GitHub flags this file as containing bidirectional Unicode text that may be interpreted or compiled differently than what appears below. Treat that as a Trojan-Source caution: open the raw file in an editor that reveals hidden Unicode characters and review it before copying any of this configuration into a cluster.
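# Talos Linux machine configuration for a control-plane node (hostname k8s03).
# All <token>/<crt>/<key>/<secret>/<id>/<endpoint>/<name> values are redacted
# placeholders; the real values are cluster secrets and must never be committed.
version: v1alpha1 # Indicates the schema used to decode the contents.
# NOTE(review): verbose console logging on a control-plane node; leave this
# false in production unless actively troubleshooting.
debug: true # Enable verbose logging to the console.
persist: true
machine:
  type: controlplane # Defines the role of the machine within the cluster.
  token: <token>
  ca:
    crt: <crt>
    key: <key>
  certSANs: []
  kubelet:
    # NOTE(review): the kubelet is pinned to v1.30.2 while the control-plane
    # component images under `cluster:` are pinned to v1.30.1. Confirm this
    # skew is intended; per the Kubernetes version-skew policy the kubelet
    # should not be newer than kube-apiserver, so aligning the pins is safer.
    image: ghcr.io/siderolabs/kubelet:v1.30.2 # The `image` field is an optional reference to an alternative kubelet image.
    defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.
    # `true` disables the kubelet's static-pod manifests directory
    # (/etc/kubernetes/manifests), so a pod cannot be injected onto this node
    # by writing a file there; static pods are declared in the machine config
    # instead.
    disableManifestsDirectory: true
  network:
    hostname: k8s03
  install:
    image: ghcr.io/siderolabs/installer:v1.7.5 # Allows for supplying the image used to perform the installation.
    # `wipe: true` destroys whatever is on the selected disk. The glob below
    # must match exactly one device on this host; verify with
    # `talosctl get disks` before applying.
    wipe: true
    diskSelector:
      model: 'SanDisk*' # quoted: this is a glob pattern, not a YAML alias
    extraKernelArgs:
      - talos.platform=metal
  registries: {} # no mirrors/auth configured; images pulled directly from the registries above
  features:
    rbac: true # Enable role-based access control (RBAC).
    stableHostname: true # Enable stable default hostname.
    apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid.
    diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks.
    kubePrism:
      enabled: true # Enable KubePrism support - will start local load balancing proxy.
      port: 7445 # KubePrism port.
    hostDNS:
      enabled: true # Enable host DNS caching resolver.
cluster:
  id: <id>
  secret: <secret>
  controlPlane:
    endpoint: <endpoint>
  clusterName: <name>
  network:
    dnsDomain: cluster.local # The domain used by Kubernetes DNS.
    podSubnets:
      - 10.244.0.0/16
    serviceSubnets:
      - 10.96.0.0/12
  token: <token>
  secretboxEncryptionSecret: <secret> # key for the secretbox encryption-at-rest provider
  ca:
    crt: <crt>
    key: <key>
  aggregatorCA:
    crt: <crt>
    key: <key>
  serviceAccount:
    key: <key>
  apiServer:
    image: registry.k8s.io/kube-apiserver:v1.30.1 # The container image used in the API server manifest.
    certSANs:
      - k8s.summercamp.eastharbor.casa # external name the API server cert must be valid for
    disablePodSecurityPolicy: true # Disable PodSecurityPolicy in the API server and default manifests.
    admissionControl:
      - name: PodSecurity # Name is the name of the admission controller.
        configuration:
          apiVersion: pod-security.admission.config.k8s.io/v1alpha1
          defaults:
            # Only `baseline` is enforced cluster-wide; `restricted` violations
            # are audited and warned about but still admitted.
            audit: restricted
            audit-version: latest
            enforce: baseline
            enforce-version: latest
            warn: restricted
            warn-version: latest
          exemptions:
            # kube-system is fully exempt from Pod Security checks, so any
            # identity allowed to create pods there runs unrestricted.
            namespaces:
              - kube-system
            runtimeClasses: []
            usernames: []
          kind: PodSecurityConfiguration
    auditPolicy:
      apiVersion: audit.k8s.io/v1
      kind: Policy
      rules:
        # Single catch-all rule: every request is logged at Metadata level
        # (no request/response bodies, so Secret contents never enter the log).
        - level: Metadata
  controllerManager:
    image: registry.k8s.io/kube-controller-manager:v1.30.1 # The container image used in the controller manager manifest.
  proxy:
    image: registry.k8s.io/kube-proxy:v1.30.1 # The container image used in the kube-proxy manifest.
  scheduler:
    image: registry.k8s.io/kube-scheduler:v1.30.1 # The container image used in the scheduler manifest.
  discovery:
    enabled: true # Enable the cluster membership discovery feature.
    registries:
      kubernetes:
        disabled: true # Disable Kubernetes discovery registry.
      # NOTE(review): the service registry is left at defaults with no
      # `endpoint` set, so it presumably talks to the Sidero Labs public
      # discovery service; confirm that is acceptable, or point it at a
      # self-hosted endpoint / set `disabled: true`.
      service: {}
  etcd:
    ca:
      crt: <crt>
      key: <key>
  extraManifests: []
  inlineManifests: []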