Talos Linux:
Bare metal to Kubernetes
in under a minute.
No SSH. No shell.
No package manager.
Three things Talos Linux doesn't ship. Each one removes a class of failure that no configuration flag can fully close.
sshd listens on :22. Operator authenticates with a key, gets a PTY, runs commands as root. Same path opens to anyone with a stolen key, an exposed config, or an unpatched daemon.
No sshd, no getty, no console login. The only ingress is apid on :50000, gRPC over mTLS, client cert required. Every call is typed, logged, and authorised against the machine config.
Root filesystem is rw. apt, dnf, sed, and a careless operator all write to the same disk. State diverges from the manifest with every patch.
Root is a SquashFS image, mounted ro. Upgrades write a new image to the inactive partition and reboot into it. Rollback is the reverse. Running state is the image hash.
~2,800 binaries on disk. Most have nothing to do with the kubelet โ bash, perl, gcc, gpg, but each ships with a CVE history and a dependency tree.
<50 binaries, each required to bring up a node: kernel, containerd, kubelet, etcd, machined. If it's not on that list, it's not on the box.
Whole categories of risk,
gone.
Talos Linux doesn't ship the things that need hardening. The categories below don't apply โ not because they've been mitigated, but because the surface they target isn't on the box.
Less to run. Less to break.
Less to defend.
A general-purpose distribution starts with everything and tries to remove what Kubernetes doesn't need. Talos Linux starts with nothing and adds only what's needed.
ยน Talos Linux 1.13.2, as of May 21, 2026. CVEs addressed via patches in the current release or published VEX statements (siderolabs/talos-vex).
ยฒ Ubuntu 26.04 server cloud image, as of May 21, 2026.
| Capability | Traditional Linux | Talos Linux |
|---|---|---|
| Purpose | General-purpose, runs anything | Built only for Kubernetes |
| Binaries shipped | 1,280 (Ubuntu 26.04)ยฒ | 40 |
| OS footprint | 2.5โ4GB | ~80MB |
| Root filesystem | Mutable, disk-backed | Read-only, ephemeral, RAM-resident |
| Configuration model | Imperative + config management bolt-ons | Declarative YAML, reconciled via API |
| Configuration drift | Accumulates over time | Structurally impossible |
| Update mechanism | Package-by-package (apt / yum / dnf) | Atomic A/B image swap, OS + K8s together |
| Failed-upgrade recovery | Manual intervention | Automatic rollback |
| Remote access | SSH | mTLS-authenticated gRPC API |
| Shell on host | bash / sh / sudo | None |
| Package manager | apt / yum / dnf | None |
| SSH daemon | openssh-server | None |
Trusted by homelabs and enterprises alike.
Six years in production. 330+ contributors. A Kubernetes certified distribution. Runs your Raspberry Pi in a closet, 11K+ nodes at a single Fortune Global 500 customer, hundreds of edge sites, and everything in between.
I'm consistently being blown away by the amount of engineering that has gone into Talos Linux for running k8s easily and securely.
It's crazy to think that there was a time all of this had to be manually wired up. As much as I don't like drinking an individual company's koolaid, so far this one's lit.
Talos is so nice and simple to manage when compared to having to manage both k3s and the host OS.
To make it even better, deploy a self-hosted instance of Omni to manage the Talos nodes โ gives you a nice interface to handle rolling out config patches, rolling Talos and k8s updates, scaling up and down, and integrating with infrastructure providers to automatically provision machines.
Get started now.
Two commands. Local cluster running in under a minute.
$brew install siderolabs/tap/talosctl$talosctl cluster createWhen you're ready to
manage a fleet.
When the fleet outgrows manual lifecycle management, Talos Omni picks up โ provisioning, upgrades, config, and backups across every cluster from one place. Available as SaaS or self-hosted.
- FIPS 140-3 compliant builds
- CIS benchmarked
- SBOM on every release
- SOC 2 Type II compliant
