Talos Linux:
Bare metal to Kubernetes
in under a minute.

No SSH. No shell.
No package manager.

Three things Talos Linux doesn't ship. Each one removes a class of failure that no configuration flag can fully close.

Traditional Linux vs. Talos Linux

1. Access model

Traditional Linux: sshd listens on :22. The operator authenticates with a key, gets a PTY, and runs commands as root. The same path opens to anyone with a stolen key, an exposed config, or an unpatched daemon.

Talos Linux: No sshd, no getty, no console login. The only ingress is apid on :50000, gRPC over mTLS, client cert required. Every call is typed, logged, and authorised by the role carried in the client certificate.

2. Mutability

Traditional Linux: The root filesystem is rw. apt, dnf, sed, and a careless operator all write to the same disk. State diverges from the manifest with every patch.

Talos Linux: Root is a SquashFS image, mounted ro. Upgrades write a new image to the inactive partition and reboot into it. Rollback is the reverse. The running state is the image hash.

3. Attack surface

Traditional Linux: 1,280 binaries¹ on disk. Most have nothing to do with the kubelet (bash, perl, gcc, gpg), but each ships with a CVE history and a dependency tree.

Talos Linux: <50 binaries, each required to bring up a node: kernel, containerd, kubelet, etcd, machined. If it's not on that list, it's not on the box.

¹ Ubuntu 26.04 server cloud image, pulled May 21, 2026. Script: https://github.com/siderolabs/contrib/blob/main/hack/ubuntu-scan.sh.

Whole categories of risk,
gone.

Talos Linux doesn't ship the things that need hardening. The categories below don't apply, not because they've been mitigated, but because the surface they target isn't on the box.

SSH-based intrusion: No SSH daemon. Nothing to intrude on.
Shell-based privilege escalation: No shell on the host. Nothing to escalate into.
Package manager supply chain attacks: No package manager. Nothing to install on a running node.
Configuration drift: Read-only root filesystem. Every change goes through the API.
Persistent malware and rootkits: Ephemeral, RAM-resident OS. A reboot returns to the declared state.
Unpatched CVEs in unused binaries: We don't ship the unused binaries.
Credential and key theft from disk: Encrypted partitions, TPM-sealed. No shell to grep through them.
Ad-hoc commands on a running node: Every change is declarative YAML applied through the API.
Failed-upgrade brick: Atomic A/B swap. A failed image rolls back automatically.
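The access model (item 1 above), the "declarative YAML applied through the API" point and the A/B upgrade with rollback, shown as one operator workflow. This is an added shell example, not Sidero's code and not from this page. It assumes talosctl is installed and a talosconfig carrying a client certificate is already in place; the node address 10.0.0.5, the endpoint 10.0.0.1, the patch contents and the installer tag are constructed for illustration. Commands are printed as a reviewable plan and only executed when TALOS_APPLY=1.

```shell
#!/usr/bin/env bash
# Added example (not Sidero's own code). Every change to a node below is a YAML
# patch sent over mTLS to apid; nothing opens a shell on the machine.
set -euo pipefail

# Write a constructed machine-config patch (strategic-merge format) and print its path.
write_patch() {
  local out="${1:-/tmp/talos-hardening.yaml}"
  cat >"$out" <<'EOF'
machine:
  features:
    rbac: true                       # the role in the client cert decides what apid allows
  kubelet:
    extraArgs:
      rotate-server-certificates: "true"
  sysctls:
    kernel.kptr_restrict: "2"
EOF
  printf '%s\n' "$out"
}

# Render a full config from the patch and validate it offline, before anything
# touches a node. Returns 0 and prints a notice when talosctl is not on PATH.
render_and_validate() {
  local patch="$1" dir="${2:-/tmp/talos-render}"
  command -v talosctl >/dev/null || { echo "talosctl not installed; skipping offline validation" >&2; return 0; }
  # Endpoint and cluster name are placeholders; only the rendered YAML is checked here.
  talosctl gen config demo https://10.0.0.1:6443 --config-patch @"$patch" --output-dir "$dir" --force
  talosctl validate --config "$dir/controlplane.yaml" --mode metal
}

# Print a command, and run it only when TALOS_APPLY=1 (no eval: arguments stay as words).
run() {
  printf '%s\n' "$*"
  if [ "${TALOS_APPLY:-0}" = 1 ]; then "$@"; fi
}

# The node lifecycle as four API calls, one printed per line.
plan() {
  local node="$1" patch="$2" image="${3:-ghcr.io/siderolabs/installer:v1.13.2}"
  # 1. Dry run: apid shows the diff it would apply and changes nothing.
  run talosctl -n "$node" patch machineconfig --patch "@$patch" --dry-run
  # 2. Apply. With --mode no-reboot the call fails if the change needs a reboot,
  #    rather than rebooting the node silently.
  run talosctl -n "$node" patch machineconfig --patch "@$patch" --mode no-reboot
  # 3. A/B upgrade: the new image goes to the inactive partition, then reboot into it.
  run talosctl -n "$node" upgrade --image "$image"
  # 4. Confirm what is running. If the new image is unhealthy,
  #    'talosctl -n <node> rollback' boots the previous partition again.
  run talosctl -n "$node" version
}
```

Review the printed plan first; then `TALOS_APPLY=1 plan 10.0.0.5 "$(write_patch)"` runs the same four calls against the node. Because each step is an API call authorised by the client certificate, the plan is also the audit trail: there is no interactive session in which something else could have happened.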

Less to run. Less to break.
Less to defend.

A general-purpose distribution starts with everything and tries to remove what Kubernetes doesn't need. Talos Linux starts with nothing and adds only what's needed.

Ubuntu Server 22.04.05 · critical & high CVEs: 279 outstanding, base install.¹
Talos Linux · critical & high CVEs: 6, all addressed via VEX or patches.²

¹ Ubuntu 26.04 server cloud image, pulled May 21, 2026. Script: https://github.com/siderolabs/contrib/blob/main/hack/ubuntu-scan.sh.

² Talos Linux 1.13.2, pulled May 21, 2026. CVEs addressed via patches or VEX statements (https://github.com/siderolabs/talos-vex).

Capability               Traditional Linux                          Talos Linux
Purpose                  General-purpose, runs anything             Built only for Kubernetes
Binaries shipped         1,280 (Ubuntu 26.04)¹                      40
OS footprint             2.5–4 GB                                   ~80 MB
Root filesystem          Mutable, disk-backed                       Read-only, ephemeral, RAM-resident
Configuration model      Imperative + config management bolt-ons    Declarative YAML, reconciled via API
Configuration drift      Accumulates over time                      Structurally impossible
Update mechanism         Package-by-package (apt / yum / dnf)       Atomic A/B image swap, OS + K8s together
Failed-upgrade recovery  Manual intervention                        Automatic rollback
Remote access            SSH                                        mTLS-authenticated gRPC API
Shell on host            bash / sh / sudo                           None
Package manager          apt / yum / dnf                            None
SSH daemon               openssh-server                             None

Trusted by homelabs and enterprises alike.

Six years in production. 330+ contributors. A certified Kubernetes distribution. Runs a Raspberry Pi in a closet, 11K+ nodes at a single Fortune Global 500 customer, hundreds of edge sites, and everything in between.

Get started now.

Two commands. Local cluster running in under a minute.

Install

$ brew install siderolabs/tap/talosctl
$ talosctl cluster create

talosctl cluster create uses the Docker provisioner by default, so a running Docker daemon is required; the cluster's nodes run as containers on the local machine.

When you're ready to
manage a fleet.

When the fleet outgrows manual lifecycle management, Talos Omni picks up: provisioning, upgrades, config, and backups across every cluster from one place. Available as SaaS or self-hosted.

Read about Talos Omni →

  • FIPS 140-3 compliant builds
  • CIS benchmarked
  • SBOM on every release
  • SOC 2 Type II compliant

  • Nokia
  • Roche
  • Powerflex
  • SGX
  • Hathora
  • Nexxen
  • Ubisoft
  • Berkshire Grey
  • Promptly Health
  • DSV
  • Equinix

Pro-humans,
anti-heroics.