talos-cluster/talos/patches/controller/cluster.yaml

---
cluster:
  allowSchedulingOnControlPlanes: true
  apiServer:
    admissionControl:
      $$patch: delete
    extraArgs:
      # https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/
      enable-aggregator-routing: true
      # Enable MutatingAdmissionPolicy feature gate (beta in K8s 1.35)
      feature-gates: MutatingAdmissionPolicy=true
      runtime-config: admissionregistration.k8s.io/v1beta1=true
    auditPolicy:
      apiVersion: audit.k8s.io/v1
      kind: Policy
      rules:
        # Don't log lease heartbeats — these are high-frequency controller/node
        # keepalives that generate the bulk of audit volume with no security value.
        - level: None
          resources:
            - group: "coordination.k8s.io"
              resources: ["leases"]
        # Don't log health/readiness/liveness probes or OpenAPI discovery.
        # These are polled every few seconds by kubelets and Flux controllers.
        - level: None
          nonResourceURLs:
            - "/healthz*"
            - "/readyz*"
            - "/livez*"
            - "/openapi*"
            - "/version"
        # Don't log node kubelet system account operations (node heartbeats,
        # status updates). Still block-listed for auth so no security gap.
        - level: None
          userGroups: ["system:nodes"]
        # Don't log get/list/watch on endpoints & endpointslices — these are
        # polled constantly by kube-proxy replacement (Cilium) and coredns.
        - level: None
          verbs: ["get", "list", "watch"]
          resources:
            - group: ""
              resources: ["endpoints"]
            - group: "discovery.k8s.io"
              resources: ["endpointslices"]
        # Log everything else at Metadata level (headers only, no request body).
        # This covers all auth, RBAC, resource mutations, etc.
        - level: Metadata
  controllerManager:
    extraArgs:
      bind-address: 0.0.0.0
  coreDNS:
    disabled: true
  etcd:
    extraArgs:
      listen-metrics-urls: http://0.0.0.0:2381
    advertisedSubnets:
      - 10.0.0.0/24
  proxy:
    disabled: true
  scheduler:
    extraArgs:
      bind-address: 0.0.0.0