Talos Linux is a modern OS for running Kubernetes: secure, immutable, and minimal. It’s fully open source, production-ready, and supported by the team at Sidero Labs.

What is Talos Linux?

Talos Linux is a purpose-built Linux distribution designed exclusively for Kubernetes. Unlike traditional Linux distributions, Talos has no shell, no SSH access, and no interactive console. All system management is performed via a secure API using the talosctl CLI tool and gRPC.
Talos Linux eliminates the traditional attack vectors associated with SSH access and shell commands, providing a minimal and hardened security posture for your Kubernetes infrastructure.

Key Benefits

Talos Linux delivers three core advantages for Kubernetes operations:

Security

Talos reduces your attack surface through its minimal, hardened, and immutable design:
  • No SSH or shell access - eliminates traditional remote access vulnerabilities
  • API-driven management - all operations secured with mutual TLS (mTLS) authentication
  • Immutable infrastructure - system files cannot be modified at runtime
  • Minimal footprint - only essential components required for Kubernetes
  • Hardened by default - secure configuration out of the box

Predictability

Talos eliminates configuration drift and delivers consistent infrastructure:
  • Immutable infrastructure - no configuration drift between nodes
  • Declarative configuration - define desired state, Talos enforces it
  • Atomic updates - upgrades are all-or-nothing operations
  • Reproducible deployments - identical configuration produces identical results

Evolvability

Talos simplifies operations and keeps your infrastructure current:
  • Simplified architecture - purpose-built for Kubernetes only
  • Increased agility - API-driven automation enables rapid changes
  • Current versions - always delivers stable Kubernetes and Linux kernel versions
  • Seamless upgrades - rolling updates with zero downtime

Architecture Overview

Talos Linux is built on several key architectural principles:

API-First Design

Every operation in Talos is performed through the gRPC API. The talosctl CLI communicates with the Talos API on port 50000, authenticated via mutual TLS:
# All operations go through the API
talosctl -n <node-ip> version
talosctl -n <node-ip> get members
talosctl -n <node-ip> reboot

Immutable System

The Talos root filesystem is immutable and ephemeral:
  • System binaries cannot be modified
  • No package manager or shell access
  • Configuration is declarative and API-driven
  • Updates replace the entire OS image

Minimal Attack Surface

Talos includes only what’s necessary to run Kubernetes:
  • Linux kernel (version 6.18.15-talos)
  • containerd as the container runtime
  • etcd for control plane nodes
  • Kubernetes components
  • Essential networking and storage drivers

Use Cases

Talos Linux is ideal for:

Production Kubernetes

Run production workloads with confidence on a secure, minimal OS designed specifically for Kubernetes.

Edge Computing

Deploy lightweight, secure Kubernetes clusters at the edge with minimal resource overhead.

Secure Environments

Meet strict security requirements with an immutable, API-only operating system.

Automated Infrastructure

Build fully automated, GitOps-driven infrastructure with API-first management.

How Talos Works

Talos Linux operates through a simple workflow:
1. Boot: Talos boots from an image (ISO, disk image, or cloud image) and loads the immutable OS into memory.
2. Configure: Apply a machine configuration via the API that defines the node’s role (control plane or worker) and settings.
3. Bootstrap: Initialize the Kubernetes cluster by bootstrapping etcd on a control plane node.
4. Operate: Manage the cluster entirely through the Talos API using talosctl commands.
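
The Configure, Bootstrap and Operate steps above, written out as talosctl calls. This is an added example, not taken from the Talos documentation; the cluster name, the node address 192.0.2.10, the output directory and the script name are assumed placeholders.

```shell
#!/bin/sh
# Added example: the Configure -> Bootstrap -> Operate steps as talosctl calls.
# Assumed values (not from the page): cluster name, node address, output directory.
set -eu

CLUSTER_NAME="${CLUSTER_NAME:-demo}"   # hypothetical cluster name
CP_IP="${CP_IP:-192.0.2.10}"           # placeholder control plane address (TEST-NET-1)
OUT_DIR="${OUT_DIR:-./talos-demo}"     # receives controlplane.yaml, worker.yaml, talosconfig

# Authenticated calls: talosconfig carries the client certificate and key used for mTLS.
authed() {
    talosctl --talosconfig "$OUT_DIR/talosconfig" \
        --endpoints "$CP_IP" --nodes "$CP_IP" "$@"
}

# Generate machine configs and talosconfig. The output contains CA and client
# private keys, so create it with a restrictive umask and keep it out of git.
generate_configs() {
    ( umask 077
      talosctl gen config "$CLUSTER_NAME" "https://${CP_IP}:6443" --output "$OUT_DIR" )
}

# Configure: a freshly booted node has no PKI yet, so this first call is the only
# one made with --insecure. Make it over a network segment you trust.
apply_config() {
    talosctl apply-config --insecure --nodes "$CP_IP" \
        --file "$OUT_DIR/controlplane.yaml"
}

# Bootstrap: run once, against one control plane node, after it has come back
# up with the applied configuration.
bootstrap_cluster() {
    authed bootstrap
}

# Operate: everything from here on is authenticated API traffic on port 50000.
operate() {
    authed health
    authed kubeconfig "$OUT_DIR"
}

# Run one step at a time: sh talos-workflow.sh generate|configure|bootstrap|operate
case "${1:-}" in
    generate)  generate_configs ;;
    configure) apply_config ;;
    bootstrap) bootstrap_cluster ;;
    operate)   operate ;;
esac
```

After the configure step, every call presents the client certificate from talosconfig, so that file should be protected like any other cluster-admin credential.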

Management via talosctl

The talosctl CLI is your interface to Talos Linux. Common operations include:
# View cluster health
talosctl -n <node-ip> health

# Get node configuration
talosctl -n <node-ip> get machineconfig

# View logs
talosctl -n <node-ip> logs kubelet

# Upgrade the OS
talosctl -n <node-ip> upgrade --image ghcr.io/siderolabs/talos:v1.13.0

# Retrieve kubeconfig
talosctl -n <node-ip> kubeconfig

All talosctl commands require the -n or --nodes flag to specify target node(s), or you can set endpoints in your talosconfig file.

Comparison with Traditional Linux

| Feature | Traditional Linux | Talos Linux |
| --- | --- | --- |
| Shell access | SSH, local console | None |
| Package manager | apt, yum, etc. | None |
| Management | Manual or config management tools | API-driven |
| System updates | In-place package updates | Atomic OS image replacement |
| Configuration | Mutable files | Immutable, API-applied |
| Attack surface | Large (many services, users) | Minimal (API only) |
| Purpose | General purpose | Kubernetes only |

Next Steps

Ready to get started with Talos Linux?

Quickstart

Create your first Talos cluster in minutes using Docker.

Installation

Install talosctl on your local machine to manage Talos clusters.

Community and Support

Join the Talos Linux community:

Talos Linux is open source and licensed under the Mozilla Public License v2.0. View the source code on GitHub.
