551 lines
32 KiB
YAML
551 lines
32 KiB
YAML
version: v1alpha1 # Indicates the schema used to decode the contents.
|
|
debug: false # Enable verbose logging to the console.
|
|
persist: true
|
|
# Provides machine specific configuration options.
|
|
machine:
|
|
type: controlplane # Defines the role of the machine within the cluster.
|
|
token: ba3boz.uip834bz76elelgq # The `token` is used by a machine to join the PKI of the cluster.
|
|
# The root certificate authority of the PKI.
|
|
ca:
|
|
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQakNCOGFBREFnRUNBaEFEZWlMUlkxdXNWMURsc3VmOGh1Y2dNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5UQTVNamt3TURFNU1UbGFGdzB6TlRBNU1qY3dNREU1TVRsYU1CQXhEakFNQmdOVgpCQW9UQlhSaGJHOXpNQ293QlFZREsyVndBeUVBcUpsMS9uNmRLVjNMazZwT01kN0pCU2RpMlljdGNaTnFDeFVtCjRSY0J5RHlqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVOTQ2UUoreXdHNVFqMGpabApFWUZnbWdwZUd6a3dCUVlESzJWd0EwRUFYb2RmTHBtMnVrcmdzOFVqZDFOeWJpN2ZtWUVCTkQzZzFKbzhWMlVKCkZnWkR2aEFTSENpT3gvNkxSM2tPQVIybGtjbC95QktZai9YUUM3MWtzdmR5Qnc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
|
|
key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJQndKQ0s1em5tK082NStMVHErUjdJcHB3aXVlK3gvYjhMUnEzZEkzcEsydAotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
|
|
# Extra certificate subject alternative names for the machine's certificate.
|
|
certSANs: []
|
|
# # Uncomment this to enable SANs.
|
|
# - 10.0.0.10
|
|
# - 172.16.0.10
|
|
# - 192.168.0.10
|
|
|
|
# Used to provide additional options to the kubelet.
|
|
kubelet:
|
|
image: ghcr.io/siderolabs/kubelet:v1.34.0 # The `image` field is an optional reference to an alternative kubelet image.
|
|
defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.
|
|
disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.
|
|
|
|
# # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
|
|
# clusterDNS:
|
|
# - 10.96.0.10
|
|
# - 169.254.2.53
|
|
|
|
# # The `extraArgs` field is used to provide additional flags to the kubelet.
|
|
# extraArgs:
|
|
# key: value
|
|
|
|
# # The `extraMounts` field is used to add additional mounts to the kubelet container.
|
|
# extraMounts:
|
|
# - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
|
|
# type: bind # Type specifies the mount kind.
|
|
# source: /var/lib/example # Source specifies the source path of the mount.
|
|
# # Options are fstab style mount options.
|
|
# options:
|
|
# - bind
|
|
# - rshared
|
|
# - rw
|
|
|
|
# # The `extraConfig` field is used to provide kubelet configuration overrides.
|
|
# extraConfig:
|
|
# serverTLSBootstrap: true
|
|
|
|
# # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.
|
|
# credentialProviderConfig:
|
|
# apiVersion: kubelet.config.k8s.io/v1
|
|
# kind: CredentialProviderConfig
|
|
# providers:
|
|
# - apiVersion: credentialprovider.kubelet.k8s.io/v1
|
|
# defaultCacheDuration: 12h
|
|
# matchImages:
|
|
# - '*.dkr.ecr.*.amazonaws.com'
|
|
# - '*.dkr.ecr.*.amazonaws.com.cn'
|
|
# - '*.dkr.ecr-fips.*.amazonaws.com'
|
|
# - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'
|
|
# - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'
|
|
# name: ecr-credential-provider
|
|
|
|
# # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
|
|
# nodeIP:
|
|
# # The `validSubnets` field configures the networks to pick kubelet node IP from.
|
|
# validSubnets:
|
|
# - 10.0.0.0/8
|
|
# - '!10.0.0.3/32'
|
|
# - fdc7::/16
|
|
# Provides machine specific network configuration options.
|
|
network: {}
|
|
# # `interfaces` is used to define the network interface configuration.
|
|
# interfaces:
|
|
# - interface: enp0s1 # The interface name.
|
|
# # Assigns static IP addresses to the interface.
|
|
# addresses:
|
|
# - 192.168.2.0/24
|
|
# # A list of routes associated with the interface.
|
|
# routes:
|
|
# - network: 0.0.0.0/0 # The route's network (destination).
|
|
# gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
|
|
# metric: 1024 # The optional metric for the route.
|
|
# mtu: 1500 # The interface's MTU.
|
|
#
|
|
# # # Picks a network device using the selector.
|
|
|
|
# # # select a device with bus prefix 00:*.
|
|
# # deviceSelector:
|
|
# # busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
|
|
# # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
|
|
# # deviceSelector:
|
|
# # hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
|
|
# # driver: virtio_net # Kernel driver, supports matching by wildcard.
|
|
# # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
|
|
# # deviceSelector:
|
|
# # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
|
|
# # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
|
|
# # driver: virtio_net # Kernel driver, supports matching by wildcard.
|
|
|
|
# # # Bond specific options.
|
|
# # bond:
|
|
# # # The interfaces that make up the bond.
|
|
# # interfaces:
|
|
# # - enp2s0
|
|
# # - enp2s1
|
|
# # # Picks a network device using the selector.
|
|
# # deviceSelectors:
|
|
# # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
|
|
# # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
|
|
# # driver: virtio_net # Kernel driver, supports matching by wildcard.
|
|
# # mode: 802.3ad # A bond option.
|
|
# # lacpRate: fast # A bond option.
|
|
|
|
# # # Bridge specific options.
|
|
# # bridge:
|
|
# # # The interfaces that make up the bridge.
|
|
# # interfaces:
|
|
# # - enxda4042ca9a51
|
|
# # - enxae2a6774c259
|
|
# # # Enable STP on this bridge.
|
|
# # stp:
|
|
# # enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
|
|
|
|
# # # Configure this device as a bridge port.
|
|
# # bridgePort:
|
|
# # master: br0 # The name of the bridge master interface
|
|
|
|
# # # Indicates if DHCP should be used to configure the interface.
|
|
# # dhcp: true
|
|
|
|
# # # DHCP specific options.
|
|
# # dhcpOptions:
|
|
# # routeMetric: 1024 # The priority of all routes received via DHCP.
|
|
|
|
# # # Wireguard specific configuration.
|
|
|
|
# # # wireguard server example
|
|
# # wireguard:
|
|
# # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
|
|
# # listenPort: 51111 # Specifies a device's listening port.
|
|
# # # Specifies a list of peer configurations to apply to a device.
|
|
# # peers:
|
|
# # - publicKey: ABCDEF... # Specifies the public key of this peer.
|
|
# # endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
|
|
# # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
|
|
# # allowedIPs:
|
|
# # - 192.168.1.0/24
|
|
# # # wireguard peer example
|
|
# # wireguard:
|
|
# # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
|
|
# # # Specifies a list of peer configurations to apply to a device.
|
|
# # peers:
|
|
# # - publicKey: ABCDEF... # Specifies the public key of this peer.
|
|
# # endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
|
|
# # persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
|
|
# # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
|
|
# # allowedIPs:
|
|
# # - 192.168.1.0/24
|
|
|
|
# # # Virtual (shared) IP address configuration.
|
|
|
|
# # # layer2 vip example
|
|
# # vip:
|
|
# # ip: 172.16.199.55 # Specifies the IP address to be used.
|
|
|
|
# # Used to statically set the nameservers for the machine.
|
|
# nameservers:
|
|
# - 8.8.8.8
|
|
# - 1.1.1.1
|
|
|
|
# # Used to statically set arbitrary search domains.
|
|
# searchDomains:
|
|
# - example.org
|
|
# - example.com
|
|
|
|
# # Allows for extra entries to be added to the `/etc/hosts` file
|
|
# extraHostEntries:
|
|
# - ip: 192.168.1.100 # The IP of the host.
|
|
# # The host alias.
|
|
# aliases:
|
|
# - example
|
|
# - example.domain.tld
|
|
|
|
# # Configures KubeSpan feature.
|
|
# kubespan:
|
|
# enabled: true # Enable the KubeSpan feature.
|
|
|
|
# Used to provide instructions for installations.
|
|
install:
|
|
disk: /dev/sda # The disk used for installations.
|
|
image: ghcr.io/siderolabs/installer:v1.11.1 # Allows for supplying the image used to perform the installation.
|
|
wipe: false # Indicates if the installation disk should be wiped at installation time.
|
|
|
|
# # Look up disk using disk attributes like model, size, serial and others.
|
|
# diskSelector:
|
|
# size: 4GB # Disk size.
|
|
# model: WDC* # Disk model `/sys/block/<dev>/device/model`.
|
|
# busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.
|
|
|
|
# # Allows for supplying extra kernel args via the bootloader.
|
|
# extraKernelArgs:
|
|
# - talos.platform=metal
|
|
# - reboot=k
|
|
# Used to configure the machine's container image registry mirrors.
|
|
registries: {}
|
|
# # Specifies mirror configuration for each registry host namespace.
|
|
# mirrors:
|
|
# ghcr.io:
|
|
# # List of endpoints (URLs) for registry mirrors to use.
|
|
# endpoints:
|
|
# - https://registry.insecure
|
|
# - https://ghcr.io/v2/
|
|
|
|
# # Specifies TLS & auth configuration for HTTPS image registries.
|
|
# config:
|
|
# registry.insecure:
|
|
# # The TLS configuration for the registry.
|
|
# tls:
|
|
# insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).
|
|
#
|
|
# # # Enable mutual TLS authentication with the registry.
|
|
# # clientIdentity:
|
|
# # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
|
|
# # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
|
|
#
|
|
# # # The auth configuration for this registry.
|
|
# # auth:
|
|
# # username: username # Optional registry authentication.
|
|
# # password: password # Optional registry authentication.
|
|
|
|
# Features describe individual Talos features that can be switched on or off.
|
|
features:
|
|
rbac: true # Enable role-based access control (RBAC).
|
|
stableHostname: true # Enable stable default hostname.
|
|
apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid.
|
|
diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks.
|
|
# KubePrism - local proxy/load balancer on defined port that will distribute
|
|
kubePrism:
|
|
enabled: true # Enable KubePrism support - will start local load balancing proxy.
|
|
port: 7445 # KubePrism port.
|
|
# Configures host DNS caching resolver.
|
|
hostDNS:
|
|
enabled: true # Enable host DNS caching resolver.
|
|
forwardKubeDNSToHost: true # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods.
|
|
|
|
# # Configure Talos API access from Kubernetes pods.
|
|
# kubernetesTalosAPIAccess:
|
|
# enabled: true # Enable Talos API access from Kubernetes pods.
|
|
# # The list of Talos API roles which can be granted for access from Kubernetes pods.
|
|
# allowedRoles:
|
|
# - os:reader
|
|
# # The list of Kubernetes namespaces Talos API access is available from.
|
|
# allowedKubernetesNamespaces:
|
|
# - kube-system
|
|
# Configures the node labels for the machine.
|
|
nodeLabels:
|
|
node.kubernetes.io/exclude-from-external-load-balancers: ""
|
|
|
|
# # Provides machine specific control plane configuration options.
|
|
|
|
# # ControlPlane definition example.
|
|
# controlPlane:
|
|
# # Controller manager machine specific configuration options.
|
|
# controllerManager:
|
|
# disabled: false # Disable kube-controller-manager on the node.
|
|
# # Scheduler machine specific configuration options.
|
|
# scheduler:
|
|
# disabled: true # Disable kube-scheduler on the node.
|
|
|
|
# # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver.
|
|
|
|
# # nginx static pod.
|
|
# pods:
|
|
# - apiVersion: v1
|
|
# kind: pod
|
|
# metadata:
|
|
# name: nginx
|
|
# spec:
|
|
# containers:
|
|
# - image: nginx
|
|
# name: nginx
|
|
|
|
# # Allows the addition of user specified files.
|
|
|
|
# # MachineFiles usage example.
|
|
# files:
|
|
# - content: '...' # The contents of the file.
|
|
# permissions: 0o666 # The file's permissions in octal.
|
|
# path: /tmp/file.txt # The path of the file.
|
|
# op: append # The operation to use
|
|
|
|
# # The `env` field allows for the addition of environment variables.
|
|
|
|
# # Environment variables definition examples.
|
|
# env:
|
|
# GRPC_GO_LOG_SEVERITY_LEVEL: info
|
|
# GRPC_GO_LOG_VERBOSITY_LEVEL: "99"
|
|
# https_proxy: http://SERVER:PORT/
|
|
# env:
|
|
# GRPC_GO_LOG_SEVERITY_LEVEL: error
|
|
# https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/
|
|
# env:
|
|
# https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/
|
|
|
|
# # Used to configure the machine's time settings.
|
|
|
|
# # Example configuration for cloudflare ntp server.
|
|
# time:
|
|
# disabled: false # Indicates if the time service is disabled for the machine.
|
|
# # description: |
|
|
# servers:
|
|
# - time.cloudflare.com
|
|
# bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence.
|
|
|
|
# # Used to configure the machine's sysctls.
|
|
|
|
# # MachineSysctls usage example.
|
|
# sysctls:
|
|
# kernel.domainname: talos.dev
|
|
# net.ipv4.ip_forward: "0"
|
|
# net/ipv6/conf/eth0.100/disable_ipv6: "1"
|
|
|
|
# # Used to configure the machine's sysfs.
|
|
|
|
# # MachineSysfs usage example.
|
|
# sysfs:
|
|
# devices.system.cpu.cpu0.cpufreq.scaling_governor: performance
|
|
|
|
# # Configures the udev system.
|
|
# udev:
|
|
# # List of udev rules to apply to the udev system
|
|
# rules:
|
|
# - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
|
|
|
|
# # Configures the logging system.
|
|
# logging:
|
|
# # Logging destination.
|
|
# destinations:
|
|
# - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
|
|
# format: json_lines # Logs format.
|
|
|
|
# # Configures the kernel.
|
|
# kernel:
|
|
# # Kernel modules to load.
|
|
# modules:
|
|
# - name: brtfs # Module name.
|
|
|
|
# # Configures the seccomp profiles for the machine.
|
|
# seccompProfiles:
|
|
# - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
|
|
# # The `value` field is used to provide the seccomp profile.
|
|
# value:
|
|
# defaultAction: SCMP_ACT_LOG
|
|
|
|
# # Override (patch) settings in the default OCI runtime spec for CRI containers.
|
|
|
|
# # override default open file limit
|
|
# baseRuntimeSpecOverrides:
|
|
# process:
|
|
# rlimits:
|
|
# - hard: 1024
|
|
# soft: 1024
|
|
# type: RLIMIT_NOFILE
|
|
|
|
# # Configures the node annotations for the machine.
|
|
|
|
# # node annotations example.
|
|
# nodeAnnotations:
|
|
# customer.io/rack: r13a25
|
|
|
|
# # Configures the node taints for the machine. Effect is optional.
|
|
|
|
# # node taints example.
|
|
# nodeTaints:
|
|
# exampleTaint: exampleTaintValue:NoSchedule
|
|
# Provides cluster specific configuration options.
|
|
cluster:
|
|
id: wabdDPoOYoFQRwTsW6yH9zdQxETZjZ5wwWZQWs9abYE= # Globally unique identifier for this cluster (base64 encoded random 32 bytes).
|
|
secret: c50wIk9N1b+mINXeZofLwnBI1CAKeHruJi9KLOboULI= # Shared secret of cluster (base64 encoded random 32 bytes).
|
|
# Provides control plane specific configuration options.
|
|
controlPlane:
|
|
endpoint: https://10.5.0.2:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
|
|
clusterName: evo-npcs-infra # Configures the cluster's name.
|
|
# Provides cluster specific network configuration options.
|
|
network:
|
|
dnsDomain: cluster.local # The domain used by Kubernetes DNS.
|
|
# The pod subnet CIDR.
|
|
podSubnets:
|
|
- 10.244.0.0/16
|
|
# The service subnet CIDR.
|
|
serviceSubnets:
|
|
- 10.96.0.0/12
|
|
|
|
# # The CNI used.
|
|
# cni:
|
|
# name: custom # Name of CNI to use.
|
|
# # URLs containing manifests to apply for the CNI.
|
|
# urls:
|
|
# - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml
|
|
token: olqdyh.eset6n7iy5mtwu10 # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster.
|
|
secretboxEncryptionSecret: TX0lEGrKOskTSaV+tBrKRvqRIjw20kb/mwendHetQt4= # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
|
|
# The base64 encoded root certificate authority used by Kubernetes.
|
|
ca:
|
|
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVMrZ0F3SUJBZ0lRY1ZLYUhWU0ZPVWR6MzZvTzltcll5akFLQmdncWhrak9QUVFEQWpBVk1STXcKRVFZRFZRUUtFd3ByZFdKbGNtNWxkR1Z6TUI0WERUSTFNRGt5T1RBd01Ua3hPVm9YRFRNMU1Ea3lOekF3TVRreApPVm93RlRFVE1CRUdBMVVFQ2hNS2EzVmlaWEp1WlhSbGN6QlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VICkEwSUFCTEFCcnQ0K1dBOGVYRG54RFFjcnpLZzdhMVB5bUd3SkZXcmttWjlXVC8xNUNaSDNtcGwrb1c2TG1XSC8Ka3NLdmJpY0I1cmZwMjdFYUxrRTAyNG9rQy9hallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWRCZ05WSFNVRQpGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFCkZnUVVpelFVK2FnQkpEbmdmWFA1aFVGZVJQS09Yb0V3Q2dZSUtvWkl6ajBFQXdJRFNRQXdSZ0loQUl0SDZTNnIKK2VXdmVkVXpUNlFNWFplOUdNcDBLVjFzbXRBc25QcEs3bkdVQWlFQW91aEJvZHBSMXJEdGFHQmg0dmZpUVZWdApvMktabmcva01YRExadWJkWUY0PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
|
|
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUF5TFhTQmxOZHc4WFhCdERwdlh0VlpJaEc1cnNXeUI3eXJzSWZVL2NpVDJvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFc0FHdTNqNVlEeDVjT2ZFTkJ5dk1xRHRyVS9LWWJBa1ZhdVNabjFaUC9Ya0prZmVhbVg2aApib3VaWWYrU3dxOXVKd0htdCtuYnNSb3VRVFRiaWlRTDlnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
|
|
# The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.
|
|
aggregatorCA:
|
|
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJYekNDQVFXZ0F3SUJBZ0lRTW9OSWlyK2FsWGZMUE1ZUWRPaGF2ekFLQmdncWhrak9QUVFEQWpBQU1CNFgKRFRJMU1Ea3lPVEF3TVRreE9Wb1hEVE0xTURreU56QXdNVGt4T1Zvd0FEQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxRwpTTTQ5QXdFSEEwSUFCRWhGTVNIV1VuTEtxb0txR1hOTXdzV2xzY0JRZURmZ2E3MmZ1N1hhcVhrOU5kU1F0bVFyCmlYOW9QV2NqT2FRS01BZ0RIYnNzTWF4S08xZ2hVOGdrdWdtallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWQKQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZApCZ05WSFE0RUZnUVU5S1Y5RHlidWwxOUFFRnAwbHd2eS9sL2Y1Snd3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUlnCkJ5a0x0dU90cktZT2NMRFJzaytETjJuc2crY0JTUjFrMGVTWUltaVhtSXNDSVFDb0xFOUFnRmo4ZkRQWWluUE0KUWNabTlIVCs4SmdEdzdnaCtVQWlDcHFBUFE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
|
|
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUlOcG1UdkRqalFMMUZndUdONHRza2Mxc1QzR3dpb09WWnlTY2k0V0VOZndvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFU0VVeElkWlNjc3FxZ3FvWmMwekN4YVd4d0ZCNE4rQnJ2Wis3dGRxcGVUMDExSkMyWkN1SgpmMmc5WnlNNXBBb3dDQU1kdXl3eHJFbzdXQ0ZUeUNTNkNRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
|
|
# The base64 encoded private key for service account token generation.
|
|
serviceAccount:
|
|
key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS0FJQkFBS0NBZ0VBdnNWckxUakk2ZjA4U2dzVGxLK0YyNWppbEtIamJhSDRkQXhqQXhLZHFDU2kwN0x5ClFraHdVSkdudGR5VURFeUw1dFZhUzdydmk2K2E1YmRnYVorWFJzaDdadGNvUDJuRW1ZS05zcGpwR25ZZlNHOEkKUWtRcEMrdUF2SlF1alRXY3E2NmhQVTI4a1JvYkN1OFJEcitCMUc3SzhETGJnSE1NVVR0M0hqZmZjZDVQdk9SKwpCRWhuWk1uUzhzeTlsVHpkTk9GUkJjTW5kV0ZVMC9rMnZId0cwRUpCdzMwWDRTN3NMd0o4WHlucmloODAxZEhWClE0Ujlhais0NDJzMjhPV0hwRWlsM3c5eDZtRnpGN2w5RkVjc1U3UUJxaTdrQW13dU1yUWxjdVRtMG5jeGl4WDAKU1ByTlU5UVExb1hvcTRYdG1lbTRkZldpSHg3aExvWTlhSmhvTG9CYThQcWs4MmFQR29rQjBnVms2RXRnSy9DZgpOQ0tmcVc2Q1hDcDRHc3A4QzY3bHlKSjFodkNMcVYrRkMzYzlhcDBZQ2R3U1ZEQjEzYlozdWdtQjdBZFZBa0NJCnR2c2p4NXJMYXQxa0QvSTRQcFpOakNMTHI2bEhnZFdIbUxPMDBVa05DUS9FUlVOV3gxOTQrWkRaV3VTQmM0MDkKcHhQeG9Jc01GQ2pIRkxIQ1FFSFVjbG9yMU1ac0FMZWxxcHhKQzRHOWUwZm1VM0JGMStRaGxOUS92R0pjTWR0SwpWbk9ubjhEV0JvR3cxUVdUOHVFN3kyL0JwOFp0cXk2YmpnTDFwZEIzSTk2OTBHVGQ3SUsxa0ZoY0xSQS96SWJDCjFRSHlieS96d045R0FqRHVublBNa2cwcnJMblhldzI5QUt4MmJLeXFIbnEyTDIxQ1M4ckoySE11Z284Q0F3RUEKQVFLQ0FnQTRaeVViZnpVRDNYL2tRbWNkS0ZJU3paNThKR3NhQUcvMVc2NHdlK0lLRXg3aktYNnY4enZsemxMQQpGY0hkNnduWUMwK0JvWGp1bTFKWVJjSG5LS3l3M0ZpRDNPeEU1M0FkbFBoeEMvMnJlYTRoRzliY3hNcy8vM2FXCkN0ZkNuMDI5Z3NtZ1Z1b0FHckJSS01LcDBoeEFJeXUwSGMxQktvTERSNm9kMEpZclUvZk9XTjRiUlE3d3dTMHgKNVMvT1Btc0dsZkYvR3lhQThYQ0RwYVMxMEpPeElrM1FUeDF1MGhFNWl1b2J0c2l4a3kxclpIbEIxNXUrL0swYwo3QmVYM0wwZ2FPeEZ5WXE4S2VpOTVIVWpPREhXWTV1MFpkMjdDNklURXFrWjBheWZJR2VSQUVJMEM1Y0dpR1ljCkR3WnVKQkJPVjhoV2MvUGxjSnRTUnBWRVpmOHk4VUZaT3BCcG9PSTBqSUdkM3pVZG9SdUxiMnlMWVcxSG1lNGUKZ1dENTRsYm1aZ3poNU5jaGd5bUxSTXZhdjYwZDNFcEFRYVl2M1RlbDJseE5sMHU1d0kzZDRzRWZ5cHd4eU8vNgo4eWFld2hSU04wMTZXTkFrWU5qY2dLdE5UdmxoT0hDVUR5K3BaK3dsN2Rhb1dLNkNRWFVVQXZEQTVaMmd2UlVOClBYaE1CK0kremhUMDNnVWpEcU9LRGFqVU90WXljR3Rvd1RDUG12aDc3MFh2UjJjZTVUVVNZSDMyS3RYemRTWGYKbWJ3U0swMUx4dElBdUZYVFBHaHpTOGxoOVBJVk9SM3Q3Y0pRdWFFVUdUZUpjaFJQOE04VjZaTFlpRkxFT3lKNwpZb1VuaGF0NlNNUGZUeUVoa2JJNFg3M3gvYXVtaC9iMGJGWlJHRFJuakxBWXRKMHgrUUtDQVFFQXlldTJNalRJClBBeGxzSE5RUnpoRGxVUmZyaVA5RWMxZlUxVmtsa0xqSXJ2aEIxbjRKemxmMnVISHE2OElPdTQzbmQreXZWQVcKSWxHcEVOMmdzZXIwaDRuZkFJZ2JlaUZzd0xzNU8xYUdVTTJJc1pyQUR4c1ZZcEtSZCtPbldNMVNiYUFZYU9JSwpESUhmM2doaUNCYTVMOHcyKzF5MEZhSGdGd3Y3NHpQUDFYYTNxVTZKY1NwMDlFdjBOYkZWUFBZT3U1YzNDT2Q1Cm92cFR2WEVWK2dHZ3dCbkEzbGgzMGt5cHVmRGRRUWMvNFBYMHY0K2hIQngvME9jZit0QWVGemxQZjJ0UTFPVDUKRCtaSFVvcGNENUlmdWgvWjdvMXFMRjFyeStuNzdGbmdHNHNQWUpwRWlCZEFOZUFTVktKZ2loVkVjSG1pWUg0UwpUV2ltUEp3clRlek9hUUtDQVFFQThkMUNKS1JhWGtIUk1pR0xIbmdteGRRVG5oS3NEUG1ENHJMVXFxUlRhbmF0CjBwdEhoV00zTGU3ZVR5UFgzZitHUkJ5cEt0QzZvMDljZ0JyRko1ejZRYnhaQ0xLQzY0NTg4eTZoQWVkMlVaaWgKa0xPS3F1dDNOSlZpWS9peWdsYlphNXdGUmFyem1zeHpYNVZPS0ZYVktQWWo3NkJ3RHd6M3R6U1RJcWZoSjVsZwpINXh4ZnJJbm8rYnpnR1B2aWlOalVRV0V4WWNsc25sRGUzQlRJVU92bjFPeDZSQWtmMVZLRFoyYU1XTWhxcEQyCitjdWRuYUdPRHJMR1FaeW9SWk54dFhLbTNtQnhCUlBsVjFWbW5RdHNtVjNHdkZIbWxuY0k1c1JUMG5rM05IOEwKKzhiQUlnU1VpVndUZVZIR2cyWXJIU0RpRGYwSnFieHBmSUZ2T2F1YU53S0NBUUVBaXFsSW8rK2xOYjlac2JOdQpoSW41dHk2Titoc1N0Yi92MzEwN3h3aEZ6RnR5NjhaMzZBKzVhS2sxb2d0L3ZtQktaeXJ3SnBzeHAvMmwrVVFKCkQwVUhDWEMvYURFUGxXNFFyY1drUnNCaldtZmFvQVJpTWIxcWtSZVB0K0hvME0ybTlrdERsL3JwNWE3bVdpWXQKazlwdTc0andsT3NUYSt1TzVLVEJKRVEzVENMTGV3UEkxS0xRVDljODdBWk1QNkhGZWtNY2N3dnFkdVlxeldRMApNRXdmNU91S2krWDYycnIwcnhEZUQ4TDN0ZmVSVEY5SXh2STNQL0VJQUFnZE1kdVVZUzhFQWo3L1hsREgxOEhWCitJZGpMRUNsT3ZGMzRPR0NualNmWUs1VGZQYWc1N2pvcVFBMmd3ak43YnJZU3RyUjlkOUJoN3ZydTZiS3ljS0EKNW5GaFNRS0NBUUJPbDhkV2dOR2NyMlo3RTh0UksxbnVEdXdSQWFCRzF3MjBMTWhPYXZkd01RQnEzMnB1UGI5QQpmYzVmaVJZc1hVd1Q5ZnhDblhFSWdGRmVqMVJoZXZFWFMwempOcDYwVEtqdG5NbFZCUkc5a2d0dUtlbDFnTzVMCmQvOXczTytreXZQN3M4ZEN6RG84b3hNYWpEbkpnWnF5cE1rb3BNbkZHa0drbHNENUVmUm9HYjdTaHRPYWgrbTUKcU9LWFplSUEwVjhFaFBhUCtVcVdwREQ1ZTVhSHlLYlk3eWx3d240Wm9tMWQzMGlybzdyYzRoNWZMWHNhTGRVcgprWXc2NWQwSVB0RkVWTzFFZGJKRUpDTHlMaDRhQ2d4UUNkajZlT0tsSWlrU1U5bXBHeHFGUklOd1hUVXgyS3NyCnQyL2NqR1lsYkoyMTZXbUxnaDRSdWRmTlRZSUhDMndoQW9JQkFBVWNGOFdQdDB0aG1oa1FrdTV3czlCYldGd2sKSUVWT3F0d2lwZkVwSXRZSHl3a2J5WXl6R0pPaGhxdkJBY1BNbEdqVXoxVXZ4Zmx6YUtRb2NvSklXUnF2b3JWRQpIaEVZL09HZTJRUG0xWFJyNXZhZE9BcXArYXdmdlFtZmpyYk9ZR0toSlE0YzIyWjRQaUNKNlhsUzljWm90SGxNCjVPZExBZkZEUzMxWGpUcnE5VUtXN2kya2pHK3pSaThDN3M0ZTU4OGxLZk13ZWhSUlpRSUJWMElVSXNlUTBzRFUKWDh0QWJpNnF0SWdveWU0VUJ0aWE0YnFjQTBwRUxSNU1OWTQ1aGV1ejRtUVFJdGg5UnVhQURIWUJRd0ZYTyt4dQpqMmcyQjNCQVh2ZjJiWE9NZXhKbFl3U2lRUkVwWTFRZ2xUMkRPbUFqYXFmMUJPcEVDNnRtcjJXcVBlQT0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
|
|
# API server specific configuration options.
|
|
apiServer:
|
|
image: registry.k8s.io/kube-apiserver:v1.34.0 # The container image used in the API server manifest.
|
|
# Extra certificate subject alternative names for the API server's certificate.
|
|
certSANs:
|
|
- 10.5.0.2
|
|
disablePodSecurityPolicy: true # Disable PodSecurityPolicy in the API server and default manifests.
|
|
# Configure the API server admission plugins.
|
|
admissionControl:
|
|
- name: PodSecurity # Name is the name of the admission controller.
|
|
# Configuration is an embedded configuration object to be used as the plugin's
|
|
configuration:
|
|
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
|
|
defaults:
|
|
audit: restricted
|
|
audit-version: latest
|
|
enforce: baseline
|
|
enforce-version: latest
|
|
warn: restricted
|
|
warn-version: latest
|
|
exemptions:
|
|
namespaces:
|
|
- kube-system
|
|
runtimeClasses: []
|
|
usernames: []
|
|
kind: PodSecurityConfiguration
|
|
# Configure the API server audit policy.
|
|
auditPolicy:
|
|
apiVersion: audit.k8s.io/v1
|
|
kind: Policy
|
|
rules:
|
|
- level: Metadata
|
|
|
|
# # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration.
|
|
# authorizationConfig:
|
|
# - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
|
|
# name: webhook # Name is used to describe the authorizer.
|
|
# # webhook is the configuration for the webhook authorizer.
|
|
# webhook:
|
|
# connectionInfo:
|
|
# type: InClusterConfig
|
|
# failurePolicy: Deny
|
|
# matchConditionSubjectAccessReviewVersion: v1
|
|
# matchConditions:
|
|
# - expression: has(request.resourceAttributes)
|
|
# - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)'
|
|
# subjectAccessReviewVersion: v1
|
|
# timeout: 3s
|
|
# - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
|
|
# name: in-cluster-authorizer # Name is used to describe the authorizer.
|
|
# # webhook is the configuration for the webhook authorizer.
|
|
# webhook:
|
|
# connectionInfo:
|
|
# type: InClusterConfig
|
|
# failurePolicy: NoOpinion
|
|
# matchConditionSubjectAccessReviewVersion: v1
|
|
# subjectAccessReviewVersion: v1
|
|
# timeout: 3s
|
|
# Controller manager server specific configuration options.
|
|
controllerManager:
|
|
image: registry.k8s.io/kube-controller-manager:v1.34.0 # The container image used in the controller manager manifest.
|
|
# Kube-proxy server-specific configuration options
|
|
proxy:
|
|
image: registry.k8s.io/kube-proxy:v1.34.0 # The container image used in the kube-proxy manifest.
|
|
|
|
# # Disable kube-proxy deployment on cluster bootstrap.
|
|
# disabled: false
|
|
# Scheduler server specific configuration options.
|
|
scheduler:
|
|
image: registry.k8s.io/kube-scheduler:v1.34.0 # The container image used in the scheduler manifest.
|
|
# Configures cluster member discovery.
|
|
discovery:
|
|
enabled: true # Enable the cluster membership discovery feature.
|
|
# Configure registries used for cluster member discovery.
|
|
registries:
|
|
# Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
|
|
kubernetes:
|
|
disabled: true # Disable Kubernetes discovery registry.
|
|
# Service registry is using an external service to push and pull information about cluster members.
|
|
service: {}
|
|
# # External service endpoint.
|
|
# endpoint: https://discovery.talos.dev/
|
|
# Etcd specific configuration options.
|
|
etcd:
|
|
# The `ca` is the root certificate authority of the PKI.
|
|
ca:
|
|
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmakNDQVNTZ0F3SUJBZ0lSQUlzYldTZGk0eFBGSWZaaU8weFZJdUF3Q2dZSUtvWkl6ajBFQXdJd0R6RU4KTUFzR0ExVUVDaE1FWlhSalpEQWVGdzB5TlRBNU1qa3dNREU1TVRsYUZ3MHpOVEE1TWpjd01ERTVNVGxhTUE4eApEVEFMQmdOVkJBb1RCR1YwWTJRd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFTRUtjNjZnUmtaCi9PQmRUbG02bDdWTUhCSkFFZGh4SS9venIyRHUyemJZRWFmWm1nclFMdlJFUGVwUDRrRjVUT3p3cjhoelpHb1IKNTdpOHBjUHl6V3IzbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSApBd0VHQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRktkK1EzSi93T2xWCjNlckIwUndVd3cwUGlXUTdNQW9HQ0NxR1NNNDlCQU1DQTBnQU1FVUNJRlAxWklxc2NuOUtHbmtyRWRFUnFheFYKTEFYSVdtcXVDd09XNnY4RUl6ZnVBaUVBcG9sTHJTN1FhRVJ1b0FtdXNyTFNuZXhsVktETjJ3OUhmRitJTzlpRwpFaWM9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
|
|
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUlZRHM4Y01nNXk4WGNPUU9QV3NuK2RBYVovMjJTZkdEUXFJbnJFOGxtQmlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFaENuT3VvRVpHZnpnWFU1WnVwZTFUQndTUUJIWWNTUDZNNjlnN3RzMjJCR24yWm9LMEM3MApSRDNxVCtKQmVVenM4Sy9JYzJScUVlZTR2S1hEOHMxcTl3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
|
|
|
|
# # The container image used to create the etcd service.
|
|
# image: gcr.io/etcd-development/etcd:v3.6.4
|
|
|
|
# # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
|
|
# advertisedSubnets:
|
|
# - 10.0.0.0/8
|
|
# A list of urls that point to additional manifests.
|
|
extraManifests: []
|
|
# - https://www.example.com/manifest1.yaml
|
|
# - https://www.example.com/manifest2.yaml
|
|
|
|
# A list of inline Kubernetes manifests.
|
|
inlineManifests: []
|
|
# - name: namespace-ci # Name of the manifest.
|
|
# contents: |- # Manifest contents as a string.
|
|
# apiVersion: v1
|
|
# kind: Namespace
|
|
# metadata:
|
|
# name: ci
|
|
|
|
|
|
# # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
|
|
|
|
# # Decryption secret example (do not use in production!).
|
|
# aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
|
|
|
|
# # Core DNS specific configuration options.
|
|
# coreDNS:
|
|
# image: registry.k8s.io/coredns/coredns:v1.12.3 # The `image` field is an override to the default coredns image.
|
|
|
|
# # External cloud provider configuration.
|
|
# externalCloudProvider:
|
|
# enabled: true # Enable external cloud provider.
|
|
# # A list of urls that point to additional manifests for an external cloud provider.
|
|
# manifests:
|
|
# - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
|
|
# - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml
|
|
|
|
# # A map of key value pairs that will be added while fetching the extraManifests.
|
|
# extraManifestHeaders:
|
|
# Token: "1234567"
|
|
# X-ExtraInfo: info
|
|
|
|
# # Settings for admin kubeconfig generation.
|
|
# adminKubeconfig:
|
|
# certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).
|
|
|
|
# # Allows running workload on control-plane nodes.
|
|
# allowSchedulingOnControlPlanes: true
|