Skip to content
A modern Linux distribution for Kubernetes.
Branch: master
Clone or download
andrewrynhard feat: install bootloader to block device (#455)
Signed-off-by: Andrew Rynhard <>
Latest commit 31a00ef Mar 18, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
docs docs: remove ip=dhcp flag from documentation (#428) Feb 27, 2019
images chore: use buildkitd for builds (#320) Jan 19, 2019
internal feat: install bootloader to block device (#455) Mar 18, 2019
web docs: remove ip=dhcp flag from documentation (#428) Feb 27, 2019
.gitignore chore: use buildkitd for builds (#320) Jan 19, 2019
.travis.yml chore: fix Travis double builds (#380) Feb 19, 2019 chore: prepare release v0.1.0-alpha.19 (#448) Mar 11, 2019 chore: add (#337) Feb 15, 2019 chore: fix git commit hook (#431) Feb 28, 2019
Makefile chore: upgrade conform (#440) Mar 5, 2019


A modern Linux distribution for Kubernetes.

Build Status Release Pre-release

Talos is a modern Linux distribution for Kubernetes that provides a number of capabilities. A few are:

  • Security: reduce your attack surface by practicing the Principle of Least Privilege (PoLP) and enforcing mutual TLS (mTLS).
  • Predictability: remove needless variables and reduce unknown factors from your environment using immutable infrastructure.
  • Evolvability: simplify and increase your ability to easily accommodate future changes to your architecture.

For details on the design and usage of Talos, see the documentation.

$ kubectl get nodes -o wide
NAME              STATUS   ROLES    AGE   VERSION   INTERNAL-IP       EXTERNAL-IP   OS-IMAGE                              KERNEL-VERSION   CONTAINER-RUNTIME   Ready    master   50s   v1.13.2   <none>        Talos (v0.1.0-alpha.16) by Autonomy   4.19.10-talos    containerd://1.2.2   Ready    worker   26s   v1.13.2   <none>        Talos (v0.1.0-alpha.16) by Autonomy   4.19.10-talos    containerd://1.2.2



  • musl-libc: uses musl as the C standard library
  • golang: implements a pure golang init
  • gRPC: exposes a secure gRPC API
  • containerd: runs containerd for system services in tandem with the builtin CRI runtime for Kubernetes pods
  • kubeadm: uses kubeadm to create conformant Kubernetes clusters


Talos takes a defense in depth approach to security. Below, we touch on a few of the measures taken to increase the security posture of Talos.


Talos is a minimalistic distribution that consists of only a handful of binaries and shared libraries. Just enough to run containerd and a small set of system services. This aligns with NIST's recommendation in the Application Container Security Guide:

Whenever possible, organizations should use these minimalistic OSs to reduce their attack surfaces and mitigate the typical risks and hardening activities associated with general-purpose OSs.

Talos differentiates itself and improves on this since it is built for one purpose — to run Kubernetes.


There are a number of ways that Talos provides added hardening:

  • employs the recommended configuration and runtime settings outlined in the Kernel Self Protection Project
  • enables mutual TLS for the API
  • enforces the settings and configurations described in the CIS guidelines


Talos improves its security posture further by mounting the root filesystem as read-only and removing any host-level access by traditional means such as a shell and SSH.


Stay current with our commitment to an n-1 adoption rate of upstream Kubernetes. Additionally, the latest LTS Linux kernel will always be used.


Each Talos node exposes an API designed with cluster administrators in mind. It provides just enough to debug and remediate issues. Using the provided CLI (osctl), you can:

  • restart a node (osctl reboot)
  • get CPU and memory usage of a container (osctl stats)
  • view kernel buffer logs (osctl dmesg)
  • restart a container (osctl restart)
  • tail container logs (osctl logs)

and more.


Query system services:

$ osctl ps
system      blockd   talos/blockd   1461   RUNNING
system      osd      talos/osd      1449   RUNNING
system      proxyd   talos/proxyd   2754   RUNNING
system      trustd   talos/trustd   1451   RUNNING

or query the containers in the namespace:

$ osctl ps -k
NAMESPACE   ID                                                                 IMAGE                                                                     PID    STATUS      0ca1fc5944d6ed075a33197921e0ca4dd4937ae243e428b570fea87ff34f1811   sha256:da86e6ba6ca197bf6bc5e9d900febd906b133eaa4750e6bed647b0fbe50ed43e   2341   RUNNING      356fc70fa1ba691deadf544b9ab4ade2256084a090a711eec3e70fc810709374   sha256:da86e6ba6ca197bf6bc5e9d900febd906b133eaa4750e6bed647b0fbe50ed43e   2342   RUNNING
...      e42ec788edc1e3af71cb6fa151dd8cc1076906dbe09d7099697f36069e38b5a8   sha256:4ff8d484069d463252df6a461ba13f073b247a4f19e421b3117c584d39b4a67f   2508   RUNNING      kubelet                                                                                                2068   RUNNING





If you would like to participate in discussions about Talos, please send an email to with the subject line "Slack Invite", and we would be happy to send an invite to our workspace.

It is important that the subject line is exactly "Slack Invite" (exclude the double quotes).


Twitter Follow




Why "Talos"?

Talos was an automaton created by the Greek God of the forge to protect the island of Crete. He would patrol the coast and enforce laws throughout the land. We felt it was a fitting name for a security focused Linux distribution designed to run Kubernetes.

Why no shell or SSH?

We would like for Talos users to start thinking about what a "machine" is in the context of a Kubernetes cluster. That is that a Kubernetes cluster can be thought of as one massive machine and the nodes merely as additional resources. We don't want humans to focus on the nodes, but rather the machine that is the Kubernetes cluster. Should an issue arise at the node level, osctl should provide the necessary tooling to assist in the identification, debugging, and remediation of the issue. However, the API is based on the Principle of Least Privilege, and exposes only a limited set of methods. We aren't quite there yet, but we envision Talos being a great place for the application of control theory in order to provide a self-healing platform.

How is Talos different than CoreOS/RancherOS/Linuxkit?

Talos is similar in many ways, but there are some differences that make it unique. You can imagine Talos as a container image, in that it is immutable and built with a single purpose in mind. In this case, that purpose is Kubernetes. Talos tightly integrates with Kubernetes, and is not meant to be a general use Linux distribution. This allows us to dramatically decrease the footprint of Talos, and in turn improve a number of other areas like security, predictability, and reliability. In addition to this, interaction with the host is done through a secure gRPC API. If you want to run Kubernetes with zero cruft, Talos is the perect fit.



You can’t perform that action at this time.