Talos is a modern OS designed to be secure, immutable, and minimal. All system management is done via an API, and there is no shell or interactive console. Some of the capabilities and benefits provided by Talos include:
- Security: Talos reduces your attack surface by practicing the Principle of Least Privilege (PoLP) and by securing the API with mutual TLS (mTLS) authentication.
- Predictability: Talos eliminates unneeded variables and reduces unknown factors in your environment by employing immutable infrastructure ideology.
- Evolvability: Talos simplifies your architecture and increases your ability to easily accommodate future changes.
For details on the various components that make up Talos, please see the components section.
To get started with talos, see the Getting Started Guide.
- musl-libc: uses musl as the C standard library
- golang: implements a pure golang
- gRPC: exposes a secure gRPC API
- containerd: runs containerd for
systemservices in tandem with the builtin
CRIruntime for Kubernetes pods
- kubeadm: uses
kubeadmto create conformant Kubernetes clusters
Talos takes a defense in depth approach to security. Below, we touch on a few of the measures taken to increase the security posture of Talos.
Talos is a minimalistic distribution that consists of only a handful of binaries and shared libraries.
Just enough to run
containerd and a small set of
This aligns with NIST’s recommendation in the Application Container Security Guide:
Whenever possible, organizations should use these minimalistic OSs to reduce their attack surfaces and mitigate the typical risks and hardening activities associated with general-purpose OSs.
Talos differentiates itself and improves on this since it is built for one purpose — to run Kubernetes.
There are a number of ways that Talos provides added hardening:
- employs the recommended configuration and runtime settings outlined in the Kernel Self Protection Project
- enables mutual TLS for the API
- enforces the settings and configurations described in the CIS guidelines
Talos improves its security posture further by mounting the root filesystem as read-only and removing any host-level access by traditional means such as a shell and SSH.
Stay current with our commitment to an
n-1 adoption rate of upstream Kubernetes.
Additionally, the latest LTS Linux kernel will always be used.
Each Talos node exposes an API designed with cluster administrators in mind.
It provides just enough to debug and remediate issues.
Using the provided CLI (
osctl), you can:
- restart a node (
- get CPU and memory usage of a container (
- view kernel buffer logs (
- restart a container (
- tail container logs (
$ osctl ps NAMESPACE ID IMAGE PID STATUS system ntpd talos/ntpd 101 RUNNING system osd talos/osd 107 RUNNING system proxyd talos/proxyd 393 RUNNING system trustd talos/trustd 115 RUNNING
or query the containers in the
$ osctl ps -k NAMESPACE ID IMAGE PID STATUS k8s.io kube-system/kube-scheduler-master-1:kube-scheduler k8s.gcr.io/hyperkube:v1.14.1 783 RUNNING k8s.io kube-system/kube-scheduler-master-1 k8s.gcr.io/pause:3.1 564 RUNNING k8s.io kube-system/kube-controller-manager-master-1:kube-controller-manager k8s.gcr.io/hyperkube:v1.14.1 744 RUNNING k8s.io kube-system/kube-controller-manager-master-1 k8s.gcr.io/pause:3.1 594 RUNNING k8s.io kube-system/kube-apiserver-master-1 k8s.gcr.io/pause:3.1 593 RUNNING k8s.io kube-system/kube-apiserver-master-1:kube-apiserver k8s.gcr.io/hyperkube:v1.14.1 796 RUNNING k8s.io kube-system/etcd-master-1 k8s.gcr.io/pause:3.1 592 RUNNING k8s.io kube-system/etcd-master-1:etcd k8s.gcr.io/etcd:3.3.10 805 RUNNING k8s.io kubelet k8s.gcr.io/hyperkube:v1.14.1 446 RUNNING