Configuration

Config

Package config contains all the options available for configuring a Talos cluster.

Field	Type	Description	Default Value
`clusterName`	string	Configures the cluster's name. Show example `clusterName: my-cluster`	`""`
`endpoint`	string	Configures the cluster's controlplane endpoint. Can be an IP address or a DNS hostname Show example `endpoint: https://192.168.200.10:6443`	`""`
`nodes`	[]Node	List of nodes configurations Show example `nodes: - hostname: kmaster1 ipAddress: 192.168.200.11 controlPlane: true installDiskSelector: size: 128GB - hostname: kworker1 ipAddress: 192.168.200.12 controlPlane: false installDisk: /dev/sda networkInterfaces: - interface: eth0 dhcp: true`	`[]`
`talosVersion`	string	Talos version to perform the installation. Image reference for each Talos release can be found on Talos GitHub release page Show example `talosVersion: v1.5.2`	`"latest"`
`kubernetesVersion`	string	Allows for supplying the Kubernetes version to use. Show example `kubernetesVersion: v1.28.1`	`""`
`domain`	string	Allows for supplying the domain used by Kubernetes DNS. Show example `domain: mycluster.com`	`"cluster.local"`
`allowSchedulingOnMasters`	bool	Whether to allow running workload on controlplane nodes. Show example `allowSchedulingOnMasters: true`	`false`
`allowSchedulingOnControlPlanes`	bool	Whether to allow running workload on controlplane nodes. It is an alias to `allowSchedulingOnMasters` Show example `allowSchedulingOnControlPlanes: true`	`false`
`additionalMachineCertSans`	[]string	DEPRECATED! Use node/node groups `certSANs`. Extra certificate SANs for the machine's certificate. Show example `additionalMachineCertSans: - 10.0.0.10 - 172.16.0.10 - 192.168.0.10`	`[]`
`additionalApiServerCertSans`	[]string	Extra certificate SANs for the API server's certificate. Show example `additionalApiServerCertSans: - 1.2.3.4 - 4.5.6.7 - mycluster.local`	`[]`
`clusterPodNets`	[]string	The pod subnet CIDR list. Show example `clusterPodNets: - 10.244.0.0/16`	`nil`
`clusterSvcNets`	[]string	The service subnet CIDR list. Show example `clusterSvcNets: - 10.96.0.0/12`	`[]`
`cniConfig`	CNIConfig	The CNI to be used for the cluster's network. Show example `cniConfig: name: custom urls: - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml`	`[]`
`imageFactory`	ImageFactory	Configures selfhosted image factory. Show example `imageFactory: registryURL: myfactory.com schematicEndpoint: /schematics protocol: https installerURLTmpl: {{.RegistryURL}}/installer/{{.ID}}:{{.Version}} ImageURLTmpl: {{.Protocol}}://{{.RegistryURL}}/image/{{.ID}}/{{.Version}}/{{.Mode}}/{{.Arch}}.iso`	`nil`
`patches`	[]string	Patches to be applied to all nodes. List of strings containing RFC6902 (deprecated) JSON patches, strategic merge patches, or a file containing them Show example `patches: - \|- machine: env: MYENV: value - "@./a-patch.yaml"`	`[]`
`inlineManifests`	[]InlineManifest	A list of inline Kubernetes manifests for the cluster. Show example `inlineManifests: - name: namespace-ci contents: \|- apiVersion: v1 kind: Namespace metadata: name: ci`	`[]`
`controlPlane`	NodeConfigs	Configurations targetted for all controlplane nodes. Show example `controlPlane: kernelModules: - name: br_netfilter parameters: - nf_conntrack_max=131072 patches: - \|- machine: env: MYENV: value - "@./a-patch.yaml"`	`nil`
`worker`	NodeConfigs	Configurations targetted for all worker nodes. Show example `worker: kernelModules: - name: br_netfilter parameters: - nf_conntrack_max=131072 patches: - \|- machine: env: MYENV: value - "@./a-patch.yaml"`	`nil`

Node

Node defines machine configurations for each node.

Field	Type	Description	Default Value
`hostname`	string	Configures the hostname of a node. Show example `hostname: kmaster1`	`""`
`ipAddress`	string	IP address where the node can be reached, can be IP or comma separated list of IPs. Needed for endpoint and node address inside `talosconfig`. Show example `ipAddress: 192.168.200.11`	`""`
`installDisk`	string	The disk used for installation. Show example `installDisk: /dev/sda`	`""`
`installDiskSelector`	InstallDiskSelector	Look up disk used for installation. Required if `installDisk` is not specified. Show example `installDiskSelector: size: 128GB model: WDC* name: /sys/block/sda/device/name busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0`	`nil`
`controlPlane`	bool	Whether the node is a controlplane. Show example `controlPlane: true`	`false`
`ignoreHostname`	bool	Whether to set `machine.network.hostname` to the generated config file. It will also set stable hostname to `true` when enabled. Show example `ignoreHostname: true`	`false`
`overridePatches`	bool	Whether `patches` defined here should override the one defined in node group. By default they will get appended instead. Show example `overridePatches: true`	`false`
`overrideExtraManifests`	bool	Whether `extraManifests` defined here should override the one defined in node group. By default they will get appended instead. Show example `overrideExtraManifests: true`	`false`
`overrideMachineCertSANs`	bool	Whether `certSANs` defined here should override the one defined in node group. By default they will get appended instead. Show example `overrideMachineCertSANs: true`	`false`
-	NodeConfigs	Node specific configurations that will override node group configurations. Show example `talosImageURL: factory.talos.dev/installer/e9c7ef96884d4fbc8c0a1304ccca4bb0287d766a8b4125997cb9dbe84262144e nodeLabels: rack: rack1a nodeTaints: exampleTaint: exampletaintValue:NoSchedule disableSearchDomain: true`	`nil`

NodeConfigs

NodeConfigs defines machine configurations.

Field	Type	Description	Default Value
`talosImageURL`	string	Allows for supplying the node level image used to perform the installation. Show example `talosImageURL: factory.talos.dev/installer/e9c7ef96884d4fbc8c0a1304ccca4bb0287d766a8b4125997cb9dbe84262144e`	`""`
`machineSpec`	MachineSpec	Machine hardware specification for the node. Only used for `genurl image` subcommand. Show example `machineSpec: mode: metal arch: arm64 bootMethod: disk-image imageSuffix: raw.xz`	`nil`
`filenameTmpl`	string	Go template for generated filename. Available placeholders: `ClusterName`,`Hostname`,`IPAddress`, `Role` Show example `filenameTmpl: "{{.ClusterName}}-{{.Role}}-{{.Hostname}}.yaml"`	`{{.ClusterName}}-{{.Hostname}}.yaml`
`ingressFirewall`	IngressFirewall	Machine firewall specification for the node. Show example `ingressFirewall: defaultAction: block rules: - name: kubelet-ingress portSelector: ports: - 10250 protocol: tcp ingress: - subnet: 172.20.0.0/24 except: 172.20.0.1/32`	`nil`
`extensionServices`	[]ExtensionService	Machine extension services specification for the node. Show example `extensionServices: - name: nut-client configFiles: - content: MONITOR upsmonHost 1 remote pass password mountPath: /usr/local/etc/nut/upsmon.conf environment: - UPS_NAME=ups`	`nil`
`volumes`	[]Volume	Machine volume configs specification. Show example `volumes: - name: EPHEMERAL provisioning: diskSelector: match: disk.transport == "nvme" maxSize: 50GiB encryption: keys: - kms: endpoint: https://192.168.88.21:4443`	`nil`
`userVolumes`	[]UserVolume	Machine user volume configs specification. Show example `userVolumes: - name: ceph-data provisioning: diskSelector: match: disk.transport == "nvme" maxSize: 50GiB filesystem: type: xfs encryption: provider: luks2 keys: - slot: 0 tpm: {}`	`nil`
`nodeLabels`	map[string]string	Labels to be added to the node. Show example `rack: rack1a`	`false`
`nodeAnnotations`	map[string]string	Annotations to be added to the node. Show example `rack: rack1a`	`false`
`nodeTaints`	map[string]string	Node taints for the node. Show example `exampleTaint: exampleTaintValue:NoSchedule`	`false`
`disableSearchDomain`	bool	Whether to disable generating default search domain. Show example `disableSearchDomain: true`	`false`
`machineDisks`	[]MachineDisk	DEPRECATED: use `userVolumes` instead. Show example `machineDisks: - device: /dev/disk/by-id/ata-CT500MX500SSD1_2149E5EC1D9D partitions: - mountpoint: /var/mnt/sata`	`[]`
`noSchematicValidate`	bool	Whether to skip schematic validation. Show example `noSchematicValidate: true`	`false`
`machineFiles`	[]MachineFile	List of additional files to create inside the node. Show example `machineFiles: - content: \| TS_AUTHKEY=123456 permissions: 0o644 path: /var/etc/tailscale/auth.env op: create`	`[]`
`schematic`	Schematic	Configure Talos image customization to be used in the installer image Show example `schematic: customization: extraKernelArgs: - net.ifnames=0 systemExtensions: officialExtensions: - siderolabs/intel-ucode`	`nil`
`imageSchematic`	Schematic	Configure Talos image customization to be used for ISO or boot image Show example `imageSchematic: customization: extraKernelArgs: - net.ifnames=0 systemExtensions: officialExtensions: - siderolabs/intel-ucode`	`nil`
`kernelModules`	[]KernelModuleConfig	List of additional kernel modules to load. Show example `kernelModules: - name: br_netfilter parameters: - nf_conntrack_max=131072`	`[]`
`nameservers`	[]string	List of nameservers for the node. Show example `nameservers: - 8.8.8.8 - 1.1.1.1`	`[]`
`networkInterfaces`	[]Device	List of network interface configurations for the node. Show example `networkInterfaces: - interface: enp0s1 addresses: - 192.168.2.0/24 routes: - network: 0.0.0.0/0 gateway: 192.168.2.1 metric: 1024 mtu: 1500`	`[]`
`extraManifests`	[]string	DEPRECATED! Use `patches` instead.List of manifest files to be added for the node. Show example `extraManifests: - etcd-firewall.yaml - kubelet-firewall.yaml`	`[]`
`certSANs`	[]string	Extra SANs in the machine's certificate. Show example `certSANs: - example.org - 172.16.0.10 - 192.168.0.10`	`[]`
`patches`	[]string	Patches to be applied to the node. List of strings containing RFC6902 (deprecated) JSON patches, strategic merge patches, or a file containing them. Show example `patches: - \|- machine: env: MYENV: value - "@./a-patch.yaml"`	`[]`

ImageFactory

ImageFactory defines configuration for selfhosted image-factory.

Field	Type	Description	Default Value
`registryURL`	string	Registry URL of the factory. Show example `registryURL: myfactory.com`	`"factory.talos.dev"`
`protocol`	string	Protocol the registry is listening to. Show example `protocol: http`	`https`
`schematicEndpoint`	string	Path to do HTTP POST request to the registry. Show example `schematicEndpoint: /schematics`	`/schematics`
`installerURLTmpl`	string	Go template to parse the full installer URL. Available placeholders: `RegistryURL`,`ID`,`Version`, `Secureboot`, `Mode` Show example `installerURLTmpl: "{{.RegistryURL}}/installer/{{.ID}}:{{.Version}}"`	`{{.RegistryURL}}/{{.Mode}}-installer{{if .Secureboot}}-secureboot{{end}}/{{.ID}}:{{.Version}}`
`ImageURLTmpl`	string	Go template to parse the full ISO or boot image URL. Available placeholders: `Protocol`,`RegistryURL`,`ID`,`Version`,`Mode`,`Arch`, `Secureboot`, `UseUKI`, `BootMethod`, `Suffix` Show example `ImageURLTmpl: "{{.Protocol}}://{{.RegistryURL}}/image/{{.ID}}/{{.Version}}/{{.Mode}}-{{.Arch}}.iso"`	`{{.Protocol}}://{{.RegistryURL}}/image/{{.ID}}/{{.Version}}/{{.Mode}}-{{.Arch}}{{if .Secureboot}}-secureboot{{end}}{{if and .Secureboot .UseUKI}}-uki.efi{{else}}{{.Suffix}}{{end}}`

MachineSpec

MachineSpec defines machine hardware configurations for a node.

Field	Type	Description	Default Value
`mode`	string	Machine mode. Show example `mode: metal`	`"metal"`
`arch`	string	Machine architecture. Show example `arch: arm64`	`amd64`
`secureboot`	bool	Whether to enable Secure Boot. Show example `secureboot: true`	`false`
`useUKI`	bool	Whether to use UKI if Secure Boot is enabled. Show example `useUKI: true`	`false`
`bootMethod`	string	Boot method for the node. Can be "disk-image", "iso" or "pxe". Show example `bootMethod: disk-image`	`iso`
`imageSuffix`	string	The image file extension. Will be automatically defined by specified `bootMethod`, e.g: `raw.xz`, `raw.tar.gz`, `qcow2`. Show example `imageSuffix: raw.xz`	`""`

IngressFirewall

IngressFirewall defines machine firewall configuration for a node.

Field	Type	Description	Default Value	Required
`defaultAction`	`string`	Default action for all not explicitly configured traffic. Can be "accept" or "block" Show example `defaultAction: accept`	`nil`
`rules`	[]NetworkRule	List of matching network rules to allow or block against the defaultAction. If `defaultAction` is set to block, matching rules will be allowed vice versa. Show example `rules: - name: kubelet-ingress portSelector: ports: - 10250 protocol: tcp ingress: - subnet: 172.20.0.0/24 except: 172.20.0.1/32`	`nil`

ExtensionService

ExtensionService defines machine extension service configuration for a node.

Field	Type	Description	Default Value
`name`	`string`	Name of the extension service config. Show example `name: nut-client`	`nil`
`configFiles`	[]ConfigFile	The config files for the extension service. Show example `configFiles: - content: MONITOR upsmonHost 1 remote pass password mountPath: /usr/local/etc/nut/upsmon.conf`	`nil`
`environment`	[]string	The environment for the extension service. Show example `environment: - UPS_NAME=ups`	`nil`

Volume

Volume defines machine volume configuration for a node.

Field	Type	Description	Default Value
`name`	`string`	Name of the volume config. Show example `name: EPHEMERAL`	`nil`
`provisioning`	ProvisioningSpec	Provisioning spec of the volume config. Show example `provisioning: diskSelector: match: disk.transport == "nvme" maxSize: 50GiB`	`nil`
`encryption`	EncryptionSpec	Encryption spec of the volume config. Show example `encryption: keys: - kms: endpoint: https://192.168.88.21:4443`	`nil`

UserVolume

UserVolume defines machine user volume configuration for a node.

Field	Type	Description	Default Value
`name`	`string`	Name of the volume config. Show example `name: ceph-data`	`nil`
`provisioning`	ProvisioningSpec	Provisioning spec of the volume config. Show example `provisioning: diskSelector: match: disk.transport == "nvme" maxSize: 50GiB`	`nil`
`filesystem`	FilesystemSpec	Filesystem spec of the volume config. Show example `filesystem: type: xfs`	`nil`
`encryption`	EncryptionSpec	Encryption spec of the volume config. Show example `encryption: provider: luks2 keys: - slot: 0 tpm: {}`	`nil`

NetworkRule

NetworkRule defines the firewall rules to match.

Field	Type	Description	Default Value
`name`	`string`	Name of the rule. Show example `name: kubelet-ingress`	`nil`
`portSelector`	PortSelector	Ports and protocols on the host affected by the rule. Show example `portSelector: ports: - 10250 protocol: tcp`	`nil`
`ingress`	[]IngressConfig	List of source subnets allowed to access the host ports/protocols. Show example `ingress: - subnet: 172.20.0.0/24 except: 172.20.0.1/32`	`nil`

CNIConfig

CNIConfig is type of upstream Talos v1alpha1.CNIConfig

InstallDiskSelector

InstallDiskSelector is type of upstream Talos v1alpha1.InstallDiskSelector.

InlineManifest

InlineManifest is type of upstream Talos v1alpha1.ClusterInlineManifest

In addition to this, there's also a skipEnvsubst key that can be set to true to skip doing envsubst (only for file outside of talconfig.yaml)

MachineDisk

MachineDisk is type of upstream Talos v1alpha1.MachineDisk

MachineFile

MachineFile is type of upstream Talos v1alpha1.MachineFile

In addition to this, there's also a skipEnvsubst key that can be set to true to skip doing envsubst (only for file outside of talconfig.yaml)

InstallExtensionConfig

InstallExtensionConfig is type of upstream Talos v1alpha1.InstallExtensionConfig

Schematic

Schematic is type of upstream Talos Image Factory schematic.Schematic

KernelModuleConfig

KernelModuleConfig is type of upstream Talos v1alpha1.KernelModuleConfig

Device

Device is type of upstream Talos v1alpha1.Device

PortSelector

PortSelector is type of upstream Talos network.RulePortSelector

IngressConfig

IngressConfig is type of upstream Talos network.IngressConfig

ConfigFile

ConfigFile is type of upstream Talos extensions.ConfigFile

ProvisioningSpec

ProvisioningSpec is type of upstream Talos block.ProvisioningSpec

FilesystemSpec

FilesystemSpec is type of upstream Talos block.ProvisioningSpec

EncryptionSpec

Encryption is type of upstream Talos block.EncryptionSpec