
siderolabs/talos

★ 10,695 · Go · MPL-2.0 · updated Jun 2026

Talos Linux is a modern Linux distribution built for Kubernetes.

Talos Linux is an OS purpose-built to run Kubernetes — immutable, API-only, no SSH, no shell. You manage everything through `talosctl` over mTLS gRPC. It's aimed at teams who want their Kubernetes nodes to be cattle, not pets, and who are willing to trade operational flexibility for a dramatically reduced attack surface.

The no-shell, no-SSH design is the real thing here — the attack surface genuinely is smaller, not just marketed as smaller. The API-first architecture means every node operation is auditable and scriptable by default, which solves the 'who did what to this node at 2am' problem that haunts traditional distros. mTLS everywhere for node communication is correctly wired by default rather than bolted on later. The upgrade story (atomic A/B partition upgrades with rollback) is well thought out and production-tested.

No shell is also the main thing that will bite you during an incident — if your `talosctl` connectivity breaks, your debugging options are severely limited compared to SSHing in. The learning curve is steeper than vanilla Kubernetes nodes; operators who are comfortable with standard Linux troubleshooting tools need to relearn their entire incident response playbook. Extension support for custom kernel modules or OS-level software exists but is more friction than just `apt install` on a standard node. The tight coupling between Talos versions and supported Kubernetes versions means you can't upgrade them independently, which adds coordination overhead in conservative environments.
