Secure Operating System for Kubernetes
The Ephemeral, Immutable Kubernetes Operating System
Delivering Security and Operational Stability.
An Immutable Operating System
If you run Kubernetes, you understand the advantages of immutable containers. You treat them as cattle, not pets, and throw them away when you need to upgrade. Talos OS is an immutable operating system, bringing the same advantages to the underlying Kubernetes infrastructure.
Talos OS is managed by an easy and powerful API, making operations scalable and simple.
Upgrades are atomic and automated, using a dual disk image scheme to facilitate rollbacks. If an upgrade fails to boot, Talos will roll back to the previous version.
No patching, no package managers. No configuration management tools.
No operational headaches.
Secure by Design
Talos OS is designed to do one thing – be an OS for Kubernetes. Everything not needed to support Kubernetes is removed, resulting in a much smaller, secure, more stable operating system. Even SSH and shells are removed – administration is done by a mutual TLS authenticated gRPC API.
Talos OS mounts the root filesystem as read-only and removes any host-level access such as a shell and SSH. Further, Talos runs in memory from a SquashFS read-only filesystem, leaving the primary disk almost entirely to Kubernetes. This means that the node OS configuration will not change. And if there are ever any doubts, a reboot will ensure the correct system configuration.
Talos is hardened by design and configuration:
- All access to the API is secured with Mutual TLS.
- Settings and configuration from the CIS guidelines are applied by default
- Talos runs entirely from a read-only SquashFS filesystem running entirely from RAM. This prevents bad actors from tampering with your hosts, even if they gain console access.
- The console supports no shell access – just displays logs with no interactivity.
- Kubernetes on Talos OS is Distributed, Immutable, and Ephemeral (D.I.E.) – the modern paradigm for InfoSec security.
A Container OS for Kubernetes - for production workloads
Talos OS is designed to support the demanding requirements of enterprise production deployments.
- Talos OS automatically installs vanilla Kubernetes, in a secure configuration.
- Supports the latest stable versions of Kubernetes and Linux, ensuring stability and security issues are addressed.
- Supports all platforms: major public cloud providers, virtualization platforms, and bare metal, including ARM technology.
- Runs on the edge: Talos OS supports kubernetes on Raspberry Pi and other Single Board Computers, for Kubernetes on the edge.
- Development-to-Production Workflow: Talos OS is ideal for developer workstations, supporting QEMU, Firecracker micro VMs and Docker containers. This gives the same base OS through the entire app lifecycle from dev to prod.
An API driven Operating System
- It constrains what you can do – this is good, as someone cannot accidentally do things like:
ls -la > /dev/hda (Don’t try this at home!!!)
- It limits you to read only actions, leaving your systems in a known reliable state (immutability for the win!!)
- It allows an audit trail of all actions.
- Being designed for management by an API means that automation of all tasks, across a single machine or a fleet of machines, is easy!
- an OS with an API lends itself naturally to writing better, more secure, more resilient automation.
- An API driven OS is the foundation of having an API driven datacenter, increasing security, stability, agility and scalability.
Open Source Code, Enterprise grade support
Talos OS is 100% open source code. Use it for free, work with an engaged community, and contribute back if you wish.
However, if you want the assurance of expert Kubernetes support, 24 x 7 response, professional services or training, Talos Systems’ team of professionals can help.
A support contract from Talos Systems lets you focus on building value for your business, with confidence in your Kubernetes and Talos OS deployments.
Talos OS is an Open Source project from the Talos Systems team.
Ready to get started? Get the docs, join the project, or talk to our team!