It is then recommended to deploy Cilium using a suitable method from the documentation.

Best Practices for Networking and CNI

For Single-Node Deployments:

Disable KubeSpan. It is intended for connecting nodes in different networks together and is not useful in this configuration

For Highly Available Configurations:

KubeSpan provides transparent network encryption between all nodes in a cluster-wide mesh VPN network. KubeSpan is well suited for use cases that involve bursting from one network (e.g. bare metal) to another (e.g. a cloud provider) for extra capacity. Because KubeSpan currently creates a full mesh network, it is not recommended for clusters with more than 100 nodes. 

KubeSpan uses Wireguard VPN tunneling to provide cluster meshing. It is not recommended for high-throughput applications such as storage replication and HPC due to packet encryption overhead, which reduces total throughput and is best for general cluster networking.

Storage

While there are many different Kubernetes storage options, and Talos Linux will work with most of them, we generally recommend:

• Longhorn, which is simple to manage, prioritizes data redundancy, exports local filesystem storage as CSI, has configurable cluster PVC backups, and is suitable for general Kubernetes workloads.

• Local Path Provisioner, which provides simple but less resilient storage, linking nodes to PersistentVolumeClaims. For many use cases, Local Path Provisioner may be sufficient for a deployment given its lightweight profile.

Alternatively, storage outside of the cluster can be consumed within a cluster, such as:

• nfs-subdir-external-provisioner
• csi-driver-iscsi 

Load Balancing

While load balancing is not required in single-node clusters, we recommend MetalLB or KubeVIP for most use cases to make exposing Services more straightforward.

With one of the above solutions, load balancing can be configured with either ARP or BGP respectively.

Monitoring and Logging

We recommend Prometheus for small or few clusters and VictoriaMetrics for more complicated or large-scale deployments.

We recommend Grafana for observability and VictoriaLogs or Loki logs for logging.

It should be noted that systems running Talos Linux are compatible with most monitoring solutions. The above are simply monitoring systems that are good choices for Kubernetes infrastructure that we and our customers have had success with. 

We recommend configuring Talos Linux to send system logs to a logging server, see the documentation. 

Tuning

If performance is more important than minimizing power consumption, we recommend setting appropriate performance settings, as documented in the latest performance tuning documentation.

Talos Linux Extensions

Talos Linux extensions provide additional functionality beyond the base OS. They are recommended for:

• Situations where the hardware running Talos Linux requires specific firmware, drivers, or services (i.e. GPU drivers and NIC firmware).
• Security-related features (e.g. Visor and Kata-Containers).
• External integrations such as storage or network options (e.g. DRDB, iscsi, btrfs, Cloudflared).

To install an extension, a custom Talos Linux installer image must be built with the desired extensions included. Such an image can be produced through the hosted service at factory.talos.dev. Aside from configuration, once deployed, the Talos Linux OS cannot be modified without the image being replaced via an upgrade to the custom-built image.

Image creation is automated when using Omni.

It is recommended to install microcode extensions for the target deployment processor, such as intel-ucode or amd-ucode.

More information can be found at:

• Talos Extensions Documentation
• SideroLabs Extensions Repository

Talos Linux Overlays

Often in edge deployments, ARM devices or embedded hardware is utilized. In order to maximize or enable compatibility, the Talos Linux factory and imager provide overlays for firmware, bootloader, and device tree blobs.

Overlays include support for many devices, such as: 

• Raspberry Pi
• Orange Pi
• Rock64
• Jetson Nano
• Pine64
• And many more

See official overlays here. 

Security Considerations

Talos Linux is secure with a default install, but there are additional capabilities that can be enabled. Note that there is overhead with additional security features, whether in operational complexity or node performance.

Omni contains SideroLink which automatically creates a firewall to the Talos API and eliminates the need to apply local firewall rules to secure the Talos API before the node is provisioned.

TrustedBoot with SecureBoot and Disk Encryption

Talos Linux supports TrustedBoot in order to protect against boot-level malware attacks. Talos Linux implements a fully signed execution path from firmware to userspace. When used in conjunction with disk encryption backed by hardware TPM or Omni’s KMS, this provides very strong protection and guarantees that only trusted Talos Linux can run, even when an attacker has physical access to the server.

SecureBoot does complicate OS installation and upgrades, and for all cases, careful consideration must be taken into account. 

We recommend using TrustedBoot for edge deployments.

Ingress Firewall

The Talos Linux Ingress Firewall provides an additional security layer by controlling inbound network traffic at the OS level. The Ingress Firewall defaults to “allow” for all traffic. When using Talos Linux through Omni, the Talos Linux API is only accessible through the SideroLink tunnel. All other access is blocked by Ingress Firewall rules. For a production setup, we recommend blocking all traffic not explicitly permitted and only allowing traffic explicitly to/from classes of machines, such as control plane nodes and workers. This may be appropriate where:

• Kubernetes workloads are exposed to the internet.
• Regulatory compliance demands OS level ingress controls and security frameworks beyond Kubernetes-native NetworkPolicies.
• Zero-trust environments are needed to complement Kubernetes RBAC and service mesh policies by filtering traffic at the host level.

For an example of recommended rules, see the documentation.

OS and Kubernetes Authentication

The Kubernetes API Server supports configuring the use of an external auth provider, allowing only authenticated and authorized users to restrict access to a cluster. It is recommended to adopt such a mechanism for production clusters. Any OAuth or OIDC provider is supported (such as Auth0), with varying levels of supporting configuration and authentication proxies, eliminating the risk of an employee leaving the enterprise with admin-level kubeconfig access for a cluster, and simplifies compliance.

PodSecurity Standards

Talos Linux defaults to the baseline PodSecurity Standards enabled. This means that workloads cannot run with privileged security contexts, such as root user, node host network access, hostPath, and privileged.

Some components required in edge environments may require privileged access to engage with hardware devices, network, and local storage. We recommend placing such components in separate namespaces to scope the access for privileged to only what needs it. 

For more information, see here.

Certificates and Secrets

Talos Linux uses Secrets, including cluster CA and system CA, in the machine configuration to declare the cluster.

Omni completely manages cluster Secrets, ensuring they are obscured and never revealed.

Cluster Upgrades

Omni simplifies cluster upgrades. Whether using the web interface or cluster templates, Omni safely reconciles cluster changes such as Talos Linux and Kubernetes versions, configuration patches, and node management declaratively by utilizing Talos Linux and Kubernetes APIs and health checks. 

As cluster configuration templates are declarative and contain no secrets, administrators can utilize Git to keep cluster changes version controlled.
Omni carefully handles all upgrade paths between older and latest versions, ensuring migration to latest versions is at the suitable pace of organizational needs.

Since Talos Linux is image-based and uses an A/B boot system, upgrades between release versions of the OS will either succeed and boot into the new release or fail and revert back to the previous version, ensuring broken states never occur. Talos Linux upgrades are initiated on a per-node basis. The upgrade process will cordon the node in Kubernetes, then reboot into the new image. It is up to the user to ensure all nodes in a cluster are upgraded consistently and follow the recommended upgrade paths. When using Omni, Talos Linux upgrades are orchestrated on a cluster level, not a node level. Omni handles a wider range of upgrade paths and any upgrade allowed in the UI is supported.

Kubernetes upgrades are managed separately from Talos Linux upgrades. During a Kubernetes upgrade, Kubernetes is upgraded by replacing components in the running cluster with new versions and migrating any related resources. When running in a highly available configuration, Kubernetes upgrades are non-disruptive and do not require a reboot.

Cluster Reproducibility

Deploying Kubernetes with Talos Linux starts with configuration. The machine configuration is fully declarative, enabling users to describe everything about the machine and its cluster components. Clusters can be reliably restored by applying the configuration files for each machine to the same number and types of machines, with the appropriate per-machine patches, and restoring etcd, making redeployments and disaster recovery straightforward and consistent. Depending on the particular deployment, more steps may be required.

Omni further simplifies the configuration process by creating declarative configurations of clusters as a whole, not just a machine, allowing the creation, templating, modification, and recreation of clusters with declarative cluster templates which handle all cluster, machine, secret, and patch management, while never exposing the cluster secrets.

Application Management

We recommend ArgoCD for declarative GitOps-based management of applications, where one or more git repositories act as the source of truth for what is deployed on one or more clusters.

We recommend using Omni cluster templates for the initial configuration and deployment of ArgoCD (as demonstrated here) and then using Argo to manage the applications.

GitOps is incredibly important for remote deployments, where access to the cluster is only possible through GitOps.

Additional Software

The Kubernetes ecosystem contains many options for other functions that may or may not be desired for any particular deployment. Additional Kubernetes software can be used to address certain needs, such as container security and compliance, namespace controls, policy compliance and governance, CI/CD tooling, secret management, and more. This reference architecture document does not express opinions on these functions. However, because Talos Linux deploys vanilla upstream Kubernetes, such clusters are compatible with virtually any of the options enterprises may be using for these functions. For enterprises that would like specific recommendations for their use cases, either Sidero Labs or one of our consulting partners can be engaged for consultation.

Device Plugins

Accessing specialized or specific hardware such as cameras, robotics equipment, or other USB and serial devices via Linux device filesystem on Talos Linux is managed in a non-privileged way using the generic device driver plugin, if not a specific plugin driver for Kubernetes. For details, see the documentation here.

NUT Client Extension

When deploying on the edge with a UPS and to ensure the integrity of stateful data and hardware longevity, the NUT client extension allows for Talos Linux shutdown to be triggered by compatible hardware when reserve power is nearly depleted. 

See the following documentation:

• siderolabs extensions – nut-client
•  networkupstools – nut

GPU drivers

NVIDIA GPUs are supported on Talos Linux through the NVIDIA driver extensions. Open or closed driver variants are both available with Talos Linux extensions. To enable it, the kernel modules and a sysctl must be configured. 

For more information, please see the following documentation.

Progressive migration from Virtual Machines

KubeVirt on Talos Linux is a proven, reliable way to migrate legacy workloads from Virtual Machines into Kubernetes for edge deployments to run alongside containerized applications, and is also capable of ensuring the trusted execution of processes within a virtualized environment. With KubeVirt, Virtual Machines can talk to Pods (and vice versa) and can also be exposed like regular Pods through Services, Ingress, Gateway-API, and more. Retaining virtual machines and running them on Kubernetes is a helpful way to balance the needs of your organization and to ease into modernizing. Import your existing virtualized workloads using tooling like Forklift from providers like VMware vSphere, OVA, oVirt, and OpenStack. 

To effectively run Virtual Machines in KubeVirt, it is best to have:

• A CSI provider that supports LiveMigration, such as Longhorn
• A CNI plugin to provide attachment of multiple network interfaces, such as KubeOVN or Multus, which wraps an existing CNI (e.g: Flannel, Cilium)

With its declarative configuration, workloads running through KubeVirt can be managed through GitOps like ArgoCD. Running Virtual Machines on Talos Linux through KubeVirt is suitable for bare metal, datacenter, and edge deployments.

Further Configuration

There are a myriad of choices available when setting up Kubernetes clusters. While common best practices work in some scenarios, they may not be suitable for others.

Sidero Professional Services can work with you to architect a configuration tailored to your requirements.

Contact us

If you have questions or want to discuss how to get started with Omni and Talos Linux for Kubernetes at the edge, contact us.