version: v1alpha1 # Indicates the schema used to decode the contents. debug: false # Enable verbose logging to the console. persist: true # Provides machine specific configuration options. machine: type: controlplane # Defines the role of the machine within the cluster. token: 3uidom.1vcwkierii21gxy7 # The `token` is used by a machine to join the PKI of the cluster. # The root certificate authority of the PKI. ca: crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBc2NKK2QydlFtaFRSZFZGdTBydzdoVEFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qVXdOVEF4TVRBeE16QTJXaGNOTXpVd05ESTVNVEF4TXpBMldqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQUIvZ3lFSHlMRDNJTzZTazdwaUZva0Jwc21obkxwckJMTll3Cno3K1pMbXdlbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkozUFM4YTR2NEtHd2srbQpOb0V0elpEcTlaYmFNQVVHQXl0bGNBTkJBTFo2SGZPS3A5c3kzbkcxL1Z1bVhuM2hWQjd1bGpZeW95Mkh3Qm5QClpLNFo3Sk1Yb3NEMVJOY05KdGUxQUp2Tm5NaElxbVMvamhXbjZQdCtLN1YxbWcwPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJSXZLSWJITXBNNDU4SDgvY2lHUG9MRWxWdlRhV2VrNHBzM3lCYkVoUkt5WgotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K # Extra certificate subject alternative names for the machine's certificate. certSANs: [] # # Uncomment this to enable SANs. # - 10.0.0.10 # - 172.16.0.10 # - 192.168.0.10 # Used to provide additional options to the kubelet. kubelet: image: ghcr.io/siderolabs/kubelet:v1.32.0 # The `image` field is an optional reference to an alternative kubelet image. defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile. disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory. # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list. # clusterDNS: # - 10.96.0.10 # - 169.254.2.53 # # The `extraArgs` field is used to provide additional flags to the kubelet. # extraArgs: # key: value # # The `extraMounts` field is used to add additional mounts to the kubelet container. # extraMounts: # - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container. # type: bind # Type specifies the mount kind. # source: /var/lib/example # Source specifies the source path of the mount. # # Options are fstab style mount options. # options: # - bind # - rshared # - rw # # The `extraConfig` field is used to provide kubelet configuration overrides. # extraConfig: # serverTLSBootstrap: true # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration. # credentialProviderConfig: # apiVersion: kubelet.config.k8s.io/v1 # kind: CredentialProviderConfig # providers: # - apiVersion: credentialprovider.kubelet.k8s.io/v1 # defaultCacheDuration: 12h # matchImages: # - '*.dkr.ecr.*.amazonaws.com' # - '*.dkr.ecr.*.amazonaws.com.cn' # - '*.dkr.ecr-fips.*.amazonaws.com' # - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov' # - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov' # name: ecr-credential-provider # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet. # nodeIP: # # The `validSubnets` field configures the networks to pick kubelet node IP from. # validSubnets: # - 10.0.0.0/8 # - '!10.0.0.3/32' # - fdc7::/16 # Provides machine specific network configuration options. network: {} # # `interfaces` is used to define the network interface configuration. # interfaces: # - interface: enp0s1 # The interface name. # # Assigns static IP addresses to the interface. # addresses: # - 192.168.2.0/24 # # A list of routes associated with the interface. # routes: # - network: 0.0.0.0/0 # The route's network (destination). # gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route). # metric: 1024 # The optional metric for the route. # mtu: 1500 # The interface's MTU. # # # # Picks a network device using the selector. # # # select a device with bus prefix 00:*. # # deviceSelector: # # busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. # # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver. # # deviceSelector: # # hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard. # # driver: virtio_net # Kernel driver, supports matching by wildcard. # # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver. # # deviceSelector: # # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. # # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard. # # driver: virtio_net # Kernel driver, supports matching by wildcard. # # # Bond specific options. # # bond: # # # The interfaces that make up the bond. # # interfaces: # # - enp2s0 # # - enp2s1 # # # Picks a network device using the selector. # # deviceSelectors: # # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. # # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard. # # driver: virtio_net # Kernel driver, supports matching by wildcard. # # mode: 802.3ad # A bond option. # # lacpRate: fast # A bond option. # # # Bridge specific options. # # bridge: # # # The interfaces that make up the bridge. # # interfaces: # # - enxda4042ca9a51 # # - enxae2a6774c259 # # # Enable STP on this bridge. # # stp: # # enabled: true # Whether Spanning Tree Protocol (STP) is enabled. # # # Configure this device as a bridge port. # # bridgePort: # # master: br0 # The name of the bridge master interface # # # Indicates if DHCP should be used to configure the interface. # # dhcp: true # # # DHCP specific options. # # dhcpOptions: # # routeMetric: 1024 # The priority of all routes received via DHCP. # # # Wireguard specific configuration. # # # wireguard server example # # wireguard: # # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded). # # listenPort: 51111 # Specifies a device's listening port. # # # Specifies a list of peer configurations to apply to a device. # # peers: # # - publicKey: ABCDEF... # Specifies the public key of this peer. # # endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry. # # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer. # # allowedIPs: # # - 192.168.1.0/24 # # # wireguard peer example # # wireguard: # # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded). # # # Specifies a list of peer configurations to apply to a device. # # peers: # # - publicKey: ABCDEF... # Specifies the public key of this peer. # # endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry. # # persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer. # # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer. # # allowedIPs: # # - 192.168.1.0/24 # # # Virtual (shared) IP address configuration. # # # layer2 vip example # # vip: # # ip: 172.16.199.55 # Specifies the IP address to be used. # # Used to statically set the nameservers for the machine. # nameservers: # - 8.8.8.8 # - 1.1.1.1 # # Used to statically set arbitrary search domains. # searchDomains: # - example.org # - example.com # # Allows for extra entries to be added to the `/etc/hosts` file # extraHostEntries: # - ip: 192.168.1.100 # The IP of the host. # # The host alias. # aliases: # - example # - example.domain.tld # # Configures KubeSpan feature. # kubespan: # enabled: true # Enable the KubeSpan feature. # Used to provide instructions for installations. install: # disk: /dev/sda # The disk used for installations. image: ghcr.io/siderolabs/installer:v1.9.0 # Allows for supplying the image used to perform the installation. wipe: true # Indicates if the installation disk should be wiped at installation time. # # Look up disk using disk attributes like model, size, serial and others. diskSelector: size: <= 1TiB # Disk size. type: ssd # model: WDC* # Disk model `/sys/block//device/model`. # busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path. # # Allows for supplying extra kernel args via the bootloader. # extraKernelArgs: # - talos.platform=metal # - reboot=k # # Allows for supplying additional system extension images to install on top of base Talos image. # extensions: # - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image. # Used to configure the machine's container image registry mirrors. registries: {} # # Specifies mirror configuration for each registry host namespace. # mirrors: # ghcr.io: # # List of endpoints (URLs) for registry mirrors to use. # endpoints: # - https://registry.insecure # - https://ghcr.io/v2/ # # Specifies TLS & auth configuration for HTTPS image registries. # config: # registry.insecure: # # The TLS configuration for the registry. # tls: # insecureSkipVerify: true # Skip TLS server certificate verification (not recommended). # # # # Enable mutual TLS authentication with the registry. # # clientIdentity: # # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t # # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ== # # # # The auth configuration for this registry. # # auth: # # username: username # Optional registry authentication. # # password: password # Optional registry authentication. # Features describe individual Talos features that can be switched on or off. features: rbac: true # Enable role-based access control (RBAC). stableHostname: true # Enable stable default hostname. apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid. diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks. # KubePrism - local proxy/load balancer on defined port that will distribute kubePrism: enabled: true # Enable KubePrism support - will start local load balancing proxy. port: 7445 # KubePrism port. # Configures host DNS caching resolver. hostDNS: enabled: true # Enable host DNS caching resolver. forwardKubeDNSToHost: true # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods. # # Configure Talos API access from Kubernetes pods. # kubernetesTalosAPIAccess: # enabled: true # Enable Talos API access from Kubernetes pods. # # The list of Talos API roles which can be granted for access from Kubernetes pods. # allowedRoles: # - os:reader # # The list of Kubernetes namespaces Talos API access is available from. # allowedKubernetesNamespaces: # - kube-system # Configures the node labels for the machine. nodeLabels: node.kubernetes.io/exclude-from-external-load-balancers: "" # # Provides machine specific control plane configuration options. # # ControlPlane definition example. # controlPlane: # # Controller manager machine specific configuration options. # controllerManager: # disabled: false # Disable kube-controller-manager on the node. # # Scheduler machine specific configuration options. # scheduler: # disabled: true # Disable kube-scheduler on the node. # # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver. # # nginx static pod. # pods: # - apiVersion: v1 # kind: pod # metadata: # name: nginx # spec: # containers: # - image: nginx # name: nginx # # Used to partition, format and mount additional disks. # # MachineDisks list example. # disks: # - device: /dev/sdb # The name of the disk to use. # # A list of partitions to create on the disk. # partitions: # - mountpoint: /var/mnt/extra # Where to mount the partition. # # # # The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk. # # # Human readable representation. # # size: 100 MB # # # Precise value in bytes. # # size: 1073741824 # # Allows the addition of user specified files. # # MachineFiles usage example. # files: # - content: '...' # The contents of the file. # permissions: 0o666 # The file's permissions in octal. # path: /tmp/file.txt # The path of the file. # op: append # The operation to use # # The `env` field allows for the addition of environment variables. # # Environment variables definition examples. # env: # GRPC_GO_LOG_SEVERITY_LEVEL: info # GRPC_GO_LOG_VERBOSITY_LEVEL: "99" # https_proxy: http://SERVER:PORT/ # env: # GRPC_GO_LOG_SEVERITY_LEVEL: error # https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/ # env: # https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/ # # Used to configure the machine's time settings. # # Example configuration for cloudflare ntp server. # time: # disabled: false # Indicates if the time service is disabled for the machine. # # description: | # servers: # - time.cloudflare.com # bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence. # # Used to configure the machine's sysctls. # # MachineSysctls usage example. # sysctls: # kernel.domainname: talos.dev # net.ipv4.ip_forward: "0" # net/ipv6/conf/eth0.100/disable_ipv6: "1" # # Used to configure the machine's sysfs. # # MachineSysfs usage example. # sysfs: # devices.system.cpu.cpu0.cpufreq.scaling_governor: performance # # Machine system disk encryption configuration. # systemDiskEncryption: # # Ephemeral partition encryption. # ephemeral: # provider: luks2 # Encryption provider to use for the encryption. # # Defines the encryption keys generation and storage method. # keys: # - # Deterministically generated key from the node UUID and PartitionLabel. # nodeID: {} # slot: 0 # Key slot number for LUKS2 encryption. # # # # KMS managed encryption key. # # kms: # # endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key. # # # # Cipher kind to use for the encryption. Depends on the encryption provider. # # cipher: aes-xts-plain64 # # # Defines the encryption sector size. # # blockSize: 4096 # # # Additional --perf parameters for the LUKS2 encryption. # # options: # # - no_read_workqueue # # - no_write_workqueue # # Configures the udev system. # udev: # # List of udev rules to apply to the udev system # rules: # - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660" # # Configures the logging system. # logging: # # Logging destination. # destinations: # - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp". # format: json_lines # Logs format. # # Configures the kernel. # kernel: # # Kernel modules to load. # modules: # - name: brtfs # Module name. # # Configures the seccomp profiles for the machine. # seccompProfiles: # - name: audit.json # The `name` field is used to provide the file name of the seccomp profile. # # The `value` field is used to provide the seccomp profile. # value: # defaultAction: SCMP_ACT_LOG # # Override (patch) settings in the default OCI runtime spec for CRI containers. # # override default open file limit # baseRuntimeSpecOverrides: # process: # rlimits: # - hard: 1024 # soft: 1024 # type: RLIMIT_NOFILE # # Configures the node annotations for the machine. # # node annotations example. # nodeAnnotations: # customer.io/rack: r13a25 # # Configures the node taints for the machine. Effect is optional. # # node taints example. # nodeTaints: # exampleTaint: exampleTaintValue:NoSchedule # Provides cluster specific configuration options. cluster: id: 2nhlmlYevQvBg_85ycRHU6k13EQuzD7E23appM63huk= # Globally unique identifier for this cluster (base64 encoded random 32 bytes). secret: Vp2u9OUmz+tAUBbMk0PKrL0QTLHZpKny5AD4L4l7RYw= # Shared secret of cluster (base64 encoded random 32 bytes). # Provides control plane specific configuration options. controlPlane: endpoint: https://192.168.0.10:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname. clusterName: veda # Configures the cluster's name. # Provides cluster specific network configuration options. network: dnsDomain: cluster.local # The domain used by Kubernetes DNS. # The pod subnet CIDR. podSubnets: - 10.244.0.0/16 # The service subnet CIDR. serviceSubnets: - 10.96.0.0/12 # # The CNI used. # cni: # name: custom # Name of CNI to use. # # URLs containing manifests to apply for the CNI. # urls: # - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml token: qsuvb3.2y1ty21ec140yl45 # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster. secretboxEncryptionSecret: ojT/PNT9XPneOWP6udTll98G8z3OjHqMlfGlWNYnQmw= # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). # The base64 encoded root certificate authority used by Kubernetes. ca: crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpRENDQVMrZ0F3SUJBZ0lRWlBiRENCZUdHVWN1T08zR3FaSzE4REFLQmdncWhrak9QUVFEQWpBVk1STXcKRVFZRFZRUUtFd3ByZFdKbGNtNWxkR1Z6TUI0WERUSTFNRFV3TVRFd01UTXdObG9YRFRNMU1EUXlPVEV3TVRNdwpObG93RlRFVE1CRUdBMVVFQ2hNS2EzVmlaWEp1WlhSbGN6QlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VICkEwSUFCSE9SS0IxYjhUaWpNSnQzdmpuN0lhUWNsWXRpVjZuY1lrRkZ6emFqNEQ4d09pUmszNXlvam5mRDVDWDkKMGhqSThNUXA3ZzhxZ1BRSTJjQXpoaUJyVWNDallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWRCZ05WSFNVRQpGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFCkZnUVVWTUl3TnRCN3VhSWFhaXc5RlFnbXgvbU5TaFF3Q2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnY3R1NGxsUHgKOXFpR2VVK280bCsrME45emY4MVdFNXh6cjh5MUhQR25wSFFDSUFYMW13RFFRYS9Sd2tCMitwQXNnS2hFRlE0ZQo3Z1BmTXBrVWtiMDZ4VmZwCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFreEkrLzVpM09CSU9mYzVKSGFSVEh4R1JLZklRRTh4N3JUVFluR2dpaTFvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFYzVFb0hWdnhPS013bTNlK09mc2hwQnlWaTJKWHFkeGlRVVhQTnFQZ1B6QTZKR1RmbktpTwpkOFBrSmYzU0dNand4Q251RHlxQTlBalp3RE9HSUd0UndBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation. aggregatorCA: crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZVENDQVFhZ0F3SUJBZ0lSQUo3aDdWVFRrWSsyT2wrUmxrbkRSZ1l3Q2dZSUtvWkl6ajBFQXdJd0FEQWUKRncweU5UQTFNREV4TURFek1EWmFGdzB6TlRBME1qa3hNREV6TURaYU1BQXdXVEFUQmdjcWhrak9QUUlCQmdncQpoa2pPUFFNQkJ3TkNBQVJPWDBjMkxPSzBLOUE0OEN1alorN3dFV0pyZFBmd1ZDY3E2aTlVVE9oTGtRc1YzWW44Cmw3SzMzK1diRWVVcU9KTGUrWXNhRkhiQ3RnTXo0ZHkzOUtDdm8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXcKSFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4dwpIUVlEVlIwT0JCWUVGTVN4K1FuRkwrWmdkbVAvaWtQRjV0Z1hjRjIwTUFvR0NDcUdTTTQ5QkFNQ0Ewa0FNRVlDCklRRGRyWlpCc0FodEY1M3RFa2F1aWNld05ZSHdPWmpuV284YXdyR3BPaml2bXdJaEFPLzc5NVBJeTNmdDRsQVQKWSt5QW5kc1hrWWtmU0tDcnBja00yREViRGFuNQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUdNbFgzOGNDbFhsRzRrMU1jeDdDUEN2TG5JTHFpVy9oZE9WcFd2WXI3OVpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFVGw5SE5peml0Q3ZRT1BBcm8yZnU4QkZpYTNUMzhGUW5LdW92VkV6b1M1RUxGZDJKL0pleQp0OS9sbXhIbEtqaVMzdm1MR2hSMndyWURNK0hjdC9TZ3J3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= # The base64 encoded private key for service account token generation. serviceAccount: key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0VBN083YlVLRXg4Vyt1RENscTd6OG5LRUdMS0Jxb3lZdTc5NUJiVkp6bzYvWE1Od210ClFvVTRhM3htb0VKYk1MWVZLOWdEQldVU01pTk9FZHF1SjQ3WEVWc1RoRzRRQ1VsVy9oUkJ3a1FwZUh2Ykwyd2cKWXd5QkhvOXFTN2RPQUdNNjJncUl4S1dMOEw2SlZCZ2N6elhyTmt3eHBxaXhOZktIS21ERkdMWXdiTU9LbHpQdAp1alAzT00xQ0ludlhRb2hqWmNmTGRveUtCQXUxOUZkbmtGejg4WWxhNVlMR3NsaW0xaFJodXVSa2dsZlBnYzRqCmFlVGREM3c5R0lIWjFDdGVrSGhxVjFBK0lWcUV4dktpL05wVmI0eDhVQnA0cSt4MHlDNExhRldaTHphc2xhRGkKMkZaYUtXZ1Bxa25SQTZuU2VUdFlKRXJXL3Z5aVQ2QVVSbW5oemRJT3dUY0ZmNXdqa1hLc3RqV01ndnRqdnpYRApGZklSd1k5MUNrTUZtcTZxbVVabzRIZkduNWFqWHZBUlFUWkxxRWZvVXNkeURMV3k0ZEZ1ajQ3OUhKR3AvSmtMCi9xZjFqMEZpayt0NFUxZ1VFVEtzTWZhSTlvUUdLeHVhVmsvVUF0NEl2UWdvcndEUml6WUw0cjR4KzR3WjVwTnkKRDBYSGt3Z1VUbE13OGpqa09KVVZVRnBPV1VTbTJwQVAvUGVveXVuWHFqNlhmTWU3dTdjNEZ1c0k5YUpuUGxibwpRTDlWNEh2ZVZCSmhRajVIc0NCTEgyR1JDM2pxZzM5UDY4M2pHNW9QUGQ5eE5tTGpuaGxPaWFibHhRQ1VkQUFKClYzMU16QzZNbXpBc0NRS2YrVEFiK0NEcUpNQitYK0xaUTBMeWkxUXoraThjbnJQNU5MVGNQZU5UTmJVQ0F3RUEKQVFLQ0FnQUxWMCtXSjNFZGptdjFWeEl3UzRTVFQ3ZmFmcFF2dVltUXl3OGtHTEtwZ01WNnFQTHJLVGRQSmRBLwp3WTFkNG9sVzVPc1lHZ05wOVBpcXNCMy85TDFrcmtoYjRXelJGUHFlQk5nMDlWQkszUnJieFVBem5ZaWNydDYyCnF4cUh1RGc3OFo4a1VveEZSTW1NQmU5ekY3Q2ZrN3dZcnlCMFpaeUVzY2NkYkxNYXNhMXptVis2dHZ3UmN2bkUKYnNzWit5OU8wdVp4VVQ3Vi9MMkQ2WjhpY09FR3FyMTRHTzlyNEFSMFlOdGd0OGY3MlRvc2kzSjBnaWoyc2NxMgozcGhQcUpmSk1JcGVqWSs3eHZwdUQzVXZ4eitwckQ3VEVzRk44VzZSbW1xZlh1R0xPZ0crMDhtbjgxSXpnekNrCnhRM0ZNQjdNQU1ReVVJYkVBOUc5SC90NGQxOEFoSVNKbUYrTnlSMGJtalpBMmdOMlM0bDBzWGV3ckpxcVRPZWQKNnN2bGdRNEdiUFZzZnFIY3ZDMzFuRFFyNDlPZzFBSnNlb29PNy90ZUw5d3NOWmFNa2Z0UkJRYXJJd1V0OU50TwppTlk4cDE0M0xmWVE5YUJQL2J5d2cyNGZlS0RDZGZHWUJpNHhUNFcwZzNYaU5mRUZYdWdHVTdLUjNGNU0veUhICjc2NmpLSnN2L3lKU2J0TTR2RXd5d2RteDF4U2U2WnpZUTVPN1QwOTBWakVNSFlZUXo1M29lZGE1ekhJdUl0bkYKVW9pVnVQTDFaS2REbW80TG1zbHR3OUZ0OWVnUTNYTDQvam5lRUpLdHRZcnpQNVZaQm9iaEZUNFhWZWVGWU1HMApXKzV2bzlueE50UzVPSitDMHFVVWhLdU9sdHhWVGIyRmxZdmtZazRMNkU5bitreHNZUUtDQVFFQS9PeExKb1FuCkZYdlI4UjJlQ0pSeDJRUjd4SzY4bTdJbjZCNTJmS2cvaWQwM2syT0QrLzJvUGNwczcyYi9RUWl1S0YvRitsSW0KbWJOaVh6c0F0N0ZsS0hQMFZFclBwL3JOb1pub1BkY3FuZUtNYlZ6Z3JHUHVDWGFBNGdWaG1uUUlqKzN3Z0t6QwptbS9oSE1FVlVWUnpiMXB6WHJBQjFRRFh2b2hXOTlLREdDNE5jQ1gwdExUek5DN0ZPTmZ0aG96emJRNSsxSzV1CmNpWCtJeHNoN0tpZGRUWWdxOTB6VC96V0NBdDVFd1RNTkVzQ0V6d01aYThvcWJyZlF6MWN6Qnkzc0NtZmFuK0sKSUt1Y2RIa01PbmszNjh2a3R2bjVDb3dGSEFhcnBBYS9qRkx3ZUNUVk1odHRtUlV0N093Q21ZNG04TnFFRFFSQQozTFdTczlOaTFRZDZpUUtDQVFFQTc5RERoRFlYYmxoZU5IUFZKNk9VTWREc05lSW1Pa1htNDMweEZDYW5zZHRnCjkxYUYyb0JPYXYweUlkQ3Z6UHk5N1ZNanNlZmd1RlRZTnl1aTc0MTZmVGJFUXlYZmRYZWR5NytVa21ROWtib3EKUVNzc0dpTkUzUlloMmJsSFpYYVRWM3dvaExFWFJFVEYxTitaSVRKMWJpaTBHeVJYeWdwdmNIM0MySmFYcXBrNwpDQVV1cTJ2bDVraXFXYlkvMmxmOGhJN3BtcllraHlPdTZ4TU92QmpVYUdFc3RGUnlTV2NIbC91bEI5c1gvQTd1CmpVcDJlaWdOL2pCVXVzcXVaZWQxcVhEaXFlc0ovUjV3eGloQmovU3o3NmtDZ1FjcFBiaHVRdjJrcVlwdXU1NTQKM1ZpbThhK0JYTW9oYWpYSG10OWNJOHJKWGNyWWo2ajRqei9WeG9mbXpRS0NBUUVBNGxrcHpEZDZydHhYLzN2dApBV3F3RkhMUnZTeFArTnJRb2dnWksraDZySXZBZi9RUW0wVGYreVNjcHdlN0tsMTFWd2FYTERXMis5aXhFZDdBCi9xUVFqc3B1Lzd6UDZGb3BDeFdzNVNNWnJhQ2c0Z0s3d3l2UFRNSzBCeEtmemRWSUVGNzEzSUkveW15VHZ1TUIKaS82VExEVjdpR0xsME5WblBzblBZd3dQYkdWU2UycE1mQ2h3ZXVQY2RzbXZkYm5RNUdtVGtnemxKTnpoZWxOKwo0Y2ZvMm92dFkwR2IrVnFoeFNOWFlIRHJ1MlRoWDR0ZTRPV0g4NVljMXBVazVqcFJIYU95V21IM29OTlVPbHhXCldFSkJqSkcxaHhkaERGSlJCRXJuOHV4aklsYmJnL29hbmpRenVrdGRCV29Well5TlJ3R1lLZm9EZmtJMUh4L3YKbEF5VVdRS0NBUUFTRTU1cFBOcVBTc0h2R2p3YS9NMlM0N2lxWngyU2p1cFVnMzlMa1k1YWJicmxhZlExQUM3cApDYVRadjYxQXVseG1vem14azFUeEVCUXNOSEhYdE1aaTRkbnhaYzF1UVZIM3BiMUJPNlVZY3Z2MFpaaXhiNjhsCkt5SHFFM2s2UUxIaWlrMVRrelc1dzZWVjRuVGNkNzA2VEg4bS9KcFJkRy9wL3RETkdxemNBeWpiOWVnS3E5dHMKZkZXNjVXM3l1MmNoWnRSZEFSWEh5ZnpKWTJwYzYxSTNlL3V1ckI3aFFZN2srZWI2ckowbU5zbnNoSXhoc05zOQpLYzk1TlFYb1VJWWgrNHhhV29rcU56MHc4cC9laGdkNkxUY3ZHcWNWSyszRHh2SytoTnpMNzZvVXBUWVFTYlpxCmxDSG9xNTBjSTNJQ2tLcVZFMUUzb3ZqNWMwcGQ2S2lSQW9JQkFRREo4WEJ0RWJOQWM2T0VDSVNUbXFHZjFHUkkKck55NlJjNjVPdGlRNlpFZGQ5cS9DZE8wdHF1dHcwbjBpU3RsN3ZiSjJOdzhFTmIvem9WSnZGbWVCeVo1ZUlzMApTVzdrUXJuc1cvZmNCS3ZLMnk0dEJoMmsyMzY4d3AxWW1VLzZRelhPTDRqakhLKzlPOTQyT1VsbW1teVJlRWV2CjY4V09UWGQybFl3dDZhLzVGUElLZU1aYVZXemRUcjIyVHlURmlhWXF5Z3Zuc1I3YzZLWStIYmZKNmY5TVh5eUwKMUdHMWllTmNZK21tYiswM1JLUjZETVk1aHEwTjU5VFc3a3QxTG5BcHpQdlVPdVB2RnVlMTNjV1FNWUh1YjdIRQpSSTBLNk9SdzB2SmNGQngvNytJcnorOHF1bVpaUnJGM2hUSENRVlNjQXYyaVpBYXRUbFJDdS9JbXBxZUsKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K # API server specific configuration options. apiServer: image: registry.k8s.io/kube-apiserver:v1.32.0 # The container image used in the API server manifest. # Extra certificate subject alternative names for the API server's certificate. certSANs: - 192.168.0.10 disablePodSecurityPolicy: true # Disable PodSecurityPolicy in the API server and default manifests. # Configure the API server admission plugins. admissionControl: - name: PodSecurity # Name is the name of the admission controller. # Configuration is an embedded configuration object to be used as the plugin's configuration: apiVersion: pod-security.admission.config.k8s.io/v1alpha1 defaults: audit: restricted audit-version: latest enforce: baseline enforce-version: latest warn: restricted warn-version: latest exemptions: namespaces: - kube-system runtimeClasses: [] usernames: [] kind: PodSecurityConfiguration # Configure the API server audit policy. auditPolicy: apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: Metadata # # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration. # authorizationConfig: # - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`. # name: webhook # Name is used to describe the authorizer. # # webhook is the configuration for the webhook authorizer. # webhook: # connectionInfo: # type: InClusterConfig # failurePolicy: Deny # matchConditionSubjectAccessReviewVersion: v1 # matchConditions: # - expression: has(request.resourceAttributes) # - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)' # subjectAccessReviewVersion: v1 # timeout: 3s # - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`. # name: in-cluster-authorizer # Name is used to describe the authorizer. # # webhook is the configuration for the webhook authorizer. # webhook: # connectionInfo: # type: InClusterConfig # failurePolicy: NoOpinion # matchConditionSubjectAccessReviewVersion: v1 # subjectAccessReviewVersion: v1 # timeout: 3s # Controller manager server specific configuration options. controllerManager: image: registry.k8s.io/kube-controller-manager:v1.32.0 # The container image used in the controller manager manifest. # Kube-proxy server-specific configuration options proxy: image: registry.k8s.io/kube-proxy:v1.32.0 # The container image used in the kube-proxy manifest. # # Disable kube-proxy deployment on cluster bootstrap. # disabled: false # Scheduler server specific configuration options. scheduler: image: registry.k8s.io/kube-scheduler:v1.32.0 # The container image used in the scheduler manifest. # Configures cluster member discovery. discovery: enabled: true # Enable the cluster membership discovery feature. # Configure registries used for cluster member discovery. registries: # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information kubernetes: disabled: true # Disable Kubernetes discovery registry. # Service registry is using an external service to push and pull information about cluster members. service: {} # # External service endpoint. # endpoint: https://discovery.talos.dev/ # Etcd specific configuration options. etcd: # The `ca` is the root certificate authority of the PKI. ca: crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmekNDQVNTZ0F3SUJBZ0lSQU5xaTJoai9LTkt3cmcrTTZyeHQ1YXN3Q2dZSUtvWkl6ajBFQXdJd0R6RU4KTUFzR0ExVUVDaE1FWlhSalpEQWVGdzB5TlRBMU1ERXhNREV6TURaYUZ3MHpOVEEwTWpreE1ERXpNRFphTUE4eApEVEFMQmdOVkJBb1RCR1YwWTJRd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFRelJzakZZV3BlCk5YMDlQWHJMeW1CUldyMEpGcGNkaCs0QUhTaEtPbXh6NzFaUGw2R2U4aGdjWlVJSGxIM2kzUE1uUERsTE9vdDkKMjc2UEU5REc0bG81bzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSApBd0VHQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRk8zNlU0RTNONk1HCkMraUM0QXN0YTVRMmphK0ZNQW9HQ0NxR1NNNDlCQU1DQTBrQU1FWUNJUUNJRDlLeXJOczZ6RFp0KzVDaFV6QjgKNEgyV2Y4MG40c0ljYWlzRU16em5CZ0loQVA5V0VXcTZkNlZpdjNacENsK3JXcWdLS2MvaTlrVG5pdHdPZ0tjZwozdmlXCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU9MakJYbFFlNzdxSVRjNktnTVFzWlhqQVF5Y0JRa3Q0YVZaYzg1YkM2aXZvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFTTBiSXhXRnFYalY5UFQxNnk4cGdVVnE5Q1JhWEhZZnVBQjBvU2pwc2MrOVdUNWVobnZJWQpIR1ZDQjVSOTR0enpKenc1U3pxTGZkdStqeFBReHVKYU9RPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= # # The container image used to create the etcd service. # image: gcr.io/etcd-development/etcd:v3.5.17 # # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from. # advertisedSubnets: # - 10.0.0.0/8 # A list of urls that point to additional manifests. extraManifests: [] # - https://www.example.com/manifest1.yaml # - https://www.example.com/manifest2.yaml # A list of inline Kubernetes manifests. inlineManifests: [] # - name: namespace-ci # Name of the manifest. # contents: |- # Manifest contents as a string. # apiVersion: v1 # kind: Namespace # metadata: # name: ci # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). # # Decryption secret example (do not use in production!). # aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM= # # Core DNS specific configuration options. # coreDNS: # image: registry.k8s.io/coredns/coredns:v1.12.0 # The `image` field is an override to the default coredns image. # # External cloud provider configuration. # externalCloudProvider: # enabled: true # Enable external cloud provider. # # A list of urls that point to additional manifests for an external cloud provider. # manifests: # - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml # - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml # # A map of key value pairs that will be added while fetching the extraManifests. # extraManifestHeaders: # Token: "1234567" # X-ExtraInfo: info # # Settings for admin kubeconfig generation. # adminKubeconfig: # certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year). # # Allows running workload on control-plane nodes. allowSchedulingOnControlPlanes: true