Talos Linux: An Immutable OS for Kubernetes in Your Homelab
Talos Linux takes a different approach to running Kubernetes: it's a purpose-built OS with no SSH, no bash shell, no package manager, and no way to log in. The entire system is managed through an API. That sounds extreme, but the result is a remarkably stable, secure, and reproducible Kubernetes platform.
Photo by Simona Sroková on Unsplash
If you've ever fought with a node that drifted from its intended state — a misconfigured package, an accidental apt upgrade, an SSH key that shouldn't be there — Talos eliminates the problem at the OS layer.
What Makes Talos Different
Traditional Kubernetes nodes run on general-purpose Linux (Ubuntu, CentOS, Debian). Talos replaces that with:
- Read-only root filesystem: The OS can't be modified at runtime
- No shell access: Configuration happens entirely through the Talos API
- Minimal attack surface: Only what Kubernetes needs is present
- Declarative configuration: Node state is defined in YAML, applied via
talosctl - Atomic upgrades: OS and Kubernetes upgrades are applied as a unit and rolled back if they fail
The tradeoff: there's no escape hatch. You can't SSH in to debug a problem the traditional way. Instead, you use talosctl to inspect state, stream logs, and apply changes.
When Talos Makes Sense for Homelabs
Talos is a good fit if you:
- Want production-grade Kubernetes practices at home
- Are building a multi-node cluster and want consistent node state
- Have had nodes drift over time and want to prevent it
- Use GitOps (Flux, ArgoCD) and want every layer to be declarative
It's less ideal if you:
- Need to install custom software on the host OS
- Run a single-node "cluster" where management overhead isn't worth it
- Are newer to Kubernetes and want to troubleshoot interactively
Getting Started: Single Node with QEMU
For testing, create a Talos VM with the CLI:
# Install talosctl
curl -sL https://talos.dev/install | sh
# Download the ISO
curl -LO https://github.com/siderolabs/talos/releases/latest/download/talos-amd64.iso
# Generate cluster config
talosctl gen config my-homelab-cluster https://192.168.1.100:6443 \
--output-dir ./clusterconfig
# This generates:
# - clusterconfig/controlplane.yaml
# - clusterconfig/worker.yaml
# - clusterconfig/talosconfig
Boot the ISO on a VM or bare metal. Once the machine boots, apply the config:
# Apply config to the node (use the node's IP)
talosctl apply-config \
--insecure \
--nodes 192.168.1.100 \
--file clusterconfig/controlplane.yaml
Like what you're reading? Subscribe to HomeLab Starter — free weekly guides in your inbox.
Multi-Node Cluster on Bare Metal
For a 3-node cluster (1 control plane + 2 workers):
# Generate config
talosctl gen config homelab-k8s https://192.168.1.100:6443
# Apply controlplane config
talosctl apply-config --insecure \
--nodes 192.168.1.100 \
--file clusterconfig/controlplane.yaml
# Apply worker config to each worker
talosctl apply-config --insecure \
--nodes 192.168.1.101 \
--file clusterconfig/worker.yaml
talosctl apply-config --insecure \
--nodes 192.168.1.102 \
--file clusterconfig/worker.yaml
# Bootstrap etcd (run once on the controlplane)
talosctl bootstrap \
--talosconfig clusterconfig/talosconfig \
--nodes 192.168.1.100
# Get kubeconfig
talosctl kubeconfig \
--talosconfig clusterconfig/talosconfig \
--nodes 192.168.1.100
The cluster is up. Verify:
kubectl get nodes
Configuration as Code
Talos machine configs are YAML files you can store in git. To customize a node:
# controlplane.yaml (excerpt)
machine:
type: controlplane
install:
disk: /dev/sda
image: ghcr.io/siderolabs/installer:v1.8.0
network:
hostname: k8s-cp-01
interfaces:
- interface: eth0
addresses:
- 192.168.1.100/24
routes:
- network: 0.0.0.0/0
gateway: 192.168.1.1
dhcp: false
time:
servers:
- pool.ntp.org
kubelet:
extraArgs:
max-pods: "250"
When you change the config, apply it:
talosctl apply-config --nodes 192.168.1.100 --file controlplane.yaml
Talos validates the config and applies it safely, rebooting if required.
Upgrading Talos and Kubernetes
Upgrading is a single command:
# Upgrade Talos OS
talosctl upgrade \
--nodes 192.168.1.100 \
--image ghcr.io/siderolabs/installer:v1.9.0
# Upgrade Kubernetes version
talosctl upgrade-k8s \
--to 1.31.0
Talos rolls back automatically if the upgrade fails to come back healthy.
Talosctl Commands You'll Use
# Inspect node services
talosctl services --nodes 192.168.1.100
# Stream logs from a service
talosctl logs machined --nodes 192.168.1.100 -f
# Check disk usage
talosctl df --nodes 192.168.1.100
# Inspect running processes
talosctl ps --nodes 192.168.1.100
# Read kernel ring buffer (dmesg)
talosctl dmesg --nodes 192.168.1.100
# Reboot a node
talosctl reboot --nodes 192.168.1.100
# Reset to factory state (wipes the node)
talosctl reset --nodes 192.168.1.100 --graceful
Custom Extensions
Talos is minimal by default, but extensions let you add functionality:
machine:
install:
extensions:
- image: ghcr.io/siderolabs/iscsi-tools:v0.1.5 # iSCSI support
- image: ghcr.io/siderolabs/intel-ucode:20240910 # Intel microcode
- image: ghcr.io/siderolabs/drbd:9.2.11-v1.8.0 # DRBD for HA storage
Extensions are baked into the node image at install time — no post-install package installation.
Pros and Cons vs. Standard Ubuntu Kubernetes
| Aspect | Talos Linux | Ubuntu + kubeadm |
|---|---|---|
| Node drift | Impossible | Common over time |
| SSH access | No | Yes |
| Troubleshooting style | API + talosctl | Shell + kubectl |
| Upgrade safety | Atomic, auto-rollback | Manual, can fail mid-way |
| Learning curve | Steeper | Gentler |
| Flexibility | Limited to K8s use cases | Full OS access |
| Security surface | Minimal | Standard Linux |
Getting Started Resources
- Official docs:
talos.dev talosctlreference:talosctl helpcovers all commands- Extension catalog:
github.com/siderolabs/extensions - Community:
/r/talosand the Talos Slack channel
Talos has a steeper initial setup than standard Ubuntu nodes, but the long-term manageability is genuinely better for homelab Kubernetes clusters that you want to keep running without constant maintenance.