The ClusterConfig section defines cluster-wide configuration that applies to all nodes in the cluster. This includes the control plane endpoint, Kubernetes component settings, and cluster networking.
Cluster Identity
cluster.id
Globally unique identifier for the cluster (base64 encoded random 32 bytes). Automatically generated during cluster creation.
cluster.secret
Shared secret of the cluster (base64 encoded random 32 bytes). This secret is shared among cluster members but should never be sent over the network.
cluster.clusterName
The name of the cluster.

```yaml
cluster:
  clusterName: production-cluster
```
Control Plane Configuration
Control plane endpoint configuration.
cluster.controlPlane.endpoint
The canonical control plane endpoint, which can be an IP address or a DNS hostname with an optional port. This is a single-valued endpoint.

```yaml
cluster:
  controlPlane:
    endpoint: https://1.2.3.4:6443
```

```yaml
cluster:
  controlPlane:
    endpoint: https://cluster.example.com:6443
```
cluster.controlPlane.localAPIServerPort
The port that the API server listens on internally. May differ from the port in the endpoint field.
Cluster Networking
cluster.network
Cluster-specific network configuration.
cluster.network.cni
The CNI configuration.
cluster.network.cni.name
CNI name. Options: flannel, custom, or none.
flannel - Talos-managed Flannel CNI (default)
custom - Custom manifests provided in urls
none - No CNI management by Talos
cluster.network.cni.urls
URLs containing CNI manifests to apply. Required for custom; must be empty for flannel and none.
cluster.network.cni.flannel
Flannel-specific configuration.
cluster.network.cni.flannel.extraArgs
Extra arguments for flanneld.

```yaml
cluster:
  network:
    cni:
      name: flannel
      flannel:
        extraArgs:
          - --iface-can-reach=192.168.1.1
```
cluster.network.cni.flannel.kubeNetworkPoliciesEnabled
Deploy kube-network-policies with Flannel to enable Kubernetes Network Policies.
cluster.network.dnsDomain
string (default: "cluster.local")
The domain used by Kubernetes DNS.
cluster.network.podSubnets
array (default: ["10.244.0.0/16"])
The pod subnet CIDR(s).

```yaml
cluster:
  network:
    podSubnets:
      - 10.244.0.0/16
```
cluster.network.serviceSubnets
array (default: ["10.96.0.0/12"])
The service subnet CIDR(s).

```yaml
cluster:
  network:
    serviceSubnets:
      - 10.96.0.0/12
```
Bootstrap Token
cluster.token
The bootstrap token used to join the cluster.

```yaml
cluster:
  token: wlzjyw.bei2zfylhs2by0wd
```
Encryption Configuration
cluster.aescbcEncryptionSecret
cluster.secretboxEncryptionSecret
Certificate Authorities
cluster.ca
The base64 encoded root certificate authority used by Kubernetes.

```yaml
cluster:
  ca:
    crt: LS0tLS1CRUdJTi...
    key: LS0tLS1CRUdJTi...
```
List of base64 encoded accepted certificate authorities used by Kubernetes.
The base64 encoded aggregator certificate authority for Kubernetes front-proxy certificate generation. Can be self-signed.
The base64 encoded private key for service account token generation.
Kubernetes Components
API Server
API server configuration.
cluster.apiServer.image
Container image for the API server.

```yaml
cluster:
  apiServer:
    image: registry.k8s.io/kube-apiserver:v1.28.0
```

cluster.apiServer.extraArgs
Extra arguments for the API server.

```yaml
cluster:
  apiServer:
    extraArgs:
      feature-gates: EphemeralContainers=true
      audit-log-path: /var/log/kubernetes/audit.log
```
Extra volumes to mount to the API server static pod.
Environment variables for the API server.
cluster.apiServer.certSANs
Extra certificate subject alternative names for the API server's certificate.

```yaml
cluster:
  apiServer:
    certSANs:
      - api.example.com
      - 10.0.0.10
```
cluster.apiServer.admissionControl
API server admission plugin configuration.

```yaml
cluster:
  apiServer:
    admissionControl:
      - name: PodSecurity
        configuration:
          apiVersion: pod-security.admission.config.k8s.io/v1alpha1
          kind: PodSecurityConfiguration
          defaults:
            enforce: baseline
```
cluster.apiServer.auditPolicy
API server audit policy configuration.
cluster.apiServer.resources
API server resource requests and limits.
Controller Manager
cluster.controllerManager
Controller manager configuration.
cluster.controllerManager.image
Container image for the controller manager.
Extra arguments for the controller manager.
Extra volumes to mount to the controller manager static pod.
cluster.controllerManager.env
Environment variables for the controller manager.
cluster.controllerManager.resources
Controller manager resource requests and limits.
Scheduler
cluster.scheduler
Scheduler configuration.
cluster.scheduler.image
Container image for the scheduler.
Extra arguments for the scheduler.
Extra volumes to mount to the scheduler static pod.
Environment variables for the scheduler.
cluster.scheduler.resources
Scheduler resource requests and limits.
Custom kube-scheduler configuration.
Proxy
cluster.proxy
Kube-proxy configuration.
Disable kube-proxy deployment on cluster bootstrap.
Container image for kube-proxy.
Proxy mode for kube-proxy.
Extra arguments for kube-proxy.
Etcd Configuration
cluster.etcd
Etcd cluster configuration.
cluster.etcd.image
Container image for etcd.

```yaml
cluster:
  etcd:
    image: gcr.io/etcd-development/etcd:v3.5.9
```
Root certificate authority of the etcd PKI (base64 encoded crt and key).
Extra arguments for etcd. Some arguments are not allowed (name, data-dir, listen URLs, cert files).
cluster.etcd.advertisedSubnets
Networks to pick the etcd advertised IP from. Use ! for negative matches.

```yaml
cluster:
  etcd:
    advertisedSubnets:
      - 10.0.0.0/8
```
cluster.etcd.listenSubnets
Networks for etcd to listen for peer and client connections.
CoreDNS
CoreDNS configuration.
Disable CoreDNS deployment on cluster bootstrap.
Override the default CoreDNS image.
Manifests
cluster.extraManifests
URLs pointing to additional manifests to deploy during bootstrap.

```yaml
cluster:
  extraManifests:
    - https://www.example.com/manifest1.yaml
    - https://www.example.com/manifest2.yaml
```

cluster.extraManifestHeaders
Key-value pairs added as headers when fetching extra manifests.

```yaml
cluster:
  extraManifestHeaders:
    Token: "1234567"
    X-ExtraInfo: "info"
```

cluster.inlineManifests
Inline Kubernetes manifests to deploy during bootstrap.

```yaml
cluster:
  inlineManifests:
    - name: namespace-example
      contents: |
        apiVersion: v1
        kind: Namespace
        metadata:
          name: example
```
Scheduling
cluster.allowSchedulingOnControlPlanes
Allow running workloads on control plane nodes.

```yaml
cluster:
  allowSchedulingOnControlPlanes: true
```
Discovery
cluster.discovery
Cluster member discovery configuration.

```yaml
cluster:
  discovery:
    enabled: true
    registries:
      kubernetes:
        disabled: false
      service:
        disabled: false
```
Complete Example
```yaml
version: v1alpha1
kind: Config
cluster:
  id: YYhNzVNMSU0TA==
  secret: cSfCJL1EZAYt==
  clusterName: production-k8s
  controlPlane:
    endpoint: https://api.example.com:6443
    localAPIServerPort: 6443
  network:
    cni:
      name: flannel
    dnsDomain: cluster.local
    podSubnets:
      - 10.244.0.0/16
    serviceSubnets:
      - 10.96.0.0/12
  token: wlzjyw.bei2zfylhs2by0wd
  ca:
    crt: LS0tLS1CRUdJTi...
    key: LS0tLS1CRUdJTi...
  apiServer:
    image: registry.k8s.io/kube-apiserver:v1.28.0
    certSANs:
      - api.example.com
    extraArgs:
      feature-gates: EphemeralContainers=true
  controllerManager:
    image: registry.k8s.io/kube-controller-manager:v1.28.0
  scheduler:
    image: registry.k8s.io/kube-scheduler:v1.28.0
  etcd:
    image: gcr.io/etcd-development/etcd:v3.5.9
    advertisedSubnets:
      - 10.0.0.0/8
  allowSchedulingOnControlPlanes: false
```
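As an added check (example code, not from the Talos docs or project), this Python linter applies the rules this reference states to a ClusterConfig before it is applied: the cni name/urls constraints, non-overlapping pod and service subnets, a configured encryption secret, an API server audit log path and PodSecurity admission plugin, and the etcd extraArgs restriction. The ETCD_RESERVED flag names are my reading of "name, data-dir, listen URLs, cert files", and the SAMPLE dict is a constructed copy of the Complete Example above.

```python
import ipaddress

# Assumption: the reference's "name, data-dir, listen URLs, cert files"
# restriction on etcd extraArgs, spelled out as etcd flag names.
ETCD_RESERVED = {"name", "data-dir", "listen-peer-urls", "listen-client-urls",
                 "cert-file", "key-file", "peer-cert-file", "peer-key-file"}


def lint_cluster(cluster):
    """Return a list of findings for a ClusterConfig dict (empty = clean)."""
    findings = []
    net = cluster.get("network", {})
    cni = net.get("cni", {})
    name, urls = cni.get("name", "flannel"), cni.get("urls") or []
    if name == "custom" and not urls:
        findings.append("cni custom requires urls")
    if name in ("flannel", "none") and urls:
        findings.append(f"cni {name} must not set urls")
    # Pod and service CIDRs must not overlap, or routing becomes ambiguous.
    pods = [ipaddress.ip_network(c) for c in net.get("podSubnets", [])]
    svcs = [ipaddress.ip_network(c) for c in net.get("serviceSubnets", [])]
    for p in pods:
        for s in svcs:
            if p.version == s.version and p.overlaps(s):
                findings.append(f"podSubnet {p} overlaps serviceSubnet {s}")
    # Secrets-at-rest encryption: either key enables it.
    if not (cluster.get("aescbcEncryptionSecret") or cluster.get("secretboxEncryptionSecret")):
        findings.append("no secrets-at-rest encryption secret configured")
    api = cluster.get("apiServer", {})
    if "audit-log-path" not in api.get("extraArgs", {}):
        findings.append("apiServer audit-log-path not set")
    if not any(p.get("name") == "PodSecurity" for p in api.get("admissionControl", [])):
        findings.append("PodSecurity admission plugin not configured")
    bad = ETCD_RESERVED & set(cluster.get("etcd", {}).get("extraArgs", {}))
    if bad:
        findings.append("etcd extraArgs override reserved flags: " + ", ".join(sorted(bad)))
    return findings


# Constructed sample: the reference's "Complete Example" as a dict. It sets
# no encryption secret, no audit log path and no admission control.
SAMPLE = {
    "clusterName": "production-k8s",
    "network": {"cni": {"name": "flannel"}, "podSubnets": ["10.244.0.0/16"],
                "serviceSubnets": ["10.96.0.0/12"]},
    "apiServer": {"extraArgs": {"feature-gates": "EphemeralContainers=true"}},
    "etcd": {"advertisedSubnets": ["10.0.0.0/8"]},
}
```

Running lint_cluster(SAMPLE) reports three findings (missing encryption secret, audit log path and PodSecurity plugin); a config that sets all three and keeps the subnets disjoint returns an empty list.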