algorithm sorts addresses by the address itself.
The ‘v2’ algorithm prefers more specific prefixes.
If unset, defaults to ‘v1’.

kubernetesTalosAPIAccess

KubernetesTalosAPIAccessConfig describes the configuration for the Talos API access from Kubernetes pods.

machine:
    features:
        kubernetesTalosAPIAccess:
            enabled: true # Enable Talos API access from Kubernetes pods.
            # The list of Talos API roles which can be granted for access from Kubernetes pods.
            allowedRoles:
                - os:reader
            # The list of Kubernetes namespaces Talos API access is available from.
            allowedKubernetesNamespaces:
                - kube-system
FieldTypeDescriptionValue(s)
enabledboolEnable Talos API access from Kubernetes pods.
allowedRoles[]string
The list of Talos API roles which can be granted for access from Kubernetes pods.
Empty list means that no roles can be granted, so access is blocked.
allowedKubernetesNamespaces[]stringThe list of Kubernetes namespaces Talos API access is available from.

kubePrism

KubePrism describes the configuration for the KubePrism load balancer.

FieldTypeDescriptionValue(s)
enabledboolEnable KubePrism support - will start local load balancing proxy.
portintKubePrism port.

hostDNS

HostDNSConfig describes the configuration for the host DNS resolver.

FieldTypeDescriptionValue(s)
enabledboolEnable host DNS caching resolver.
forwardKubeDNSToHostbool
Use the host DNS resolver as upstream for Kubernetes CoreDNS pods.
When enabled, CoreDNS pods use host DNS server as the upstream DNS (instead of
using configured upstream DNS resolvers directly).
resolveMemberNamesbool
Resolve member hostnames using the host DNS resolver.
When enabled, cluster member hostnames and node names are resolved using the host DNS resolver.
This requires service discovery to be enabled.

imageCache

ImageCacheConfig describes the configuration for the Image Cache feature.

FieldTypeDescriptionValue(s)
localEnabledboolEnable local image cache.

udev

UdevConfig describes how the udev system should be configured.

machine:
    udev:
        # List of udev rules to apply to the udev system
        rules:
            - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
FieldTypeDescriptionValue(s)
rules[]stringList of udev rules to apply to the udev system

logging

LoggingConfig struct configures Talos logging.

machine:
    logging:
        # Logging destination.
        destinations:
            - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
              format: json_lines # Logs format.
FieldTypeDescriptionValue(s)
destinations[]LoggingDestinationLogging destination.

destinations[]

LoggingDestination struct configures Talos logging destination.

FieldTypeDescriptionValue(s)
endpointEndpointWhere to send logs. Supported protocols are “tcp” and “udp”.
Show example(s)
endpoint: udp://127.0.0.1:12345
endpoint: tcp://1.2.3.4:12345
formatstringLogs format.json_lines
extraTagsmap[string]stringExtra tags (key-value) pairs to attach to every log message sent.
endpoint

Endpoint represents the endpoint URL parsed out of the machine config.

machine:
    logging:
        destinations:
            - endpoint: https://1.2.3.4:6443
machine:
    logging:
        destinations:
            - endpoint: https://cluster1.internal:6443
machine:
    logging:
        destinations:
            - endpoint: udp://127.0.0.1:12345
machine:
    logging:
        destinations:
            - endpoint: tcp://1.2.3.4:12345
FieldTypeDescriptionValue(s)

kernel

KernelConfig struct configures Talos Linux kernel.

machine:
    kernel:
        # Kernel modules to load.
        modules:
            - name: brtfs # Module name.
FieldTypeDescriptionValue(s)
modules[]KernelModuleConfigKernel modules to load.

modules[]

KernelModuleConfig struct configures Linux kernel modules to load.

FieldTypeDescriptionValue(s)
namestringModule name.
parameters[]stringModule parameters, changes applied after reboot.

seccompProfiles[]

MachineSeccompProfile defines seccomp profiles for the machine.

machine:
    seccompProfiles:
        - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
          # The `value` field is used to provide the seccomp profile.
          value:
            defaultAction: SCMP_ACT_LOG
FieldTypeDescriptionValue(s)
namestringThe name field is used to provide the file name of the seccomp profile.
valueUnstructuredThe value field is used to provide the seccomp profile.

cluster

ClusterConfig represents the cluster-wide config values.

cluster:
    # ControlPlaneConfig represents the control plane configuration options.
    controlPlane:
        endpoint: https://1.2.3.4 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
        localAPIServerPort: 443 # The port that the API server listens on internally.
    clusterName: talos.local
    # ClusterNetworkConfig represents kube networking configuration options.
    network:
        # The CNI used.
        cni:
            name: flannel # Name of CNI to use.
        dnsDomain: cluster.local # The domain used by Kubernetes DNS.
        # The pod subnet CIDR.
        podSubnets:
            - 10.244.0.0/16
        # The service subnet CIDR.
        serviceSubnets:
            - 10.96.0.0/12
FieldTypeDescriptionValue(s)
idstringGlobally unique identifier for this cluster (base64 encoded random 32 bytes).
secretstring
Shared secret of cluster (base64 encoded random 32 bytes).This secret is shared among cluster members but should never be sent over the network.
controlPlaneControlPlaneConfigProvides control plane specific configuration options.
Show example(s)
controlPlane:
    endpoint: https://1.2.3.4 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
    localAPIServerPort: 443 # The port that the API server listens on internally.
clusterNamestringConfigures the cluster’s name.
networkClusterNetworkConfigProvides cluster specific network configuration options.
Show example(s)
network:
    # The CNI used.
    cni:
        name: flannel # Name of CNI to use.
    dnsDomain: cluster.local # The domain used by Kubernetes DNS.
    # The pod subnet CIDR.
    podSubnets:
        - 10.244.0.0/16
    # The service subnet CIDR.
    serviceSubnets:
        - 10.96.0.0/12
tokenstringThe bootstrap token used to join the cluster.
Show example(s)
token: wlzjyw.bei2zfylhs2by0wd
aescbcEncryptionSecretstring
A key used for the encryption of secret data at rest.Enables encryption with AESCBC.
Show example(s)
aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
secretboxEncryptionSecretstring
A key used for the encryption of secret data at rest.Enables encryption with secretbox.
Secretbox has precedence over AESCBC.
Show example(s)
secretboxEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
caPEMEncodedCertificateAndKeyThe base64 encoded root certificate authority used by Kubernetes.
Show example(s)
ca:
    crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
    key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
acceptedCAs[]PEMEncodedCertificateThe list of base64 encoded accepted certificate authorities used by Kubernetes.
aggregatorCAPEMEncodedCertificateAndKey
The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.
This CA can be self-signed.
Show example(s)
aggregatorCA:
    crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
    key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
serviceAccountPEMEncodedKeyThe base64 encoded private key for service account token generation.
Show example(s)
serviceAccount:
    key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
apiServerAPIServerConfigAPI server specific configuration options.
Show example(s)
apiServer:
    image: registry.k8s.io/kube-apiserver:v1.32.0 # The container image used in the API server manifest.
    # Extra arguments to supply to the API server.
    extraArgs:
        feature-gates: ServerSideApply=true
        http2-max-streams-per-connection: "32"
    # Extra certificate subject alternative names for the API server's certificate.
    certSANs:
        - 1.2.3.4
        - 4.5.6.7

    # # Configure the API server admission plugins.
    # admissionControl:
    #     - name: PodSecurity # Name is the name of the admission controller.
    #       # Configuration is an embedded configuration object to be used as the plugin's
    #       configuration:
    #         apiVersion: pod-security.admission.config.k8s.io/v1alpha1
    #         defaults:
    #             audit: restricted
    #             audit-version: latest
    #             enforce: baseline
    #             enforce-version: latest
    #             warn: restricted
    #             warn-version: latest
    #         exemptions:
    #             namespaces:
    #                 - kube-system
    #             runtimeClasses: []
    #             usernames: []
    #         kind: PodSecurityConfiguration

    # # Configure the API server audit policy.
    # auditPolicy:
    #     apiVersion: audit.k8s.io/v1
    #     kind: Policy
    #     rules:
    #         - level: Metadata

    # # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration.
    # authorizationConfig:
    #     - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
    #       name: webhook # Name is used to describe the authorizer.
    #       # webhook is the configuration for the webhook authorizer.
    #       webhook:
    #         connectionInfo:
    #             type: InClusterConfig
    #         failurePolicy: Deny
    #         matchConditionSubjectAccessReviewVersion: v1
    #         matchConditions:
    #             - expression: has(request.resourceAttributes)
    #             - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)'
    #         subjectAccessReviewVersion: v1
    #         timeout: 3s
    #     - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
    #       name: in-cluster-authorizer # Name is used to describe the authorizer.
    #       # webhook is the configuration for the webhook authorizer.
    #       webhook:
    #         connectionInfo:
    #             type: InClusterConfig
    #         failurePolicy: NoOpinion
    #         matchConditionSubjectAccessReviewVersion: v1
    #         subjectAccessReviewVersion: v1
    #         timeout: 3s
controllerManagerControllerManagerConfigController manager server specific configuration options.
Show example(s)
controllerManager:
    image: registry.k8s.io/kube-controller-manager:v1.32.0 # The container image used in the controller manager manifest.
    # Extra arguments to supply to the controller manager.
    extraArgs:
        feature-gates: ServerSideApply=true
proxyProxyConfigKube-proxy server-specific configuration options
Show example(s)
proxy:
    image: registry.k8s.io/kube-proxy:v1.32.0 # The container image used in the kube-proxy manifest.
    mode: ipvs # proxy mode of kube-proxy.
    # Extra arguments to supply to kube-proxy.
    extraArgs:
        proxy-mode: iptables

    # # Disable kube-proxy deployment on cluster bootstrap.
    # disabled: false
schedulerSchedulerConfigScheduler server specific configuration options.
Show example(s)
scheduler:
    image: registry.k8s.io/kube-scheduler:v1.32.0 # The container image used in the scheduler manifest.
    # Extra arguments to supply to the scheduler.
    extraArgs:
        feature-gates: AllBeta=true
discoveryClusterDiscoveryConfigConfigures cluster member discovery.
Show example(s)
discovery:
    enabled: true # Enable the cluster membership discovery feature.
    # Configure registries used for cluster member discovery.
    registries:
        # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
        kubernetes: {}
        # Service registry is using an external service to push and pull information about cluster members.
        service:
            endpoint: https://discovery.talos.dev/ # External service endpoint.
etcdEtcdConfigEtcd specific configuration options.
Show example(s)
etcd:
    image: gcr.io/etcd-development/etcd:v3.5.17 # The container image used to create the etcd service.
    # The `ca` is the root certificate authority of the PKI.
    ca:
        crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
        key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
    # Extra arguments to supply to etcd.
    extraArgs:
        election-timeout: "5000"

    # # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
    # advertisedSubnets:
    #     - 10.0.0.0/8
coreDNSCoreDNSCore DNS specific configuration options.
Show example(s)
coreDNS:
    image: registry.k8s.io/coredns/coredns:v1.12.0 # The `image` field is an override to the default coredns image.
externalCloudProviderExternalCloudProviderConfigExternal cloud provider configuration.
Show example(s)
externalCloudProvider:
    enabled: true # Enable external cloud provider.
    # A list of urls that point to additional manifests for an external cloud provider.
    manifests:
        - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
        - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml
extraManifests[]string
A list of urls that point to additional manifests.These will get automatically deployed as part of the bootstrap.
Show example(s)
extraManifests:
    - https://www.example.com/manifest1.yaml
    - https://www.example.com/manifest2.yaml
extraManifestHeadersmap[string]stringA map of key value pairs that will be added while fetching the extraManifests.
Show example(s)
extraManifestHeaders:
    Token: "1234567"
    X-ExtraInfo: info
inlineManifests[]ClusterInlineManifest
A list of inline Kubernetes manifests.These will get automatically deployed as part of the bootstrap.
Show example(s)
inlineManifests:
    - name: namespace-ci # Name of the manifest.
      contents: |- # Manifest contents as a string.
        apiVersion: v1
        kind: Namespace
        metadata:
        	name: ci
adminKubeconfigAdminKubeconfigConfig
Settings for admin kubeconfig generation.Certificate lifetime can be configured.
Show example(s)
adminKubeconfig:
    certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).
allowSchedulingOnControlPlanesboolAllows running workload on control-plane nodes.
Show example(s)
allowSchedulingOnControlPlanes: true
true
yes
false
no

controlPlane

ControlPlaneConfig represents the control plane configuration options.

cluster:
    controlPlane:
        endpoint: https://1.2.3.4 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
        localAPIServerPort: 443 # The port that the API server listens on internally.
FieldTypeDescriptionValue(s)
endpointEndpoint
Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.It is single-valued, and may optionally include a port number.
Show example(s)
endpoint: https://1.2.3.4:6443
endpoint: https://cluster1.internal:6443
localAPIServerPortint
The port that the API server listens on internally.This may be different than the port portion listed in the endpoint field above.
The default is 6443.

endpoint

Endpoint represents the endpoint URL parsed out of the machine config.

cluster:
    controlPlane:
        endpoint: https://1.2.3.4:6443
cluster:
    controlPlane:
        endpoint: https://cluster1.internal:6443
cluster:
    controlPlane:
        endpoint: udp://127.0.0.1:12345
cluster:
    controlPlane:
        endpoint: tcp://1.2.3.4:12345
FieldTypeDescriptionValue(s)

network

ClusterNetworkConfig represents kube networking configuration options.

cluster:
    network:
        # The CNI used.
        cni:
            name: flannel # Name of CNI to use.
        dnsDomain: cluster.local # The domain used by Kubernetes DNS.
        # The pod subnet CIDR.
        podSubnets:
            - 10.244.0.0/16
        # The service subnet CIDR.
        serviceSubnets:
            - 10.96.0.0/12
FieldTypeDescriptionValue(s)
cniCNIConfig
The CNI used.Composed of “name” and “urls”.
The “name” key supports the following options: “flannel”, “custom”, and “none”.
“flannel” uses Talos-managed Flannel CNI, and that’s the default option.
“custom” uses custom manifests that should be provided in “urls”.
“none” indicates that Talos will not manage any CNI installation.
Show example(s)
cni:
    name: custom # Name of CNI to use.
    # URLs containing manifests to apply for the CNI.
    urls:
        - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml
dnsDomainstring
The domain used by Kubernetes DNS.The default is cluster.local
Show example(s)
dnsDomain: cluser.local
podSubnets[]stringThe pod subnet CIDR.
Show example(s)
podSubnets:
    - 10.244.0.0/16
serviceSubnets[]stringThe service subnet CIDR.
Show example(s)
serviceSubnets:
    - 10.96.0.0/12

cni

CNIConfig represents the CNI configuration options.

cluster:
    network:
        cni:
            name: custom # Name of CNI to use.
            # URLs containing manifests to apply for the CNI.
            urls:
                - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml
FieldTypeDescriptionValue(s)
namestringName of CNI to use.flannel
custom
none
urls[]string
URLs containing manifests to apply for the CNI.Should be present for “custom”, must be empty for “flannel” and “none”.
flannelFlannelCNIConfig
description:
Flannel configuration options.
flannel

FlannelCNIConfig represents the Flannel CNI configuration options.

FieldTypeDescriptionValue(s)
extraArgs[]stringExtra arguments for ‘flanneld’.
Show example(s)
extraArgs:
    - --iface-can-reach=192.168.1.1

apiServer

APIServerConfig represents the kube apiserver configuration options.

cluster:
    apiServer:
        image: registry.k8s.io/kube-apiserver:v1.32.0 # The container image used in the API server manifest.
        # Extra arguments to supply to the API server.
        extraArgs:
            feature-gates: ServerSideApply=true
            http2-max-streams-per-connection: "32"
        # Extra certificate subject alternative names for the API server's certificate.
        certSANs:
            - 1.2.3.4
            - 4.5.6.7

        # # Configure the API server admission plugins.
        # admissionControl:
        #     - name: PodSecurity # Name is the name of the admission controller.
        #       # Configuration is an embedded configuration object to be used as the plugin's
        #       configuration:
        #         apiVersion: pod-security.admission.config.k8s.io/v1alpha1
        #         defaults:
        #             audit: restricted
        #             audit-version: latest
        #             enforce: baseline
        #             enforce-version: latest
        #             warn: restricted
        #             warn-version: latest
        #         exemptions:
        #             namespaces:
        #                 - kube-system
        #             runtimeClasses: []
        #             usernames: []
        #         kind: PodSecurityConfiguration

        # # Configure the API server audit policy.
        # auditPolicy:
        #     apiVersion: audit.k8s.io/v1
        #     kind: Policy
        #     rules:
        #         - level: Metadata

        # # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration.
        # authorizationConfig:
        #     - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
        #       name: webhook # Name is used to describe the authorizer.
        #       # webhook is the configuration for the webhook authorizer.
        #       webhook:
        #         connectionInfo:
        #             type: InClusterConfig
        #         failurePolicy: Deny
        #         matchConditionSubjectAccessReviewVersion: v1
        #         matchConditions:
        #             - expression: has(request.resourceAttributes)
        #             - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)'
        #         subjectAccessReviewVersion: v1
        #         timeout: 3s
        #     - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
        #       name: in-cluster-authorizer # Name is used to describe the authorizer.
        #       # webhook is the configuration for the webhook authorizer.
        #       webhook:
        #         connectionInfo:
        #             type: InClusterConfig
        #         failurePolicy: NoOpinion
        #         matchConditionSubjectAccessReviewVersion: v1
        #         subjectAccessReviewVersion: v1
        #         timeout: 3s
FieldTypeDescriptionValue(s)
imagestringThe container image used in the API server manifest.
Show example(s)
image: registry.k8s.io/kube-apiserver:v1.32.0
extraArgsmap[string]stringExtra arguments to supply to the API server.
extraVolumes[]VolumeMountConfigExtra volumes to mount to the API server static pod.
envEnvThe env field allows for the addition of environment variables for the control plane component.
certSANs[]stringExtra certificate subject alternative names for the API server’s certificate.
disablePodSecurityPolicyboolDisable PodSecurityPolicy in the API server and default manifests.
admissionControl[]AdmissionPluginConfigConfigure the API server admission plugins.
Show example(s)
admissionControl:
    - name: PodSecurity # Name is the name of the admission controller.
      # Configuration is an embedded configuration object to be used as the plugin's
      configuration:
        apiVersion: pod-security.admission.config.k8s.io/v1alpha1
        defaults:
            audit: restricted
            audit-version: latest
            enforce: baseline
            enforce-version: latest
            warn: restricted
            warn-version: latest
        exemptions:
            namespaces:
                - kube-system
            runtimeClasses: []
            usernames: []
        kind: PodSecurityConfiguration
auditPolicyUnstructuredConfigure the API server audit policy.
Show example(s)
auditPolicy:
    apiVersion: audit.k8s.io/v1
    kind: Policy
    rules:
        - level: Metadata
resourcesResourcesConfigConfigure the API server resources.
authorizationConfig[]AuthorizationConfigAuthorizerConfigConfigure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration.
Show example(s)
authorizationConfig:
    - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
      name: webhook # Name is used to describe the authorizer.
      # webhook is the configuration for the webhook authorizer.
      webhook:
        connectionInfo:
            type: InClusterConfig
        failurePolicy: Deny
        matchConditionSubjectAccessReviewVersion: v1
        matchConditions:
            - expression: has(request.resourceAttributes)
            - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)'
        subjectAccessReviewVersion: v1
        timeout: 3s
    - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
      name: in-cluster-authorizer # Name is used to describe the authorizer.
      # webhook is the configuration for the webhook authorizer.
      webhook:
        connectionInfo:
            type: InClusterConfig
        failurePolicy: NoOpinion
        matchConditionSubjectAccessReviewVersion: v1
        subjectAccessReviewVersion: v1
        timeout: 3s

extraVolumes[]

VolumeMountConfig struct describes extra volume mount for the static pods.

FieldTypeDescriptionValue(s)
hostPathstringPath on the host.
Show example(s)
hostPath: /var/lib/auth
mountPathstringPath in the container.
Show example(s)
mountPath: /etc/kubernetes/auth
readonlyboolMount the volume read only.
Show example(s)
readonly: true

admissionControl[]

AdmissionPluginConfig represents the API server admission plugin configuration.

cluster:
    apiServer:
        admissionControl:
            - name: PodSecurity # Name is the name of the admission controller.
              # Configuration is an embedded configuration object to be used as the plugin's
              configuration:
                apiVersion: pod-security.admission.config.k8s.io/v1alpha1
                defaults:
                    audit: restricted
                    audit-version: latest
                    enforce: baseline
                    enforce-version: latest
                    warn: restricted
                    warn-version: latest
                exemptions:
                    namespaces:
                        - kube-system
                    runtimeClasses: []
                    usernames: []
                kind: PodSecurityConfiguration
FieldTypeDescriptionValue(s)
namestring
Name is the name of the admission controller.It must match the registered admission plugin name.
configurationUnstructured
Configuration is an embedded configuration object to be used as the plugin’sconfiguration.

resources

ResourcesConfig represents the pod resources.

FieldTypeDescriptionValue(s)
requestsUnstructuredRequests configures the reserved cpu/memory resources.
Show example(s)
requests:
    cpu: 1
    memory: 1Gi
limitsUnstructuredLimits configures the maximum cpu/memory resources a container can use.
Show example(s)
limits:
    cpu: 2
    memory: 2500Mi

authorizationConfig[]

AuthorizationConfigAuthorizerConfig represents the API server authorization config authorizer configuration.

cluster:
    apiServer:
        authorizationConfig:
            - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
              name: webhook # Name is used to describe the authorizer.
              # webhook is the configuration for the webhook authorizer.
              webhook:
                connectionInfo:
                    type: InClusterConfig
                failurePolicy: Deny
                matchConditionSubjectAccessReviewVersion: v1
                matchConditions:
                    - expression: has(request.resourceAttributes)
                    - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)'
                subjectAccessReviewVersion: v1
                timeout: 3s
            - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
              name: in-cluster-authorizer # Name is used to describe the authorizer.
              # webhook is the configuration for the webhook authorizer.
              webhook:
                connectionInfo:
                    type: InClusterConfig
                failurePolicy: NoOpinion
                matchConditionSubjectAccessReviewVersion: v1
                subjectAccessReviewVersion: v1
                timeout: 3s
FieldTypeDescriptionValue(s)
typestringType is the name of the authorizer. Allowed values are Node, RBAC, and Webhook.
namestringName is used to describe the authorizer.
webhookUnstructuredwebhook is the configuration for the webhook authorizer.

controllerManager

ControllerManagerConfig represents the kube controller manager configuration options.

cluster:
    controllerManager:
        image: registry.k8s.io/kube-controller-manager:v1.32.0 # The container image used in the controller manager manifest.
        # Extra arguments to supply to the controller manager.
        extraArgs:
            feature-gates: ServerSideApply=true
FieldTypeDescriptionValue(s)
imagestringThe container image used in the controller manager manifest.
Show example(s)
image: registry.k8s.io/kube-controller-manager:v1.32.0
extraArgsmap[string]stringExtra arguments to supply to the controller manager.
extraVolumes[]VolumeMountConfigExtra volumes to mount to the controller manager static pod.
envEnvThe env field allows for the addition of environment variables for the control plane component.
resourcesResourcesConfigConfigure the controller manager resources.

extraVolumes[]

VolumeMountConfig struct describes extra volume mount for the static pods.

FieldTypeDescriptionValue(s)
hostPathstringPath on the host.
Show example(s)
hostPath: /var/lib/auth
mountPathstringPath in the container.
Show example(s)
mountPath: /etc/kubernetes/auth
readonlyboolMount the volume read only.
Show example(s)
readonly: true

resources

ResourcesConfig represents the pod resources.

FieldTypeDescriptionValue(s)
requestsUnstructuredRequests configures the reserved cpu/memory resources.
Show example(s)
requests:
    cpu: 1
    memory: 1Gi
limitsUnstructuredLimits configures the maximum cpu/memory resources a container can use.
Show example(s)
limits:
    cpu: 2
    memory: 2500Mi

proxy

ProxyConfig represents the kube proxy configuration options.

cluster:
    proxy:
        image: registry.k8s.io/kube-proxy:v1.32.0 # The container image used in the kube-proxy manifest.
        mode: ipvs # proxy mode of kube-proxy.
        # Extra arguments to supply to kube-proxy.
        extraArgs:
            proxy-mode: iptables

        # # Disable kube-proxy deployment on cluster bootstrap.
        # disabled: false
FieldTypeDescriptionValue(s)
disabledboolDisable kube-proxy deployment on cluster bootstrap.
Show example(s)
disabled: false
imagestringThe container image used in the kube-proxy manifest.
Show example(s)
image: registry.k8s.io/kube-proxy:v1.32.0
modestring
proxy mode of kube-proxy.The default is ‘iptables’.
extraArgsmap[string]stringExtra arguments to supply to kube-proxy.

scheduler

SchedulerConfig represents the kube scheduler configuration options.

cluster:
    scheduler:
        image: registry.k8s.io/kube-scheduler:v1.32.0 # The container image used in the scheduler manifest.
        # Extra arguments to supply to the scheduler.
        extraArgs:
            feature-gates: AllBeta=true
FieldTypeDescriptionValue(s)
imagestringThe container image used in the scheduler manifest.
Show example(s)
image: registry.k8s.io/kube-scheduler:v1.32.0
extraArgsmap[string]stringExtra arguments to supply to the scheduler.
extraVolumes[]VolumeMountConfigExtra volumes to mount to the scheduler static pod.
envEnvThe env field allows for the addition of environment variables for the control plane component.
resourcesResourcesConfigConfigure the scheduler resources.
configUnstructuredSpecify custom kube-scheduler configuration.

extraVolumes[]

VolumeMountConfig struct describes extra volume mount for the static pods.

FieldTypeDescriptionValue(s)
hostPathstringPath on the host.
Show example(s)
hostPath: /var/lib/auth
mountPathstringPath in the container.
Show example(s)
mountPath: /etc/kubernetes/auth
readonlyboolMount the volume read only.
Show example(s)
readonly: true

resources

ResourcesConfig represents the pod resources.

FieldTypeDescriptionValue(s)
requestsUnstructuredRequests configures the reserved cpu/memory resources.
Show example(s)
requests:
    cpu: 1
    memory: 1Gi
limitsUnstructuredLimits configures the maximum cpu/memory resources a container can use.
Show example(s)
limits:
    cpu: 2
    memory: 2500Mi

discovery

ClusterDiscoveryConfig struct configures cluster membership discovery.

cluster:
    discovery:
        enabled: true # Enable the cluster membership discovery feature.
        # Configure registries used for cluster member discovery.
        registries:
            # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
            kubernetes: {}
            # Service registry is using an external service to push and pull information about cluster members.
            service:
                endpoint: https://discovery.talos.dev/ # External service endpoint.
FieldTypeDescriptionValue(s)
enabledbool
Enable the cluster membership discovery feature.Cluster discovery is based on individual registries which are configured under the registries field.
registriesDiscoveryRegistriesConfigConfigure registries used for cluster member discovery.

registries

DiscoveryRegistriesConfig struct configures cluster membership discovery.

FieldTypeDescriptionValue(s)
kubernetesRegistryKubernetesConfig
Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional informationas annotations on the Node resources.
serviceRegistryServiceConfigService registry is using an external service to push and pull information about cluster members.
kubernetes

RegistryKubernetesConfig struct configures Kubernetes discovery registry.

FieldTypeDescriptionValue(s)
disabledboolDisable Kubernetes discovery registry.
service

RegistryServiceConfig struct configures Kubernetes discovery registry.

FieldTypeDescriptionValue(s)
disabledboolDisable external service discovery registry.
endpointstringExternal service endpoint.
Show example(s)
endpoint: https://discovery.talos.dev/

etcd

EtcdConfig represents the etcd configuration options.

cluster:
    etcd:
        image: gcr.io/etcd-development/etcd:v3.5.17 # The container image used to create the etcd service.
        # The `ca` is the root certificate authority of the PKI.
        ca:
            crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
            key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
        # Extra arguments to supply to etcd.
        extraArgs:
            election-timeout: "5000"

        # # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
        # advertisedSubnets:
        #     - 10.0.0.0/8
FieldTypeDescriptionValue(s)
imagestringThe container image used to create the etcd service.
Show example(s)
image: gcr.io/etcd-development/etcd:v3.5.17
caPEMEncodedCertificateAndKey
The ca is the root certificate authority of the PKI.It is composed of a base64 encoded crt and key.
Show example(s)
ca:
    crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
    key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
extraArgsmap[string]string
Extra arguments to supply to etcd.Note that the following args are not allowed:

- name
- data-dir
- initial-cluster-state
- listen-peer-urls
- listen-client-urls
- cert-file
- key-file
- trusted-ca-file
- peer-client-cert-auth
- peer-cert-file
- peer-trusted-ca-file
- peer-key-file
advertisedSubnets[]string
The advertisedSubnets field configures the networks to pick etcd advertised IP from.
IPs can be excluded from the list by using negative match with !, e.g !10.0.0.0/8.
Negative subnet matches should be specified last to filter out IPs picked by positive matches.
If not specified, advertised IP is selected as the first routable address of the node.
Show example(s)
advertisedSubnets:
    - 10.0.0.0/8
listenSubnets[]string
The listenSubnets field configures the networks for the etcd to listen for peer and client connections.
If listenSubnets is not set, but advertisedSubnets is set, listenSubnets defaults to
advertisedSubnets.

If neither advertisedSubnets nor listenSubnets is set, listenSubnets defaults to listen on all addresses.

IPs can be excluded from the list by using negative match with !, e.g !10.0.0.0/8.
Negative subnet matches should be specified last to filter out IPs picked by positive matches.
If not specified, advertised IP is selected as the first routable address of the node.

coreDNS

CoreDNS represents the CoreDNS config values.

cluster:
    coreDNS:
        image: registry.k8s.io/coredns/coredns:v1.12.0 # The `image` field is an override to the default coredns image.
FieldTypeDescriptionValue(s)
disabledboolDisable coredns deployment on cluster bootstrap.
imagestringThe image field is an override to the default coredns image.

externalCloudProvider

ExternalCloudProviderConfig contains external cloud provider configuration.

cluster:
    externalCloudProvider:
        enabled: true # Enable external cloud provider.
        # A list of urls that point to additional manifests for an external cloud provider.
        manifests:
            - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
            - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml
FieldTypeDescriptionValue(s)
enabledboolEnable external cloud provider.true
yes
false
no
manifests[]string
A list of urls that point to additional manifests for an external cloud provider.These will get automatically deployed as part of the bootstrap.
Show example(s)
manifests:
    - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
    - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml

inlineManifests[]

ClusterInlineManifest struct describes inline bootstrap manifests for the user.

cluster:
    inlineManifests:
        - name: namespace-ci # Name of the manifest.
          contents: |- # Manifest contents as a string.
            apiVersion: v1
            kind: Namespace
            metadata:
            	name: ci
FieldTypeDescriptionValue(s)
namestring
Name of the manifest.Name should be unique.
Show example(s)
name: csi
contentsstringManifest contents as a string.
Show example(s)
contents: /etc/kubernetes/auth

adminKubeconfig

AdminKubeconfigConfig contains admin kubeconfig settings.

cluster:
    adminKubeconfig:
        certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).
FieldTypeDescriptionValue(s)
certLifetimeDuration
Admin kubeconfig certificate lifetime (default is 1 year).Field format accepts any Go time.Duration format (‘1h’ for one hour, ‘10m’ for ten minutes).

4 - Kernel

Linux kernel reference.

Commandline Parameters

Talos supports a number of kernel commandline parameters. Some are required for it to operate. Others are optional and useful in certain circumstances.

Several of these are enforced by the Kernel Self Protection Project KSPP.

Required parameters:

  • talos.platform: can be one of akamai, aws, azure, container, digitalocean, equinixMetal, gcp, hcloud, metal, nocloud, openstack, oracle, scaleway, upcloud, vmware or vultr
  • slab_nomerge: required by KSPP
  • pti=on: required by KSPP

Recommended parameters:

  • init_on_alloc=1: advised by KSPP, enabled by default in kernel config
  • init_on_free=1: advised by KSPP, enabled by default in kernel config

Available Talos-specific parameters

ip

Initial configuration of the interface, routes, DNS, NTP servers (multiple ip= kernel parameters are accepted).

Full documentation is available in the Linux kernel docs.

ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>

Talos will use the configuration supplied via the kernel parameter as the initial network configuration. This parameter is useful in the environments where DHCP doesn’t provide IP addresses or when default DNS and NTP servers should be overridden before loading machine configuration. Partial configuration can be applied as well, e.g. ip=:::::::<dns0-ip>:<dns1-ip>:<ntp0-ip> sets only the DNS and NTP servers.

IPv6 addresses can be specified by enclosing them in the square brackets, e.g. ip=[2001:db8::a]:[2001:db8::b]:[fe80::1]::controlplane1:eth1::[2001:4860:4860::6464]:[2001:4860:4860::64]:[2001:4860:4806::].

<netmask> can use either an IP address notation (IPv4: 255.255.255.0, IPv6: [ffff:ffff:ffff:ffff::0]), or simply a number of one bits in the netmask (24).

<device> can be traditional interface naming scheme eth0, eth1 or enx<MAC>, example: enx78e7d1ea46da

DHCP can be enabled by setting <autoconf> to dhcp, example: ip=:::::eth0.3:dhcp. Alternative syntax is ip=eth0.3:dhcp.

bond

Bond interface configuration.

Full documentation is available in the Dracut kernel docs.

bond=<bondname>:<bondslaves>:<options>:<mtu>

Talos will use the bond= kernel parameter if supplied to set the initial bond configuration. This parameter is useful in environments where the switch ports are suspended if the machine doesn’t setup a LACP bond.

If only the bond name is supplied, the bond will be created with eth0 and eth1 as slaves and bond mode set as balance-rr

All these below configurations are equivalent:

  • bond=bond0
  • bond=bond0:
  • bond=bond0::
  • bond=bond0:::
  • bond=bond0:eth0,eth1
  • bond=bond0:eth0,eth1:balance-rr

An example of a bond configuration with all options specified:

bond=bond1:eth3,eth4:mode=802.3ad,xmit_hash_policy=layer2+3:1450

This will create a bond interface named bond1 with eth3 and eth4 as slaves and set the bond mode to 802.3ad, the transmit hash policy to layer2+3 and bond interface MTU to 1450.

vlan

The interface vlan configuration.

Full documentation is available in the Dracut kernel docs.

Talos will use the vlan= kernel parameter if supplied to set the initial vlan configuration. This parameter is useful in environments where the switch ports are VLAN tagged with no native VLAN.

Only one vlan can be configured at this stage.

An example of a vlan configuration including static ip configuration:

vlan=eth0.100:eth0 ip=172.20.0.2::172.20.0.1:255.255.255.0::eth0.100:::::

This will create a vlan interface named eth0.100 with eth0 as the underlying interface and set the vlan id to 100 with static IP 172.20.0.2/24 and 172.20.0.1 as default gateway.

net.ifnames=0

Disable the predictable network interface names by specifying net.ifnames=0 on the kernel command line.

panic

The amount of time to wait after a panic before a reboot is issued.

Talos will always reboot if it encounters an unrecoverable error. However, when collecting debug information, it may reboot too quickly for humans to read the logs. This option allows the user to delay the reboot to give time to collect debug information from the console screen.

A value of 0 disables automatic rebooting entirely.

talos.config

The URL at which the machine configuration data may be found (only for metal platform, with the kernel parameter talos.platform=metal).

This parameter supports variable substitution inside URL query values for the following case-insensitive placeholders:

  • ${uuid} the SMBIOS UUID
  • ${serial} the SMBIOS Serial Number
  • ${mac} the MAC address of the first network interface attaining link state up
  • ${hostname} the hostname of the machine

The following example

http://example.com/metadata?h=${hostname}&m=${mac}&s=${serial}&u=${uuid}

may translate to

http://example.com/metadata?h=myTestHostname&m=52%3A2f%3Afd%3Adf%3Afc%3Ac0&s=0OCZJ19N65&u=40dcbd19-3b10-444e-bfff-aaee44a51fda

For backwards compatibility we insert the system UUID into the query parameter uuid if its value is empty. As in http://example.com/metadata?uuid= => http://example.com/metadata?uuid=40dcbd19-3b10-444e-bfff-aaee44a51fda

metal-iso

When the kernel parameter talos.config=metal-iso is set, Talos will attempt to load the machine configuration from any block device with a filesystem label of metal-iso. Talos will look for a file named config.yaml in the root of the filesystem.

For example, such ISO filesystem can be created with:

mkdir iso/
cp config.yaml iso/
mkisofs -joliet -rock -volid 'metal-iso' -output config.iso iso/

talos.config.auth.*

Kernel parameters prefixed with talos.config.auth. are used to configure OAuth2 authentication for the machine configuration.

talos.config.inline

The kernel parameter talos.config.inline can be used to provide initial minimal machine configuration directly on the kernel command line, when other means of providing the configuration are not available. The machine configuration should be zstd compressed and base64-encoded to be passed as a kernel parameter.

Note: The kernel command line has a limited size (4096 bytes), so this method is only suitable for small configuration documents.

One such example is to provide a custom CA certificate via TrustedRootsConfig in the machine configuration:

cat config.yaml | zstd --compress --ultra -22 | base64 -w 0

talos.platform

The platform name on which Talos will run.

Valid options are:

  • akamai
  • aws
  • azure
  • container
  • digitalocean
  • equinixMetal
  • gcp
  • hcloud
  • metal
  • nocloud
  • openstack
  • oracle
  • scaleway
  • upcloud
  • vmware
  • vultr

talos.board

The board name, if Talos is being used on an ARM64 SBC.

Supported boards are:

  • bananapi_m64: Banana Pi M64
  • libretech_all_h3_cc_h5: Libre Computer ALL-H3-CC
  • rock64: Pine64 Rock64

talos.hostname

The hostname to be used. The hostname is generally specified in the machine config. However, in some cases, the DHCP server needs to know the hostname before the machine configuration has been acquired.

Unless specifically required, the machine configuration should be used instead.

talos.shutdown

The type of shutdown to use when Talos is told to shutdown.

Valid options are:

  • halt
  • poweroff

talos.network.interface.ignore

A network interface which should be ignored and not configured by Talos.

Before a configuration is applied (early on each boot), Talos attempts to configure each network interface by DHCP. If there are many network interfaces on the machine which have link but no DHCP server, this can add significant boot delays.

This option may be specified multiple times for multiple network interfaces.

talos.experimental.wipe

Resets the disk before starting up the system.

Valid options are:

  • system resets system disk.
  • system:EPHEMERAL,STATE resets ephemeral and state partitions. Doing this reverts Talos into maintenance mode.

talos.unified_cgroup_hierarchy

Deprecated: From the 1.10 release it is planned that cgroupsv1 will only be supported in the container mode.

Talos defaults to always using the unified cgroup hierarchy (cgroupsv2), but cgroupsv1 can be forced with talos.unified_cgroup_hierarchy=0.

Note: cgroupsv1 is deprecated and it should be used only for compatibility with workloads which don’t support cgroupsv2 yet.

talos.dashboard.disabled

By default, Talos redirects kernel logs to virtual console /dev/tty1 and starts the dashboard on /dev/tty2, then switches to the dashboard tty.

If you set talos.dashboard.disabled=1, this behavior will be disabled. Kernel logs will be sent to the currently active console and the dashboard will not be started.

It is set to be 1 by default on SBCs.

talos.environment

Each value of the argument sets a default environment variable. The expected format is key=value.

Example:

talos.environment=http_proxy=http://proxy.example.com:8080 talos.environment=https_proxy=http://proxy.example.com:8080

talos.device.settle_time

The time in Go duration format to wait for devices to settle before starting the boot process. By default, Talos waits for udevd to scan and settle, but with some RAID controllers udevd might report settled devices before they are actually ready. Adding this kernel argument provides extra settle time on top of udevd settle time. The maximum value is 10m (10 minutes).

Example:

talos.device.settle_time=3m

talos.halt_if_installed

If set to 1, Talos will pause the boot sequence and keeps printing a message until the boot timeout is reached if it detects that it is already installed. This is useful if booting from ISO/PXE and you want to prevent the machine accidentally booting from the ISO/PXE after installation to the disk.