Configuration
The v1alpha1 configuration file contains all the options available for configuring a machine.
The files can be generated using talosctl:
talosctl config generate --version v1alpha1 <cluster name> <cluster endpoint>
This will generate a machine config for each node type (init, controlplane, join), and a talosconfig.
The generated configuration is enough to get started in most cases, but it can be customized as needed. Note that, as the example below shows, these files embed the cluster's PKI private keys and join tokens, so they must be stored and transferred as secrets.
The following is an example of an init.yaml:
version: v1alpha1
machine:
  type: init
  token: 5dt69c.npg6duv71zwqhzbg
  ca:
    crt: <base64 encoded Ed25519 certificate>
    key: <base64 encoded Ed25519 key>
  certSANs: []
  kubelet: {}
  network: {}
  install:
    disk: /dev/sda
    image: docker.io/autonomy/installer:latest
    bootloader: true
    wipe: false
    force: false
cluster:
  controlPlane:
    endpoint: https://1.2.3.4
  clusterName: example
  network:
    cni: ""
    dnsDomain: cluster.local
    podSubnets:
    - 10.244.0.0/16
    serviceSubnets:
    - 10.96.0.0/12
  token: wlzjyw.bei2zfylhs2by0wd
  certificateKey: 20d9aafb46d6db4c0958db5b3fc481c8c14fc9b1abd8ac43194f4246b77131be
  aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
  ca:
    crt: <base64 encoded RSA certificate>
    key: <base64 encoded RSA key>
  apiServer: {}
  controllerManager: {}
  scheduler: {}
  etcd:
    ca:
      crt: <base64 encoded RSA certificate>
      key: <base64 encoded RSA key>
Config
version
Indicates the schema used to decode the contents.
Type: string
Valid Values:
v1alpha1
debug
Enable verbose logging.
Type: bool
Valid Values:
true
yes
false
no
persist
Indicates whether to pull the machine config upon every boot.
Type: bool
Valid Values:
true
yes
false
no
machine
Provides machine specific configuration options.
Type: MachineConfig
cluster
Provides cluster specific configuration options.
Type: ClusterConfig
MachineConfig
type
Defines the role of the machine within the cluster.
Init
Init node type designates the first control plane node to come up. You can think of it like a bootstrap node. This node will perform the initial steps to bootstrap the cluster – generation of TLS assets, starting of the control plane, etc.
Control Plane
Control Plane node type designates the node as a control plane member. This means it will host etcd along with the Kubernetes master components such as API Server, Controller Manager, Scheduler.
Worker
Worker node type designates the node as a worker node. This means it will be an available compute node for scheduling workloads.
Type: string
Valid Values:
init
controlplane
join
token
The token is used by a machine to join the PKI of the cluster.
Using this token, a machine will create a certificate signing request (CSR), and request a certificate that will be used as its identity.
Type: string
Examples:
token: 328hom.uqjzh6jnn2eie9oi
Warning: It is important to ensure that this token is correct, since a machine's certificate has a short TTL by default. Anyone who holds the token can obtain a certificate in the cluster's PKI, so it must be kept secret.
ca
The root certificate authority of the PKI.
It is composed of a base64 encoded crt and key.
Type: PEMEncodedCertificateAndKey
Examples:
ca:
  crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJIekNCMHF...
  key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM...
certSANs
Extra certificate subject alternative names for the machine’s certificate. By default, all non-loopback interface IPs are automatically added to the certificate’s SANs.
Type: array
Examples:
certSANs:
- 10.0.0.10
- 172.16.0.10
- 192.168.0.10
kubelet
Used to provide additional options to the kubelet.
Type: KubeletConfig
Examples:
kubelet:
  image:
  extraArgs:
    key: value
network
Used to configure the machine’s network.
Type: NetworkConfig
Examples:
network:
  hostname: worker-1
  interfaces:
  nameservers:
  - 9.8.7.6
  - 8.7.6.5
disks
Used to partition, format and mount additional disks.
Since the rootfs is read only with the exception of /var, mounts are only valid if they are under /var.
Note that the partitioning and formatting is done only once, if and only if no existing partitions are found.
If size: is omitted, the partition is sized to occupy the full disk.
Type: array
Examples:
disks:
- device: /dev/sdb
  partitions:
  - mountpoint: /var/lib/extra
    size: 10000000000
Note: size is in units of bytes.
install
Used to provide instructions for bare-metal installations.
Type: InstallConfig
Examples:
install:
  disk: /dev/sda
  extraKernelArgs:
  - option=value
  image: docker.io/autonomy/installer:latest
  bootloader: true
  wipe: false
  force: false
files
Allows the addition of user specified files.
The value of op can be create, overwrite, or append.
In the case of create, path must not exist.
In the case of overwrite and append, path must be a valid file.
If an op value of append is used, the existing file will be appended to.
Note that the file contents are not required to be base64 encoded.
Type: array
Examples:
files:
- content: |
    ...
  permissions: 0666
  path: /tmp/file.txt
  op: append
Note: The specified path is relative to /var.
Note: permissions: 0666, as in this example, makes the file world-writable; use the narrowest mode the file's consumer needs.
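The create/overwrite/append semantics above, as an added example written for this page rather than code from the Talos project: it applies one files entry under a root directory standing in for /var and runs the page's scenarios in demo() against a throwaway directory. Two hardening choices are additions of this example that the page does not describe: the target must resolve inside the root (a path such as ../x is rejected), and create uses O_EXCL so a file or symlink already planted at the path fails the operation instead of being written through.

```python
import os
import tempfile


class FileOpError(Exception):
    """Raised when a files entry cannot be applied as specified."""


def apply_file(root: str, entry: dict) -> str:
    """Apply one machine.files entry below root (standing in for /var).

    Semantics from the page: create requires that path not exist; overwrite
    and append require an existing regular file; append keeps existing data.
    Added here as hardening (not described on the page): the target must
    resolve inside root, and create uses O_EXCL so a pre-planted file or
    symlink at the path fails the operation instead of being written through.
    """
    root_real = os.path.realpath(root)
    # The page says path is relative to /var, so a leading "/" is stripped.
    target = os.path.realpath(os.path.join(root_real, entry["path"].lstrip("/")))
    if os.path.commonpath([root_real, target]) != root_real:
        raise FileOpError(f"{entry['path']} resolves outside {root}")

    mode = entry.get("permissions", 0o644)
    if isinstance(mode, str):          # a quoted "0644" arrives from YAML as a string
        mode = int(mode, 8)
    op = entry.get("op", "create")
    content = entry.get("content", "")

    if op == "create":
        if os.path.lexists(target):
            raise FileOpError(f"create: {entry['path']} already exists")
        os.makedirs(os.path.dirname(target), exist_ok=True)
        fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
    elif op in ("overwrite", "append"):
        if os.path.islink(target) or not os.path.isfile(target):
            raise FileOpError(f"{op}: {entry['path']} is not an existing regular file")
        with open(target, "w" if op == "overwrite" else "a") as fh:
            fh.write(content)
    else:
        raise FileOpError(f"unknown op {op!r}")

    os.chmod(target, mode)             # the mode given to os.open is subject to umask; set it exactly
    return target


def _rejected(root: str, entry: dict) -> bool:
    try:
        apply_file(root, entry)
    except FileOpError:
        return True
    return False


def demo() -> dict:
    """Run the page's scenarios against a throwaway root and report the outcomes."""
    root = tempfile.mkdtemp(prefix="talos-var-")
    entry = {"path": "/lib/extra/motd.txt", "content": "one\n", "permissions": "0640", "op": "create"}
    path = apply_file(root, entry)
    with open(path) as fh:
        after_create = fh.read()
    apply_file(root, {**entry, "content": "two\n", "op": "append"})
    with open(path) as fh:
        after_append = fh.read()
    return {
        "after_create": after_create,
        "after_append": after_append,
        "mode": os.stat(path).st_mode & 0o777,
        "create_existing_rejected": _rejected(root, entry),
        "append_missing_rejected": _rejected(root, {**entry, "path": "/lib/extra/missing.txt", "op": "append"}),
        "escape_rejected": _rejected(root, {**entry, "path": "/../outside.txt"}),
    }
```

demo() returns the file contents after create and after append, the resulting mode (0o640 from the quoted "0640"), and True for each of the three rejected cases: create on an existing path, append on a missing path, and a path that escapes the root.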
env
The env field allows for the addition of environment variables to a machine.
All environment variables are set on the machine in addition to every service.
Note that any proxy credentials given here are stored in the machine config in plaintext and are visible to every service.
Type: Env
Valid Values:
GRPC_GO_LOG_VERBOSITY_LEVEL
GRPC_GO_LOG_SEVERITY_LEVEL
http_proxy
https_proxy
no_proxy
Examples:
env:
  GRPC_GO_LOG_VERBOSITY_LEVEL: "99"
  GRPC_GO_LOG_SEVERITY_LEVEL: info
  https_proxy: http://SERVER:PORT/
env:
  GRPC_GO_LOG_SEVERITY_LEVEL: error
  https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/
env:
  https_proxy: http://DOMAIN\\USERNAME:PASSWORD@SERVER:PORT/
time
Used to configure the machine’s time settings.
Type: TimeConfig
Examples:
time:
  servers:
  - time.cloudflare.com
sysctls
Used to configure the machine’s sysctls.
Type: map
Examples:
sysctls:
  kernel.domainname: talos.dev
  net.ipv4.ip_forward: "0"
registries
Used to configure the machine's container image registry mirrors.
Automatically generates matching CRI configuration for registry mirrors.
Section mirrors allows requests for images to be redirected to a non-default registry, which might be a local registry or a caching mirror.
Section config provides a way to authenticate to the registry with a TLS client identity, provide the registry CA, or supply authentication information.
Authentication information has the same meaning as the corresponding field in .docker/config.json.
See also the matching configuration for the CRI containerd plugin.
Type: RegistriesConfig
Examples:
registries:
  mirrors:
    docker.io:
      endpoints:
      - https://registry-1.docker.io
    '*':
      endpoints:
      - http://some.host:123/
  config:
    "some.host:123":
      tls:
        ca: ... # base64-encoded CA certificate in PEM format
        clientIdentity:
          crt: ... # base64-encoded client certificate in PEM format
          key: ... # base64-encoded client key in PEM format
      auth:
        username: ...
        password: ...
        auth: ...
        identityToken: ...
Note: the '*' mirror in this example is reached over plain http, which exposes every image pull not covered by an explicit mirror to interception and tampering; prefer an https endpoint and supply the mirror's CA via config.
ClusterConfig
controlPlane
Provides control plane specific configuration options.
Type: ControlPlaneConfig
Examples:
controlPlane:
  endpoint: https://1.2.3.4
  localAPIServerPort: 443
clusterName
Configures the cluster’s name.
Type: string
network
Provides cluster network configuration.
Type: ClusterNetworkConfig
Examples:
network:
  cni:
    name: flannel
  dnsDomain: cluster.local
  podSubnets:
  - 10.244.0.0/16
  serviceSubnets:
  - 10.96.0.0/12
token
The bootstrap token.
Type: string
Examples:
wlzjyw.bei2zfylhs2by0wd
aescbcEncryptionSecret
The key used for the encryption of secret data at rest.
Type: string
Examples:
z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
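Generating and checking the secret values that appear in this page's examples, as an added example rather than talosctl or Talos project code. The shapes are inferred from the sample values on this page, which is an assumption and not a documented specification: machine.token and cluster.token are six plus sixteen lowercase alphanumerics separated by a dot, aescbcEncryptionSecret is 32 random bytes base64-encoded, and certificateKey (seen only in the init.yaml example above) is 32 random bytes hex-encoded. The two tokens protect different things, the Talos PKI join and the Kubernetes bootstrap, so they are generated independently and flagged if reused.

```python
import base64
import re
import secrets
import string

# Formats inferred from the sample values on this page (an assumption, not a
# documented specification).
TOKEN_ALPHABET = string.ascii_lowercase + string.digits
TOKEN_RE = re.compile(r"[a-z0-9]{6}\.[a-z0-9]{16}")
KEY_BYTES = 32  # both aescbcEncryptionSecret and certificateKey carry 32 bytes of entropy


def _random_chars(n: int) -> str:
    # secrets.choice draws from the OS CSPRNG; random.choice would not be acceptable here.
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(n))


def generate_token() -> str:
    """Token in the <id>.<secret> form used by machine.token and cluster.token."""
    return f"{_random_chars(6)}.{_random_chars(16)}"


def is_valid_token(value: str) -> bool:
    return TOKEN_RE.fullmatch(value) is not None


def generate_aescbc_secret() -> str:
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def is_valid_aescbc_secret(value: str) -> bool:
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    return len(raw) == KEY_BYTES


def generate_certificate_key() -> str:
    return secrets.token_hex(KEY_BYTES)


def is_valid_certificate_key(value: str) -> bool:
    return re.fullmatch(r"[0-9a-f]{64}", value) is not None


def generate_cluster_secrets() -> dict:
    """Fresh, independent values for the secret fields of init.yaml."""
    return {
        "machine.token": generate_token(),
        "cluster.token": generate_token(),
        "cluster.certificateKey": generate_certificate_key(),
        "cluster.aescbcEncryptionSecret": generate_aescbc_secret(),
    }


def check_cluster_secrets(values: dict) -> list:
    """Names of secret fields whose value does not have the expected shape, plus a token-reuse flag."""
    checks = {
        "machine.token": is_valid_token,
        "cluster.token": is_valid_token,
        "cluster.certificateKey": is_valid_certificate_key,
        "cluster.aescbcEncryptionSecret": is_valid_aescbc_secret,
    }
    bad = [name for name, ok in checks.items() if not ok(str(values.get(name, "")))]
    machine_token = values.get("machine.token")
    if machine_token and machine_token == values.get("cluster.token"):
        bad.append("machine.token/cluster.token reused")
    return bad
```

check_cluster_secrets accepts the four example values shown on this page and rejects a token with a missing character or uppercase letters, a base64 value that does not decode to 32 bytes, and a config that uses the same token for both fields.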
ca
The base64 encoded root certificate authority used by Kubernetes.
Type: PEMEncodedCertificateAndKey
Examples:
ca:
  crt: LS0tLS1CRUdJTiBDRV...
  key: LS0tLS1CRUdJTiBSU0...
apiServer
API server specific configuration options.
Type: APIServerConfig
Examples:
apiServer:
  image: ...
  extraArgs:
    key: value
  certSANs:
  - 1.2.3.4
  - 5.6.7.8
controllerManager
Controller manager server specific configuration options.
Type: ControllerManagerConfig
Examples:
controllerManager:
  image: ...
  extraArgs:
    key: value
proxy
Kube-proxy server-specific configuration options
Type: ProxyConfig
Examples:
proxy:
  mode: ipvs
  extraArgs:
    key: value
scheduler
Scheduler server specific configuration options.
Type: SchedulerConfig
Examples:
scheduler:
  image: ...
  extraArgs:
    key: value
etcd
Etcd specific configuration options.
Type: EtcdConfig
Examples:
etcd:
  ca:
    crt: LS0tLS1CRUdJTiBDRV...
    key: LS0tLS1CRUdJTiBSU0...
  image: ...
podCheckpointer
Pod Checkpointer specific configuration options.
Type: PodCheckpointer
Examples:
podCheckpointer:
  image: ...
coreDNS
Core DNS specific configuration options.
Type: CoreDNS
Examples:
coreDNS:
  image: ...
extraManifests
A list of URLs that point to additional manifests. These will get automatically deployed by bootkube. Because whatever is fetched is applied to the cluster as-is, use https URLs pointing at sources you control.
Type: array
Examples:
extraManifests:
- "https://www.mysweethttpserver.com/manifest1.yaml"
- "https://www.mysweethttpserver.com/manifest2.yaml"
extraManifestHeaders
A map of HTTP headers (key/value pairs) that will be added to the requests that fetch the extraManifests, for example an authorization token. The values are stored in the machine config in plaintext and are sent with every fetch, so the manifest URLs should be https.
Type: map
Examples:
extraManifestHeaders:
  Token: "1234567"
  X-ExtraInfo: info
adminKubeconfig
Settings for admin kubeconfig generation. Certificate lifetime can be configured.
Type: AdminKubeconfigConfig
Examples:
adminKubeconfig:
  certLifetime: 1h
KubeletConfig
image
The image field is an optional reference to an alternative kubelet image.
Type: string
Examples:
image: docker.io/<org>/kubelet:latest
extraArgs
The extraArgs field is used to provide additional flags to the kubelet.
Type: map
Examples:
extraArgs:
  key: value
extraMounts
The extraMounts field is used to add additional mounts to the kubelet container.
Type: array
Examples:
extraMounts:
- source: /var/lib/example
  destination: /var/lib/example
  type: bind
  options:
  - rshared
  - ro
NetworkConfig
hostname
Used to statically set the hostname for the host.
Type: string
interfaces
interfaces is used to define the network interface configuration.
By default all network interfaces will attempt a DHCP discovery.
This can be further tuned through this configuration parameter.
machine.network.interfaces.interface
This is the interface name that should be configured.
machine.network.interfaces.cidr
cidr is used to specify a static IP address for the interface.
This should be in proper CIDR notation (192.168.2.5/24).
Note: This option is mutually exclusive with DHCP.
machine.network.interfaces.dhcp
dhcp is used to specify that this device should be configured via DHCP.
The following DHCP options are supported:
OptionClasslessStaticRoute
OptionDomainNameServer
OptionDNSDomainSearchList
OptionHostName
Note: This option is mutually exclusive with CIDR.
machine.network.interfaces.ignore
ignore is used to exclude a specific interface from configuration.
This parameter is optional.
machine.network.interfaces.dummy
dummy is used to specify that this interface should be a virtual-only, dummy interface.
This parameter is optional.
machine.network.interfaces.routes
routes is used to specify static routes that may be necessary.
This parameter is optional.
Routes can be repeated, and each includes a network and a gateway field.
Type: array
nameservers
Used to statically set the nameservers for the host.
Defaults to 1.1.1.1 and 8.8.8.8.
Type: array
extraHostEntries
Allows for extra entries to be added to the /etc/hosts file.
Type: array
Examples:
extraHostEntries:
- ip: 192.168.1.100
  aliases:
  - test
  - test.domain.tld
InstallConfig
disk
The disk used to install the bootloader, and ephemeral partitions.
Type: string
Examples:
/dev/sda
/dev/nvme0
extraKernelArgs
Allows for supplying extra kernel args to the bootloader config.
Type: array
Examples:
extraKernelArgs:
- a=b
image
Allows for supplying the image used to perform the installation.
Type: string
Examples:
image: docker.io/<org>/installer:latest
bootloader
Indicates if a bootloader should be installed.
Type: bool
Valid Values:
true
yes
false
no
wipe
Indicates if zeroes should be written to the disk before performing an installation.
Defaults to true.
Type: bool
Valid Values:
true
yes
false
no
force
Indicates if filesystems should be forcefully created.
Type: bool
Valid Values:
true
yes
false
no
TimeConfig
servers
Specifies time (NTP) servers to use for setting system time.
Defaults to pool.ntp.org.
Note: This parameter only supports a single time server.
Type: array
RegistriesConfig
mirrors
Specifies mirror configuration for each registry. This setting allows the use of local pull-through caching registries, air-gapped installations, etc.
The registry name is the first segment of the image identifier, with 'docker.io' being the default one. The name '*' catches any registry names not specified explicitly.
Type: map
config
Specifies TLS and auth configuration for HTTPS image registries. Mutual TLS can be enabled with the 'clientIdentity' option.
TLS configuration can be skipped if the registry has a trusted server certificate.
Type: map
PodCheckpointer
image
The image
field is an override to the default pod-checkpointer image.
Type: string
CoreDNS
image
The image
field is an override to the default coredns image.
Type: string
Endpoint
ControlPlaneConfig
endpoint
Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname. It is single-valued, and may optionally include a port number.
Type: Endpoint
Examples:
https://1.2.3.4:443
localAPIServerPort
The port that the API server listens on internally. This may be different than the port portion listed in the endpoint field above. The default is 6443.
Type: int
APIServerConfig
image
The container image used in the API server manifest.
Type: string
extraArgs
Extra arguments to supply to the API server.
Type: map
certSANs
Extra certificate subject alternative names for the API server’s certificate.
Type: array
ControllerManagerConfig
image
The container image used in the controller manager manifest.
Type: string
extraArgs
Extra arguments to supply to the controller manager.
Type: map
ProxyConfig
image
The container image used in the kube-proxy manifest.
Type: string
mode
proxy mode of kube-proxy. By default, this is ‘iptables’.
Type: string
extraArgs
Extra arguments to supply to kube-proxy.
Type: map
SchedulerConfig
image
The container image used in the scheduler manifest.
Type: string
extraArgs
Extra arguments to supply to the scheduler.
Type: map
EtcdConfig
image
The container image used to create the etcd service.
Type: string
ca
The ca is the root certificate authority of the PKI.
It is composed of a base64 encoded crt and key.
Type: PEMEncodedCertificateAndKey
Examples:
ca:
  crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJIekNCMHF...
  key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM...
extraArgs
Extra arguments to supply to etcd. Note that the following args are not allowed:
name
data-dir
initial-cluster-state
listen-peer-urls
listen-client-urls
cert-file
key-file
trusted-ca-file
peer-client-cert-auth
peer-cert-file
peer-trusted-ca-file
peer-key-file
Type: map
Examples:
extraArgs:
  initial-cluster: https://1.2.3.4:2380
  advertise-client-urls: https://1.2.3.4:2379
ClusterNetworkConfig
cni
The CNI used. Composed of "name" and "urls". The "name" key only supports the upstream bootkube options of "flannel" or "custom". "urls" is only used if name is equal to "custom", and should point to a single yaml file that will get deployed. An empty struct or any other name will default to bootkube's flannel. Since the file is deployed into the cluster as fetched, use an https URL pointing at a source you control.
Type: CNIConfig
Examples:
cni:
  name: "custom"
  urls:
  - "https://www.mysweethttpserver.com/supersecretcni.yaml"
dnsDomain
The domain used by Kubernetes DNS.
The default is cluster.local
Type: string
Examples:
cluster.local
podSubnets
The pod subnet CIDR.
Type: array
Examples:
podSubnets:
- 10.244.0.0/16
serviceSubnets
The service subnet CIDR.
Type: array
Examples:
serviceSubnets:
- 10.96.0.0/12
CNIConfig
name
Name of CNI to use.
Type: string
urls
URLs containing manifests to apply for CNI.
Type: array
AdminKubeconfigConfig
certLifetime
Admin kubeconfig certificate lifetime (default is 1 year). Field format accepts any Go time.Duration format (‘1h’ for one hour, ‘10m’ for ten minutes).
Type: Duration
MachineDisk
device
The name of the disk to use.
Type: string
partitions
A list of partitions to create on the disk.
Type: array
DiskPartition
size
The size of the partition in bytes. If size: is omitted, the partition is sized to occupy the full disk.
Type: uint
mountpoint
Where to mount the partition.
Type: string
MachineFile
content
The contents of the file.
Type: string
permissions
The file’s permissions in octal.
Type: FileMode
path
The path of the file.
Type: string
op
The operation to use.
Type: string
Valid Values:
create
overwrite
append
ExtraHost
ip
The IP of the host.
Type: string
aliases
The host aliases.
Type: array
Device
interface
The interface name.
Type: string
cidr
The CIDR to use.
Type: string
routes
A list of routes associated with the interface.
Type: array
bond
Bond specific options.
Type: Bond
vlans
VLAN specific options.
Type: array
mtu
The interface’s MTU.
Type: int
dhcp
Indicates if DHCP should be used.
Type: bool
ignore
Indicates if the interface should be ignored.
Type: bool
dummy
Indicates if the interface is a dummy interface.
Type: bool
Bond
interfaces
The interfaces that make up the bond.
Type: array
arpIPTarget
A bond option. Please see the official kernel documentation.
Type: array
mode
A bond option. Please see the official kernel documentation.
Type: string
xmitHashPolicy
A bond option. Please see the official kernel documentation.
Type: string
lacpRate
A bond option. Please see the official kernel documentation.
Type: string
adActorSystem
A bond option. Please see the official kernel documentation.
Type: string
arpValidate
A bond option. Please see the official kernel documentation.
Type: string
arpAllTargets
A bond option. Please see the official kernel documentation.
Type: string
primary
A bond option. Please see the official kernel documentation.
Type: string
primaryReselect
A bond option. Please see the official kernel documentation.
Type: string
failOverMac
A bond option. Please see the official kernel documentation.
Type: string
adSelect
A bond option. Please see the official kernel documentation.
Type: string
miimon
A bond option. Please see the official kernel documentation.
Type: uint32
updelay
A bond option. Please see the official kernel documentation.
Type: uint32
downdelay
A bond option. Please see the official kernel documentation.
Type: uint32
arpInterval
A bond option. Please see the official kernel documentation.
Type: uint32
resendIgmp
A bond option. Please see the official kernel documentation.
Type: uint32
minLinks
A bond option. Please see the official kernel documentation.
Type: uint32
lpInterval
A bond option. Please see the official kernel documentation.
Type: uint32
packetsPerSlave
A bond option. Please see the official kernel documentation.
Type: uint32
numPeerNotif
A bond option. Please see the official kernel documentation.
Type: uint8
tlbDynamicLb
A bond option. Please see the official kernel documentation.
Type: uint8
allSlavesActive
A bond option. Please see the official kernel documentation.
Type: uint8
useCarrier
A bond option. Please see the official kernel documentation.
Type: bool
adActorSysPrio
A bond option. Please see the official kernel documentation.
Type: uint16
adUserPortKey
A bond option. Please see the official kernel documentation.
Type: uint16
peerNotifyDelay
A bond option. Please see the official kernel documentation.
Type: uint32
Vlan
cidr
The CIDR to use.
Type: string
routes
A list of routes associated with the VLAN.
Type: array
dhcp
Indicates if DHCP should be used.
Type: bool
vlanId
The VLAN’s ID.
Type: uint16
Route
network
The route’s network.
Type: string
gateway
The route’s gateway.
Type: string
RegistryMirrorConfig
endpoints
List of endpoints (URLs) for registry mirrors to use.
Each endpoint configures the HTTP/HTTPS access mode, host name, port and path (if the path is not set, it defaults to /v2).
Type: array
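How an image reference is matched to a mirror, as an added example (not containerd or Talos code): the registry is the first path segment of the image identifier, docker.io when there is none, '*' is the catch-all for registries not named explicitly, and an endpoint without a path gets /v2 as described under endpoints above. EXAMPLE_MIRRORS is the mirrors map from the registries example on this page. Treating the first segment as a registry only when it contains a dot or a colon or is localhost is the Docker/containerd convention and an assumption of this example; without it a reference like library/nginx would be routed to a registry called "library".

```python
from urllib.parse import urlsplit

DEFAULT_REGISTRY = "docker.io"

# The mirrors map from this page's registries example, as yaml.safe_load would return it.
EXAMPLE_MIRRORS = {
    "docker.io": {"endpoints": ["https://registry-1.docker.io"]},
    "*": {"endpoints": ["http://some.host:123/"]},
}


def registry_of(image: str) -> str:
    """Registry name of an image reference: its first path segment, else docker.io.

    Assumption (Docker/containerd convention): the first segment names a
    registry only if it looks like a host, i.e. contains "." or ":" or is
    "localhost"; otherwise it is a namespace such as library/ on docker.io.
    """
    first, slash, _ = image.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return DEFAULT_REGISTRY


def normalize_endpoint(url: str) -> str:
    """An endpoint without a path defaults to /v2 (the page's rule for endpoints)."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/v2"
    return parts._replace(path=path).geturl()


def mirror_endpoints(image: str, mirrors: dict) -> list:
    """Endpoints to try for image, in order; [] means no mirror, pull from upstream.

    An explicit registry entry wins over "*"; "*" applies only to registries
    that are not named explicitly.
    """
    entry = mirrors.get(registry_of(image))
    if entry is None:
        entry = mirrors.get("*")
    if entry is None:
        return []
    return [normalize_endpoint(e) for e in entry.get("endpoints") or []]
```

With EXAMPLE_MIRRORS, a bare "nginx" resolves to docker.io and is sent to https://registry-1.docker.io/v2, while ghcr.io/x/y has no explicit entry and falls through to the '*' mirror at http://some.host:123/v2; a mirrors map that names neither the registry nor '*' yields an empty list, meaning the upstream registry is used directly.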
RegistryConfig
tls
The TLS configuration for this registry.
Type: RegistryTLSConfig
auth
The auth configuration for this registry.
Type: RegistryAuthConfig
RegistryAuthConfig
username
Optional registry authentication. The meaning of each field is the same with the corresponding field in .docker/config.json.
Type: string
password
Optional registry authentication. The meaning of each field is the same with the corresponding field in .docker/config.json.
Type: string
auth
Optional registry authentication. The meaning of each field is the same with the corresponding field in .docker/config.json.
Type: string
identityToken
Optional registry authentication. The meaning of each field is the same with the corresponding field in .docker/config.json.
Type: string
RegistryTLSConfig
clientIdentity
Enable mutual TLS authentication with the registry. The client certificate and key should be base64-encoded.
Type: PEMEncodedCertificateAndKey
Examples:
clientIdentity:
  crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJIekNCMHF...
  key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM...
ca
CA certificate of the registry, added to the list of trusted certificates. The certificate should be base64-encoded.
Type: array
insecureSkipVerify
Skip TLS server certificate verification (not recommended). With verification disabled the connection is still encrypted but the registry is no longer authenticated, so images could be served by an impostor; supply the registry's CA via ca instead.
Type: bool
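A configuration audit for the weak settings this page warns about or that its examples happen to contain, as an added example rather than a Talos tool. It expects the machine config already loaded into a dict, as yaml.safe_load would return; SAMPLE_CONFIG is a constructed sample assembled from this page's examples, with the extraManifests URL changed to plain http so that every check fires. It flags mirror endpoints and manifest or CNI URLs served over http://, insecureSkipVerify, extraManifestHeaders that would travel with a plaintext fetch, world-writable files entries, and proxy URLs in env that embed a password.

```python
import stat
from urllib.parse import urlsplit

# Constructed sample assembled from this page's examples (extraManifests switched
# to http:// on purpose), in the form yaml.safe_load would return.
SAMPLE_CONFIG = {
    "version": "v1alpha1",
    "machine": {
        "files": [{"content": "...", "permissions": 0o666, "path": "/tmp/file.txt", "op": "append"}],
        "env": {"https_proxy": "https://USERNAME:PASSWORD@SERVER:PORT/"},
        "registries": {
            "mirrors": {
                "docker.io": {"endpoints": ["https://registry-1.docker.io"]},
                "*": {"endpoints": ["http://some.host:123/"]},
            },
            "config": {"some.host:123": {"tls": {"insecureSkipVerify": True}}},
        },
    },
    "cluster": {
        "network": {"cni": {"name": "custom", "urls": ["https://www.mysweethttpserver.com/supersecretcni.yaml"]}},
        "extraManifests": ["http://www.mysweethttpserver.com/manifest1.yaml"],
        "extraManifestHeaders": {"Token": "1234567"},
    },
}


def _plaintext(url: str) -> bool:
    return urlsplit(url).scheme == "http"


def _mode(value) -> int:
    # YAML 1.1 reads an unquoted 0666 as octal; a quoted "0666" arrives as a string.
    return int(value, 8) if isinstance(value, str) else int(value)


def audit(config: dict) -> list:
    """Return human-readable findings for settings that weaken the machine's trust boundary."""
    findings = []
    machine = config.get("machine") or {}
    cluster = config.get("cluster") or {}
    registries = machine.get("registries") or {}

    # Images pulled over http can be read and replaced on the wire.
    for name, mirror in (registries.get("mirrors") or {}).items():
        for endpoint in mirror.get("endpoints") or []:
            if _plaintext(endpoint):
                findings.append(f"registries.mirrors[{name}]: plaintext endpoint {endpoint}")

    # insecureSkipVerify keeps the encryption but drops server authentication.
    for host, rc in (registries.get("config") or {}).items():
        if (rc.get("tls") or {}).get("insecureSkipVerify"):
            findings.append(f"registries.config[{host}]: insecureSkipVerify disables certificate verification")

    # Manifests are applied to the cluster as fetched, so their transport must be authenticated.
    headers = cluster.get("extraManifestHeaders") or {}
    for url in cluster.get("extraManifests") or []:
        if _plaintext(url):
            note = f"extraManifests: {url} fetched over plaintext http"
            if headers:
                note += f"; extraManifestHeaders {sorted(headers)} would be sent in the clear"
            findings.append(note)
    for url in ((cluster.get("network") or {}).get("cni") or {}).get("urls") or []:
        if _plaintext(url):
            findings.append(f"cluster.network.cni.urls: {url} fetched over plaintext http")

    # A world-writable file under /var can be rewritten by any local process.
    for entry in machine.get("files") or []:
        mode = _mode(entry.get("permissions", 0o644))
        if mode & stat.S_IWOTH:
            findings.append(f"files[{entry.get('path')}]: mode {mode:04o} is world-writable")

    # Credentials in env sit in the plaintext config and in every service's environment.
    for key in ("http_proxy", "https_proxy"):
        value = (machine.get("env") or {}).get(key)
        if value and urlsplit(value).password:
            findings.append(f"env.{key}: proxy URL embeds a password; store this config as a secret")

    return findings
```

Against SAMPLE_CONFIG the audit produces five findings (the '*' mirror over http, insecureSkipVerify for some.host:123, the http extraManifests URL together with the Token header, the 0666 file, and the password in https_proxy) and none for a config that only sets version; the cni URL, which stays https, is not reported.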