Scripts · April 15, 2026 · 1 min read

Talos Linux — Immutable, API-Managed OS for Kubernetes

A minimal, immutable, SSH-less Linux distribution where every node is configured entirely over a gRPC API — designed only to run Kubernetes.

Introduction

Talos Linux is a purpose-built operating system for Kubernetes: no shell, no systemd, no SSH, no package manager. A single machined PID 1 written in Go exposes a signed gRPC API; every configuration change — kernel args, CNI, disks, upgrades — happens through talosctl. The surface area for compromise is ~10% of a general-purpose Linux.

What Talos Linux Does

  • Boots from ISO / PXE / cloud image into a stateless root filesystem
  • Configures Kubernetes control plane and workers via declarative YAML
  • Exposes only machined (gRPC, mTLS) — no SSH, no shell, no package manager
  • Upgrades atomically by writing a new system image to the inactive (B) root partition and rebooting into it
  • Supports AWS, Azure, GCP, Hetzner, Equinix, vSphere, bare metal, Raspberry Pi

Architecture Overview

Talos is built with a minimal musl-libc + Go userspace. machined is PID 1 and supervises a handful of services (etcd, kubelet, containerd, apid, trustd). The root filesystem is read-only SquashFS; anything that must survive a reboot lives on the writable STATE and EPHEMERAL partitions. The gRPC API is mTLS-authenticated via a per-cluster CA bundle; talosctl is the only operator-facing tool.

Self-Hosting & Configuration

  • Use the Image Factory to build custom installer images with extensions
  • controlplane.yaml / worker.yaml define every node's config declaratively
  • Omni (SaaS or self-hosted) provides a cluster lifecycle UI and KubeSpan VPN
  • Upgrades: talosctl upgrade --image ghcr.io/siderolabs/installer:v1.8.2
  • Backups: talosctl etcd snapshot stores an encrypted etcd snapshot
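As an added example (not code from the Talos project or its docs), a POSIX shell function that strings the two procedures above together in the order a practitioner wants them: take the etcd snapshot first, refuse to upgrade an unhealthy cluster, write the new image to the inactive partition, and roll back if the node does not come back healthy. It assumes talosctl is on PATH with TALOSCONFIG set for the cluster, that the node is a control-plane member, and that the `health --wait-timeout`, `upgrade --preserve --wait`, `rollback` and `version --short` flags match your talosctl version; the node address 10.0.0.5 in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not Talos project code: snapshot etcd, check health, upgrade
# one node over the Talos API, and roll back if it does not return healthy.
# Assumes talosctl on PATH, TALOSCONFIG pointing at the cluster, a
# control-plane node, and that the flags below exist in your talosctl.
set -eu

# usage: talos_upgrade_node 10.0.0.5 [installer-image] [backup-dir]
talos_upgrade_node() {
  node="$1"
  image="${2:-ghcr.io/siderolabs/installer:v1.8.2}"   # tag named on the page
  backup_dir="${3:-./etcd-backups}"
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"
  mkdir -p "$backup_dir"

  # 1. Snapshot etcd before anything is written: the A/B scheme protects the
  #    OS image, not etcd contents, so the backup must exist first.
  talosctl --nodes "$node" etcd snapshot "$backup_dir/etcd-$stamp.snapshot" \
    || { echo "etcd snapshot failed; aborting" >&2; return 1; }

  # 2. Refuse to upgrade a cluster that is not healthy to begin with.
  talosctl --nodes "$node" health --wait-timeout 5m \
    || { echo "cluster unhealthy before upgrade; aborting" >&2; return 1; }

  # 3. Write the new image to the inactive partition and reboot into it.
  #    --preserve keeps the EPHEMERAL partition; --wait blocks until the
  #    node reports the upgrade finished.
  talosctl --nodes "$node" upgrade --image "$image" --preserve --wait \
    || { echo "upgrade command failed" >&2; return 1; }

  # 4. Accept the new slot only if the node is healthy again; otherwise
  #    boot the previous slot, which is still intact on the other partition.
  if ! talosctl --nodes "$node" health --wait-timeout 10m; then
    echo "node unhealthy after upgrade; rolling back" >&2
    talosctl --nodes "$node" rollback
    return 1
  fi
  talosctl --nodes "$node" version --short
}
```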

Key Features

  • No SSH, no shell — drastically reduced attack surface
  • Immutable A/B root partitions; atomic upgrades and instant rollback
  • Declarative machine config versioned in Git
  • KubeSpan mesh (WireGuard) links nodes across clouds without a VPN appliance
  • CNCF Sandbox project with active commercial backing (Sidero Labs)

Comparison with Similar Tools

  • Flatcar / CoreOS — immutable too, but still include SSH and Ignition; broader distro
  • Bottlerocket (AWS) — similar philosophy, tightly coupled to EKS/ECS on AWS
  • k0s / k3s on Ubuntu — easier onboarding but relies on general-purpose OS
  • RancherOS — older project; development discontinued
  • Photon OS — VMware-centric minimal OS; less Kubernetes-focused

FAQ

Q: How do I debug a node without SSH? A: talosctl logs machined, talosctl dmesg, talosctl shell (ephemeral debug pod). Everything is via the API.

Q: Does it run arbitrary workloads? A: Only Kubernetes workloads. Talos only supports containerd-managed pods.

Q: Can I run on bare metal? A: Yes — it is the original target. Use PXE, iPXE, or USB installer images.

Q: What about persistent storage? A: STATE + EPHEMERAL partitions are auto-provisioned; use Rook/Longhorn/Ceph for PVs.
