Mastering security in your Kubernetes infrastructure with Omni and Talos Linux

Kubernetes gives teams power, flexibility, and speed, but it comes at a cost. Its complexity can easily create blind spots, opening the door to bad actors and making infrastructure security difficult. This is particularly problematic as cyber threats are on the rise.
Nearly 46% of organizations reported loss of revenue or customers as a result of a Kubernetes and container-related security incident, and 30% faced legal or compliance penalties. In 2024, cyber threats were found to have increased 75% year-over-year, and the total number of attacks is only expected to increase.
Successful security today requires powerful features as well as a carefully designed foundation, built upon processes that drastically reduce vulnerabilities. That’s why we do things differently at Sidero.
Businesses looking to make their Kubernetes infrastructure more secure often choose to add more software and layers to their systems. This solves certain problems, but ultimately creates new opportunities for error and vulnerability. Instead of adding layers, Talos Linux and Omni eliminate every unnecessary binary and focus on absolute minimalism. This provides an inherent, fundamental security that takes away pressure from your team.
Here’s what makes Omni and Talos Linux so powerful. If you’re looking for a full list of relevant features, you’ll find that at the end of this article.
The OS is too big. We shrink it.
Last time we checked, there were 2780 binaries in Ubuntu and 2391 in Flatcar. Talos Linux has <50. That’s a fraction of the size, and it is by design.
Binaries and size are not direct indicators of security but rather reflect a system’s attack surface and susceptibility to errors. If even 1% of binaries have a known vulnerability at any given time, your risk is going to be far higher with a system using 2780 binaries than one with <50. Fewer binaries also make it easier for your team to validate security.
Talos Linux delivers only what you need and nothing more, so you get more security and less work.
Drift and misconfiguration ruin reliability. We remove them.
According to one study (gated), organizations rank misconfiguration as their second-highest concern in container and Kubernetes environments, and numerous reports cite misconfigured or drifted infrastructure as the source of a data breach. While Kubernetes’s high customizability is one of its greatest advantages, several practices can easily lead to misconfigurations and vulnerabilities.
SSH and manual configuration are built into the processes of many teams, as these allow organizations to quickly address evolving strategies, practices, or requirements. However, while practical in the day-to-day, they cause problems over time, opening the door directly to configuration drift and increased vulnerabilities.
Immutability largely closes these doors. That’s why Talos Linux replaces practices like SSH with APIs and declarative configuration, encouraging best practices and reducing the chance of error.
Talos Linux boots from a signed, read-only image with a read-only root filesystem, so there is little that can be modified. On UEFI systems it boots a Unified Kernel Image (UKI) that is signed by Sidero as the signing authority and verified at boot. Every change to Talos Linux must pass through its API, which validates the change and exposes only a limited, predictable set of operations.
By removing SSH and the shell entirely, Talos Linux fully enforces the immutability model, limiting configuration drift, simplifying auditing and rollback, eliminating an attack vector, and even reducing the surface for lateral movement during a breach.
Boot is a soft target. We harden it.
Boot time is particularly dangerous for a Kubernetes infrastructure. Malware at the firmware or bootloader level avoids the reach of traditional security tools and is difficult to detect. It also persists across reboots and re-imaging, leaving many teams waiting for the problem to be patched. The ability to block someone from gaining access beneath the OS and tampering with files is critical for both organizational security and for meeting high-assurance compliance requirements like FIPS.
While Secure Boot increases system security, verifying the digital signatures of bootloaders and operating systems, Trusted Boot is needed to stop attempts to modify system files, inject malicious code, or otherwise compromise the kernel. Talos Linux comes with both.
Talos Linux’s out-of-the-box Trusted Boot provides a three-step chain of trust: each layer validates the next, and the boot process halts if any component has been tampered with.
When Secure Boot and disk encryption are enabled, Talos Linux will only ever boot a verified image from a disk it can decrypt, and it validates the integrity of the system at every boot. The system trusts only a signed EFI boot device and ensures no tampering occurred during the early boot stages. Boot disk integrity follows from the fact that the disk can be unlocked only by that machine, without human interaction: decryption uses keys sealed in the TPM or retrieved from a remote Key Management System (KMS). This also prevents rootkits and boot-time malware from compromising the OS.
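As an added illustration (not Sidero's code), the following Python audit checks a Talos machine configuration, already loaded from YAML into a dict (e.g. with yaml.safe_load), for the disk-encryption model described above: both the state and ephemeral partitions must be LUKS2-encrypted, and every key slot must be sealed to the TPM or served by a KMS rather than a static passphrase. The sample config and the `audit_disk_encryption` function are constructed for this example.

```python
"""Audit a Talos machine config dict for TPM/KMS-backed disk encryption.
Added example, not Sidero's code; the sample config below is constructed."""

# Key types accepted under machine.systemDiskEncryption.<partition>.keys[].
# 'tpm' and 'kms' keep the secret off the disk; 'static' embeds a passphrase
# in the config and 'nodeID' derives the key from the (non-secret) node UUID.
STRONG_KEY_TYPES = {"tpm", "kms"}
PARTITIONS = ("state", "ephemeral")


def audit_disk_encryption(config: dict) -> list[str]:
    """Return findings; an empty list means the config matches the
    TPM/KMS-backed encryption model the article describes."""
    findings = []
    enc = config.get("machine", {}).get("systemDiskEncryption") or {}
    for part in PARTITIONS:
        spec = enc.get(part)
        if not spec:
            findings.append(f"{part}: not encrypted")
            continue
        if spec.get("provider") != "luks2":
            findings.append(f"{part}: unexpected provider {spec.get('provider')!r}")
        keys = spec.get("keys") or []
        if not keys:
            findings.append(f"{part}: no key slots defined")
        for key in keys:
            # Each slot entry carries 'slot' plus exactly one key-type key.
            kind = next((k for k in key if k != "slot"), None)
            if kind not in STRONG_KEY_TYPES:
                findings.append(
                    f"{part}: slot {key.get('slot')} uses weak key type {kind!r}"
                )
    return findings


# Constructed sample: state partition sealed to the TPM, but the ephemeral
# partition still carries a static passphrase left over from testing.
SAMPLE_CONFIG = {
    "version": "v1alpha1",
    "machine": {
        "systemDiskEncryption": {
            "state": {"provider": "luks2", "keys": [{"slot": 0, "tpm": {}}]},
            "ephemeral": {
                "provider": "luks2",
                "keys": [{"slot": 0, "static": {"passphrase": "changeme"}}],
            },
        }
    },
}

if __name__ == "__main__":
    for line in audit_disk_encryption(SAMPLE_CONFIG) or ["OK"]:
        print(line)
```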
Access can be abused. We lock it down.
Kernel exploits allow an attacker to escalate privileges and break trust. This drastically increases their reach and capacity to cause damage. Kernel protections are recommended by frameworks like SOC 2, NIST, and CIS and are particularly valuable for edge and bare metal, where the burden of security falls squarely on the team’s shoulders rather than a solution provider.
Some Linux-based Kubernetes OSes provide a level of protection through Mandatory Access Control tools such as SELinux or AppArmor, which can contain certain kernel exploits. Talos Linux is the only Linux distribution known to us that is KSPP-hardened by default and requires signed kernel modules.
The Kernel Self Protection Project (KSPP) proactively hardens the kernel to prevent whole classes of issues, enforcing memory protections and blocking unprivileged BPF to prevent potentially devastating infrastructure attacks. Talos Linux builds further on KSPP: it enforces signed-only module loading and prevents runtime extension of the kernel by shipping only static kernels. This makes it one of the most secure Linux distributions you can find.
Secrets can leak. Ours don’t.
Most Kubernetes setups require operators to manually manage and secure system-level secrets like Kubernetes API certificates and disk encryption keys. These credentials are critical to the integrity of the cluster, yet are often stored on disk, passed through provisioning pipelines, or handled inconsistently across environments. Usually, securing these secrets is your responsibility. With Omni, it’s built in.
Omni generates, distributes, and manages all system secrets for you, ensuring that the certificates protecting your Kubernetes and Talos APIs, as well as your disk encryption keys, are handled securely and not exposed. This removes a common source of operational risk and greatly simplifies compliance for sensitive environments.
FIPS compliance
FIPS 140-3 compliance is a must-have for many teams working in regulated environments. Talos Linux comes with the option for FIPS-compliant builds, making it easy to ensure your OS is fully compliant.
Securing your Kubernetes infrastructure with Talos Linux and Omni
Here’s a look at our features and facets that keep your Kubernetes infrastructure secure.
Operating System & Runtime Security
- No shell or SSH: Eliminates remote code execution and arbitrary changes
- Read-only root filesystem: Prevents modification or tampering of binaries
- <50 binaries total: Reduces attack surface and limits CVEs
- Kernel Self Protection Project (KSPP): Prevents classes of kernel-level exploits
- SELinux / Seccomp: Restricts runtime process capabilities and access
- Ingress firewall: Allows only explicitly permitted ports to be accessible externally
- Node-to-node encryption: KubeSpan secures communication within the cluster
- Node-to-Omni encryption: SideroLink secures communication and protects the Talos API from unauthenticated access
- Open source: Talos Linux is a transparent codebase with broad community visibility
- CIS Benchmark validated
Boot and Disk Integrity
- Secure Boot: Ensures only signed EFI boot files run
- Trusted Boot: Enables full-chain verification from firmware to OS
- Disk encryption with TPM or remote KMS: Ensures disk access only on original hardware or via secured KMS
- Signed container images: Verified with Sigstore and Sidero employee signatures
- Fully bootstrapped builds: Full source-to-build trust chain through StageX
API & Access Control
- mTLS-authenticated API: Strong mutual TLS with PKI and certificate rotation
- No passwords: Authentication only via secure mTLS
- Limited-scope API: Prevents broad access, only allows specific validated operations
- OAuth-based RBAC: Granular access control for Talos, Omni, and Kubernetes APIs
- Audit logs: Track and review access and changes
Omni-specific Protections
- Hardened system access: Prevents manual tampering and disallows unverified upgrades
- Managed node disk encryption: Enforced encryption for all nodes via Omni
- Access control tied to identities: Users and permissions managed centrally
Security doesn’t scale when it’s tacked on. That’s why we bake it into Talos Linux and Omni. If you have 15 minutes, book a chat with our specialists to discuss how we can make your infrastructure more secure.