Mastering Security in Your Kubernetes Infrastructure with Omni and Talos Linux

Kubernetes gives teams power, flexibility, and speed. But it comes at a cost. The complexity of Kubernetes infrastructures can create blind spots. Those blind spots open doors to bad actors.

Nearly 46% of organizations reported loss of revenue or customers as a result of a Kubernetes and container-related security incident, and 30% faced legal or compliance penalties. And the level of attacks is only going to increase. In fact, in 2024, cyber threats were already found to have increased 75% year-over-year.

This is why a fundamental, inherent method of security is necessary to ensure infrastructure remains safe year after year. Successful security will require both powerful features and a carefully designed foundation. That’s why we do things differently at Sidero.

Businesses often bolt more software onto their systems in an effort to make them more secure, even though every added component brings its own opportunities for error and vulnerability. Instead of adding layers, Talos Linux and Omni remove every unnecessary binary, prioritize immutability, and aim for absolute minimalism. Together, the pair provides an inherent security that takes work and pressure off your team.

Here’s what makes Omni and Talos Linux so powerful. If you’re looking for a full list of relevant features, you’ll find that at the end of this article.

The OS is Too Big. We Shrink It.

Last time we checked, there were 2780 binaries in Ubuntu and 2391 in Flatcar. Talos Linux has <50. That’s a fraction of the size, and is by design.

Binary count is not a security metric in itself, but it is a good proxy for attack surface and for the number of places where something can go wrong. If even 1% of binaries carry a known vulnerability at any given time, a 2,780-binary OS ships roughly 28 vulnerable components before you deploy a single workload, while a sub-50-binary OS ships at most a handful. Fewer vulnerable components mean fewer footholds for an attacker, and a far smaller set for your team to validate and keep patched.

Talos Linux delivers only what you need and nothing more, so you get more security and less work.

Drift and Misconfiguration Ruin Reliability. We Remove It.

According to one study (gated), organizations rank misconfiguration as their second highest concern in container and Kubernetes environments, and numerous reports cite misconfigured or drifted infrastructure as the source of a data breach. While Kubernetes’s high customizability is one of its greatest advantages, several practices can easily lead to misconfigurations and vulnerabilities. 

SSH and manual configuration are built into the processes of many teams, because they let an operator react quickly to changes in strategy, best practices, and the other everyday surprises of running infrastructure. While convenient day to day, they accumulate undocumented changes over time, and that is precisely how configuration drift and new vulnerabilities creep in.

Immutability largely closes these doors, as Talos Linux removes the tools that enable problematic practices like SSHing into production. Its API-driven nature encourages best practices for ongoing maintenance through declarative configuration.

Talos Linux boots from a signed, read-only image with a read-only root filesystem, so its binaries cannot be modified in place. On UEFI systems it boots a Unified Kernel Image (UKI) that bundles kernel, initramfs and command line into a single signed artifact; Sidero is the signing authority and the firmware verifies the signature before executing it. Every change to a running node must go through the Talos API, which validates it against the machine configuration schema and exposes only a limited, predictable set of operations.

By removing SSH and the shell entirely, Talos Linux fully enforces the immutability model, drastically limiting configuration drift, simplifying auditing and rollback, eliminating an attack vector, and even reducing the surface for lateral movement during a breach.

Boot is a Soft Target. We Harden It.

Boot time is a particularly dangerous window for Kubernetes infrastructure. Malware at the firmware or bootloader level runs before any OS-level security tooling has loaded, is difficult to detect, and persists across reboots and re-imaging, leaving many teams waiting for a vendor patch rather than able to remediate. Blocking an attacker from getting beneath the OS and tampering with files is critical both for organizational security and for high-assurance compliance regimes.

Secure Boot raises the bar by verifying the digital signatures of the bootloader and kernel before the firmware executes them, but on its own it says nothing about what happens once the kernel is running. Trusted Boot extends the chain: each boot component is measured into the TPM, and the disk encryption key is sealed to those measurements, so a modified kernel, initramfs or root filesystem cannot obtain the key and the node fails to boot rather than running tampered code.

Talos Linux provides Trusted Boot out of the box as a three-stage chain of trust, in which each layer validates the next and the boot halts if any component fails verification.

When Secure Boot and disk encryption are enabled, Talos Linux boots only a signed image from a trusted EFI boot device, and the system disk is unlocked only if the measured boot chain matches what the encryption key was sealed to. Because the key lives in the TPM (or in a remote Key Management System, KMS) and is released automatically, no human ever handles it and no passphrase is typed at the console; a tampered bootloader, kernel or initramfs simply cannot unlock the disk. That gives boot-disk integrity without manual intervention and stops rootkits or boot-time malware from persisting into the OS.
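The machine configuration that turns this on, as an added example that is not from the original post or from Sidero's own documentation: a Talos machine configuration fragment that encrypts the STATE and EPHEMERAL partitions with LUKS2 keys sealed in the TPM, plus a second key slot backed by a remote KMS as a recovery path. The KMS endpoint and the decision to use a KMS at all are assumptions for an imagined deployment.

```yaml
# Added example (not from the original post or Sidero's docs): Talos machine
# configuration fragment enabling TPM-sealed LUKS2 encryption of the system
# partitions. Assumes a Secure Boot (UKI) Talos image and a TPM 2.0 on the node.
# The KMS endpoint below is a placeholder for an assumed deployment.
version: v1alpha1
machine:
  systemDiskEncryption:
    # STATE holds the machine config and the node's Talos PKI material.
    state:
      provider: luks2
      keys:
        - slot: 0
          tpm:
            # Refuse to enroll the TPM key if the firmware reports Secure Boot
            # is off, so a key is never sealed on an unverified boot chain.
            checkSecurebootStatusOnEnroll: true
    # EPHEMERAL holds container images, etcd data and kubelet state.
    ephemeral:
      provider: luks2
      keys:
        - slot: 0
          tpm:
            checkSecurebootStatusOnEnroll: true
        # Second slot: a remote KMS unlock path, so an operator can still
        # recover the disk if the TPM key can no longer be unsealed.
        # (endpoint is an assumed placeholder)
        - slot: 1
          kms:
            endpoint: https://kms.example.internal:4050
      options:
        - no_read_workqueue
        - no_write_workqueue
```

Disk encryption is applied when the partitions are created at install time; changing these settings on an already-installed node means wiping STATE and EPHEMERAL, so put this in the initial configuration (or let Omni's managed disk encryption supply it) rather than patching it in later. If you keep only the TPM slot, make sure you have another recovery plan for the data on EPHEMERAL, because nothing outside that TPM can unlock it.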

Access Can Be Abused. We Lock it Down.

Kernel exploits allow an attacker to escalate privileges and break trust. This drastically increases their reach and capacity to cause damage. Kernel protections are recommended by frameworks like SOC 2, NIST, and CIS and are particularly valuable for edge and bare metal, where the burden of security falls squarely on the team’s shoulders rather than a solution provider.

Some Linux-based Kubernetes OSes provide a level of protection through mandatory access control (MAC) systems such as SELinux or AppArmor, which can contain the effects of certain kernel exploits. But Talos Linux is the only Linux distribution known to us that is KSPP hardened by default and requires signed kernel modules.

The Kernel Self Protection Project (KSPP) is a set of kernel build options and patches that proactively harden the kernel against whole classes of bugs: stricter memory protections, restricted unprivileged BPF, and similar mitigations that make a kernel bug far harder to turn into a working exploit. Talos Linux builds its kernel to the KSPP recommendations and, on top of that, enforces signed-only module loading, so the running kernel cannot be extended at runtime with code that Sidero did not sign. Together these make it one of the most secure Linux distributions available for Kubernetes.

Secrets Can Leak. Ours Don’t.

Most Kubernetes setups leave operators to generate, distribute and protect system-level secrets themselves: the Kubernetes API certificates, the Talos API client certificates, and the disk encryption keys. These credentials are critical to the integrity of the cluster, yet they are often written to disk, passed through provisioning pipelines, or handled differently from one environment to the next. Usually, securing them is your responsibility. With Omni, it is built in.

Omni generates, distributes, and manages all system secrets for you, ensuring that the certificates protecting your Kubernetes and Talos APIs, as well as your disk encryption keys, are handled securely and not exposed. This removes a common source of operational risk and greatly simplifies compliance for sensitive environments.

FIPS Compliance

FIPS 140-3 compliance is a must-have for many teams working in regulated environments. We are currently rolling out a FIPS mode that starts at the foundation: Talos Linux, our immutable, API-driven OS built specifically for Kubernetes. This is available in private beta and will be available for customers in a future release.

Security with Talos Linux and Omni

Here’s a look at our features and facets that keep your Kubernetes infrastructure safe.

Operating System & Runtime Security

  • No shell or SSH: No interactive login path to a node, so there is nowhere to run ad hoc commands or make arbitrary changes
  • Read-only root filesystem: Prevents modification or tampering of binaries
  • <50 binaries total: Reduces attack surface and the number of CVEs that can apply to a node
  • Kernel Self Protection Project (KSPP): Prevents classes of kernel-level exploits
  • SELinux / seccomp: Restricts what running processes can do and access
  • Ingress firewall: Allows only explicitly permitted ports to be accessible externally
  • Node-to-node encryption: KubeSpan secures communication within the cluster
  • Node-to-Omni encryption: SideroLink secures communication and protects the Talos API from unauthenticated access
  • Open source: Talos Linux is a transparent codebase with broad community visibility
  • CIS Benchmark validated
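The ingress firewall and KubeSpan entries above are both driven from the machine configuration. As an added example that is not from the original post or from Sidero's documentation, the following multi-document Talos configuration enables KubeSpan and switches the ingress firewall to default-deny, then opens only the ports the cluster itself needs. The subnets (172.20.0.0/24 for nodes, 10.0.100.0/24 for operators) are assumed placeholders, and the port list is for a control plane node; a worker needs only the kubelet, Talos API and KubeSpan rules.

```yaml
# Added example (not from the original post or Sidero's docs): Talos
# multi-document machine configuration enabling KubeSpan and a default-deny
# ingress firewall. Node subnet 172.20.0.0/24 and operator subnet
# 10.0.100.0/24 are assumed placeholders.
version: v1alpha1
machine:
  network:
    kubespan:
      enabled: true   # WireGuard mesh between nodes; node-to-node traffic is encrypted
---
apiVersion: v1alpha1
kind: NetworkDefaultActionConfig
ingress: block        # anything not matched by a NetworkRuleConfig below is dropped
---
apiVersion: v1alpha1
kind: NetworkRuleConfig
name: talos-api
portSelector:
  ports:
    - 50000           # apid: mTLS-authenticated, but still limit who can reach it
  protocol: tcp
ingress:
  - subnet: 10.0.100.0/24   # operators (assumed)
  - subnet: 172.20.0.0/24   # other nodes, needed for control plane bootstrap
---
apiVersion: v1alpha1
kind: NetworkRuleConfig
name: trustd
portSelector:
  ports:
    - 50001           # trustd: only other nodes need it, during join
  protocol: tcp
ingress:
  - subnet: 172.20.0.0/24
---
apiVersion: v1alpha1
kind: NetworkRuleConfig
name: kube-apiserver
portSelector:
  ports:
    - 6443
  protocol: tcp
ingress:
  - subnet: 10.0.100.0/24
  - subnet: 172.20.0.0/24
---
apiVersion: v1alpha1
kind: NetworkRuleConfig
name: etcd
portSelector:
  ports:
    - 2379-2380       # etcd client and peer traffic, control plane only
  protocol: tcp
ingress:
  - subnet: 172.20.0.0/24
---
apiVersion: v1alpha1
kind: NetworkRuleConfig
name: kubelet
portSelector:
  ports:
    - 10250
  protocol: tcp
ingress:
  - subnet: 172.20.0.0/24
---
apiVersion: v1alpha1
kind: NetworkRuleConfig
name: kubespan
portSelector:
  ports:
    - 51820           # WireGuard; peers authenticate by key, so allow from anywhere
  protocol: udp
ingress:
  - subnet: 0.0.0.0/0
```

Two caveats a practitioner should check before rolling this out. First, apply it to one node and confirm with talosctl that the API, kubelet and etcd ports are still reachable from the expected subnets before applying it cluster-wide: a default-deny rule that omits a required port can cut you off from the node. Second, the set of ports Talos and your CNI need (for example, a VXLAN port for the overlay, or NodePort ranges) varies by version and CNI, so reconcile the list against the Talos release notes for the version you run rather than treating the example as exhaustive.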

Boot and Disk Integrity

  • Secure Boot: Ensures only signed EFI boot files run
  • Trusted Boot: Enables full-chain verification from firmware to OS
  • Disk encryption with TPM or remote KMS: Ensures disk access only on original hardware or via secured KMS
  • Signed container images: Verified with Sigstore and Sidero employee signatures
  • Fully bootstrapped builds: Full source-to-build trust chain through StageX

API & Access Control

  • mTLS-authenticated API: Strong mutual TLS with PKI and certificate rotation
  • No passwords: Authentication only via secure mTLS
  • Limited-scope API: Prevents broad access, only allows specific validated operations
  • OAuth-based RBAC: Granular access control for Talos, Omni, and Kubernetes APIs
  • Audit logs: Track and review access and changes

Omni-specific Protections

  • Hardened system access: Prevents manual tampering and disallows unverified upgrades
  • Managed node disk encryption: Enforced encryption for all nodes via Omni
  • Access control tied to identities: Users and permissions managed centrally

Security doesn’t scale when it’s tacked on. That’s why we bake it into Talos Linux and Omni. If you have 15 minutes, book a chat with our specialists to discuss how we can make your infrastructure more secure.
