From 9f04f2c4ef3a8ace0c07c50fa633da40dda83835 Mon Sep 17 00:00:00 2001
From: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Date: Tue, 21 Apr 2026 18:39:32 +0400
Subject: [PATCH] fix: watch kubelet's kubeconfig and time out for cache sync

Fixes #13169

Also fixes a number of other issues with controller being stuck
"watching" over stale data.

The major part of the change is to watch contents of kubelet's
kubeconfig and restart the watch when it changes.

The internals of the watch process don't always bubble up error
properly, or we don't watch for errors.

With this change, not only initial sync has a timeout and a way to abort
the sync process, Talos now can also restart the sync on kubeconfig
change make it more transparent.

This might become irrelevant if we start managing kubeconfig via Talos
controlplane for workers, but for now this seems to be the way to fix
issues.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 149592fa59d20c5aa29e4c0af9a3760585f378ce)
---
 api/resource/definitions/k8s/k8s.proto        |   5 +
 .../machined/pkg/controllers/k8s/endpoint.go  |  41 ++-
 .../k8s/internal/nodewatch/nodewatch.go       |  36 +++
 .../pkg/controllers/k8s/kubelet_kubeconfig.go | 175 +++++++++++
 .../k8s/kubelet_kubeconfig_test.go            | 102 +++++++
 .../pkg/controllers/k8s/node_status.go        |  52 +++-
 .../runtime/v1alpha2/v1alpha2_controller.go   |   1 +
 .../pkg/runtime/v1alpha2/v1alpha2_state.go    |   1 +
 pkg/kubernetes/kubernetes.go                  |  11 +
 .../api/resource/definitions/k8s/k8s.pb.go    | 286 ++++++++++--------
 .../definitions/k8s/k8s_vtproto.pb.go         | 137 +++++++++
 .../resources/k8s/deep_copy.generated.go      |   8 +-
 pkg/machinery/resources/k8s/k8s.go            |   2 +-
 pkg/machinery/resources/k8s/k8s_test.go       |   1 +
 .../resources/k8s/kubelet_kubeconfig.go       |  71 +++++
 website/content/v1.13/reference/api.md        |  16 +
 16 files changed, 808 insertions(+), 137 deletions(-)
 create mode 100644 internal/app/machined/pkg/controllers/k8s/kubelet_kubeconfig.go
 create mode 100644 internal/app/machined/pkg/controllers/k8s/kubelet_kubeconfig_test.go
 create mode 100644 pkg/machinery/resources/k8s/kubelet_kubeconfig.go

diff --git a/api/resource/definitions/k8s/k8s.proto b/api/resource/definitions/k8s/k8s.proto
index 57e9acbb5..a31ebd8e3 100755
--- a/api/resource/definitions/k8s/k8s.proto
+++ b/api/resource/definitions/k8s/k8s.proto
@@ -171,6 +171,11 @@ message KubeletConfigSpec {
   map<string, ArgValues> extra_args = 15;
 }
 
+// KubeletKubeconfigSpec describes the current kubelet kubeconfig file.
+message KubeletKubeconfigSpec {
+  string hash = 1;
+}
+
 // KubeletSpecSpec holds the source of kubelet configuration.
 message KubeletSpecSpec {
   string image = 1;
diff --git a/internal/app/machined/pkg/controllers/k8s/endpoint.go b/internal/app/machined/pkg/controllers/k8s/endpoint.go
index 600386ee7..bc1be24df 100644
--- a/internal/app/machined/pkg/controllers/k8s/endpoint.go
+++ b/internal/app/machined/pkg/controllers/k8s/endpoint.go
@@ -105,19 +105,29 @@ func (ctrl *EndpointController) Run(ctx context.Context, r controller.Runtime, l
 }
 
 func (ctrl *EndpointController) watchEndpointsOnWorker(ctx context.Context, r controller.Runtime, logger *zap.Logger) error {
+	if err := r.UpdateInputs([]controller.Input{
+		{
+			Namespace: config.NamespaceName,
+			Type:      config.MachineTypeType,
+			ID:        optional.Some(config.MachineTypeID),
+			Kind:      controller.InputWeak,
+		},
+		{
+			Namespace: k8s.NamespaceName,
+			Type:      k8s.KubeletKubeconfigType,
+			ID:        optional.Some(k8s.KubeletKubeconfigID),
+			Kind:      controller.InputWeak,
+		},
+	}); err != nil {
+		return err
+	}
+
 	logger.Debug("waiting for kubelet client config", zap.String("file", constants.KubeletKubeconfig))
 
 	if err := conditions.WaitForKubeconfigReady(constants.KubeletKubeconfig).Wait(ctx); err != nil {
 		return err
 	}
 
-	client, err := kubernetes.NewClientFromKubeletKubeconfig()
-	if err != nil {
-		return fmt.Errorf("error building Kubernetes client: %w", err)
-	}
-
-	defer client.Close() //nolint:errcheck
-
 	r.QueueReconcile()
 
 	for {
@@ -127,7 +137,22 @@ func (ctrl *EndpointController) watchEndpointsOnWorker(ctx context.Context, r co
 			return nil
 		}
 
-		if err = ctrl.watchKubernetesEndpointSlices(ctx, r, logger, client); err != nil {
+		// closure to capture the deferred close on client
+		watch := func() error {
+			client, err := kubernetes.NewClientFromKubeletKubeconfig()
+			if err != nil {
+				return fmt.Errorf("error building Kubernetes client: %w", err)
+			}
+
+			defer client.Close() //nolint:errcheck
+
+			if err = ctrl.watchKubernetesEndpointSlices(ctx, r, logger, client); err != nil {
+				return err
+			}
+
+			return nil
+		}
+		if err := watch(); err != nil {
 			return err
 		}
 	}
diff --git a/internal/app/machined/pkg/controllers/k8s/internal/nodewatch/nodewatch.go b/internal/app/machined/pkg/controllers/k8s/internal/nodewatch/nodewatch.go
index b2681ec85..fe5b038ac 100644
--- a/internal/app/machined/pkg/controllers/k8s/internal/nodewatch/nodewatch.go
+++ b/internal/app/machined/pkg/controllers/k8s/internal/nodewatch/nodewatch.go
@@ -8,6 +8,7 @@ package nodewatch
 import (
 	"context"
 	"fmt"
+	"time"
 
 	"go.uber.org/zap"
 	corev1 "k8s.io/api/core/v1"
@@ -21,6 +22,11 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
+// syncTickInterval is how often a "still waiting for initial sync" error is reported to the caller
+// while the informer hasn't yet completed its initial list. Each tick increments the caller's
+// error counter; once the caller's threshold is reached, the watcher is torn down and rebuilt.
+const syncTickInterval = 10 * time.Second
+
 // NodeWatcher defines a NodeWatcher-based node watcher.
 type NodeWatcher struct {
 	client *kubernetes.Client
@@ -48,6 +54,8 @@ func (r *NodeWatcher) Get() (*corev1.Node, error) {
 }
 
 // Watch starts watching Node state and notifies on updates via notify channel.
+//
+//nolint:gocyclo
 func (r *NodeWatcher) Watch(ctx context.Context, logger *zap.Logger) (<-chan struct{}, <-chan error, func(), error) {
 	logger.Debug("starting node watcher", zap.String("nodename", r.nodename))
 
@@ -92,11 +100,16 @@ func (r *NodeWatcher) Watch(ctx context.Context, logger *zap.Logger) (<-chan str
 
 	informerFactory.Start(ctx.Done())
 
+	syncCtx, syncCancel := context.WithCancel(ctx)
+
 	go func() {
 		logger.Debug("waiting for node cache sync")
 
 		result := informerFactory.WaitForCacheSync(ctx.Done())
 
+		// stop the ticker goroutine below as soon as sync completes (or ctx is done)
+		syncCancel()
+
 		var synced bool
 
 		// result should contain a single entry
@@ -112,5 +125,28 @@ func (r *NodeWatcher) Watch(ctx context.Context, logger *zap.Logger) (<-chan str
 		}
 	}()
 
+	// While the informer is still performing its initial list/sync, periodically
+	// surface a timeout error to the caller's watchErrCh. client-go's reflector
+	// silently retries connection-refused errors during the initial list, so the
+	// WatchErrorHandler never fires in that scenario. Pushing ticks here lets the
+	// caller apply its own threshold and restart the watcher with a fresh client.
+	go func() {
+		ticker := time.NewTicker(syncTickInterval)
+		defer ticker.Stop()
+
+		for {
+			select {
+			case <-syncCtx.Done():
+				return
+			case <-ticker.C:
+				select {
+				case <-syncCtx.Done():
+					return
+				case watchErrCh <- fmt.Errorf("node cache: no sync for %s", syncTickInterval):
+				}
+			}
+		}
+	}()
+
 	return notifyCh, watchErrCh, informerFactory.Shutdown, nil
 }
diff --git a/internal/app/machined/pkg/controllers/k8s/kubelet_kubeconfig.go b/internal/app/machined/pkg/controllers/k8s/kubelet_kubeconfig.go
new file mode 100644
index 000000000..e84971cad
--- /dev/null
+++ b/internal/app/machined/pkg/controllers/k8s/kubelet_kubeconfig.go
@@ -0,0 +1,175 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package k8s
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/cosi-project/runtime/pkg/controller"
+	"github.com/cosi-project/runtime/pkg/safe"
+	"github.com/fsnotify/fsnotify"
+	"go.uber.org/zap"
+
+	"github.com/siderolabs/talos/pkg/machinery/constants"
+	"github.com/siderolabs/talos/pkg/machinery/resources/k8s"
+)
+
+// kubeletKubeconfigPollInterval is the maximum interval between kubelet kubeconfig
+// file reads when fsnotify events are not seen. It acts as a safety net against
+// missed inotify events and also covers the startup window before the kubeconfig
+// directory exists.
+const kubeletKubeconfigPollInterval = 30 * time.Second
+
+// KubeletKubeconfigController watches the kubelet kubeconfig file on disk and
+// exposes its content hash via the [k8s.KubeletKubeconfig] resource. Consumers
+// (e.g. [NodeStatusController]) rebuild their Kubernetes clients whenever the
+// hash changes, which is how we detect that a stale endpoint baked into an
+// existing client should be discarded.
+type KubeletKubeconfigController struct {
+	// Path is the on-disk location of the kubelet kubeconfig. Defaults to
+	// [constants.KubeletKubeconfig] when empty; overridable for tests.
+	Path string
+}
+
+func (ctrl *KubeletKubeconfigController) path() string {
+	if ctrl.Path != "" {
+		return ctrl.Path
+	}
+
+	return constants.KubeletKubeconfig
+}
+
+// Name implements controller.Controller interface.
+func (ctrl *KubeletKubeconfigController) Name() string {
+	return "k8s.KubeletKubeconfigController"
+}
+
+// Inputs implements controller.Controller interface.
+func (ctrl *KubeletKubeconfigController) Inputs() []controller.Input {
+	return nil
+}
+
+// Outputs implements controller.Controller interface.
+func (ctrl *KubeletKubeconfigController) Outputs() []controller.Output {
+	return []controller.Output{
+		{
+			Type: k8s.KubeletKubeconfigType,
+			Kind: controller.OutputExclusive,
+		},
+	}
+}
+
+// Run implements controller.Controller interface.
+//
+//nolint:gocyclo
+func (ctrl *KubeletKubeconfigController) Run(ctx context.Context, r controller.Runtime, logger *zap.Logger) error {
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return fmt.Errorf("failed to create fsnotify watcher: %w", err)
+	}
+
+	defer watcher.Close() //nolint:errcheck
+
+	kubeconfigDir := filepath.Dir(ctrl.path())
+	watchedDir := false
+
+	// Forward fsnotify events and errors into the controller loop via QueueReconcile.
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case event, ok := <-watcher.Events:
+				if !ok {
+					return
+				}
+
+				if filepath.Clean(event.Name) == ctrl.path() {
+					r.QueueReconcile()
+				}
+			case werr, ok := <-watcher.Errors:
+				if !ok {
+					return
+				}
+
+				logger.Warn("fsnotify error on kubelet kubeconfig", zap.Error(werr))
+			}
+		}
+	}()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return nil
+		case <-r.EventCh():
+		case <-time.After(kubeletKubeconfigPollInterval):
+		}
+
+		if !watchedDir {
+			if _, statErr := os.Stat(kubeconfigDir); statErr == nil {
+				if addErr := watcher.Add(kubeconfigDir); addErr != nil {
+					return fmt.Errorf("failed to add %q to fsnotify watcher: %w", kubeconfigDir, addErr)
+				}
+
+				watchedDir = true
+			}
+		}
+
+		r.StartTrackingOutputs()
+
+		hash, err := hashKubeletKubeconfig(ctrl.path())
+		if err != nil {
+			return fmt.Errorf("failed to hash kubelet kubeconfig: %w", err)
+		}
+
+		if hash != "" {
+			if err = safe.WriterModify(ctx, r,
+				k8s.NewKubeletKubeconfig(k8s.NamespaceName, k8s.KubeletKubeconfigID),
+				func(res *k8s.KubeletKubeconfig) error {
+					res.TypedSpec().Hash = hash
+
+					return nil
+				},
+			); err != nil {
+				return fmt.Errorf("failed to update KubeletKubeconfig resource: %w", err)
+			}
+		}
+
+		if err := safe.CleanupOutputs[*k8s.KubeletKubeconfig](ctx, r); err != nil {
+			return fmt.Errorf("failed to cleanup KubeletKubeconfig resource: %w", err)
+		}
+	}
+}
+
+// hashKubeletKubeconfig returns the hex-encoded SHA-256 hash of the file at the
+// given path. If the file does not exist, it returns an empty string and nil
+// error.
+func hashKubeletKubeconfig(path string) (string, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return "", nil
+		}
+
+		return "", err
+	}
+
+	defer f.Close() //nolint:errcheck
+
+	h := sha256.New()
+	if _, err := io.Copy(h, f); err != nil {
+		return "", err
+	}
+
+	return hex.EncodeToString(h.Sum(nil)), nil
+}
diff --git a/internal/app/machined/pkg/controllers/k8s/kubelet_kubeconfig_test.go b/internal/app/machined/pkg/controllers/k8s/kubelet_kubeconfig_test.go
new file mode 100644
index 000000000..427fb0de7
--- /dev/null
+++ b/internal/app/machined/pkg/controllers/k8s/kubelet_kubeconfig_test.go
@@ -0,0 +1,102 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package k8s_test
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"os"
+	"path/filepath"
+	"slices"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/suite"
+
+	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/ctest"
+	k8sctrl "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/k8s"
+	"github.com/siderolabs/talos/pkg/machinery/resources/k8s"
+)
+
+type KubeletKubeconfigSuite struct {
+	ctest.DefaultSuite
+
+	kubeconfigPath string
+}
+
+func TestKubeletKubeconfigSuite(t *testing.T) {
+	t.Parallel()
+
+	dir := t.TempDir()
+	path := filepath.Join(dir, "kubeconfig-kubelet")
+
+	s := &KubeletKubeconfigSuite{
+		kubeconfigPath: path,
+	}
+
+	s.DefaultSuite = ctest.DefaultSuite{
+		Timeout: 10 * time.Second,
+		AfterSetup: func(ds *ctest.DefaultSuite) {
+			// Reset filesystem state so tests don't leak into each other.
+			if err := os.Remove(path); err != nil && !errors.Is(err, os.ErrNotExist) {
+				ds.Require().NoError(err)
+			}
+
+			ds.Require().NoError(ds.Runtime().RegisterController(&k8sctrl.KubeletKubeconfigController{
+				Path: path,
+			}))
+		},
+	}
+
+	suite.Run(t, s)
+}
+
+func hashOf(data []byte) string {
+	sum := sha256.Sum256(data)
+
+	return hex.EncodeToString(sum[:])
+}
+
+func (suite *KubeletKubeconfigSuite) writeKubeconfig(data []byte) {
+	suite.T().Helper()
+
+	suite.Require().NoError(os.WriteFile(suite.kubeconfigPath, data, 0o600))
+}
+
+func (suite *KubeletKubeconfigSuite) TestMissingFileNoResource() {
+	ctest.AssertNoResource[*k8s.KubeletKubeconfig](suite, k8s.KubeletKubeconfigID)
+}
+
+func (suite *KubeletKubeconfigSuite) TestCreateUpdateDelete() {
+	initial := []byte("apiVersion: v1\nkind: Config\nclusters: []\n")
+
+	suite.writeKubeconfig(initial)
+
+	ctest.AssertResource(
+		suite,
+		k8s.KubeletKubeconfigID,
+		func(res *k8s.KubeletKubeconfig, assert *assert.Assertions) {
+			assert.Equal(hashOf(initial), res.TypedSpec().Hash)
+		},
+	)
+
+	updated := slices.Concat(initial, []byte("users: []\n"))
+
+	suite.writeKubeconfig(updated)
+
+	ctest.AssertResource(
+		suite,
+		k8s.KubeletKubeconfigID,
+		func(res *k8s.KubeletKubeconfig, assert *assert.Assertions) {
+			assert.Equal(hashOf(updated), res.TypedSpec().Hash)
+		},
+	)
+
+	suite.Require().NoError(os.Remove(suite.kubeconfigPath))
+
+	ctest.AssertNoResource[*k8s.KubeletKubeconfig](suite, k8s.KubeletKubeconfigID)
+}
diff --git a/internal/app/machined/pkg/controllers/k8s/node_status.go b/internal/app/machined/pkg/controllers/k8s/node_status.go
index 32106cf3d..cdcadd582 100644
--- a/internal/app/machined/pkg/controllers/k8s/node_status.go
+++ b/internal/app/machined/pkg/controllers/k8s/node_status.go
@@ -45,6 +45,12 @@ func (ctrl *NodeStatusController) Inputs() []controller.Input {
 			ID:        optional.Some(k8s.NodenameID),
 			Kind:      controller.InputWeak,
 		},
+		{
+			Namespace: k8s.NamespaceName,
+			Type:      k8s.KubeletKubeconfigType,
+			ID:        optional.Some(k8s.KubeletKubeconfigID),
+			Kind:      controller.InputWeak,
+		},
 	}
 }
 
@@ -63,14 +69,15 @@ func (ctrl *NodeStatusController) Outputs() []controller.Output {
 //nolint:gocyclo,cyclop
 func (ctrl *NodeStatusController) Run(ctx context.Context, r controller.Runtime, logger *zap.Logger) error {
 	var (
-		kubernetesClient *kubernetes.Client
-		nodewatcher      *nodewatch.NodeWatcher
-		watchCtxCancel   context.CancelFunc
-		notifyCh         <-chan struct{}
-		watchErrCh       <-chan error
-		notifyCloser     func()
-		watchErrors      int
-		watchReady       bool
+		kubernetesClient     *kubernetes.Client
+		nodewatcher          *nodewatch.NodeWatcher
+		watchCtxCancel       context.CancelFunc
+		notifyCh             <-chan struct{}
+		watchErrCh           <-chan error
+		notifyCloser         func()
+		watchErrors          int
+		watchReady           bool
+		watcherKubeconfigVer string
 	)
 
 	closeWatcher := func() {
@@ -95,6 +102,7 @@ func (ctrl *NodeStatusController) Run(ctx context.Context, r controller.Runtime,
 		watchErrors = 0
 		watchReady = false
 		nodewatcher = nil
+		watcherKubeconfigVer = ""
 	}
 
 	defer closeWatcher()
@@ -140,11 +148,37 @@ func (ctrl *NodeStatusController) Run(ctx context.Context, r controller.Runtime,
 			return err
 		}
 
+		// Look up the current kubelet kubeconfig hash. If it is not yet published,
+		// the kubeconfig was read by WaitForKubeconfigReady but the
+		// KubeletKubeconfigController hasn't written its resource yet — wait for it
+		// so we never bind a watcher to a hash we haven't recorded.
+		kubeconfigRes, err := safe.ReaderGetByID[*k8s.KubeletKubeconfig](ctx, r, k8s.KubeletKubeconfigID)
+		if err != nil {
+			if !state.IsNotFoundError(err) {
+				return fmt.Errorf("error getting kubelet kubeconfig: %w", err)
+			}
+
+			continue
+		}
+
+		currentKubeconfigVer := kubeconfigRes.TypedSpec().Hash
+
 		if nodewatcher != nil && nodewatcher.Nodename() != nodename.TypedSpec().Nodename {
 			// nodename changed, so we need to reinitialize the watcher
 			closeWatcher()
 		}
 
+		if nodewatcher != nil && watcherKubeconfigVer != currentKubeconfigVer {
+			// kubelet kubeconfig on disk changed — the cached client may be pinned
+			// to a stale endpoint, so rebuild the watcher with a fresh client.
+			logger.Info("kubelet kubeconfig changed, restarting node watcher",
+				zap.String("old_hash", watcherKubeconfigVer),
+				zap.String("new_hash", currentKubeconfigVer),
+			)
+
+			closeWatcher()
+		}
+
 		if kubernetesClient == nil {
 			kubernetesClient, err = kubernetes.NewClientFromKubeletKubeconfig()
 			if err != nil {
@@ -165,6 +199,8 @@ func (ctrl *NodeStatusController) Run(ctx context.Context, r controller.Runtime,
 			if err != nil {
 				return fmt.Errorf("error setting up node watcher: %w", err) //nolint:govet
 			}
+
+			watcherKubeconfigVer = currentKubeconfigVer
 		}
 
 		if !watchReady {
diff --git a/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go b/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go
index 1d2ad31d2..92e784126 100644
--- a/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go
+++ b/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go
@@ -257,6 +257,7 @@ func (ctrl *Controller) Run(ctx context.Context, drainer *runtime.Drainer) error
 		&k8s.EndpointController{},
 		&k8s.ExtraManifestController{},
 		k8s.NewKubeletConfigController(),
+		&k8s.KubeletKubeconfigController{},
 		&k8s.KubeletServiceController{
 			V1Alpha1Services: system.Services(ctrl.v1alpha1Runtime),
 			V1Alpha1Mode:     ctrl.v1alpha1Runtime.State().Platform().Mode(),
diff --git a/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_state.go b/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_state.go
index a9010df9a..135f6af5c 100644
--- a/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_state.go
+++ b/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_state.go
@@ -147,6 +147,7 @@ func NewState() (*State, error) {
 		&k8s.Endpoint{},
 		&k8s.ExtraManifestsConfig{},
 		&k8s.KubeletConfig{},
+		&k8s.KubeletKubeconfig{},
 		&k8s.KubeletLifecycle{},
 		&k8s.KubeletSpec{},
 		&k8s.KubePrismConfig{},
diff --git a/pkg/kubernetes/kubernetes.go b/pkg/kubernetes/kubernetes.go
index 3d9bcc228..5605afe55 100644
--- a/pkg/kubernetes/kubernetes.go
+++ b/pkg/kubernetes/kubernetes.go
@@ -8,6 +8,7 @@ import (
 	"context"
 	"fmt"
 	"log"
+	"net"
 	"net/url"
 	"os"
 	"time"
@@ -52,6 +53,16 @@ func NewClientFromKubeletKubeconfig() (*Client, error) {
 		return nil, err
 	}
 
+	// Set an explicit dial timeout so that requests to a stale/unreachable
+	// API server endpoint fail fast instead of hanging indefinitely at the TCP
+	// layer (the default Linux tcp_syn_retries can cause connect() to block for
+	// over two minutes). This only affects establishing new TCP connections,
+	// not the lifetime of in-flight watches.
+	config.Dial = (&net.Dialer{
+		Timeout:   15 * time.Second,
+		KeepAlive: 30 * time.Second,
+	}).DialContext
+
 	return NewForConfig(config)
 }
 
diff --git a/pkg/machinery/api/resource/definitions/k8s/k8s.pb.go b/pkg/machinery/api/resource/definitions/k8s/k8s.pb.go
index dc18718fc..73028baf0 100644
--- a/pkg/machinery/api/resource/definitions/k8s/k8s.pb.go
+++ b/pkg/machinery/api/resource/definitions/k8s/k8s.pb.go
@@ -1417,6 +1417,51 @@ func (x *KubeletConfigSpec) GetExtraArgs() map[string]*ArgValues {
 	return nil
 }
 
+// KubeletKubeconfigSpec describes the current kubelet kubeconfig file.
+type KubeletKubeconfigSpec struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Hash          string                 `protobuf:"bytes,1,opt,name=hash,proto3" json:"hash,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *KubeletKubeconfigSpec) Reset() {
+	*x = KubeletKubeconfigSpec{}
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[19]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *KubeletKubeconfigSpec) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*KubeletKubeconfigSpec) ProtoMessage() {}
+
+func (x *KubeletKubeconfigSpec) ProtoReflect() protoreflect.Message {
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[19]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use KubeletKubeconfigSpec.ProtoReflect.Descriptor instead.
+func (*KubeletKubeconfigSpec) Descriptor() ([]byte, []int) {
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{19}
+}
+
+func (x *KubeletKubeconfigSpec) GetHash() string {
+	if x != nil {
+		return x.Hash
+	}
+	return ""
+}
+
 // KubeletSpecSpec holds the source of kubelet configuration.
 type KubeletSpecSpec struct {
 	state                    protoimpl.MessageState `protogen:"open.v1"`
@@ -1432,7 +1477,7 @@ type KubeletSpecSpec struct {
 
 func (x *KubeletSpecSpec) Reset() {
 	*x = KubeletSpecSpec{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[19]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[20]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1444,7 +1489,7 @@ func (x *KubeletSpecSpec) String() string {
 func (*KubeletSpecSpec) ProtoMessage() {}
 
 func (x *KubeletSpecSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[19]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[20]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1457,7 +1502,7 @@ func (x *KubeletSpecSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use KubeletSpecSpec.ProtoReflect.Descriptor instead.
 func (*KubeletSpecSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{19}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{20}
 }
 
 func (x *KubeletSpecSpec) GetImage() string {
@@ -1512,7 +1557,7 @@ type ManifestSpec struct {
 
 func (x *ManifestSpec) Reset() {
 	*x = ManifestSpec{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[20]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[21]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1524,7 +1569,7 @@ func (x *ManifestSpec) String() string {
 func (*ManifestSpec) ProtoMessage() {}
 
 func (x *ManifestSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[20]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[21]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1537,7 +1582,7 @@ func (x *ManifestSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use ManifestSpec.ProtoReflect.Descriptor instead.
 func (*ManifestSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{20}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{21}
 }
 
 func (x *ManifestSpec) GetItems() []*SingleManifest {
@@ -1557,7 +1602,7 @@ type ManifestStatusSpec struct {
 
 func (x *ManifestStatusSpec) Reset() {
 	*x = ManifestStatusSpec{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[21]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[22]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1569,7 +1614,7 @@ func (x *ManifestStatusSpec) String() string {
 func (*ManifestStatusSpec) ProtoMessage() {}
 
 func (x *ManifestStatusSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[21]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[22]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1582,7 +1627,7 @@ func (x *ManifestStatusSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use ManifestStatusSpec.ProtoReflect.Descriptor instead.
 func (*ManifestStatusSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{21}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{22}
 }
 
 func (x *ManifestStatusSpec) GetManifestsApplied() []string {
@@ -1603,7 +1648,7 @@ type NodeAnnotationSpecSpec struct {
 
 func (x *NodeAnnotationSpecSpec) Reset() {
 	*x = NodeAnnotationSpecSpec{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[22]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[23]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1615,7 +1660,7 @@ func (x *NodeAnnotationSpecSpec) String() string {
 func (*NodeAnnotationSpecSpec) ProtoMessage() {}
 
 func (x *NodeAnnotationSpecSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[22]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[23]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1628,7 +1673,7 @@ func (x *NodeAnnotationSpecSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use NodeAnnotationSpecSpec.ProtoReflect.Descriptor instead.
 func (*NodeAnnotationSpecSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{22}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{23}
 }
 
 func (x *NodeAnnotationSpecSpec) GetKey() string {
@@ -1656,7 +1701,7 @@ type NodeIPConfigSpec struct {
 
 func (x *NodeIPConfigSpec) Reset() {
 	*x = NodeIPConfigSpec{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[23]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[24]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1668,7 +1713,7 @@ func (x *NodeIPConfigSpec) String() string {
 func (*NodeIPConfigSpec) ProtoMessage() {}
 
 func (x *NodeIPConfigSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[23]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[24]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1681,7 +1726,7 @@ func (x *NodeIPConfigSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use NodeIPConfigSpec.ProtoReflect.Descriptor instead.
 func (*NodeIPConfigSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{23}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{24}
 }
 
 func (x *NodeIPConfigSpec) GetValidSubnets() []string {
@@ -1708,7 +1753,7 @@ type NodeIPSpec struct {
 
 func (x *NodeIPSpec) Reset() {
 	*x = NodeIPSpec{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[24]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[25]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1720,7 +1765,7 @@ func (x *NodeIPSpec) String() string {
 func (*NodeIPSpec) ProtoMessage() {}
 
 func (x *NodeIPSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[24]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[25]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1733,7 +1778,7 @@ func (x *NodeIPSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use NodeIPSpec.ProtoReflect.Descriptor instead.
 func (*NodeIPSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{24}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{25}
 }
 
 func (x *NodeIPSpec) GetAddresses() []*common.NetIP {
@@ -1754,7 +1799,7 @@ type NodeLabelSpecSpec struct {
 
 func (x *NodeLabelSpecSpec) Reset() {
 	*x = NodeLabelSpecSpec{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[25]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[26]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1766,7 +1811,7 @@ func (x *NodeLabelSpecSpec) String() string {
 func (*NodeLabelSpecSpec) ProtoMessage() {}
 
 func (x *NodeLabelSpecSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[25]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[26]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1779,7 +1824,7 @@ func (x *NodeLabelSpecSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use NodeLabelSpecSpec.ProtoReflect.Descriptor instead.
 func (*NodeLabelSpecSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{25}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{26}
 }
 
 func (x *NodeLabelSpecSpec) GetKey() string {
@@ -1811,7 +1856,7 @@ type NodeStatusSpec struct {
 
 func (x *NodeStatusSpec) Reset() {
 	*x = NodeStatusSpec{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[26]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[27]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1823,7 +1868,7 @@ func (x *NodeStatusSpec) String() string {
 func (*NodeStatusSpec) ProtoMessage() {}
 
 func (x *NodeStatusSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[26]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[27]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1836,7 +1881,7 @@ func (x *NodeStatusSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use NodeStatusSpec.ProtoReflect.Descriptor instead.
 func (*NodeStatusSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{26}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{27}
 }
 
 func (x *NodeStatusSpec) GetNodename() string {
@@ -1893,7 +1938,7 @@ type NodeTaintSpecSpec struct {
 
 func (x *NodeTaintSpecSpec) Reset() {
 	*x = NodeTaintSpecSpec{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[27]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[28]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1905,7 +1950,7 @@ func (x *NodeTaintSpecSpec) String() string {
 func (*NodeTaintSpecSpec) ProtoMessage() {}
 
 func (x *NodeTaintSpecSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[27]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[28]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1918,7 +1963,7 @@ func (x *NodeTaintSpecSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use NodeTaintSpecSpec.ProtoReflect.Descriptor instead.
 func (*NodeTaintSpecSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{27}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{28}
 }
 
 func (x *NodeTaintSpecSpec) GetKey() string {
@@ -1954,7 +1999,7 @@ type NodenameSpec struct {
 
 func (x *NodenameSpec) Reset() {
 	*x = NodenameSpec{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[28]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[29]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1966,7 +2011,7 @@ func (x *NodenameSpec) String() string {
 func (*NodenameSpec) ProtoMessage() {}
 
 func (x *NodenameSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[28]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[29]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1979,7 +2024,7 @@ func (x *NodenameSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use NodenameSpec.ProtoReflect.Descriptor instead.
 func (*NodenameSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{28}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{29}
 }
 
 func (x *NodenameSpec) GetNodename() string {
@@ -2014,7 +2059,7 @@ type Resources struct {
 
 func (x *Resources) Reset() {
 	*x = Resources{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[29]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[30]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -2026,7 +2071,7 @@ func (x *Resources) String() string {
 func (*Resources) ProtoMessage() {}
 
 func (x *Resources) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[29]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[30]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -2039,7 +2084,7 @@ func (x *Resources) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use Resources.ProtoReflect.Descriptor instead.
 func (*Resources) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{29}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{30}
 }
 
 func (x *Resources) GetRequests() map[string]string {
@@ -2072,7 +2117,7 @@ type SchedulerConfigSpec struct {
 
 func (x *SchedulerConfigSpec) Reset() {
 	*x = SchedulerConfigSpec{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[30]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[31]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -2084,7 +2129,7 @@ func (x *SchedulerConfigSpec) String() string {
 func (*SchedulerConfigSpec) ProtoMessage() {}
 
 func (x *SchedulerConfigSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[30]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[31]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -2097,7 +2142,7 @@ func (x *SchedulerConfigSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use SchedulerConfigSpec.ProtoReflect.Descriptor instead.
 func (*SchedulerConfigSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{30}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{31}
 }
 
 func (x *SchedulerConfigSpec) GetEnabled() bool {
@@ -2160,7 +2205,7 @@ type SecretsStatusSpec struct {
 
 func (x *SecretsStatusSpec) Reset() {
 	*x = SecretsStatusSpec{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[31]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[32]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -2172,7 +2217,7 @@ func (x *SecretsStatusSpec) String() string {
 func (*SecretsStatusSpec) ProtoMessage() {}
 
 func (x *SecretsStatusSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[31]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[32]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -2185,7 +2230,7 @@ func (x *SecretsStatusSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use SecretsStatusSpec.ProtoReflect.Descriptor instead.
 func (*SecretsStatusSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{31}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{32}
 }
 
 func (x *SecretsStatusSpec) GetReady() bool {
@@ -2212,7 +2257,7 @@ type SingleManifest struct {
 
 func (x *SingleManifest) Reset() {
 	*x = SingleManifest{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[32]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[33]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -2224,7 +2269,7 @@ func (x *SingleManifest) String() string {
 func (*SingleManifest) ProtoMessage() {}
 
 func (x *SingleManifest) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[32]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[33]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -2237,7 +2282,7 @@ func (x *SingleManifest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use SingleManifest.ProtoReflect.Descriptor instead.
 func (*SingleManifest) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{32}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{33}
 }
 
 func (x *SingleManifest) GetObject() *structpb.Struct {
@@ -2257,7 +2302,7 @@ type StaticPodServerStatusSpec struct {
 
 func (x *StaticPodServerStatusSpec) Reset() {
 	*x = StaticPodServerStatusSpec{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[33]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[34]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -2269,7 +2314,7 @@ func (x *StaticPodServerStatusSpec) String() string {
 func (*StaticPodServerStatusSpec) ProtoMessage() {}
 
 func (x *StaticPodServerStatusSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[33]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[34]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -2282,7 +2327,7 @@ func (x *StaticPodServerStatusSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use StaticPodServerStatusSpec.ProtoReflect.Descriptor instead.
 func (*StaticPodServerStatusSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{33}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{34}
 }
 
 func (x *StaticPodServerStatusSpec) GetUrl() string {
@@ -2302,7 +2347,7 @@ type StaticPodSpec struct {
 
 func (x *StaticPodSpec) Reset() {
 	*x = StaticPodSpec{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[34]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[35]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -2314,7 +2359,7 @@ func (x *StaticPodSpec) String() string {
 func (*StaticPodSpec) ProtoMessage() {}
 
 func (x *StaticPodSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[34]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[35]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -2327,7 +2372,7 @@ func (x *StaticPodSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use StaticPodSpec.ProtoReflect.Descriptor instead.
 func (*StaticPodSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{34}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{35}
 }
 
 func (x *StaticPodSpec) GetPod() *structpb.Struct {
@@ -2347,7 +2392,7 @@ type StaticPodStatusSpec struct {
 
 func (x *StaticPodStatusSpec) Reset() {
 	*x = StaticPodStatusSpec{}
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[35]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[36]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -2359,7 +2404,7 @@ func (x *StaticPodStatusSpec) String() string {
 func (*StaticPodStatusSpec) ProtoMessage() {}
 
 func (x *StaticPodStatusSpec) ProtoReflect() protoreflect.Message {
-	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[35]
+	mi := &file_resource_definitions_k8s_k8s_proto_msgTypes[36]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -2372,7 +2417,7 @@ func (x *StaticPodStatusSpec) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use StaticPodStatusSpec.ProtoReflect.Descriptor instead.
 func (*StaticPodStatusSpec) Descriptor() ([]byte, []int) {
-	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{35}
+	return file_resource_definitions_k8s_k8s_proto_rawDescGZIP(), []int{36}
 }
 
 func (x *StaticPodStatusSpec) GetPodStatus() *structpb.Struct {
@@ -2522,7 +2567,9 @@ const file_resource_definitions_k8s_k8s_proto_rawDesc = "" +
 	"extra_args\x18\x0f \x03(\v2@.talos.resource.definitions.k8s.KubeletConfigSpec.ExtraArgsEntryR\textraArgs\x1ag\n" +
 	"\x0eExtraArgsEntry\x12\x10\n" +
 	"\x03key\x18\x01 \x01(\tR\x03key\x12?\n" +
-	"\x05value\x18\x02 \x01(\v2).talos.resource.definitions.k8s.ArgValuesR\x05value:\x028\x01\"\xbc\x02\n" +
+	"\x05value\x18\x02 \x01(\v2).talos.resource.definitions.k8s.ArgValuesR\x05value:\x028\x01\"+\n" +
+	"\x15KubeletKubeconfigSpec\x12\x12\n" +
+	"\x04hash\x18\x01 \x01(\tR\x04hash\"\xbc\x02\n" +
 	"\x0fKubeletSpecSpec\x12\x14\n" +
 	"\x05image\x18\x01 \x01(\tR\x05image\x12\x12\n" +
 	"\x04args\x18\x02 \x03(\tR\x04args\x12J\n" +
@@ -2619,7 +2666,7 @@ func file_resource_definitions_k8s_k8s_proto_rawDescGZIP() []byte {
 	return file_resource_definitions_k8s_k8s_proto_rawDescData
 }
 
-var file_resource_definitions_k8s_k8s_proto_msgTypes = make([]protoimpl.MessageInfo, 48)
+var file_resource_definitions_k8s_k8s_proto_msgTypes = make([]protoimpl.MessageInfo, 49)
 var file_resource_definitions_k8s_k8s_proto_goTypes = []any{
 	(*APIServerConfigSpec)(nil),          // 0: talos.resource.definitions.k8s.APIServerConfigSpec
 	(*AdmissionControlConfigSpec)(nil),   // 1: talos.resource.definitions.k8s.AdmissionControlConfigSpec
@@ -2640,81 +2687,82 @@ var file_resource_definitions_k8s_k8s_proto_goTypes = []any{
 	(*KubePrismEndpointsSpec)(nil),       // 16: talos.resource.definitions.k8s.KubePrismEndpointsSpec
 	(*KubePrismStatusesSpec)(nil),        // 17: talos.resource.definitions.k8s.KubePrismStatusesSpec
 	(*KubeletConfigSpec)(nil),            // 18: talos.resource.definitions.k8s.KubeletConfigSpec
-	(*KubeletSpecSpec)(nil),              // 19: talos.resource.definitions.k8s.KubeletSpecSpec
-	(*ManifestSpec)(nil),                 // 20: talos.resource.definitions.k8s.ManifestSpec
-	(*ManifestStatusSpec)(nil),           // 21: talos.resource.definitions.k8s.ManifestStatusSpec
-	(*NodeAnnotationSpecSpec)(nil),       // 22: talos.resource.definitions.k8s.NodeAnnotationSpecSpec
-	(*NodeIPConfigSpec)(nil),             // 23: talos.resource.definitions.k8s.NodeIPConfigSpec
-	(*NodeIPSpec)(nil),                   // 24: talos.resource.definitions.k8s.NodeIPSpec
-	(*NodeLabelSpecSpec)(nil),            // 25: talos.resource.definitions.k8s.NodeLabelSpecSpec
-	(*NodeStatusSpec)(nil),               // 26: talos.resource.definitions.k8s.NodeStatusSpec
-	(*NodeTaintSpecSpec)(nil),            // 27: talos.resource.definitions.k8s.NodeTaintSpecSpec
-	(*NodenameSpec)(nil),                 // 28: talos.resource.definitions.k8s.NodenameSpec
-	(*Resources)(nil),                    // 29: talos.resource.definitions.k8s.Resources
-	(*SchedulerConfigSpec)(nil),          // 30: talos.resource.definitions.k8s.SchedulerConfigSpec
-	(*SecretsStatusSpec)(nil),            // 31: talos.resource.definitions.k8s.SecretsStatusSpec
-	(*SingleManifest)(nil),               // 32: talos.resource.definitions.k8s.SingleManifest
-	(*StaticPodServerStatusSpec)(nil),    // 33: talos.resource.definitions.k8s.StaticPodServerStatusSpec
-	(*StaticPodSpec)(nil),                // 34: talos.resource.definitions.k8s.StaticPodSpec
-	(*StaticPodStatusSpec)(nil),          // 35: talos.resource.definitions.k8s.StaticPodStatusSpec
-	nil,                                  // 36: talos.resource.definitions.k8s.APIServerConfigSpec.EnvironmentVariablesEntry
-	nil,                                  // 37: talos.resource.definitions.k8s.APIServerConfigSpec.ExtraArgsEntry
-	nil,                                  // 38: talos.resource.definitions.k8s.ControllerManagerConfigSpec.EnvironmentVariablesEntry
-	nil,                                  // 39: talos.resource.definitions.k8s.ControllerManagerConfigSpec.ExtraArgsEntry
-	nil,                                  // 40: talos.resource.definitions.k8s.ExtraManifest.ExtraHeadersEntry
-	nil,                                  // 41: talos.resource.definitions.k8s.KubeletConfigSpec.ExtraArgsEntry
-	nil,                                  // 42: talos.resource.definitions.k8s.NodeStatusSpec.LabelsEntry
-	nil,                                  // 43: talos.resource.definitions.k8s.NodeStatusSpec.AnnotationsEntry
-	nil,                                  // 44: talos.resource.definitions.k8s.Resources.RequestsEntry
-	nil,                                  // 45: talos.resource.definitions.k8s.Resources.LimitsEntry
-	nil,                                  // 46: talos.resource.definitions.k8s.SchedulerConfigSpec.EnvironmentVariablesEntry
-	nil,                                  // 47: talos.resource.definitions.k8s.SchedulerConfigSpec.ExtraArgsEntry
-	(*structpb.Struct)(nil),              // 48: google.protobuf.Struct
-	(*common.NetIP)(nil),                 // 49: common.NetIP
-	(*proto.Mount)(nil),                  // 50: talos.resource.definitions.proto.Mount
-	(*common.NetIPPrefix)(nil),           // 51: common.NetIPPrefix
+	(*KubeletKubeconfigSpec)(nil),        // 19: talos.resource.definitions.k8s.KubeletKubeconfigSpec
+	(*KubeletSpecSpec)(nil),              // 20: talos.resource.definitions.k8s.KubeletSpecSpec
+	(*ManifestSpec)(nil),                 // 21: talos.resource.definitions.k8s.ManifestSpec
+	(*ManifestStatusSpec)(nil),           // 22: talos.resource.definitions.k8s.ManifestStatusSpec
+	(*NodeAnnotationSpecSpec)(nil),       // 23: talos.resource.definitions.k8s.NodeAnnotationSpecSpec
+	(*NodeIPConfigSpec)(nil),             // 24: talos.resource.definitions.k8s.NodeIPConfigSpec
+	(*NodeIPSpec)(nil),                   // 25: talos.resource.definitions.k8s.NodeIPSpec
+	(*NodeLabelSpecSpec)(nil),            // 26: talos.resource.definitions.k8s.NodeLabelSpecSpec
+	(*NodeStatusSpec)(nil),               // 27: talos.resource.definitions.k8s.NodeStatusSpec
+	(*NodeTaintSpecSpec)(nil),            // 28: talos.resource.definitions.k8s.NodeTaintSpecSpec
+	(*NodenameSpec)(nil),                 // 29: talos.resource.definitions.k8s.NodenameSpec
+	(*Resources)(nil),                    // 30: talos.resource.definitions.k8s.Resources
+	(*SchedulerConfigSpec)(nil),          // 31: talos.resource.definitions.k8s.SchedulerConfigSpec
+	(*SecretsStatusSpec)(nil),            // 32: talos.resource.definitions.k8s.SecretsStatusSpec
+	(*SingleManifest)(nil),               // 33: talos.resource.definitions.k8s.SingleManifest
+	(*StaticPodServerStatusSpec)(nil),    // 34: talos.resource.definitions.k8s.StaticPodServerStatusSpec
+	(*StaticPodSpec)(nil),                // 35: talos.resource.definitions.k8s.StaticPodSpec
+	(*StaticPodStatusSpec)(nil),          // 36: talos.resource.definitions.k8s.StaticPodStatusSpec
+	nil,                                  // 37: talos.resource.definitions.k8s.APIServerConfigSpec.EnvironmentVariablesEntry
+	nil,                                  // 38: talos.resource.definitions.k8s.APIServerConfigSpec.ExtraArgsEntry
+	nil,                                  // 39: talos.resource.definitions.k8s.ControllerManagerConfigSpec.EnvironmentVariablesEntry
+	nil,                                  // 40: talos.resource.definitions.k8s.ControllerManagerConfigSpec.ExtraArgsEntry
+	nil,                                  // 41: talos.resource.definitions.k8s.ExtraManifest.ExtraHeadersEntry
+	nil,                                  // 42: talos.resource.definitions.k8s.KubeletConfigSpec.ExtraArgsEntry
+	nil,                                  // 43: talos.resource.definitions.k8s.NodeStatusSpec.LabelsEntry
+	nil,                                  // 44: talos.resource.definitions.k8s.NodeStatusSpec.AnnotationsEntry
+	nil,                                  // 45: talos.resource.definitions.k8s.Resources.RequestsEntry
+	nil,                                  // 46: talos.resource.definitions.k8s.Resources.LimitsEntry
+	nil,                                  // 47: talos.resource.definitions.k8s.SchedulerConfigSpec.EnvironmentVariablesEntry
+	nil,                                  // 48: talos.resource.definitions.k8s.SchedulerConfigSpec.ExtraArgsEntry
+	(*structpb.Struct)(nil),              // 49: google.protobuf.Struct
+	(*common.NetIP)(nil),                 // 50: common.NetIP
+	(*proto.Mount)(nil),                  // 51: talos.resource.definitions.proto.Mount
+	(*common.NetIPPrefix)(nil),           // 52: common.NetIPPrefix
 }
 var file_resource_definitions_k8s_k8s_proto_depIdxs = []int32{
 	13, // 0: talos.resource.definitions.k8s.APIServerConfigSpec.extra_volumes:type_name -> talos.resource.definitions.k8s.ExtraVolume
-	36, // 1: talos.resource.definitions.k8s.APIServerConfigSpec.environment_variables:type_name -> talos.resource.definitions.k8s.APIServerConfigSpec.EnvironmentVariablesEntry
-	29, // 2: talos.resource.definitions.k8s.APIServerConfigSpec.resources:type_name -> talos.resource.definitions.k8s.Resources
-	37, // 3: talos.resource.definitions.k8s.APIServerConfigSpec.extra_args:type_name -> talos.resource.definitions.k8s.APIServerConfigSpec.ExtraArgsEntry
+	37, // 1: talos.resource.definitions.k8s.APIServerConfigSpec.environment_variables:type_name -> talos.resource.definitions.k8s.APIServerConfigSpec.EnvironmentVariablesEntry
+	30, // 2: talos.resource.definitions.k8s.APIServerConfigSpec.resources:type_name -> talos.resource.definitions.k8s.Resources
+	38, // 3: talos.resource.definitions.k8s.APIServerConfigSpec.extra_args:type_name -> talos.resource.definitions.k8s.APIServerConfigSpec.ExtraArgsEntry
 	2,  // 4: talos.resource.definitions.k8s.AdmissionControlConfigSpec.config:type_name -> talos.resource.definitions.k8s.AdmissionPluginSpec
-	48, // 5: talos.resource.definitions.k8s.AdmissionPluginSpec.configuration:type_name -> google.protobuf.Struct
-	48, // 6: talos.resource.definitions.k8s.AuditPolicyConfigSpec.config:type_name -> google.protobuf.Struct
-	48, // 7: talos.resource.definitions.k8s.AuthorizationAuthorizersSpec.webhook:type_name -> google.protobuf.Struct
+	49, // 5: talos.resource.definitions.k8s.AdmissionPluginSpec.configuration:type_name -> google.protobuf.Struct
+	49, // 6: talos.resource.definitions.k8s.AuditPolicyConfigSpec.config:type_name -> google.protobuf.Struct
+	49, // 7: talos.resource.definitions.k8s.AuthorizationAuthorizersSpec.webhook:type_name -> google.protobuf.Struct
 	5,  // 8: talos.resource.definitions.k8s.AuthorizationConfigSpec.config:type_name -> talos.resource.definitions.k8s.AuthorizationAuthorizersSpec
 	13, // 9: talos.resource.definitions.k8s.ControllerManagerConfigSpec.extra_volumes:type_name -> talos.resource.definitions.k8s.ExtraVolume
-	38, // 10: talos.resource.definitions.k8s.ControllerManagerConfigSpec.environment_variables:type_name -> talos.resource.definitions.k8s.ControllerManagerConfigSpec.EnvironmentVariablesEntry
-	29, // 11: talos.resource.definitions.k8s.ControllerManagerConfigSpec.resources:type_name -> talos.resource.definitions.k8s.Resources
-	39, // 12: talos.resource.definitions.k8s.ControllerManagerConfigSpec.extra_args:type_name -> talos.resource.definitions.k8s.ControllerManagerConfigSpec.ExtraArgsEntry
-	49, // 13: talos.resource.definitions.k8s.EndpointSpec.addresses:type_name -> common.NetIP
-	40, // 14: talos.resource.definitions.k8s.ExtraManifest.extra_headers:type_name -> talos.resource.definitions.k8s.ExtraManifest.ExtraHeadersEntry
+	39, // 10: talos.resource.definitions.k8s.ControllerManagerConfigSpec.environment_variables:type_name -> talos.resource.definitions.k8s.ControllerManagerConfigSpec.EnvironmentVariablesEntry
+	30, // 11: talos.resource.definitions.k8s.ControllerManagerConfigSpec.resources:type_name -> talos.resource.definitions.k8s.Resources
+	40, // 12: talos.resource.definitions.k8s.ControllerManagerConfigSpec.extra_args:type_name -> talos.resource.definitions.k8s.ControllerManagerConfigSpec.ExtraArgsEntry
+	50, // 13: talos.resource.definitions.k8s.EndpointSpec.addresses:type_name -> common.NetIP
+	41, // 14: talos.resource.definitions.k8s.ExtraManifest.extra_headers:type_name -> talos.resource.definitions.k8s.ExtraManifest.ExtraHeadersEntry
 	11, // 15: talos.resource.definitions.k8s.ExtraManifestsConfigSpec.extra_manifests:type_name -> talos.resource.definitions.k8s.ExtraManifest
 	15, // 16: talos.resource.definitions.k8s.KubePrismConfigSpec.endpoints:type_name -> talos.resource.definitions.k8s.KubePrismEndpoint
 	15, // 17: talos.resource.definitions.k8s.KubePrismEndpointsSpec.endpoints:type_name -> talos.resource.definitions.k8s.KubePrismEndpoint
-	50, // 18: talos.resource.definitions.k8s.KubeletConfigSpec.extra_mounts:type_name -> talos.resource.definitions.proto.Mount
-	48, // 19: talos.resource.definitions.k8s.KubeletConfigSpec.extra_config:type_name -> google.protobuf.Struct
-	48, // 20: talos.resource.definitions.k8s.KubeletConfigSpec.credential_provider_config:type_name -> google.protobuf.Struct
-	41, // 21: talos.resource.definitions.k8s.KubeletConfigSpec.extra_args:type_name -> talos.resource.definitions.k8s.KubeletConfigSpec.ExtraArgsEntry
-	50, // 22: talos.resource.definitions.k8s.KubeletSpecSpec.extra_mounts:type_name -> talos.resource.definitions.proto.Mount
-	48, // 23: talos.resource.definitions.k8s.KubeletSpecSpec.config:type_name -> google.protobuf.Struct
-	48, // 24: talos.resource.definitions.k8s.KubeletSpecSpec.credential_provider_config:type_name -> google.protobuf.Struct
-	32, // 25: talos.resource.definitions.k8s.ManifestSpec.items:type_name -> talos.resource.definitions.k8s.SingleManifest
-	49, // 26: talos.resource.definitions.k8s.NodeIPSpec.addresses:type_name -> common.NetIP
-	42, // 27: talos.resource.definitions.k8s.NodeStatusSpec.labels:type_name -> talos.resource.definitions.k8s.NodeStatusSpec.LabelsEntry
-	43, // 28: talos.resource.definitions.k8s.NodeStatusSpec.annotations:type_name -> talos.resource.definitions.k8s.NodeStatusSpec.AnnotationsEntry
-	51, // 29: talos.resource.definitions.k8s.NodeStatusSpec.pod_cid_rs:type_name -> common.NetIPPrefix
-	44, // 30: talos.resource.definitions.k8s.Resources.requests:type_name -> talos.resource.definitions.k8s.Resources.RequestsEntry
-	45, // 31: talos.resource.definitions.k8s.Resources.limits:type_name -> talos.resource.definitions.k8s.Resources.LimitsEntry
+	51, // 18: talos.resource.definitions.k8s.KubeletConfigSpec.extra_mounts:type_name -> talos.resource.definitions.proto.Mount
+	49, // 19: talos.resource.definitions.k8s.KubeletConfigSpec.extra_config:type_name -> google.protobuf.Struct
+	49, // 20: talos.resource.definitions.k8s.KubeletConfigSpec.credential_provider_config:type_name -> google.protobuf.Struct
+	42, // 21: talos.resource.definitions.k8s.KubeletConfigSpec.extra_args:type_name -> talos.resource.definitions.k8s.KubeletConfigSpec.ExtraArgsEntry
+	51, // 22: talos.resource.definitions.k8s.KubeletSpecSpec.extra_mounts:type_name -> talos.resource.definitions.proto.Mount
+	49, // 23: talos.resource.definitions.k8s.KubeletSpecSpec.config:type_name -> google.protobuf.Struct
+	49, // 24: talos.resource.definitions.k8s.KubeletSpecSpec.credential_provider_config:type_name -> google.protobuf.Struct
+	33, // 25: talos.resource.definitions.k8s.ManifestSpec.items:type_name -> talos.resource.definitions.k8s.SingleManifest
+	50, // 26: talos.resource.definitions.k8s.NodeIPSpec.addresses:type_name -> common.NetIP
+	43, // 27: talos.resource.definitions.k8s.NodeStatusSpec.labels:type_name -> talos.resource.definitions.k8s.NodeStatusSpec.LabelsEntry
+	44, // 28: talos.resource.definitions.k8s.NodeStatusSpec.annotations:type_name -> talos.resource.definitions.k8s.NodeStatusSpec.AnnotationsEntry
+	52, // 29: talos.resource.definitions.k8s.NodeStatusSpec.pod_cid_rs:type_name -> common.NetIPPrefix
+	45, // 30: talos.resource.definitions.k8s.Resources.requests:type_name -> talos.resource.definitions.k8s.Resources.RequestsEntry
+	46, // 31: talos.resource.definitions.k8s.Resources.limits:type_name -> talos.resource.definitions.k8s.Resources.LimitsEntry
 	13, // 32: talos.resource.definitions.k8s.SchedulerConfigSpec.extra_volumes:type_name -> talos.resource.definitions.k8s.ExtraVolume
-	46, // 33: talos.resource.definitions.k8s.SchedulerConfigSpec.environment_variables:type_name -> talos.resource.definitions.k8s.SchedulerConfigSpec.EnvironmentVariablesEntry
-	29, // 34: talos.resource.definitions.k8s.SchedulerConfigSpec.resources:type_name -> talos.resource.definitions.k8s.Resources
-	48, // 35: talos.resource.definitions.k8s.SchedulerConfigSpec.config:type_name -> google.protobuf.Struct
-	47, // 36: talos.resource.definitions.k8s.SchedulerConfigSpec.extra_args:type_name -> talos.resource.definitions.k8s.SchedulerConfigSpec.ExtraArgsEntry
-	48, // 37: talos.resource.definitions.k8s.SingleManifest.object:type_name -> google.protobuf.Struct
-	48, // 38: talos.resource.definitions.k8s.StaticPodSpec.pod:type_name -> google.protobuf.Struct
-	48, // 39: talos.resource.definitions.k8s.StaticPodStatusSpec.pod_status:type_name -> google.protobuf.Struct
+	47, // 33: talos.resource.definitions.k8s.SchedulerConfigSpec.environment_variables:type_name -> talos.resource.definitions.k8s.SchedulerConfigSpec.EnvironmentVariablesEntry
+	30, // 34: talos.resource.definitions.k8s.SchedulerConfigSpec.resources:type_name -> talos.resource.definitions.k8s.Resources
+	49, // 35: talos.resource.definitions.k8s.SchedulerConfigSpec.config:type_name -> google.protobuf.Struct
+	48, // 36: talos.resource.definitions.k8s.SchedulerConfigSpec.extra_args:type_name -> talos.resource.definitions.k8s.SchedulerConfigSpec.ExtraArgsEntry
+	49, // 37: talos.resource.definitions.k8s.SingleManifest.object:type_name -> google.protobuf.Struct
+	49, // 38: talos.resource.definitions.k8s.StaticPodSpec.pod:type_name -> google.protobuf.Struct
+	49, // 39: talos.resource.definitions.k8s.StaticPodStatusSpec.pod_status:type_name -> google.protobuf.Struct
 	3,  // 40: talos.resource.definitions.k8s.APIServerConfigSpec.ExtraArgsEntry.value:type_name -> talos.resource.definitions.k8s.ArgValues
 	3,  // 41: talos.resource.definitions.k8s.ControllerManagerConfigSpec.ExtraArgsEntry.value:type_name -> talos.resource.definitions.k8s.ArgValues
 	3,  // 42: talos.resource.definitions.k8s.KubeletConfigSpec.ExtraArgsEntry.value:type_name -> talos.resource.definitions.k8s.ArgValues
@@ -2737,7 +2785,7 @@ func file_resource_definitions_k8s_k8s_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_resource_definitions_k8s_k8s_proto_rawDesc), len(file_resource_definitions_k8s_k8s_proto_rawDesc)),
 			NumEnums:      0,
-			NumMessages:   48,
+			NumMessages:   49,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
diff --git a/pkg/machinery/api/resource/definitions/k8s/k8s_vtproto.pb.go b/pkg/machinery/api/resource/definitions/k8s/k8s_vtproto.pb.go
index b015ce3ee..81faba89e 100644
--- a/pkg/machinery/api/resource/definitions/k8s/k8s_vtproto.pb.go
+++ b/pkg/machinery/api/resource/definitions/k8s/k8s_vtproto.pb.go
@@ -1499,6 +1499,46 @@ func (m *KubeletConfigSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }
 
+func (m *KubeletKubeconfigSpec) MarshalVT() (dAtA []byte, err error) {
+	if m == nil {
+		return nil, nil
+	}
+	size := m.SizeVT()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBufferVT(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *KubeletKubeconfigSpec) MarshalToVT(dAtA []byte) (int, error) {
+	size := m.SizeVT()
+	return m.MarshalToSizedBufferVT(dAtA[:size])
+}
+
+func (m *KubeletKubeconfigSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
+	if m == nil {
+		return 0, nil
+	}
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.unknownFields != nil {
+		i -= len(m.unknownFields)
+		copy(dAtA[i:], m.unknownFields)
+	}
+	if len(m.Hash) > 0 {
+		i -= len(m.Hash)
+		copy(dAtA[i:], m.Hash)
+		i = protohelpers.EncodeVarint(dAtA, i, uint64(len(m.Hash)))
+		i--
+		dAtA[i] = 0xa
+	}
+	return len(dAtA) - i, nil
+}
+
 func (m *KubeletSpecSpec) MarshalVT() (dAtA []byte, err error) {
 	if m == nil {
 		return nil, nil
@@ -3138,6 +3178,20 @@ func (m *KubeletConfigSpec) SizeVT() (n int) {
 	return n
 }
 
+func (m *KubeletKubeconfigSpec) SizeVT() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Hash)
+	if l > 0 {
+		n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
+	}
+	n += len(m.unknownFields)
+	return n
+}
+
 func (m *KubeletSpecSpec) SizeVT() (n int) {
 	if m == nil {
 		return 0
@@ -7664,6 +7718,89 @@ func (m *KubeletConfigSpec) UnmarshalVT(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *KubeletKubeconfigSpec) UnmarshalVT(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return protohelpers.ErrIntOverflow
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: KubeletKubeconfigSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: KubeletKubeconfigSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Hash", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Hash = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := protohelpers.Skip(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.unknownFields = append(m.unknownFields, dAtA[iNdEx:iNdEx+skippy]...)
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func (m *KubeletSpecSpec) UnmarshalVT(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
diff --git a/pkg/machinery/resources/k8s/deep_copy.generated.go b/pkg/machinery/resources/k8s/deep_copy.generated.go
index 022b0bc76..14d17f74f 100644
--- a/pkg/machinery/resources/k8s/deep_copy.generated.go
+++ b/pkg/machinery/resources/k8s/deep_copy.generated.go
@@ -2,7 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-// Code generated by "deep-copy -type AdmissionControlConfigSpec -type APIServerConfigSpec -type AuditPolicyConfigSpec -type AuthorizationConfigSpec -type BootstrapManifestsConfigSpec -type ConfigStatusSpec -type ControllerManagerConfigSpec -type EndpointSpec -type ExtraManifestsConfigSpec -type KubeletLifecycleSpec -type KubePrismConfigSpec -type KubePrismEndpointsSpec -type KubePrismStatusesSpec -type KubeletSpecSpec -type ManifestSpec -type ManifestStatusSpec -type NodeAnnotationSpecSpec -type NodeCordonedSpecSpec -type NodeLabelSpecSpec -type NodeTaintSpecSpec -type KubeletConfigSpec -type NodeIPSpec -type NodeIPConfigSpec -type NodeStatusSpec -type NodenameSpec -type SchedulerConfigSpec -type SecretsStatusSpec -type StaticPodSpec -type StaticPodStatusSpec -type StaticPodServerStatusSpec -header-file ../../../../hack/boilerplate.txt -o deep_copy.generated.go ."; DO NOT EDIT.
+// Code generated by "deep-copy -type AdmissionControlConfigSpec -type APIServerConfigSpec -type AuditPolicyConfigSpec -type AuthorizationConfigSpec -type BootstrapManifestsConfigSpec -type ConfigStatusSpec -type ControllerManagerConfigSpec -type EndpointSpec -type ExtraManifestsConfigSpec -type KubeletKubeconfigSpec -type KubeletLifecycleSpec -type KubePrismConfigSpec -type KubePrismEndpointsSpec -type KubePrismStatusesSpec -type KubeletSpecSpec -type ManifestSpec -type ManifestStatusSpec -type NodeAnnotationSpecSpec -type NodeCordonedSpecSpec -type NodeLabelSpecSpec -type NodeTaintSpecSpec -type KubeletConfigSpec -type NodeIPSpec -type NodeIPConfigSpec -type NodeStatusSpec -type NodenameSpec -type SchedulerConfigSpec -type SecretsStatusSpec -type StaticPodSpec -type StaticPodStatusSpec -type StaticPodServerStatusSpec -header-file ../../../../hack/boilerplate.txt -o deep_copy.generated.go ."; DO NOT EDIT.
 
 package k8s
 
@@ -210,6 +210,12 @@ func (o ExtraManifestsConfigSpec) DeepCopy() ExtraManifestsConfigSpec {
 	return cp
 }
 
+// DeepCopy generates a deep copy of KubeletKubeconfigSpec.
+func (o KubeletKubeconfigSpec) DeepCopy() KubeletKubeconfigSpec {
+	var cp KubeletKubeconfigSpec = o
+	return cp
+}
+
 // DeepCopy generates a deep copy of KubeletLifecycleSpec.
 func (o KubeletLifecycleSpec) DeepCopy() KubeletLifecycleSpec {
 	var cp KubeletLifecycleSpec = o
diff --git a/pkg/machinery/resources/k8s/k8s.go b/pkg/machinery/resources/k8s/k8s.go
index 7afd18c34..d89d813f5 100644
--- a/pkg/machinery/resources/k8s/k8s.go
+++ b/pkg/machinery/resources/k8s/k8s.go
@@ -7,7 +7,7 @@ package k8s
 
 import "github.com/cosi-project/runtime/pkg/resource"
 
-//go:generate go tool github.com/siderolabs/deep-copy -type AdmissionControlConfigSpec -type APIServerConfigSpec -type AuditPolicyConfigSpec -type AuthorizationConfigSpec -type BootstrapManifestsConfigSpec -type ConfigStatusSpec -type ControllerManagerConfigSpec -type EndpointSpec -type ExtraManifestsConfigSpec -type KubeletLifecycleSpec -type KubePrismConfigSpec -type KubePrismEndpointsSpec -type KubePrismStatusesSpec -type KubeletSpecSpec -type ManifestSpec -type ManifestStatusSpec -type NodeAnnotationSpecSpec -type NodeCordonedSpecSpec -type NodeLabelSpecSpec -type NodeTaintSpecSpec -type KubeletConfigSpec -type NodeIPSpec -type NodeIPConfigSpec -type NodeStatusSpec -type NodenameSpec -type SchedulerConfigSpec -type SecretsStatusSpec -type StaticPodSpec -type StaticPodStatusSpec -type StaticPodServerStatusSpec  -header-file ../../../../hack/boilerplate.txt -o deep_copy.generated.go .
+//go:generate go tool github.com/siderolabs/deep-copy -type AdmissionControlConfigSpec -type APIServerConfigSpec -type AuditPolicyConfigSpec -type AuthorizationConfigSpec -type BootstrapManifestsConfigSpec -type ConfigStatusSpec -type ControllerManagerConfigSpec -type EndpointSpec -type ExtraManifestsConfigSpec -type KubeletKubeconfigSpec -type KubeletLifecycleSpec -type KubePrismConfigSpec -type KubePrismEndpointsSpec -type KubePrismStatusesSpec -type KubeletSpecSpec -type ManifestSpec -type ManifestStatusSpec -type NodeAnnotationSpecSpec -type NodeCordonedSpecSpec -type NodeLabelSpecSpec -type NodeTaintSpecSpec -type KubeletConfigSpec -type NodeIPSpec -type NodeIPConfigSpec -type NodeStatusSpec -type NodenameSpec -type SchedulerConfigSpec -type SecretsStatusSpec -type StaticPodSpec -type StaticPodStatusSpec -type StaticPodServerStatusSpec  -header-file ../../../../hack/boilerplate.txt -o deep_copy.generated.go .
 
 // NamespaceName contains resources supporting Kubernetes components on all node types.
 const NamespaceName resource.Namespace = "k8s"
diff --git a/pkg/machinery/resources/k8s/k8s_test.go b/pkg/machinery/resources/k8s/k8s_test.go
index fcaf9281c..c06c4ad6b 100644
--- a/pkg/machinery/resources/k8s/k8s_test.go
+++ b/pkg/machinery/resources/k8s/k8s_test.go
@@ -36,6 +36,7 @@ func TestRegisterResource(t *testing.T) {
 		&k8s.Endpoint{},
 		&k8s.ExtraManifestsConfig{},
 		&k8s.KubeletConfig{},
+		&k8s.KubeletKubeconfig{},
 		&k8s.KubeletLifecycle{},
 		&k8s.KubeletSpec{},
 		&k8s.KubePrismStatuses{},
diff --git a/pkg/machinery/resources/k8s/kubelet_kubeconfig.go b/pkg/machinery/resources/k8s/kubelet_kubeconfig.go
new file mode 100644
index 000000000..4235ced61
--- /dev/null
+++ b/pkg/machinery/resources/k8s/kubelet_kubeconfig.go
@@ -0,0 +1,71 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package k8s
+
+import (
+	"github.com/cosi-project/runtime/pkg/resource"
+	"github.com/cosi-project/runtime/pkg/resource/meta"
+	"github.com/cosi-project/runtime/pkg/resource/protobuf"
+	"github.com/cosi-project/runtime/pkg/resource/typed"
+
+	"github.com/siderolabs/talos/pkg/machinery/proto"
+)
+
+// KubeletKubeconfigType is type of KubeletKubeconfig resource.
+const KubeletKubeconfigType = resource.Type("KubeletKubeconfigs.kubernetes.talos.dev")
+
+// KubeletKubeconfigID is a singleton resource ID for KubeletKubeconfig.
+const KubeletKubeconfigID = resource.ID("kubelet")
+
+// KubeletKubeconfig resource exposes the on-disk kubelet kubeconfig state so
+// that consumers can detect when the file has changed and rebuild their
+// Kubernetes clients (the informer's reflector doesn't bubble up
+// connection-refused errors against a stale endpoint).
+type KubeletKubeconfig = typed.Resource[KubeletKubeconfigSpec, KubeletKubeconfigExtension]
+
+// KubeletKubeconfigSpec describes the current kubelet kubeconfig file.
+//
+//gotagsrewrite:gen
+type KubeletKubeconfigSpec struct {
+	// Hash is a content digest of the kubeconfig file. It changes whenever the
+	// file contents change, which is the signal consumers use to rebuild their
+	// Kubernetes clients.
+	Hash string `yaml:"hash" protobuf:"1"`
+}
+
+// NewKubeletKubeconfig initializes a KubeletKubeconfig resource.
+func NewKubeletKubeconfig(namespace resource.Namespace, id resource.ID) *KubeletKubeconfig {
+	return typed.NewResource[KubeletKubeconfigSpec, KubeletKubeconfigExtension](
+		resource.NewMetadata(namespace, KubeletKubeconfigType, id, resource.VersionUndefined),
+		KubeletKubeconfigSpec{},
+	)
+}
+
+// KubeletKubeconfigExtension provides auxiliary methods for KubeletKubeconfig.
+type KubeletKubeconfigExtension struct{}
+
+// ResourceDefinition implements [typed.Extension] interface.
+func (KubeletKubeconfigExtension) ResourceDefinition() meta.ResourceDefinitionSpec {
+	return meta.ResourceDefinitionSpec{
+		Type:             KubeletKubeconfigType,
+		Aliases:          []resource.Type{},
+		DefaultNamespace: NamespaceName,
+		PrintColumns: []meta.PrintColumn{
+			{
+				Name:     "Hash",
+				JSONPath: "{.hash}",
+			},
+		},
+	}
+}
+
+func init() {
+	proto.RegisterDefaultTypes()
+
+	err := protobuf.RegisterDynamic[KubeletKubeconfigSpec](KubeletKubeconfigType, &KubeletKubeconfig{})
+	if err != nil {
+		panic(err)
+	}
+}
diff --git a/website/content/v1.13/reference/api.md b/website/content/v1.13/reference/api.md
index 7a77030f3..c5f0d0533 100644
--- a/website/content/v1.13/reference/api.md
+++ b/website/content/v1.13/reference/api.md
@@ -445,6 +445,7 @@ description: Talos gRPC API reference.
     - [KubePrismStatusesSpec](#talos.resource.definitions.k8s.KubePrismStatusesSpec)
     - [KubeletConfigSpec](#talos.resource.definitions.k8s.KubeletConfigSpec)
     - [KubeletConfigSpec.ExtraArgsEntry](#talos.resource.definitions.k8s.KubeletConfigSpec.ExtraArgsEntry)
+    - [KubeletKubeconfigSpec](#talos.resource.definitions.k8s.KubeletKubeconfigSpec)
     - [KubeletSpecSpec](#talos.resource.definitions.k8s.KubeletSpecSpec)
     - [ManifestSpec](#talos.resource.definitions.k8s.ManifestSpec)
     - [ManifestStatusSpec](#talos.resource.definitions.k8s.ManifestStatusSpec)
@@ -7884,6 +7885,21 @@ KubeletConfigSpec holds the source of kubelet configuration.
 
 
 
+<a name="talos.resource.definitions.k8s.KubeletKubeconfigSpec"></a>
+
+### KubeletKubeconfigSpec
+KubeletKubeconfigSpec describes the current kubelet kubeconfig file.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| hash | [string](#string) |  |  |
+
+
+
+
+
+
 <a name="talos.resource.definitions.k8s.KubeletSpecSpec"></a>
 
 ### KubeletSpecSpec