Getting Started with Talos

Talos Linux is a minimal, immutable operating system designed specifically for running Kubernetes. It provides enhanced security through API-driven configuration with no shell access, automatic updates, and a reduced attack surface. This guide shows you how to use Talos with KSail for local development (Docker provider), cloud deployments (Hetzner Cloud provider), or managed clusters through Sidero Omni (Omni provider).

What is Talos?

Talos Linux is fundamentally different from traditional Linux distributions:

Immutable: No package manager, no shell, no SSH—the OS cannot be modified at runtime
API-driven: All configuration happens via the Talos API using machine config patches
Secure by default: Minimal attack surface with only essential services running
Kubernetes-native: Designed specifically for Kubernetes, not general-purpose computing
Declarative: Configuration is defined as code and applied atomically

When to Use Talos

Talos is ideal for security-focused production workloads, GitOps workflows, and multi-cloud deployments requiring immutable infrastructure. However, it’s not suitable for quick prototyping (use Vanilla or K3s instead), scenarios requiring shell access or traditional Linux tools, or environments that require Windows/macOS nodes or a general-purpose Linux OS with shell and package management.

Quick Start

Local Development with Docker

Create a Talos cluster on your local machine using Docker containers as nodes.

Prerequisites

Docker Desktop or Docker Engine installed and running
docker ps command works

Step 1: Initialize Project

ksail cluster init \
  --name talos-dev \
  --distribution Talos \
  --provider Docker \
  --control-planes 1 \
  --workers 2

This creates:

ksail.yaml — KSail configuration
talos/ directory — Talos configuration patches

Step 2: Create Cluster

ksail cluster create

KSail will:

Download the Talos Docker image
Create Docker containers as control plane and worker nodes
Bootstrap the Kubernetes cluster
Configure kubectl context
Install CNI (Cilium by default)

Expected output:

✓ Creating Talos cluster...
✓ Bootstrapping Kubernetes...
✓ Installing Cilium CNI...
✓ Cluster ready!

Cluster:  talos-dev
Nodes:    3 (1 control plane, 2 workers)
Provider: Docker

Step 3: Verify Cluster

# Check cluster info
ksail cluster info

# View nodes
kubectl get nodes

# View all pods
kubectl get pods -A

Step 4: Deploy an Application

# Create a test deployment
kubectl create deployment nginx --image=nginx

# Expose it
kubectl expose deployment nginx --port=80 --type=NodePort

# Check the service
kubectl get svc nginx

Step 5: Cleanup

# Delete the cluster and all resources
ksail cluster delete

Production Deployment on Hetzner Cloud

Create a production-ready Talos cluster on Hetzner Cloud infrastructure.

Prerequisites

Hetzner Cloud account
Hetzner Cloud API token (get it from Hetzner Cloud Console → Project → Security → API Tokens)
Docker installed locally (for cluster initialization)

Step 1: Configure API Token

export HCLOUD_TOKEN=your-hetzner-api-token

Step 2: Initialize Project

ksail cluster init \
  --name talos-prod \
  --distribution Talos \
  --provider Hetzner \
  --control-planes 1 \
  --workers 2

This creates:

ksail.yaml — KSail configuration
talos/ directory — Talos configuration patches

Step 3: Create Cluster

ksail cluster create

KSail will:

Create Hetzner Cloud servers (control plane + workers)
Upload Talos ISO to servers
Boot servers with Talos
Bootstrap the Kubernetes cluster
Configure kubectl context
Install CNI and CSI drivers
Configure Hetzner Cloud Controller Manager for LoadBalancer support

Expected output:

✓ Creating Hetzner Cloud servers...
✓ Uploading Talos ISO...
✓ Bootstrapping Kubernetes...
✓ Installing Cilium CNI...
✓ Installing Hetzner CSI...
✓ Cluster ready!

Cluster:  talos-prod
Nodes:    3 (1 control plane, 2 workers)
Provider: Hetzner (fsn1-dc14)

Step 4: Verify Cluster

# Check cluster info
ksail cluster info

# View nodes with external IPs
kubectl get nodes -o wide

# Verify CSI driver
kubectl get pods -n kube-system | grep hcloud-csi

Step 5: Deploy with LoadBalancer

# Create a sample application
kubectl create deployment web --image=nginx --replicas=3

# Expose with a Hetzner Cloud Load Balancer
kubectl expose deployment web --port=80 --type=LoadBalancer

# Wait for external IP (takes ~1-2 minutes)
kubectl get svc web --watch

The LoadBalancer service will provision a real Hetzner Cloud Load Balancer with a public IP.

Step 6: Cleanup

# Delete the cluster and all Hetzner resources
ksail cluster delete

Managed Deployment via Sidero Omni

Create a Talos cluster managed through Sidero Omni, which handles machine lifecycle and cluster orchestration via a SaaS API.

Prerequisites

A Sidero Omni account
Omni service account key (create one in the Omni web UI under Settings → Service Accounts)
Your Omni API endpoint URL (e.g., https://<account>.omni.siderolabs.io:443)
Machines already registered in Omni and available for allocation

Step 1: Configure Credentials

export OMNI_SERVICE_ACCOUNT_KEY=your-base64-encoded-service-account-key

Step 2: Initialize Project

ksail cluster init \
  --name talos-omni \
  --distribution Talos \
  --provider Omni \
  --control-planes 1 \
  --workers 2

This creates:

ksail.yaml — KSail configuration
talos/ directory — Talos configuration patches

Step 3: Add the Omni Endpoint

The scaffolder does not generate the omni: block automatically. Open ksail.yaml and add spec.cluster.omni.endpoint manually:

spec:
  cluster:
    omni:
      endpoint: "https://<account>.omni.siderolabs.io:443"

Step 4: Create Cluster

ksail cluster create

KSail will:

Connect to your Omni instance using the service account key
Allocate registered machines to the cluster
Apply Talos configuration patches via the Omni API
Bootstrap the Kubernetes cluster
Configure kubectl context

Expected output:

✓ Connecting to Omni...
✓ Allocating machines...
✓ Bootstrapping Kubernetes...
✓ Installing Cilium CNI...
✓ Cluster ready!

Cluster:  talos-omni
Nodes:    3 (1 control plane, 2 workers)
Provider: Omni

Step 5: Verify Cluster

# Check cluster info
ksail cluster info

# View nodes
kubectl get nodes

# View all pods
kubectl get pods -A

Step 6: Cleanup

# Delete the cluster (deallocates machines in Omni, does not wipe them)
ksail cluster delete

Use Cases

Talos excels at immutable infrastructure where all changes happen via declarative configuration patches stored in version control—making configuration drift impossible. It’s particularly valuable for security-focused production deployments where no SSH access, API-driven operations, and a minimal attack surface are requirements (ideal for compliance-regulated workloads with GitOps tooling like Flux or ArgoCD).

For multi-environment consistency, use the same Talos distribution from local Docker development through production Hetzner Cloud deployments—configuration patches are portable and behavior is identical across providers, eliminating “works on my machine” issues.

Common operations via Talos API:

talosctl -n <node-ip> get machineconfig   # View configuration
talosctl -n <node-ip> version             # Check Talos version
talosctl -n <node-ip> logs                # System logs
talosctl -n <node-ip> upgrade --image ghcr.io/siderolabs/installer:v1.6.0

Architecture

Talos on Docker

graph TB
    subgraph "Docker Host"
        subgraph "Control Plane Container"
            ETCD[etcd]
            API[kube-apiserver]
            SCHED[kube-scheduler]
            CM[kube-controller-manager]
            KUBELET_CP[kubelet]
        end
        
        subgraph "Worker Container 1"
            KUBELET_W1[kubelet]
            POD1[Pods]
        end
        
        subgraph "Worker Container 2"
            KUBELET_W2[kubelet]
            POD2[Pods]
        end
        
        NETWORK[Docker Bridge Network]
        
        API -.->|manages| KUBELET_W1
        API -.->|manages| KUBELET_W2
        
        KUBELET_CP -->|runs| POD1
        KUBELET_W1 -->|runs| POD1
        KUBELET_W2 -->|runs| POD2
        
        NETWORK -.->|connectivity| API
        NETWORK -.->|connectivity| KUBELET_W1
        NETWORK -.->|connectivity| KUBELET_W2
    end

Key characteristics:

Each node is a Docker container running Talos Linux
Containers communicate via Docker network
No VM overhead—direct container-to-container communication
MetalLB provides LoadBalancer services (optional, via --load-balancer Enabled)

Talos on Hetzner

graph TB
    subgraph "Hetzner Cloud"
        subgraph "Control Plane Server"
            ETCD[etcd]
            API[kube-apiserver]
            SCHED[kube-scheduler]
            CM[kube-controller-manager]
            KUBELET_CP[kubelet]
        end
        
        subgraph "Worker Server 1"
            KUBELET_W1[kubelet]
            POD1[Pods]
        end
        
        subgraph "Worker Server 2"
            KUBELET_W2[kubelet]
            POD2[Pods]
        end
        
        LB[Hetzner Cloud Load Balancer]
        CSI[Hetzner CSI Driver]
        CCM[Hetzner Cloud Controller Manager]
        
        API -.->|manages| KUBELET_W1
        API -.->|manages| KUBELET_W2
        
        CCM -.->|provisions| LB
        CSI -.->|provisions volumes| KUBELET_W1
        CSI -.->|provisions volumes| KUBELET_W2
        
        LB -->|routes traffic| POD1
        LB -->|routes traffic| POD2
    end
    
    USER[Internet Users]
    USER -->|https://| LB

Key characteristics:

Each node is a Hetzner Cloud server running Talos Linux
Hetzner Cloud Controller Manager provides LoadBalancer support
Hetzner CSI Driver provides persistent volumes
Public IPs for external access

Distribution Comparison

Feature	Vanilla (Kind)	K3s (K3d)	Talos	VCluster
Maturity	Production	Production	Production	Production
Setup Time	~2 min	~1 min	~3 min (Docker)	~1 min
Node Weight	Heavy	Light	Medium	Very Light
Multi-node	✅	✅	✅	✅
Shell Access	✅	✅	❌ (API-only)	✅
Immutable OS	❌	❌	✅	N/A
Production Ready	❌ (local)	⚠️ (edge)	✅	✅ (nested)
LoadBalancer Support	Optional	Built-in	Optional/Cloud	Synced
Cloud Providers	❌	❌	✅ (Hetzner)	❌
Security Posture	Standard	Standard	✅ Enhanced	Standard
Configuration Style	YAML	YAML	Patches (YAML)	Helm Values
Learning Curve	Low	Low	Medium	Medium

Choose Talos when:

Security and compliance are priorities
You want immutable infrastructure
You’re deploying to production (Hetzner or other clouds in future)
You embrace API-driven operations

Choose others when:

You need shell access for debugging (Vanilla, K3s, VCluster)
You want the fastest setup (K3s, VCluster)
You’re running CI/CD tests (VCluster for isolation)
You want upstream Kubernetes (Vanilla)

Troubleshooting

Cluster Creation Fails

Check Docker status (docker ps, docker network ls), verify HCLOUD_TOKEN for Hetzner, or try cleaning up and retrying with ksail cluster delete && ksail cluster create.

Nodes Not Ready

Check CNI pods are running (kubectl get pods -n kube-system and look for your CNI pods, e.g. cilium- or calico-), verify Talos health (talosctl -n <node-ip> health), or reinstall CNI with ksail cluster update.

LoadBalancer Not Working (Docker)

Verify MetalLB is enabled in ksail.yaml (loadBalancer: Enabled), check MetalLB pods (kubectl get pods -n metallb-system), and verify IP pool exists (kubectl get ipaddresspools -n metallb-system).

Cannot Access Talos API

Check ~/.talos/config exists, verify node IPs with kubectl get nodes -o wide, and use explicit node IP with talosctl -n <node-ip> --talosconfig ~/.talos/config get members.

Advanced Topics

Custom Node Counts

Adjust control plane and worker nodes in your existing ksail.yaml (requires distribution: Talos):

# Partial snippet — add to your existing ksail.yaml
spec:
  cluster:
    distribution: Talos
    talos:
      controlPlanes: 3  # HA setup
      workers: 5

Persistent Storage (Hetzner)

Use Hetzner CSI driver for cloud volumes:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data-pvc
spec:
  accessModes: [ReadWriteOnce]
  storageClassName: hcloud-volumes
  resources:
    requests:
      storage: 10Gi

Talos Upgrades

Upgrade without cluster recreation: talosctl -n <node-ip> upgrade --image ghcr.io/siderolabs/installer:v1.6.0. See Talos upgrade docs for coordination details.

GitOps Integration

Enable Flux or ArgoCD for declarative workload management—see GitOps Workflows.

Next Steps

Explore KSail Features

GitOps Integration: Bootstrap Flux or ArgoCD
Secret Management: Encrypt secrets with SOPS
AI Chat: Interactive cluster management with GitHub Copilot
VSCode Extension: Manage clusters from your editor

Try Other Distributions

Vanilla (Kind): Upstream Kubernetes for maximum compatibility
K3s (K3d): Lightweight K3s for resource-constrained environments and CI/CD
VCluster: Virtual clusters for multi-tenancy

Learn More

Installation Guide: Install KSail on your system
CLI Flags: Comprehensive command documentation
Configuration Reference: Detailed YAML options
LoadBalancer Configuration: LoadBalancer options for Talos
Support Matrix: Detailed Talos × component compatibility
Contributing: Contribute to KSail development

Resources

Talos Linux: https://www.talos.dev/
Talos GitHub: https://github.com/siderolabs/talos
Hetzner Cloud: https://www.hetzner.com/cloud
Sidero Omni: https://www.siderolabs.com/platform/saas-for-kubernetes/
Omni Documentation: https://omni.siderolabs.com/docs/
MetalLB: https://metallb.universe.tf/
Talos Configuration Reference: https://www.talos.dev/latest/reference/configuration/