The MachineConfig section defines machine-specific configuration options that control how an individual Talos node operates. This includes the node role, installation settings, networking, and kubelet configuration.
Machine Type Defines the role of the machine within the cluster.
controlplane - Control plane node hosting etcd and Kubernetes control plane components (API Server, Controller Manager, Scheduler)worker - Worker node available for scheduling workloads Note: The join value is deprecated but still supported; use worker instead.machine : type : controlplane
Machine Identity The token used by a machine to join the cluster PKI. This token is used to create a certificate signing request (CSR) and obtain an identity certificate. Important: Ensure this token is correct as machine certificates have a short TTL by default.
machine : token : "328hom.uqjzh6jnn2eie9oi"
The root certificate authority of the PKI, composed of base64 encoded crt and key. machine : ca : crt : LS0tLS1CRUdJTi... key : LS0tLS1CRUdJTi...
Additional certificate authorities accepted for authentication, each containing a base64 encoded crt.
Extra Subject Alternative Names (SANs) for the machine’s certificate. By default, all non-loopback interface IPs are automatically added. machine : certSANs : - 10.0.0.10 - 172.16.0.10 - 192.168.0.10
Control Plane Configuration Machine-specific control plane configuration options. Show Control Plane Fields
machine.controlPlane.controllerManager
Controller manager machine-specific configuration. machine.controlPlane.controllerManager.disabled
Disable kube-controller-manager on this node.
machine.controlPlane.scheduler
Scheduler machine-specific configuration. machine.controlPlane.scheduler.disabled
Disable kube-scheduler on this node.
Kubelet Configuration Configuration options for the kubelet. Override the default kubelet container image. machine : kubelet : image : ghcr.io/siderolabs/kubelet:v1.28.0
machine.kubelet.clusterDNS
Override the default kubelet cluster DNS IP list. machine : kubelet : clusterDNS : - 10.96.0.10 - 169.254.2.53
Additional flags to pass to the kubelet. Values can be strings or arrays of strings. machine : kubelet : extraArgs : feature-gates : EphemeralContainers=true allowed-unsafe-sysctls : net.core.somaxconn,net.ipv4.ip_local_port_range
Additional mounts for the kubelet container. Either bind or rbind are required in the options. machine : kubelet : extraMounts : - destination : /var/lib/example type : bind source : /var/lib/example options : - bind - rshared - rw
Kubelet configuration overrides. Some fields are not allowed to be overridden (authentication, authorization, cgroups, ports).
machine.kubelet.registerWithFQDN
Force kubelet to use the node FQDN for registration. Required in some cloud environments like AWS.
Configure the --node-ip flag for kubelet when a node has multiple addresses. machine.kubelet.nodeIP.validSubnets
Networks to pick kubelet node IP from. For dual stack, specify both IPv4 and IPv6 subnets. Use ! for negative matches. machine : kubelet : nodeIP : validSubnets : - 10.0.0.0/8 - '!10.0.1.0/24'
machine.kubelet.skipNodeRegistration
Run kubelet without registering with the apiserver (standalone mode, only runs static pods).
machine.kubelet.disableManifestsDirectory
Disable static pod manifests from /etc/kubernetes/manifests. Use the pods key instead for static pods.
Installation Configuration Installation instructions for the machine. This section is ignored by pre-installed Talos images. Show Installation Options
The disk used for installation. machine : install : disk : /dev/sda
machine.install.diskSelector
Disk selection using attributes like model, size, serial. Has priority over disk. Show Disk Selector Fields
machine.install.diskSelector.size
Disk size condition (e.g., >= 100GB, <= 2TB).
machine.install.diskSelector.model
Disk model from /sys/block/<dev>/device/model.
machine.install.diskSelector.serial
Disk serial number.
machine.install.diskSelector.type
Disk type: ssd, hdd, nvme, or sd.
machine.install.diskSelector.busPath
Disk bus path with wildcard support (e.g., /pci0000:00/*).
machine : install : diskSelector : type : nvme size : '>= 500GB'
The installer image to use. See GitHub releases for available versions. machine : install : image : ghcr.io/siderolabs/installer:v1.6.0
Whether to wipe the installation disk at installation time.
machine.install.legacyBIOSSupport
Mark MBR partition as bootable. Only enable for systems with legacy BIOS that don’t support GPT.
System Configuration Kernel sysctl configuration as key-value pairs. machine : sysctls : kernel.printk : "4 4 1 7" net.ipv4.ip_forward : "1"
Sysfs configuration as key-value pairs. machine : sysfs : devices.system.cpu.cpu0.cpufreq.scaling_governor : performance
Additional files to create on the machine. The op value can be create, overwrite, or append. machine : files : - content : | [Unit] Description=Example Service [Service] Type=oneshot ExecStart=/usr/local/bin/example.sh permissions : 0o644 path : /etc/systemd/system/example.service op : create
Kubernetes node labels for the machine. Note: Worker nodes are restricted from setting labels with certain prefixes (see NodeRestriction ).machine : nodeLabels : rack : rack-1 environment : production
Kubernetes node annotations for the machine. machine : nodeAnnotations : customer.io/rack : r13a25
Kubernetes node taints for the machine. Effect is optional. Note: Worker nodes cannot modify taints by default (see NodeRestriction ).machine : nodeTaints : exampleTaint : exampleTaintValue:NoSchedule
Features Configuration Individual Talos features that can be enabled or disabled. machine : features : rbac : true stableHostname : true kubernetesTalosAPIAccess : enabled : true allowedRoles : - os:reader allowedKubernetesNamespaces : - kube-system
Complete Example version : v1alpha1 kind : Config machine : type : controlplane token : 328hom.uqjzh6jnn2eie9oi ca : crt : LS0tLS1CRUdJTi... key : LS0tLS1CRUdJTi... certSANs : - 10.0.0.10 kubelet : image : ghcr.io/siderolabs/kubelet:v1.28.0 extraArgs : feature-gates : EphemeralContainers=true nodeIP : validSubnets : - 10.0.0.0/8 install : disk : /dev/sda image : ghcr.io/siderolabs/installer:v1.6.0 wipe : true sysctls : net.ipv4.ip_forward : "1" nodeLabels : topology.kubernetes.io/zone : us-east-1a features : rbac : true stableHostname : true
