No Description
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Andrew Rynhard ecad4e35a9
docs: change meeting times to 24 hour format (#675)
1 day ago
cmd/osctl fix: Address lint warning for unknown linter (#676) 1 day ago
docs/proposals chore: add proposals template (#590) 3 weeks ago
hack feat(init): Add initToken parameter to userdata (#664) 2 days ago
internal refactor: change conditions to be interface, add descriptions (#677) 1 day ago
pkg feat(init): Add initToken parameter to userdata (#664) 2 days ago
.codecov.yml chore: update codecov project threshold to 17% (#609) 2 weeks ago
.conform.yaml refactor: move osinstall into osctl (#629) 1 week ago
.dockerignore chore: expose userdata and osctl client packages (#471) 1 month ago
.drone.yml chore: remove AMI publish step (#650) 1 week ago
.gitignore chore(ci): Update buildkit to 0.4 (#538) 4 weeks ago chore: prepare release v0.1.0-alpha.27 (#671) 2 days ago chore: add (#337) 3 months ago chore: move website to netlify (#482) 1 month ago
Dockerfile feat: use osctl in installer (#654) 1 week ago
LICENSE Initial commit 1 year ago
Makefile fix: add libressl to rootfs (#659) 1 week ago docs: change meeting times to 24 hour format (#675) 1 day ago
go.mod feat: add bootstrap token package (#657) 1 week ago
go.sum feat: add bootstrap token package (#657) 1 week ago


A modern operating system for Kubernetes.

Release Pre-release

Talos is a modern operating system for Kubernetes that provides a number of capabilities. A few are:

  • Security: reduce your attack surface by practicing the Principle of Least Privilege (PoLP) and enforcing mutual TLS (mTLS).
  • Predictability: remove needless variables and reduce unknown factors from your environment using immutable infrastructure.
  • Evolvability: simplify and increase your ability to easily accommodate future changes to your architecture.

For details on the design and usage of Talos, see the documentation.

$ kubectl get nodes -o wide
master-1   Ready    master   79s   v1.14.1      <none>        Talos (v0.1.0-alpha.24)   4.19.34-talos    containerd://1.2.6
master-2   Ready    master   42s   v1.14.1      <none>        Talos (v0.1.0-alpha.24)   4.19.34-talos    containerd://1.2.6
master-3   Ready    master   42s   v1.14.1      <none>        Talos (v0.1.0-alpha.24)   4.19.34-talos    containerd://1.2.6
worker-1   Ready    worker   44s   v1.14.1      <none>        Talos (v0.1.0-alpha.24)   4.19.34-talos    containerd://1.2.6

Quick Start

The quickest way to get started with Talos is to create a local docker-based cluster:

osctl cluster create

Note: You can download osctl from the latest release.

Once the cluster is up, download the kubeconfig:

osctl kubeconfig > kubeconfig
kubectl --kubeconfig kubeconfig config set-cluster talos_default --server

Note: It can take up to a minute for the kubeconfig to be available.

To cleanup, run:

osctl cluster destroy



  • musl-libc: uses musl as the C standard library
  • golang: implements a pure golang init
  • gRPC: exposes a secure gRPC API
  • containerd: runs containerd for system services in tandem with the builtin CRI runtime for Kubernetes pods
  • kubeadm: uses kubeadm to create conformant Kubernetes clusters


Talos takes a defense in depth approach to security. Below, we touch on a few of the measures taken to increase the security posture of Talos.


Talos is a minimalistic distribution that consists of only a handful of binaries and shared libraries. Just enough to run containerd and a small set of system services. This aligns with NIST’s recommendation in the Application Container Security Guide:

Whenever possible, organizations should use these minimalistic OSs to reduce their attack surfaces and mitigate the typical risks and hardening activities associated with general-purpose OSs.

Talos differentiates itself and improves on this since it is built for one purpose — to run Kubernetes.


There are a number of ways that Talos provides added hardening:

  • employs the recommended configuration and runtime settings outlined in the Kernel Self Protection Project
  • enables mutual TLS for the API
  • enforces the settings and configurations described in the CIS guidelines


Talos improves its security posture further by mounting the root filesystem as read-only and removing any host-level access by traditional means such as a shell and SSH.


Stay current with our commitment to an n-1 adoption rate of upstream Kubernetes. Additionally, the latest LTS Linux kernel will always be used.


Each Talos node exposes an API designed with cluster administrators in mind. It provides just enough to debug and remediate issues. Using the provided CLI (osctl), you can:

  • restart a node (osctl reboot)
  • get CPU and memory usage of a container (osctl stats)
  • view kernel buffer logs (osctl dmesg)
  • restart a container (osctl restart)
  • tail container logs (osctl logs)

and more.


Query system services:

$ osctl ps
system      ntpd     talos/ntpd     101   RUNNING
system      osd      talos/osd      107   RUNNING
system      proxyd   talos/proxyd   393   RUNNING
system      trustd   talos/trustd   115   RUNNING

or query the containers in the namespace:

$ osctl ps -k
NAMESPACE   ID                                                                     IMAGE                          PID   STATUS      kube-system/kube-scheduler-master-1:kube-scheduler              783   RUNNING      kube-system/kube-scheduler-master-1                                     564   RUNNING      kube-system/kube-controller-manager-master-1:kube-controller-manager   744   RUNNING      kube-system/kube-controller-manager-master-1                            594   RUNNING      kube-system/kube-apiserver-master-1                                     593   RUNNING      kube-system/kube-apiserver-master-1:kube-apiserver              796   RUNNING      kube-system/etcd-master-1                                               592   RUNNING      kube-system/etcd-master-1:etcd                                        805   RUNNING      kubelet                                                         446   RUNNING


Follow us on Twitter for the latest on Talos, or join our slack for in-depth discussions!

Twitter Follow Slack Invite

Join our weekly Zoom meetings:

  • Office hours Mondays at 17:00 UTC
  • Maintainer hours Thursdays at 17:00 UTC

Note: You can check this time against your timezone here.






Why “Talos”?

Talos was an automaton created by the Greek God of the forge to protect the island of Crete. He would patrol the coast and enforce laws throughout the land. We felt it was a fitting name for a security focused operating system designed to run Kubernetes.

Why no shell or SSH?

We would like for Talos users to start thinking about what a “machine” is in the context of a Kubernetes cluster. That is that a Kubernetes cluster can be thought of as one massive machine and the nodes merely as additional resources. We don’t want humans to focus on the nodes, but rather the machine that is the Kubernetes cluster. Should an issue arise at the node level, osctl should provide the necessary tooling to assist in the identification, debugging, and remediation of the issue. However, the API is based on the Principle of Least Privilege, and exposes only a limited set of methods. We aren’t quite there yet, but we envision Talos being a great place for the application of control theory in order to provide a self-healing platform.

How is Talos different than CoreOS/RancherOS/Linuxkit?

Talos is similar in many ways, but there are some differences that make it unique. You can imagine Talos as a container image, in that it is immutable and built with a single purpose in mind. In this case, that purpose is Kubernetes. Talos tightly integrates with Kubernetes, and is not meant to be a general use operating system. This allows us to dramatically decrease the footprint of Talos, and in turn improve a number of other areas like security, predictability, and reliability. In addition to this, interaction with the host is done through a secure gRPC API. If you want to run Kubernetes with zero cruft, Talos is the perfect fit.