¶ SIDERO LABS AND STEELDOME: SECURE STREAMLINED KUBERNETES
SteelDome ships Talos Linux as a first-class node OS inside StratiSYSTEM OS. Your platform team can provision reproducible, policy-driven Kubernetes on VMs or bare metal using an immutable, API-managed operating system—ideal for GitOps and fleet operations.
¶ WHY TALOS
✅ Immutable, minimal nodes – single signed image, zero package drift, drastically reduced attack surface.
✅ API-only operations – provision, upgrade, and troubleshoot via Talos gRPC/talosctl (no SSH/shell).
✅ Declarative machine configs – one YAML per node/role; easy to templatize and version-control.
✅ Predictable rollouts – transaction-style upgrades with clear rollback paths.
✅ Security posture – Secure Boot/TPM workflows; optional FIPS builds for regulated environments.
✅ Confidential-compute ready – Talos on SteelDome runs in Intel TDX/AMD SEV-SNP confidential VMs, with hardware-enforced isolation for control plane and workers.
✅ Measured, attestable nodes – Support for Secure Boot, TPM-backed keys, and measured boot enables node identity and integrity checks before they join your clusters.
 |
 |
¶ A SOFTWARE-DEFINED STACK FOR MODERN KUBERNETES
- StratiSERV (virtualization) – curate Talos control-plane/worker templates, place them on high-performance storage, and run VMs and containers side-by-side.
- HyperSERV (HCI) – converged deployments where Talos, persistent storage, and networking scale linearly.
- StratiSTOR (storage) – CSI integrations and proven persistence patterns.
¶ TALOS ARCHITECTURE — AT A GLANCE
- API surface: all node ops via Talos API (talosctl)
- Source of truth: machine-config YAML (supports multi-doc patterns)
- Bootstrap flow: init control-plane node seeds cluster artefacts; additional control-plane/worker nodes join declaratively
- Production notes: multi-control-plane HA, kubeconfig handling, and clear Day-2 guidance
¶ HOW TALOS WORKS ON STRATISYSTEM
- Define machine configs (control plane & workers)—networking, registries, disks, admission policies.
- Provision nodes as VMs (StratiSERV) or bare metal; apply configs with talosctl or automated boot assets.
- Bootstrap from the init control-plane node; bring up additional control-plane and worker nodes.
- Operate entirely through the API—rolling upgrades, logs, diagnostics, recovery—scriptable and auditable.
- Supported patterns:
▸ Bare metal, virtual, and edge footprints using the same configs and signed images (PXE/ISO/UEFI)
▸ Air-gapped & multi-AZ topologies with mirrored artifacts and pinned versions
¶ SIDERO OMNI FOR FLEET CONTROL
- Single pane to create, upgrade, and enforce policy across Talos clusters—bare metal, DC, edge, and cloud.
- Standardizes fleet hygiene and lifecycle with consistent guardrails across sites and environments.
¶ BENEFITS OF STEELDOME + TALOS
- Determinism – identical nodes every time; no snowflake hosts to remediate.
- Operational simplicity – API-only workflows fold cleanly into CI/CD and GitOps.
- Security by construction – shell-less OS, minimal userspace, Secure Boot/TPM paths, FIPS options.
- Unified platform – run Talos clusters alongside traditional VMs with shared storage and networking.
- Day-0 → Day-2 automation – opinionated boot assets, cluster blueprints, and repeatable upgrades.
- Rapid deployment - Deploy and scale Talos instances in seconds within StratiSYSTEM hypervisor platform.
¶ WHO IT’S FOR
- Platform/SRE teams standardizing on Kubernetes
- Enterprises needing compliance-friendly clusters across regions
- MSPs/OEMs stamping out repeatable edge and DC footprints
- Developers who want predictable node lifecycle without babysitting OSes
¶ ONE PLATFORM. ANY CLUSTER. ANYWHERE.
Talos integrated into StratiSYSTEM turns Kubernetes node management into a declarative, cryptographically verifiable, API-driven workflow. Add Omni when you’re ready for single-pane fleet control across sites, clouds, and hardware profiles.