Talos: Secure, immutable, and minimal Linux OS for running Kubernetes
Talos Linux is a secure, minimalistic Linux distribution for Kubernetes, managed via API. It emphasizes security, immutability, and aligns with NIST and CIS guidelines. It offers quick deployment and supports large clusters.
Talos Linux is a specialized Linux distribution tailored for Kubernetes environments, emphasizing security, predictability, and evolvability. Managed solely through an API, it boasts minimalism and immutability, reducing attack surfaces and configuration drift. Talos Linux is production-ready, supporting large Kubernetes clusters and is open source from Sidero Labs. It offers quick cluster deployment, aligning with NIST's security recommendations and CIS guidelines by default. The system is hardened, employing Kernel Self Protection Project configurations and mutual TLS authentication for API access. Talos Linux operates with a read-only root filesystem, enhancing security, and runs in memory, leaving the disk entirely to Kubernetes. It ensures the latest stable versions of Kubernetes and Linux, reflecting a commitment to Cloud Native Computing Foundation standards.
Related
Canonical's 'distroless' Linux images are a game-changer for enterprises
Canonical introduces 'distroless' Linux images with long-term support, enhancing security by reducing attack surface. Plans include supporting various platforms and adding open-source components to Ubuntu Pro subscriptions, emphasizing AI/ML tools. Collaboration with Microsoft for .NET containers solidifies Canonical's commitment to rapid security resolutions.
CVE-2021-4440: A Linux CNA Case Study
The Linux CNA mishandled CVE-2021-4440 in the 5.10 LTS kernel, causing information leakage and KASLR defeats. The issue affected Debian Bullseye and SUSE's 5.3.18 kernel, resolved in version 5.10.218.
Show HN: EtchaOS – Secure, immutable, in-memory remixes of popular Linux distros
EtchaOS is a secure, minimal, and immutable Linux distribution for cloud, on-premise, and embedded systems. It prioritizes security, consistency, automatic upgrades, flexibility, and customization. Developed by Candid Development LLC.
The Trouble with Tar: Introducing High Availability, Zone-Aware Load Balancing
Topology Aware Routing (TAR) in Kubernetes poses challenges by restricting traffic within zones, affecting system reliability. Linkerd's HAZL offers dynamic load balancing across zones for high availability and cost reduction, addressing TAR limitations.
Tau: Open-source PaaS – A self-hosted Vercel / Netlify / Cloudflare alternative
Tau is an open-source Git-Native CDN PaaS on GitHub, covering installation, configuration, launching, networking, storage, computing, E2E testing, local cloud, and documentation for effective utilization.
https://github.com/siderolabs/talos/issues/8367
Unless I’ve missed something, this isn’t a big deal in an AWS-style cloud where extra storage volumes (EBS, etc) have essentially no incremental cost, and maybe it’s okay on bare metal if the bare metal is explicitly designed with a completely separate boot disk (this includes Raspberry Pi using SD for boot and some other device for actual storage), but it seemed like a mostly showstopping issue for an average server that was specced with the intent to boot off a partition.
I suppose one could fudge it with NVMe namespaces if the hardware cooperates. (I’ve never personally tried setting up a nontrivial namespace setup.)
Has anyone set up Talos in a useful way on a server with a single disk or a single RAID array?
Something that Talos does differently is everything is an API. Machine configuration, upgrades, debugging…it’s all APIs. This helps with maintaining systems way beyond the usual cloud-init and systemd wrappers in other “minimal” distros.
The second big change is Talos Linux is only designed for Kubernetes. It’s not a generic Linux kernel+container runtime. The init system was designed to run the kubelet and publish an API that feels like a Kubernetes native component.
This drastically reduces the Linux knowledge required to run, scale, and maintain a complex system like Kubernetes.
I’ve been doing a set of live streams called Talos Linux install fest walking new users through setting up their first cluster on Talos. Each install is in a new environment so please check it out.
Before that, we had a Kubespray based setup. It's a bunch of Ansible scripts and it allows you to make any custom setup, like absolutely anything, as you are in control of the machines. But the other side of this is that it's extremely easy to break everything. Which we did a couple of times. And so any upgrade is a risk of losing the whole cluster, so we decided it must be run in VMs with a full backup before each upgrade. Another problem is that it takes about an hour to apply a change, because Ansible has to apply all the scripts each time.
Then we migrated to Talos, and it's night and day. The initial setup took like an hour, including reading the docs and a tutorial. Easy to set up, easy to maintain, easy to upgrade (and it takes minutes). Note that we run the nodes as VMs in Proxmox, so the disk and network setup are outside of Talos' scope, as well as backups, and it actually simplifies everything. So it "just works" and we can focus on our app, not the cluster setup.
Talos improves security further by mounting the root filesystem as read-only and removing any host-level such as a shell and SSH.
After host-level, probably 'access'.