Sidero Labs has been developing Talos Linux, an immutable operating system purpose-built exclusively for running Kubernetes, alongside Omni, a cluster lifecycle management platform. InfoQ met the Sidero team in Amsterdam during the TalosCon 2025 and had conversations about their approach to simplifying Kubernetes operations through minimalism and security-first design.
The concept for Talos emerged from practical frustrations with traditional operating systems in enterprise environments. While working with large enterprises, the team encountered the lengthy annual auditing processes required to prove that each general-purpose host was secure, most of which scrutinised components that had nothing to do with the workload. This experience led to a fundamental realization: if the primary goal is running Kubernetes, why should teams need to manage, patch, and audit the complexity of a full operating system?
The team explained their philosophy:
We kind of just landed on the idea that we shouldn't have to care about the operating system at all when all we want to do is run Kubernetes anyway. The idea of it being immutable kind of came out of that: the less stuff that can change, the fewer things that can go wrong.
Talos takes a radical approach to achieving this goal: it keeps the Linux kernel, discards the conventional userland (shell, package manager, init system, SSH daemon), and replaces it with a userland written in Go that implements just enough functionality to run the kubelet. From an operational perspective, this means that once Talos boots and starts running, it simply continues running: there is no drifting package state or interactive session to introduce the unexpected failures that traditional operating systems accumulate over time.
Despite its minimalist design, Talos maintains flexibility through deliberate architectural decisions, with the team emphasizing their commitment to providing vanilla, upstream Kubernetes with full conformance testing on every release. While Talos makes opinionated decisions about how Kubernetes is deployed underneath, users retain complete control over their Kubernetes clusters. System extensions allow users to build customized versions of Talos that support specific hardware requirements without compromising the core immutable design, so users are not bound to a rigid operating system lacking the drivers they need.
Talking about strategy, Sidero's management team said the product strategy centers on two complementary offerings, Talos and Omni. On the Talos side:
The roadmap for that is to continue to expand support for different types of hardware and to continue to harden Talos.
The team also outlined several directions for Omni's evolution over the next 12 months, with a particular focus on infrastructure provisioners. Provisioners currently exist for bare metal, KubeVirt, and Oxide; the intent is to eliminate the need for separate tools like Terraform in the cluster provisioning workflow. The vision is to enable direct VM provisioning from Omni, followed by automatic Talos deployment and cluster formation, creating what the team describes as a cloud-like experience in environments where such simplicity is typically unavailable.
Talos has seen major adoption in edge computing across retail, factory automation, and robotics, prompting the team to explore an appliance-based model that could provide certified hardware with single-node, schedulable Kubernetes environments optimized for edge deployments.
These use cases, ranging from grocery stores running point-of-sale and inventory systems to casinos operating networked kiosks and transportation systems managing distributed edge nodes, share a common architectural pattern: edge devices report to centralized Kubernetes clusters, which in turn communicate with data centers, so that workloads are coordinated across environments.
The platform supports edge-specific capabilities, including secure and trusted boot, on-site data hardening, and centralized management through Omni. Its security posture encompasses a Software Bill of Materials (SBOM) for every build, signed commits, fully reproducible builds, alignment with CIS benchmarks, and SELinux enforcement. These measures position Talos favorably for compliance with emerging regulations such as the EU's Cyber Resilience Act.
Sidero has built its community through a distinctive bottom-up strategy where enthusiasts first discover Talos for personal home lab projects, gradually develop deep expertise, and then champion its adoption within their professional organizations; a pattern so successful that the company has hired community members who demonstrated exceptional platform knowledge.
The team remains committed to delivering outstanding experiences for hobby users and home lab enthusiasts, understanding that enterprise adoption typically stems from individual advocacy within companies. While they continue this grassroots approach, they're now also pursuing direct enterprise outreach, anticipating these two strategies will naturally converge as enterprises discover they already have Talos experts among their existing workforce.
Talos enters a growing field of immutable, container-optimized operating systems that includes AWS's Bottlerocket and Flatcar Linux, but it occupies a distinct position through its singular Kubernetes focus. Flatcar Linux retains SSH access and allows runtime modifications such as dynamically loading kernel modules; Bottlerocket supports multiple orchestrators, including EKS and ECS, and ships with over 250 binaries.
Talos, by contrast, pursues radical minimalism with just 12 binaries and removes SSH entirely in favor of API-driven management. Bottlerocket's AWS-centric approach and multiple "variants" for different environments contrast with Talos's design to run anywhere Kubernetes runs, using composable system extensions that preserve immutability while adding necessary capabilities.
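The system-extension mechanism mentioned above and earlier in the article is what replaces Flatcar-style runtime module loading: capabilities are composed into a new image at build time, and nodes are upgraded to that image rather than modified in place. The following schematic is an added illustration written for this page, not code from the article or from Sidero; it assumes the YAML schema accepted by Sidero's Image Factory, and the extension names and kernel argument are example values chosen for illustration.

```yaml
# Added example (not from the article): a Talos Image Factory schematic
# (assumed schema) that bakes capabilities into an immutable image.
# Nothing here is applied to a running node; the output is a new image
# that nodes are upgraded to, so the running system stays unchanged.
customization:
  extraKernelArgs:
    - net.ifnames=0                 # example kernel argument (assumed)
  systemExtensions:
    officialExtensions:
      - siderolabs/intel-ucode      # CPU microcode for bare-metal hosts (example)
      - siderolabs/qemu-guest-agent # guest agent for VM-hosted nodes (example)
```

The security-relevant point is the workflow: the schematic is the only place a driver or agent can be introduced, it is versioned alongside the cluster configuration, and the resulting image carries the same SBOM and reproducibility guarantees as a stock release, whereas a module loaded over SSH on a mutable host leaves no such record.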
These differences reflect fundamentally distinct design philosophies: Flatcar aims for container optimization with familiar management patterns, Bottlerocket targets cloud-native container orchestration with broad workload support, while Talos pursues maximum simplification through exclusive Kubernetes focus.