The Secure Operating System for Kubernetes
The Ephemeral, Immutable Kubernetes Operating System.
Delivering Security and Operational Stability.
An Immutable Operating System
If you run Kubernetes, you most likely understand the advantages of immutable containers. You treat them as cattle, not pets, and throw them away when you need to upgrade. Talos OS is an immutable operating system, bringing the same advantages to the underlying Kubernetes infrastructure.
Talos OS mounts the root filesystem as read-only and removes all host-level access such as a shell and SSH. Further, Talos runs in memory from a read-only SquashFS filesystem, leaving the primary disk almost entirely to Kubernetes. This means the node OS configuration cannot drift. And if there is ever any doubt, a reboot restores the known, correct system configuration.
Talos OS is managed by an easy and powerful API, making operations scalable and simple.
Upgrades are atomic and automated. No patching, no package managers. No configuration management tools.
No operational headaches.
Secure by Design
Talos OS is designed to do one thing – be an OS for Kubernetes. Everything not needed to support Kubernetes is removed, resulting in a much smaller, more secure, more stable operating system. Even SSH and shells are removed – administration is done through a mutual TLS authenticated gRPC API.
Talos is hardened by design and configuration:
- All access to the API is secured with mutual TLS.
- Settings and configuration from the CIS guidelines are applied by default.
- Talos runs entirely from a read-only SquashFS filesystem loaded into RAM. This prevents bad actors from tampering with your hosts, even if they gain console access.
- The console supports no shell access – it only displays logs, with no interactivity.
- Kubernetes on Talos OS is Distributed, Immutable, and Ephemeral (D.I.E.) – the modern paradigm for information security.
An OS for Kubernetes - for production workloads
Talos OS is designed to support the demanding requirements of enterprise production deployments.
- Talos OS automatically installs standard Kubernetes, in a secure configuration.
- Supports the latest stable versions of Kubernetes and Linux, so that known stability and security issues are addressed.
- Supports all major public cloud providers, virtualization platforms, and bare metal.
- Development-to-Production Workflow: Talos OS is ideal for developer workstations, supporting Firecracker micro VMs and Docker containers. This gives the same base OS through the entire app lifecycle from dev to prod.
An API driven Operating System
- It constrains what you can do – this is good, because no one can accidentally run something like:
  ls -la > /dev/hda (Don’t try this at home!!!)
- It limits you to read-only actions, leaving your systems in a known, reliable state (immutability for the win!!).
- It allows an audit trail of all actions.
- Being designed for management by an API means that automation of all tasks, across a single machine or a fleet of machines, is easy!
- An OS with an API lends itself naturally to writing better, more secure, more resilient automation.
- An API driven OS is the foundation of having an API driven datacenter, increasing security, stability, agility and scalability.