docs: change meeting times to 24 hour format (#675)
Signed-off-by: Andrew Rynhard <[email protected]>
A modern operating system for Kubernetes.
Talos is a modern operating system for Kubernetes that provides a number of capabilities. A few are:
For details on the design and usage of Talos, see the documentation.
```
$ kubectl get nodes -o wide
NAME       STATUS   ROLES    AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                  KERNEL-VERSION   CONTAINER-RUNTIME
master-1   Ready    master   79s   v1.14.1   10.5.0.2      <none>        Talos (v0.1.0-alpha.24)   4.19.34-talos    containerd://1.2.6
master-2   Ready    master   42s   v1.14.1   10.5.0.3      <none>        Talos (v0.1.0-alpha.24)   4.19.34-talos    containerd://1.2.6
master-3   Ready    master   42s   v1.14.1   10.5.0.4      <none>        Talos (v0.1.0-alpha.24)   4.19.34-talos    containerd://1.2.6
worker-1   Ready    worker   44s   v1.14.1   10.5.0.5      <none>        Talos (v0.1.0-alpha.24)   4.19.34-talos    containerd://1.2.6
```
The quickest way to get started with Talos is to create a local docker-based cluster:

```bash
osctl cluster create
```

Note: You can download `osctl` from the latest release.

Once the cluster is up, download the kubeconfig:

```bash
osctl kubeconfig > kubeconfig
kubectl --kubeconfig kubeconfig config set-cluster talos_default --server https://127.0.0.1:6443
```

Note: It can take up to a minute for the kubeconfig to be available.

To clean up, run:

```bash
osctl cluster destroy
```
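The quick start above, wrapped so that the kubeconfig step tolerates the delay the note mentions instead of failing on the first try. This is an added example and not part of the Talos README: the function names (`retry`, `try_kubeconfig`, `fetch_kubeconfig`, `quickstart`) and the retry budget of 12 attempts 5 seconds apart (roughly the one minute the note gives) are assumptions made here.

```sh
#!/bin/sh
# Added example, not from the Talos README. Wraps the quick start so that
# fetching the kubeconfig is retried while the cluster is still coming up.
# Function names and the 12 x 5 s budget are assumptions made here.

# retry ATTEMPTS DELAY CMD...: run CMD until it succeeds; give up (return 1)
# after ATTEMPTS failures, sleeping DELAY seconds between tries.
retry() {
    attempts=$1
    delay=$2
    shift 2
    n=1
    while ! "$@"; do
        if [ "$n" -ge "$attempts" ]; then
            return 1
        fi
        n=$((n + 1))
        sleep "$delay"
    done
    return 0
}

# try_kubeconfig OUT: one attempt to write the kubeconfig to OUT. A failed
# osctl call still leaves an (empty) file behind because of the redirect,
# so also require OUT to be non-empty before reporting success.
try_kubeconfig() {
    osctl kubeconfig > "$1" && [ -s "$1" ]
}

# fetch_kubeconfig OUT: retry try_kubeconfig for about a minute (12 x 5 s).
fetch_kubeconfig() {
    retry 12 5 try_kubeconfig "$1"
}

# quickstart: the README's commands in order, with the retry in place,
# finishing with the node listing so the result is visible.
quickstart() {
    osctl cluster create || return 1
    fetch_kubeconfig kubeconfig || return 1
    kubectl --kubeconfig kubeconfig config set-cluster talos_default \
        --server https://127.0.0.1:6443 || return 1
    kubectl --kubeconfig kubeconfig get nodes -o wide
}
```

Run `quickstart` from a shell that has `osctl` and `kubectl` on its PATH; `osctl cluster destroy` still cleans up afterwards.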
- `system` services in tandem with the builtin `CRI` runtime for Kubernetes pods
- `kubeadm` to create conformant Kubernetes clusters
Talos takes a defense in depth approach to security. Below, we touch on a few of the measures taken to increase the security posture of Talos.
Talos is a minimalistic distribution that consists of only a handful of binaries and shared libraries. Just enough to run `containerd` and a small set of `system` services.
This aligns with NIST’s recommendation in the Application Container Security Guide:

> Whenever possible, organizations should use these minimalistic OSs to reduce their attack surfaces and mitigate the typical risks and hardening activities associated with general-purpose OSs.
Talos differentiates itself and improves on this since it is built for one purpose — to run Kubernetes.
There are a number of ways that Talos provides added hardening:
Talos improves its security posture further by mounting the root filesystem as read-only and removing any host-level access by traditional means such as a shell and SSH.
Stay current with our commitment to an n-1 adoption rate of upstream Kubernetes. Additionally, the latest LTS Linux kernel will always be used.
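A drift check to go with that commitment, as an added example that is not part of the Talos README: it reads `kubectl get nodes -o wide` output (the format shown earlier on this page) and reports any node that is not Ready, is not on the expected kubelet version or kernel, or does not report a Talos OS image. The function name `check_nodes` and the expected values passed to it are assumptions; the `SAMPLE_NODES` rows are copied from the README output, while the `worker-2` row in `DRIFT_NODES` is constructed to show a failing case. The check handles any OS image string, not only Talos, since `OS-IMAGE` can contain spaces.

```sh
#!/bin/sh
# Added example, not from the Talos README. Reads `kubectl get nodes -o wide`
# output on stdin and reports nodes that drift from the expected kubelet
# version, kernel or OS image. The function name and expected values are
# assumptions made here.

# check_nodes EXPECTED_KUBELET EXPECTED_KERNEL
# Prints one line per non-conforming node; returns 0 if all nodes conform.
check_nodes() {
    awk -v want_k8s="$1" -v want_kernel="$2" '
        NR == 1 { next }                          # skip the header row
        NF < 10 { print $1 ": unparseable row"; drift++; next }
        {
            name = $1; status = $2; version = $5
            kernel = $(NF - 1)                    # KERNEL-VERSION column
            # OS-IMAGE may contain spaces ("Talos (v0.1.0-alpha.24)"), so
            # join every field between EXTERNAL-IP and KERNEL-VERSION.
            os = $8
            for (i = 9; i <= NF - 2; i++) os = os " " $i
            bad = ""
            if (status != "Ready")     bad = bad " status=" status
            if (version != want_k8s)   bad = bad " kubelet=" version
            if (kernel != want_kernel) bad = bad " kernel=" kernel
            if (os !~ /^Talos /)       bad = bad " os=\"" os "\""
            if (bad != "") { drift++; print name ":" bad }
        }
        END { exit (drift ? 1 : 0) }
    '
}

# Sample output copied from the README (every node conforms).
SAMPLE_NODES='NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
master-1 Ready master 79s v1.14.1 10.5.0.2 <none> Talos (v0.1.0-alpha.24) 4.19.34-talos containerd://1.2.6
master-2 Ready master 42s v1.14.1 10.5.0.3 <none> Talos (v0.1.0-alpha.24) 4.19.34-talos containerd://1.2.6
master-3 Ready master 42s v1.14.1 10.5.0.4 <none> Talos (v0.1.0-alpha.24) 4.19.34-talos containerd://1.2.6
worker-1 Ready worker 44s v1.14.1 10.5.0.5 <none> Talos (v0.1.0-alpha.24) 4.19.34-talos containerd://1.2.6'

# Constructed drift case (not from the README): the same cluster plus a
# NotReady node on an older kubelet, a different kernel and a non-Talos image.
DRIFT_NODES="$SAMPLE_NODES
worker-2 NotReady worker 10s v1.13.5 10.5.0.6 <none> Ubuntu 18.04.2 LTS 4.15.0-47-generic docker://18.9.2"

# Stand-alone run: prints nothing for the README sample, flags worker-2 for
# the constructed one. Against a live cluster, pipe kubectl output in instead.
printf '%s\n' "$SAMPLE_NODES" | check_nodes v1.14.1 4.19.34-talos || echo "drift detected"
printf '%s\n' "$DRIFT_NODES" | check_nodes v1.14.1 4.19.34-talos || echo "drift detected"
```

Against a live cluster, run `kubectl get nodes -o wide | check_nodes v1.14.1 4.19.34-talos` with the versions you expect; a non-zero exit makes it usable as a gate in a pipeline.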
Each Talos node exposes an API designed with cluster administrators in mind.
It provides just enough to debug and remediate issues.
Using the provided CLI (`osctl`), you can:
```
$ osctl ps
NAMESPACE   ID       IMAGE          PID   STATUS
system      ntpd     talos/ntpd     101   RUNNING
system      osd      talos/osd      107   RUNNING
system      proxyd   talos/proxyd   393   RUNNING
system      trustd   talos/trustd   115   RUNNING
```
or query the containers in the
```
$ osctl ps -k
NAMESPACE   ID                                                                     IMAGE                            PID   STATUS
k8s.io      kube-system/kube-scheduler-master-1:kube-scheduler                     k8s.gcr.io/hyperkube:v1.14.1     783   RUNNING
k8s.io      kube-system/kube-scheduler-master-1                                    k8s.gcr.io/pause:3.1             564   RUNNING
k8s.io      kube-system/kube-controller-manager-master-1:kube-controller-manager   k8s.gcr.io/hyperkube:v1.14.1     744   RUNNING
k8s.io      kube-system/kube-controller-manager-master-1                           k8s.gcr.io/pause:3.1             594   RUNNING
k8s.io      kube-system/kube-apiserver-master-1                                    k8s.gcr.io/pause:3.1             593   RUNNING
k8s.io      kube-system/kube-apiserver-master-1:kube-apiserver                     k8s.gcr.io/hyperkube:v1.14.1     796   RUNNING
k8s.io      kube-system/etcd-master-1                                              k8s.gcr.io/pause:3.1             592   RUNNING
k8s.io      kube-system/etcd-master-1:etcd                                         k8s.gcr.io/etcd:3.3.10           805   RUNNING
k8s.io      kubelet                                                                k8s.gcr.io/hyperkube:v1.14.1     446   RUNNING
```
Follow us on Twitter for the latest on Talos, or join our slack for in-depth discussions!
Join our weekly Zoom meetings:
Note: You can check this time against your timezone here.
Talos was an automaton created by the Greek God of the forge to protect the island of Crete. He would patrol the coast and enforce laws throughout the land. We felt it was a fitting name for a security focused operating system designed to run Kubernetes.
### Why no shell or SSH?

We would like Talos users to start thinking about what a “machine” is in the context of a Kubernetes cluster: the cluster can be thought of as one massive machine, with the nodes merely as additional resources. We don’t want humans to focus on the nodes, but rather on the machine that is the Kubernetes cluster. Should an issue arise at the node level, `osctl` should provide the necessary tooling to assist in the identification, debugging, and remediation of the issue. However, the API is based on the Principle of Least Privilege, and exposes only a limited set of methods. We aren’t quite there yet, but we envision Talos being a great place for the application of control theory in order to provide a self-healing platform.
### How is Talos different than CoreOS/RancherOS/Linuxkit?
Talos is similar in many ways, but there are some differences that make it unique. You can imagine Talos as a container image, in that it is immutable and built with a single purpose in mind. In this case, that purpose is Kubernetes. Talos tightly integrates with Kubernetes, and is not meant to be a general use operating system. This allows us to dramatically decrease the footprint of Talos, and in turn improve a number of other areas like security, predictability, and reliability. In addition to this, interaction with the host is done through a secure gRPC API. If you want to run Kubernetes with zero cruft, Talos is the perfect fit.