Talos
Omni
Kubernetes Guides--insecure flag is a per-command argument that allows the talosctl client to communicate with the Talos API when a node is in maintenance mode, that is, before it has been configured with a machine configuration.
Talos normally uses mutual TLS (mTLS) for all API communications.
This means that both the talosctl client and the node verify each other’s identity using certificates provided in the machine configuration.
However, when a node is in maintenance mode, it still serves the Talos API over TLS, but with some key differences:
- The node uses a self-signed TLS certificate.
- The client (talosctl) does not present a certificate.
- Neither side can verify the other’s identity.
--insecure flag tells talosctl to skip verifying the server’s certificate, allowing the connection to proceed.
Only a small subset of Talos API commands support the —insecure flag, specifically those required for initial setup and maintenance operations.
However, once you’ve applied a machine config, you must stop using the --insecure flag for all subsequent operations.
The node will now expect secure communication using certificates stored in a talosconfig file.
Note: The --insecure flag is used in a different context by the talosctl image cache-create command.
This command is not used for interacting with the Talos node, but for allowing access to insecure image registries that do not support TLS.
Validating the Node Identity in --insecure Mode
When using --insecure, talosctl cannot automatically verify the identity of the remote node.
However, Talos still provides a way to manually confirm that you are communicating with the intended machine.
Certificate fingerprint
When a Talos node boots into maintenance mode, it generates a temporary, self-signed TLS certificate. The certificate fingerprint is printed directly to the machine’s console logs during boot. You can view this fingerprint via:- Physical console access
- VM console
- Serial console
- IPMI or other out-of-band management interfaces
Using the fingerprint with talosctl
Once you have obtained the fingerprint from the console, you can explicitly pass it to talosctl:
In Omni-Managed Clusters
The--insecure flag works differently when you’re using Omni to manage Talos clusters.
Here, the flag is used for nodes that haven’t joined a cluster yet.
These nodes will only listen for communication over the SideroLink connection, a secure, point-to-point connection between Omni and the Talos node.
So the SideroLink connection is the only way you can run commands against a node connected to Omni.
This architecture provides a unique security advantage because if a machine is managed by Omni, you cannot send configurations to it from another machine without authentication, even if they are on the same network.
This is because the Talos machine does not listen on any general network interface and only communicates with Omni through the secure SideroLink tunnel.
Supported Commands With the insecure Flag
The following commands can be used with the —insecure flag:talosctl apply-config
Use this command alongside the --insecure flag to apply a machine configuration for the first time.
talosctl version
Check the Talos version running on the node.
talosctl get
Retrieves resources from the node.
Verify which resources are retrievable in --insecure mode by following these steps:
-
Set your Talos node IP address as a variable (replace
<node_ip>with the IP address of your Talos node): -
List resources available in
--insecuremode: -
List resources not available in
--insecuremode:
talosctl meta
Manages key-value pairs in the META partition.
talosctl reset
Resets the nodes in Omni.
talosctl wipe disk
Erase data from disk partitions on a Talos node.
Refer to the CLI reference for full CLI details.
Usage Example
Here is an example of how to use the--insecure flag in Talos: