docs: audit discovery service page #501
Open
Iheanacho-ai wants to merge 1 commit into siderolabs:main from
Conversation
Signed-off-by: Amarachi Iheanacho <amarachi.iheanacho@siderolabs.com>
rothgar
reviewed
Apr 23, 2026
| > Note: Talos supports operations when Discovery Service is disabled, but some features will rely on Kubernetes API availability to discover | ||
| > controlplane endpoints, so in case of a failure disabled Discovery Service makes troubleshooting much harder. | ||
| Each node submits its own data plus the endpoints it observes from other peers. The discovery service aggregates this, deduplicates endpoints, and distributes updates to all connected peers. Peers decrypt the data locally and use it to drive cluster discovery and [KubeSpan](../../networking/kubespan). |
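Review bot: the rewritten paragraph drops the removed Note's operational caveat, namely that Talos keeps operating with the Discovery Service disabled but some features then depend on Kubernetes API availability to find controlplane endpoints, so a failure becomes much harder to troubleshoot. Keep that caveat (here or in a troubleshooting section) rather than deleting it, since it is exactly what an operator deciding whether to disable discovery needs to know. The new sentence "Peers decrypt the data locally" also presupposes the statement that clients, not the service, hold the encryption key; make sure that statement survives this edit close by, otherwise "decrypt" arrives before the page has said anything is encrypted.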
rothgar
reviewed
Apr 23, 2026
| The discovery service doesn’t see actual node information – it only stores and updates encrypted blobs. | ||
| Discovery data is encrypted/decrypted by the clients – the cluster members. | ||
| The discovery service does not have the encryption key. | ||
| - [KubeSpan](../../networking/kubespan) and KubePrism require discovery and do not function correctly without it. |
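Review bot: the three removed lines are the page's only statement of the trust boundary (the service stores and updates encrypted blobs, clients encrypt and decrypt, the service never has the key), and the added bullet about KubeSpan and KubePrism does not replace them. If they are not reinstated elsewhere, a reader evaluating the hosted service loses the security property that justifies sending cluster metadata to it at all. Separately, "do not function correctly without it" is absolute; the review thread says nodes keep working from local cache for a period, so once that cache behaviour and its duration are documented, soften this to say the features depend on discovery and degrade after an extended outage.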
They do function on local cache for a period of time. I think it's 20 minutes. Spencer's team would know more details. This is needed because of downtime and upgrades.
rothgar
reviewed
Apr 23, 2026
| If a node reboots while the discovery service is unavailable, it loses all in-memory state and cannot publish its information or retrieve peer data until the service becomes available again. | ||
| If the outage exceeds the TTL, all discovery records expire. When the discovery service comes back online, it may return an empty dataset. Nodes receiving this update drop their existing peer information, which can temporarily disrupt KubeSpan connectivity. | ||
| If the outage exceeds the TTL, all discovery records expire. When the service comes back online, it may return an empty dataset. Nodes receiving this update drop their existing peer information, which can temporarily disrupt KubeSpan connectivity. Recovery is automatic, nodes republish their data, peer information is rebuilt, and connectivity is restored without manual intervention. |
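Review bot: the final sentence of the added line is a comma splice ("Recovery is automatic, nodes republish their data, ..."); use a colon: "Recovery is automatic: nodes republish their data, peer information is rebuilt, and connectivity is restored without manual intervention." "The TTL" is also used in both versions of this paragraph without being defined or given a value; state the record TTL the service applies and whether it is configurable, otherwise "if the outage exceeds the TTL" is not actionable for an operator sizing acceptable downtime. Finally, the first added paragraph says a rebooted node can neither publish nor retrieve peer data until the service returns; the Note removed earlier in this diff says some features fall back to the Kubernetes API for controlplane endpoints, so say whether that fallback applies to a freshly rebooted node or not.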
We need to state if the TTL is hard-coded or configurable.
rothgar
reviewed
Apr 23, 2026
| ### Affiliates | ||
| #### Affiliates | ||
| An affiliate is a proposed cluster member, a node that shares the same cluster ID and secret. Use this resource to see what nodes the discovery registries are aware of: |
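Review bot: "a node that shares the same cluster ID and secret" introduces "secret" without saying what it is; if it is the key the page says clients use to encrypt discovery data (the key the service never holds), say so explicitly, because that is what makes affiliate membership a cryptographic property rather than a self-asserted label. The heading is also demoted from ### to ####; check the sibling headings in this section so the levels stay consistent. And, as raised in the thread, add how the cluster ID is derived from the cluster PKI and why that makes unique PKI per cluster important.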
We should mention how the cluster ID is derived. I know it's generated from the cluster PKI (not exactly sure how), which is why it's important to have unique PKI for each cluster.
rothgar
reviewed
Apr 23, 2026
| Talos Linux includes node-discovery capabilities that depend on a discovery registry. | ||
| This allows you to see the members of your cluster, and the associated IP addresses of the nodes. | ||
| The Talos Linux discovery service enables nodes in a cluster to find and identify each other automatically. Without discovery, nodes have no built-in way to learn about other cluster members, their IP addresses, or their connection endpoints. With discovery enabled, this information is shared and kept up to date across all nodes, which is what allows Talos to form a cluster and, when enabled, establish encrypted [KubeSpan](../../networking/kubespan) tunnels between nodes. |
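Review bot: "Without discovery, nodes have no built-in way to learn about other cluster members" and "which is what allows Talos to form a cluster" overstate the dependency: the Note removed earlier in this diff says Talos keeps operating with the Discovery Service disabled, with some features falling back to the Kubernetes API for controlplane endpoints. Reword to say that discovery is how nodes learn about peers and their endpoints and that KubeSpan and KubePrism depend on it, without claiming the cluster cannot form. Per the thread, this introduction is also the place to state that the service is run by Sidero Labs and can be self-hosted with a license, and that KubePrism, not only KubeSpan, relies on it.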
I would point out earlier in this page that we run it as a service and they can self-host with a license. I'd also mention at the top that it's important for KubePrism too.
fixes #439