@boldfield
Created June 26, 2024 06:21
version: v1alpha1 # Indicates the schema used to decode the contents.
debug: true # Enable verbose logging to the console.
persist: true
machine:
  type: controlplane # Defines the role of the machine within the cluster.
  token: <token>
  ca:
    crt: <crt>
    key: <key>
  certSANs: []
  kubelet:
    image: ghcr.io/siderolabs/kubelet:v1.30.2 # The `image` field is an optional reference to an alternative kubelet image.
    defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.
    disableManifestsDirectory: true # When true, the kubelet does not load static pod manifests from the /etc/kubernetes/manifests directory.
  network:
    hostname: k8s03
  install:
    image: ghcr.io/siderolabs/installer:v1.7.5 # Allows for supplying the image used to perform the installation.
    wipe: true
    diskSelector:
      model: SanDisk*
    extraKernelArgs:
      - talos.platform=metal
  registries: {}
  features:
    rbac: true # Enable role-based access control (RBAC).
    stableHostname: true # Enable stable default hostname.
    apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid.
    diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks.
    kubePrism:
      enabled: true # Enable KubePrism support - will start local load balancing proxy.
      port: 7445 # KubePrism port.
    hostDNS:
      enabled: true # Enable host DNS caching resolver.
cluster:
  id: <id>
  secret: <secret>
  controlPlane:
    endpoint: <endpoint>
  clusterName: <name>
  network:
    dnsDomain: cluster.local # The domain used by Kubernetes DNS.
    podSubnets:
      - 10.244.0.0/16
    serviceSubnets:
      - 10.96.0.0/12
  token: <token>
  secretboxEncryptionSecret: <secret>
  ca:
    crt: <crt>
    key: <key>
  aggregatorCA:
    crt: <crt>
    key: <key>
  serviceAccount:
    key: <key>
  apiServer:
    image: registry.k8s.io/kube-apiserver:v1.30.1 # The container image used in the API server manifest.
    certSANs:
      - k8s.summercamp.eastharbor.casa
    disablePodSecurityPolicy: true # Disable PodSecurityPolicy in the API server and default manifests.
    admissionControl:
      - name: PodSecurity # Name is the name of the admission controller.
        configuration:
          apiVersion: pod-security.admission.config.k8s.io/v1alpha1
          defaults:
            audit: restricted
            audit-version: latest
            enforce: baseline
            enforce-version: latest
            warn: restricted
            warn-version: latest
          exemptions:
            namespaces:
              - kube-system
            runtimeClasses: []
            usernames: []
          kind: PodSecurityConfiguration
    auditPolicy:
      apiVersion: audit.k8s.io/v1
      kind: Policy
      rules:
        - level: Metadata
  controllerManager:
    image: registry.k8s.io/kube-controller-manager:v1.30.1 # The container image used in the controller manager manifest.
  proxy:
    image: registry.k8s.io/kube-proxy:v1.30.1 # The container image used in the kube-proxy manifest.
  scheduler:
    image: registry.k8s.io/kube-scheduler:v1.30.1 # The container image used in the scheduler manifest.
  discovery:
    enabled: true # Enable the cluster membership discovery feature.
    registries:
      kubernetes:
        disabled: true # Disable Kubernetes discovery registry.
      service: {}
  etcd:
    ca:
      crt: <crt>
      key: <key>
  extraManifests: []
  inlineManifests: []
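A defender-side posture check over the settings above, added here as an example and not part of the gist or of Talos: it walks the machine config and reports the weaker choices it finds (the `baseline` enforce level and the Metadata-only audit policy in this file). The `CONFIG` dict is a constructed subset of this gist's security-relevant keys; a real file would be loaded with PyYAML's `yaml.safe_load`, which the block leaves out so it runs stand-alone.

```python
# Constructed subset of the gist's security-relevant keys (added example, not Talos code).
CONFIG = {
    "machine": {
        "kubelet": {"defaultRuntimeSeccompProfileEnabled": True},
        "features": {"rbac": True, "apidCheckExtKeyUsage": True},
    },
    "cluster": {"apiServer": {
        "admissionControl": [{"name": "PodSecurity", "configuration": {
            "defaults": {"enforce": "baseline", "audit": "restricted", "warn": "restricted"},
            "exemptions": {"namespaces": ["kube-system"], "usernames": [], "runtimeClasses": []},
        }}],
        "auditPolicy": {"rules": [{"level": "Metadata"}]},
    }},
}

def _get(d, *path, default=None):
    """Walk nested dicts, returning default when any key on the path is missing."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d

def lint_talos_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key in ("rbac", "apidCheckExtKeyUsage"):
        if _get(cfg, "machine", "features", key) is not True:
            findings.append(f"machine.features.{key} is not enabled")
    if _get(cfg, "machine", "kubelet", "defaultRuntimeSeccompProfileEnabled") is not True:
        findings.append("kubelet default seccomp profile is not enabled")
    # Pod Security Admission: locate the PodSecurity plugin and inspect its defaults.
    pss = next((a for a in _get(cfg, "cluster", "apiServer", "admissionControl", default=[])
                if a.get("name") == "PodSecurity"), None)
    if pss is None:
        findings.append("no PodSecurity admission configuration")
    else:
        defaults = _get(pss, "configuration", "defaults", default={})
        if defaults.get("enforce") != "restricted":
            findings.append(f"PodSecurity enforce level is {defaults.get('enforce')!r}, not 'restricted'")
        exempt = _get(pss, "configuration", "exemptions", default={})
        extra = [ns for ns in exempt.get("namespaces", []) if ns != "kube-system"]
        if extra:
            findings.append(f"PodSecurity exempts non-system namespaces: {extra}")
    # Audit policy: a Metadata-only rule records who did what, but not request bodies.
    levels = {r.get("level") for r in _get(cfg, "cluster", "apiServer", "auditPolicy", "rules", default=[])}
    if not levels:
        findings.append("no audit policy rules")
    elif levels == {"Metadata"}:
        findings.append("audit policy is Metadata-only; request bodies are not recorded")
    return findings
```

Running `lint_talos_config(CONFIG)` on the subset above yields two findings, one for the `baseline` enforce level and one for the Metadata-only audit policy.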