DEV Community

Cover image for Building Your First Cloud-Native Kubernetes Cluster: A Beginner's Journey with Talos Linux and Cilium
Chiqo Rifky Saputra
Chiqo Rifky Saputra

Posted on

Building Your First Cloud-Native Kubernetes Cluster: A Beginner's Journey with Talos Linux and Cilium

Transform your single VPS into a production-ready Kubernetes powerhouse

🎯 Who This Guide Is For: This is a starter guide specifically designed for learners with one VPS or cloud server for educational purposes. If you have multiple physical machines in a homelab setup, you'll need different configurations and networking approaches.


πŸ™ Inspiration & Credits

Before we dive into this exciting journey, I want to give proper credit to Mischa van den Burg for his inspiring videos that motivated this comprehensive guide:

🎯 "The Kubernetes Homelab That Prints Job Offers - 2025" - His insights about how Kubernetes creates incredible learning opportunities and reignites passion for cloud-native computing.

πŸ€” "How To Learn Kubernetes in 2025" - Perfect for those still deciding whether it's worth learning Kubernetes despite its complexity. If you have the passion to learn cloud-native computing, this is a great starting point!

πŸ’‘ Why This Matters: As Mischa demonstrates, building real-world Kubernetes projects isn't just about learningβ€”it's about creating opportunities that can transform your career in DevOps and cloud engineering. Even with the complexity, the passion for cloud-native technology makes the journey worthwhile.


🌟 Introduction: Welcome to the Cloud-Native Revolution

Imagine you're building a smart city. Traditional infrastructure is like having individual houses scattered everywhereβ€”each with its own utilities, security systems, and maintenance crews. Cloud-native architecture, powered by Kubernetes, is like creating a modern apartment complex where everything is centralized, automated, and efficiently managed.

Today, we're going to build your first Kubernetes cluster using two incredible technologies:

  • Talos Linux: Think of it as the ultimate apartment building managerβ€”secure, automated, and never sleeps
  • Cilium: The smart networking system that connects everything with lightning speed

By the end of this guide, you'll have a production-ready Kubernetes cluster running on a single VPS that can scale and adapt to your needs.

πŸ€” Why Kubernetes? Understanding the "Why" Before the "How"

Comparison Image: Traditional restaurant vs modern food court

The Restaurant Analogy

Imagine you own a restaurant. In the old days (traditional deployment), you had:

  • One chef doing everything
  • If the chef gets sick, the restaurant closes
  • During rush hour, customers wait forever
  • Scaling means hiring more chefs and buying more kitchens

With Kubernetes, your restaurant becomes a smart food court:

  • Multiple specialized stations (containers) handle different tasks
  • Automatic scaling: More pizza stations appear during lunch rush
  • Self-healing: If one station breaks, another takes over instantly
  • Resource sharing: All stations share the same utilities efficiently

🎯 Kubernetes Benefits

Feature Benefit Impact
πŸ”„ Auto-Scaling Automatically adjusts resources πŸ“Š Efficiency
πŸ›‘οΈ Self-Healing Restarts failed containers πŸš€ Fast Recovery
πŸ“¦ Portability Run anywhere consistently πŸ’° Cost-Effective
πŸš€ Fast Deployment Deploy in seconds, not hours ⚑ Speed
πŸ”§ Declarative Describe desired state 🎯 Reliability
🌐 Service Discovery Apps find each other automatically πŸ”— Connectivity

Why Kubernetes is Essential for Modern Applications

  1. Scalability: Your app can grow from 10 to 10,000 users seamlessly
  2. Reliability: If something breaks, Kubernetes fixes it automatically
  3. Efficiency: Maximum resource utilization means lower costs
  4. Portability: Run anywhereβ€”cloud, on-premises, or hybrid
  5. Developer Productivity: Focus on code, not infrastructure

πŸ›‘οΈ Enter Talos Linux: The Security-First Operating System

Security Comparison: Medieval castle vs modern bank vault

The Fortress Analogy

Traditional Linux servers are like medieval castles with many doors, windows, and secret passages. Each entry point is a potential security risk. Talos Linux is like a modern bank vault:

  • Single API entrance: Only one way in, heavily guarded
  • No SSH backdoors: No secret passages for attackers
  • Immutable: The vault structure can't be modified from inside
  • Self-updating: Automatically upgrades its security systems

πŸ₯Š Traditional Linux vs Talos Linux

Aspect Traditional Linux Talos Linux Winner
πŸšͺ Access Method SSH Access πŸ” API Only πŸ›‘οΈ Talos
πŸ› οΈ Shell Access Full Shell 🚫 No Shell πŸ›‘οΈ Talos
πŸ“ System State Mutable πŸ”’ Immutable πŸ›‘οΈ Talos
πŸ”§ Updates Manual Updates πŸ€– Auto Updates πŸ›‘οΈ Talos
🎯 Attack Surface Large πŸ›‘οΈ Minimal πŸ›‘οΈ Talos
πŸ” Debugging Easy API-based 🀝 Depends

Talos Linux Advantages

βœ… Zero Attack Surface: No shell, no SSH, no unnecessary services
βœ… API-Driven: Everything managed through secure APIs
βœ… Immutable: OS can't be tampered with at runtime
βœ… Kubernetes-Native: Built specifically for container workloads
βœ… Minimal Resources: Tiny footprint means more resources for your apps

πŸ•ΈοΈ Cilium: The Neural Network of Your Cluster

Network Comparison: Traffic lights vs AI traffic system

The Smart City Traffic System Analogy

Traditional networking (kube-proxy) is like having traffic lights at every intersectionβ€”functional but slow. Cilium is like having an AI traffic management system:

  • eBPF Technology: Like having sensors everywhere that make instant decisions
  • No Bottlenecks: Traffic flows smoothly without stopping at every light
  • Security Built-in: Automatically blocks suspicious vehicles
  • Observability: Real-time monitoring of all traffic patterns

⚑ Cilium eBPF Superpowers

Performance Security Observability
πŸš€ Kernel Speed πŸ›‘οΈ L3/L4/L7 Security πŸ” Deep Observability
⚑ Zero-Copy Networking πŸ”’ Network Policies πŸ“Š Real-time Metrics
πŸ”„ Load Balancing 🚫 DDoS Protection πŸ‘οΈ Traffic Visualization
πŸ“ˆ High Throughput πŸ” Encryption πŸ› Network Debugging
🎯 Low Latency πŸ›‘οΈ Identity-based Security πŸ“ˆ Performance Analytics

Why Cilium Over Traditional CNI

πŸš€ Performance: eBPF runs in kernel spaceβ€”blazingly fast
πŸ”’ Security: Network policies enforced at the kernel level
πŸ“Š Observability: Deep insights into network traffic
πŸ”„ Load Balancing: Replaces kube-proxy with better performance

πŸ—οΈ Our Architecture: The Blueprint

Architecture Diagram: Single-node Kubernetes cluster

We're building a single-node Kubernetes cluster that acts as both control plane and worker. Think of it as a studio apartment that's perfectly organizedβ€”compact but fully functional.

πŸ—οΈ Architecture Stack

Layer Component Features
🌐 Infrastructure VPS (Single Node) Your cloud server foundation
πŸ›‘οΈ Operating System Talos Linux (Immutable) β€’ API-driven management
β€’ Zero attack surface
β€’ Automatic updates
βš™οΈ Orchestration Kubernetes Control Plane + Worker β€’ etcd (cluster database)
β€’ API Server (cluster brain)
β€’ Scheduler (workload placement)
β€’ Kubelet (node agent)
πŸ•ΈοΈ Networking Cilium CNI (eBPF) β€’ Pod-to-pod communication
β€’ Load balancing
β€’ Network security policies
β€’ Observability with Hubble
πŸ“¦ Applications Your Workloads β€’ Web services
β€’ Databases
β€’ APIs
β€’ Microservices

πŸ› οΈ Prerequisites: What You'll Need

Prerequisites Checklist

Before we start building, make sure you have:

πŸ“‹ Checklist:

  • βœ… A VPS (DigitalOcean, Linode, Vultr, etc.) with at least 2GB RAM (this is for starter, you can upgrade later)
  • βœ… talosctl installed on your local machine
  • βœ… kubectl for Kubernetes management
  • βœ… helm for package management
  • βœ… Basic terminal knowledge (don't worry, we'll guide you through everything!)

Installing Required Tools

# Install talosctl (macOS)
brew install siderolabs/tap/talosctl

# Install kubectl
brew install kubectl

# Install helm
brew install helm
Enter fullscreen mode Exit fullscreen mode

πŸš€ Step-by-Step Setup Guide

Phase 0: Preparing Your Configuration

First, let's create our Talos configuration patch. This is like creating the blueprint for our smart building:

Create patch.yaml:

# Talos Linux Configuration Patch for Single Node VPS with Cilium CNI
# This patch configures Talos for a single-node setup with custom networking and storage

# Machine-specific configuration
machine:
  install:
    disk: /dev/vda # Primary disk for VPS installation
  network:
    interfaces:
      - interface: eth0 # Primary network interface on VPS

# Cluster configuration
cluster:
  # Allow workloads to be scheduled on control plane (single node setup)
  allowSchedulingOnControlPlanes: true # Required for single node - control plane acts as worker too

  network:
    cni:
      name: none # Disable default CNI - Cilium will provide networking
  proxy:
    disabled: true # Disable kube-proxy - Cilium will handle load balancing with eBPF
Enter fullscreen mode Exit fullscreen mode

Phase 1: Talos Linux Installation

Talos Installation Process

Step 0: Preparing Your VPS for Talos Installation

Before generating the configuration, you need to ensure your VPS can boot Talos Linux. You have several options:

πŸ”§ Installation Methods:

Option 1: ISO Mounting (Most Common)

  • Download the Talos Linux ISO from:
  • Mount it through your VPS provider's control panel
  • Boot from the mounted ISO

Option 2: Netboot (Provider-Specific)

  • Some providers like Onidel VPS offer netboot options
  • Check your VPS control panel for "Custom OS" or "Netboot" features
  • Configure it to boot Talos Linux directly from the network

Option 3: Siderolabs Booter (Advanced)

  • Use the siderolabs/booter tool for PXE boot
  • Perfect for automated deployments or multiple machines
  • Requires network boot capability on your VPS
# Example: Using siderolabs booter (if your VPS supports PXE)
docker run --rm --network host \
  ghcr.io/siderolabs/booter:v0.1.0
Enter fullscreen mode Exit fullscreen mode

⚠️ Important: Make sure your VPS successfully boots into the Talos Linux installation environment before proceeding to the next step. You should see the Talos maintenance mode interface.

Step 1: Generate Talos Configuration

# Replace YOUR_VPS_IP with your actual VPS IP address
talosctl gen config talos-cilium-single-node-cluster https://YOUR_VPS_IP:6443 \
  --config-patch @patch.yaml \
  --output-dir ./out
Enter fullscreen mode Exit fullscreen mode

What's happening here?

  • We're creating configuration files for our cluster
  • The patch file customizes the setup for our single-node scenario
  • All generated files go into the ./out directory

Step 2: Apply Configuration to Your VPS

# This installs Talos Linux on your VPS
talosctl apply -f ./out/controlplane.yaml -n YOUR_VPS_IP -i
Enter fullscreen mode Exit fullscreen mode

⏰ Wait Time: Your VPS will reboot and install Talos Linux. This takes about 5-10 minutes. Grab a coffee! β˜•

Coffee Break

Step 3: Bootstrap the Kubernetes Cluster

# This starts the Kubernetes control plane
talosctl bootstrap -n YOUR_VPS_IP -e YOUR_VPS_IP --talosconfig ./out/talosconfig
Enter fullscreen mode Exit fullscreen mode

What's bootstrapping?
Think of it as turning on the power in your smart building. All the systems come online and start talking to each other.

Step 4: Get Your Kubernetes Access Key

# This downloads the key to access your cluster
talosctl -n YOUR_VPS_IP -e YOUR_VPS_IP --talosconfig ./out/talosconfig kubeconfig ./out/kubeconfig

# Set up your local environment
export KUBECONFIG=./out/kubeconfig
Enter fullscreen mode Exit fullscreen mode

Step 5: Verify Kubernetes is Running

kubectl get nodes
Enter fullscreen mode Exit fullscreen mode

You should see something like:

NAME                STATUS     ROLES           AGE   VERSION
talos-xxx-xxx       NotReady   control-plane   1m    v1.28.x
Enter fullscreen mode Exit fullscreen mode

Don't panic about "NotReady"! This is normalβ€”we haven't installed networking yet.

Phase 2: Installing Cilium CNI

Cilium Installation

Now we're going to install the nervous system of our clusterβ€”the networking layer.

Step 1: Add Cilium Repository

helm repo add cilium https://helm.cilium.io/
helm repo update
Enter fullscreen mode Exit fullscreen mode

Step 2: Install Cilium with Optimized Settings

helm install cilium cilium/cilium \
    --version 1.18.1 \
    --namespace kube-system \
    --set ipam.mode=kubernetes \
    --set securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
    --set securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
    --set cgroup.autoMount.enabled=false \
    --set cgroup.hostRoot=/sys/fs/cgroup \
    --set operator.replicas=1 \
    --set kubeProxyReplacement=true \
    --set hubble.relay.enabled=true \
    --set hubble.ui.enabled=true \
    --set k8sServiceHost=YOUR_VPS_IP \
    --set k8sServicePort=6443
Enter fullscreen mode Exit fullscreen mode

πŸ”§ Understanding the Cilium Configuration Parameters

Let me break down what each of these parameters does and why they're crucial for our Talos + Cilium setup:

πŸ“¦ Basic Installation Settings

--version 1.18.1                    # Specific Cilium version for stability
--namespace kube-system              # Install in the system namespace
Enter fullscreen mode Exit fullscreen mode

🧠 IP Address Management (IPAM)

--set ipam.mode=kubernetes           # Let Kubernetes handle IP allocation
Enter fullscreen mode Exit fullscreen mode

Why this matters: Instead of Cilium managing IPs directly, we let Kubernetes do it. Think of it like letting the hotel concierge assign room numbers instead of guests picking their own!

πŸ” Security Capabilities

--set securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}"
--set securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}"
Enter fullscreen mode Exit fullscreen mode

What these do:

  • NET_ADMIN: Manage network interfaces and routing
  • SYS_ADMIN: System administration tasks
  • NET_RAW: Create raw sockets for network operations
  • CHOWN/FOWNER: Change file ownership
  • KILL: Terminate processes
  • IPC_LOCK: Lock memory pages

Why so many permissions? Cilium needs deep system access to manage networking at the kernel level. It's like giving a master key to the building superintendent!

πŸ“ Control Groups (cgroups) Configuration

--set cgroup.autoMount.enabled=false # Don't auto-mount cgroups
--set cgroup.hostRoot=/sys/fs/cgroup  # Use host's cgroup filesystem
Enter fullscreen mode Exit fullscreen mode

Talos-specific: Since Talos manages the system differently than traditional Linux, we need to tell Cilium exactly where to find the cgroup filesystem.

βš–οΈ Single-Node Optimizations

--set operator.replicas=1            # Only one operator instance
Enter fullscreen mode Exit fullscreen mode

Why only 1? In a multi-node cluster, you'd want multiple operators for high availability. But with just one node, multiple operators would just waste resources!

πŸ”„ Kube-Proxy Replacement

--set kubeProxyReplacement=true      # Replace kube-proxy entirely
Enter fullscreen mode Exit fullscreen mode

Game changer: This is where Cilium shines! Instead of using the traditional kube-proxy, Cilium handles all service load balancing with eBPF - much faster and more efficient!

πŸ‘οΈ Observability with Hubble

--set hubble.relay.enabled=true      # Enable Hubble relay
--set hubble.ui.enabled=true         # Enable Hubble web UI
Enter fullscreen mode Exit fullscreen mode

What's Hubble? Think of it as a security camera system for your network traffic. You can see exactly what's talking to what, when, and why!

🌐 API Server Connection

--set k8sServiceHost=YOUR_VPS_IP     # Your VPS public IP
--set k8sServicePort=6443            # Kubernetes API port
Enter fullscreen mode Exit fullscreen mode

Critical for single-node: Tells Cilium how to reach the Kubernetes API server from outside the cluster.

πŸ’‘ Pro Tip: Parameter Customization

🎯 Key Parameters You Might Want to Adjust

Parameter Purpose Customization Tip
k8sServiceHost API server connection β†’ Your actual VPS IP
operator.replicas Operator instances β†’ Scale with node count
hubble.ui.enabled Web UI for monitoring β†’ Disable if not needed
kubeProxyReplacement Performance mode β†’ Keep true for eBPF benefits
securityContext.capabilities System permissions β†’ Don't change unless you know why

Remember: Each parameter serves a specific purpose in making Cilium work seamlessly with Talos Linux. Don't randomly change them unless you understand the implications!

What do all these settings do?

  • kubeProxyReplacement=true: Cilium replaces kube-proxy for better performance
  • hubble.ui.enabled=true: Gives us a beautiful network monitoring dashboard

  • operator.replicas=1: Optimized for single-node deployment

Step 3: Verify Everything is Working

# Check if Cilium pods are running
kubectl get pods -n kube-system -l k8s-app=cilium

# Check node status (should now be Ready!)
kubectl get nodes

# Check Cilium status
cilium status --wait
Enter fullscreen mode Exit fullscreen mode

Success looks like:

NAME                STATUS   ROLES           AGE   VERSION
talos-xxx-xxx       Ready    control-plane   5m    v1.28.x
Enter fullscreen mode Exit fullscreen mode

Success Celebration

πŸŽ‰ Congratulations! What You've Built

You've just created a production-ready Kubernetes cluster with:

🎯 Achievement Unlocked!

Component Achievement Status
πŸ›‘οΈ Security Talos Linux with zero attack surface βœ… Complete
⚑ Performance Cilium with eBPF networking βœ… Complete
🎯 Efficiency Single-node control plane + worker βœ… Complete
πŸ—οΈ Architecture Cloud-native ready infrastructure βœ… Complete
πŸ‘οΈ Observability Built-in monitoring with Hubble βœ… Complete
πŸš€ Ready for Production workloads and scaling πŸŽ‰ Ready!

πŸ” Understanding What You Built

The Magic Behind the Scenes

  1. Talos Linux is running as your OS, managing everything through APIs
  2. Kubernetes is orchestrating containers and managing resources
  3. Cilium is handling all networking with eBPF superpowers
  4. Your cluster can now run any containerized application

πŸ›£οΈ Your Journey Ahead

Category Next Steps Popular Tools
🌐 Web Applications Deploy websites and APIs React, Vue, Node.js
πŸ—„οΈ Databases Persistent data storage PostgreSQL, MongoDB, Redis
πŸ“Š Monitoring Observability stack Prometheus, Grafana, Alerting
πŸ”„ CI/CD Pipeline Automated deployments GitLab, GitHub Actions, ArgoCD
πŸšͺ Ingress Controllers External access Traefik, NGINX, Istio
πŸ” Security Hardening Advanced security Network policies, RBAC, Vault
πŸ“ˆ Scaling Handle more traffic HPA, VPA, Cluster Autoscaler

πŸ’‘ Wisdom Gained

Lesson Key Insight Impact
1️⃣ Approachability Kubernetes isn't scary with the right guidance 🎯 Confidence boost
2️⃣ Security First Talos makes security simple and automatic πŸ›‘οΈ Peace of mind
3️⃣ Performance eBPF networking is truly game-changing ⚑ Speed & efficiency
4️⃣ Efficiency Single-node clusters are surprisingly powerful πŸ’ͺ Resource optimization
5️⃣ Accessibility Modern infrastructure is accessible to everyone 🌟 Democratized tech

🀝 Join the Community

You're now part of the cloud-native community! Here are some great resources:

🌍 Community Resources

Platform Resource What You'll Find
πŸ›‘οΈ Talos Linux talos.dev Official docs, guides, API reference
πŸ•ΈοΈ Cilium cilium.io eBPF tutorials, networking guides
βš™οΈ Kubernetes kubernetes.io Complete K8s documentation
πŸ›οΈ CNCF cncf.io Cloud-native landscape & projects
πŸ’¬ Discord/Slack Community channels Real-time help & discussions
πŸ“š Documentation Official docs Step-by-step tutorials
πŸŽ₯ YouTube Video content Conferences, demos, deep-dives

πŸ’‘ Final Thoughts

Building your first Kubernetes cluster is like learning to driveβ€”it seems overwhelming at first, but once you understand the basics, a whole world of possibilities opens up. You've just built something that many enterprises pay thousands of dollars for, using open-source tools and a single VPS.

🌟 "The future of infrastructure is declarative, automated, and secure. You're now equipped with the knowledge to be part of that future."

Happy clustering! πŸš€


Did this guide help you build your first Kubernetes cluster? Share your experience in the comments below, and don't forget to follow for more cloud-native tutorials!

Tags: #Kubernetes #TalosLinux #Cilium #CloudNative #DevOps #Containers #eBPF #Infrastructure #Tutorial #Beginner

Top comments (0)