Skip to main content
For some more constrained environments, it is important to whitelist only specific domains for outbound internet access. These rules will need to be updated to allow for certain domains if the user wishes to still install and bootstrap Talos from public sources. That said, users should also note that all of the following components can be mirrored locally with an internal registry, as well as a self-hosted discovery service and image factory. Discovery Service:
  • discovery.talos.dev
Image Factory:
  • factory.talos.dev
  • *.factory.talos.dev
  • *.r2.cloudflarestorage.com (Cloudflare R2 origin storage)
Google Container Registry / Google Artifact Registry (GCR/GAR):
  • gcr.io
  • storage.googleapis.com (backing blob storage for images)
  • *.pkg.dev (backing blob storage for images)
Github Container Registry (GHCR)
  • ghcr.io
  • *.githubusercontent.com (backing blob storage for images)
Kubernetes Registry (k8s.io)
  • registry.k8s.io
  • *.s3.dualstack.us-east-1.amazonaws.com (backing blob storage for images)
These rules only cover that which is required for Talos to be fully installed and running. There may be other domains like docker.io that must be allowed for non-default CNIs or workload container images.