Role-based access control (RBAC)
Talos v0.11 introduced initial support for role-based access control (RBAC). This guide will explain what that is and how to enable it without losing access to the cluster.
RBAC in Talos
Talos uses certificates to authorize users. The certificate subject’s organization field is used to encode user roles. There is a set of predefined roles that allow access to different API methods:
os:admingrants access to all methods;
os:readergrants access to “safe” methods (for example, that includes the ability to list files, but does not include the ability to read files content);
os:etcd:backupgrants access to
Roles in the current
talosconfig can be checked with the following command (using
$ yq eval '.contexts[.context].crt' talosconfig | base64 -d | openssl x509 -noout -text Certificate: Data: [...] Subject: O = os:reader [...]
RBAC is enabled by default in new clusters created with
talosctl v0.11 and disabled otherwise.
First, both the Talos cluster and
talosctl tool should be upgraded to v0.11.
talosctl config new command should be used to generate a new client configuration with the
Additional configurations and certificates for different roles can be generated by passing
talosctl config new --roles=os:reader reader
That command will create a new client configuration file
reader with a new certificate with
After that, RBAC should be enabled in the machine configuration:
machine: features: rbac: true