Talos (Linux)
Talos is a popular Linux distribution designed for Kubernetes. It is secure, immutable, and minimal.
Enabling AppArmor on Talos
To use the bifrost service with Talos, AppArmor must be enabled in the kernel. Since Talos Linux v1.9, SELinux is enabled by default. To use AppArmor, ensure SELinux is disabled, because the two cannot yet be used simultaneously.
Talos has a powerful Image Factory that makes it easy to configure an image. When creating an image with support for AppArmor, add the following kernel command-line arguments at the Customization step:
-selinux lsm=lockdown,capability,yama,apparmor,bpf apparmor=1
This produces a Talos image with AppArmor enabled and ready for use with bifrost.
Using a machine configuration
If you manage Talos via a machine configuration, include:
machine:
  install:
    extraKernelArgs:
      - lsm=lockdown,capability,yama,apparmor,bpf
      - apparmor=1
      - -selinux
Note: extraKernelArgs are applied during install or on upgrade. Simply applying a machine config does not change kernel arguments on an already provisioned node.
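Because kernel arguments only change at install or upgrade, it helps to confirm what a node actually booted with. The shell check below is an added example, not part of the bifrost or Talos documentation. It assumes `talosctl read` can fetch `/proc/cmdline` and `/sys/kernel/security/lsm` from the node, and treating a leftover `selinux=1` argument as a failure is also an assumption.

```sh
#!/bin/sh
# Added example: check that a node booted with the AppArmor kernel arguments
# shown on this page. Against a live node (NODE is a placeholder):
#   check_cmdline    "$(talosctl -n NODE read /proc/cmdline)"
#   check_active_lsm "$(talosctl -n NODE read /sys/kernel/security/lsm)"

# has_item LIST ITEM: succeed if ITEM is an exact entry of comma-separated LIST.
has_item() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_cmdline CMDLINE: succeed only if the boot arguments carry apparmor=1,
# an lsm= list that names apparmor but not selinux, and no selinux=1.
check_cmdline() {
    lsm="" aa=0 se=0
    set -f                          # no globbing while word-splitting $1
    for arg in $1; do
        case $arg in
            lsm=*)      lsm=${arg#lsm=} ;;
            apparmor=1) aa=1 ;;
            selinux=1)  se=1 ;;     # assumption: -selinux should have removed this
        esac
    done
    set +f
    [ "$aa" -eq 1 ] && [ "$se" -eq 0 ] &&
        has_item "$lsm" apparmor && ! has_item "$lsm" selinux
}

# check_active_lsm LIST: LIST is the content of /sys/kernel/security/lsm,
# i.e. the LSMs the running kernel actually initialised.
check_active_lsm() {
    has_item "$1" apparmor && ! has_item "$1" selinux
}

# Constructed sample command lines (not captured from a real node).
good='talos.platform=metal console=tty0 lsm=lockdown,capability,yama,apparmor,bpf apparmor=1'
stale='talos.platform=metal console=tty0 lsm=lockdown,capability,yama,selinux,bpf selinux=1'
for c in "$good" "$stale"; do
    if check_cmdline "$c"; then echo "OK:   $c"; else echo "FAIL: $c"; fi
done
```

A node that still fails `check_cmdline` after a machine config change has most likely not been reinstalled or upgraded since the change.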
For anything else regarding Talos, please consult the Talos Linux Documentation.