This content originally appeared on DEV Community and was authored by Chiqo Rifky Saputra
Transform your single VPS into a production-ready Kubernetes powerhouse
๐ฏ Who This Guide Is For: This is a starter guide specifically designed for learners with one VPS or cloud server for educational purposes. If you have multiple physical machines in a homelab setup, you'll need different configurations and networking approaches.
๐ Inspiration & Credits
Before we dive into this exciting journey, I want to give proper credit to Mischa van den Burg for his inspiring videos that motivated this comprehensive guide:
๐ฏ "The Kubernetes Homelab That Prints Job Offers - 2025" - His insights about how Kubernetes creates incredible learning opportunities and reignites passion for cloud-native computing.
๐ค "How To Learn Kubernetes in 2025" - Perfect for those still deciding whether it's worth learning Kubernetes despite its complexity. If you have the passion to learn cloud-native computing, this is a great starting point!
๐ก Why This Matters: As Mischa demonstrates, building real-world Kubernetes projects isn't just about learningโit's about creating opportunities that can transform your career in DevOps and cloud engineering. Even with the complexity, the passion for cloud-native technology makes the journey worthwhile.
๐ Introduction: Welcome to the Cloud-Native Revolution
Imagine you're building a smart city. Traditional infrastructure is like having individual houses scattered everywhereโeach with its own utilities, security systems, and maintenance crews. Cloud-native architecture, powered by Kubernetes, is like creating a modern apartment complex where everything is centralized, automated, and efficiently managed.
Today, we're going to build your first Kubernetes cluster using two incredible technologies:
- Talos Linux: Think of it as the ultimate apartment building managerโsecure, automated, and never sleeps
- Cilium: The smart networking system that connects everything with lightning speed
By the end of this guide, you'll have a production-ready Kubernetes cluster running on a single VPS that can scale and adapt to your needs.
๐ค Why Kubernetes? Understanding the "Why" Before the "How"
The Restaurant Analogy
Imagine you own a restaurant. In the old days (traditional deployment), you had:
- One chef doing everything
- If the chef gets sick, the restaurant closes
- During rush hour, customers wait forever
- Scaling means hiring more chefs and buying more kitchens
With Kubernetes, your restaurant becomes a smart food court:
- Multiple specialized stations (containers) handle different tasks
- Automatic scaling: More pizza stations appear during lunch rush
- Self-healing: If one station breaks, another takes over instantly
- Resource sharing: All stations share the same utilities efficiently
๐ฏ Kubernetes Benefits
| Feature | Benefit | Impact |
|---|---|---|
| ๐ Auto-Scaling | Automatically adjusts resources | ๐ Efficiency |
| ๐ก๏ธ Self-Healing | Restarts failed containers | ๐ Fast Recovery |
| ๐ฆ Portability | Run anywhere consistently | ๐ฐ Cost-Effective |
| ๐ Fast Deployment | Deploy in seconds, not hours | โก Speed |
| ๐ง Declarative | Describe desired state | ๐ฏ Reliability |
| ๐ Service Discovery | Apps find each other automatically | ๐ Connectivity |
Why Kubernetes is Essential for Modern Applications
- Scalability: Your app can grow from 10 to 10,000 users seamlessly
- Reliability: If something breaks, Kubernetes fixes it automatically
- Efficiency: Maximum resource utilization means lower costs
- Portability: Run anywhereโcloud, on-premises, or hybrid
- Developer Productivity: Focus on code, not infrastructure
๐ก๏ธ Enter Talos Linux: The Security-First Operating System
The Fortress Analogy
Traditional Linux servers are like medieval castles with many doors, windows, and secret passages. Each entry point is a potential security risk. Talos Linux is like a modern bank vault:
- Single API entrance: Only one way in, heavily guarded
- No SSH backdoors: No secret passages for attackers
- Immutable: The vault structure can't be modified from inside
- Self-updating: Automatically upgrades its security systems
๐ฅ Traditional Linux vs Talos Linux
| Aspect | Traditional Linux | Talos Linux | Winner |
|---|---|---|---|
| ๐ช Access Method | SSH Access | ๐ API Only | ๐ก๏ธ Talos |
| ๐ ๏ธ Shell Access | Full Shell | ๐ซ No Shell | ๐ก๏ธ Talos |
| ๐ System State | Mutable | ๐ Immutable | ๐ก๏ธ Talos |
| ๐ง Updates | Manual Updates | ๐ค Auto Updates | ๐ก๏ธ Talos |
| ๐ฏ Attack Surface | Large | ๐ก๏ธ Minimal | ๐ก๏ธ Talos |
| ๐ Debugging | Easy | API-based | ๐ค Depends |
Talos Linux Advantages
โ
Zero Attack Surface: No shell, no SSH, no unnecessary services
โ
API-Driven: Everything managed through secure APIs
โ
Immutable: OS can't be tampered with at runtime
โ
Kubernetes-Native: Built specifically for container workloads
โ
Minimal Resources: Tiny footprint means more resources for your apps
๐ธ๏ธ Cilium: The Neural Network of Your Cluster
The Smart City Traffic System Analogy
Traditional networking (kube-proxy) is like having traffic lights at every intersectionโfunctional but slow. Cilium is like having an AI traffic management system:
- eBPF Technology: Like having sensors everywhere that make instant decisions
- No Bottlenecks: Traffic flows smoothly without stopping at every light
- Security Built-in: Automatically blocks suspicious vehicles
- Observability: Real-time monitoring of all traffic patterns
โก Cilium eBPF Superpowers
| Performance | Security | Observability |
|---|---|---|
| ๐ Kernel Speed | ๐ก๏ธ L3/L4/L7 Security | ๐ Deep Observability |
| โก Zero-Copy Networking | ๐ Network Policies | ๐ Real-time Metrics |
| ๐ Load Balancing | ๐ซ DDoS Protection | ๐๏ธ Traffic Visualization |
| ๐ High Throughput | ๐ Encryption | ๐ Network Debugging |
| ๐ฏ Low Latency | ๐ก๏ธ Identity-based Security | ๐ Performance Analytics |
Why Cilium Over Traditional CNI
๐ Performance: eBPF runs in kernel spaceโblazingly fast
๐ Security: Network policies enforced at the kernel level
๐ Observability: Deep insights into network traffic
๐ Load Balancing: Replaces kube-proxy with better performance
๐๏ธ Our Architecture: The Blueprint
We're building a single-node Kubernetes cluster that acts as both control plane and worker. Think of it as a studio apartment that's perfectly organizedโcompact but fully functional.
๐๏ธ Architecture Stack
| Layer | Component | Features |
|---|---|---|
| ๐ Infrastructure | VPS (Single Node) | Your cloud server foundation |
| ๐ก๏ธ Operating System | Talos Linux (Immutable) | โข API-driven management โข Zero attack surface โข Automatic updates |
| โ๏ธ Orchestration | Kubernetes Control Plane + Worker | โข etcd (cluster database) โข API Server (cluster brain) โข Scheduler (workload placement) โข Kubelet (node agent) |
| ๐ธ๏ธ Networking | Cilium CNI (eBPF) | โข Pod-to-pod communication โข Load balancing โข Network security policies โข Observability with Hubble |
| ๐ฆ Applications | Your Workloads | โข Web services โข Databases โข APIs โข Microservices |
๐ ๏ธ Prerequisites: What You'll Need
Before we start building, make sure you have:
๐ Checklist:
- โ A VPS (DigitalOcean, Linode, Vultr, etc.) with at least 2GB RAM (this is for starter, you can upgrade later)
- โ talosctl installed on your local machine
- โ kubectl for Kubernetes management
- โ helm for package management
- โ Basic terminal knowledge (don't worry, we'll guide you through everything!)
Installing Required Tools
# Install talosctl (macOS)
brew install siderolabs/tap/talosctl
# Install kubectl
brew install kubectl
# Install helm
brew install helm
๐ Step-by-Step Setup Guide
Phase 0: Preparing Your Configuration
First, let's create our Talos configuration patch. This is like creating the blueprint for our smart building:
Create patch.yaml:
# Talos Linux Configuration Patch for Single Node VPS with Cilium CNI
# This patch configures Talos for a single-node setup with custom networking and storage
# Machine-specific configuration
machine:
install:
disk: /dev/vda # Primary disk for VPS installation
network:
interfaces:
- interface: eth0 # Primary network interface on VPS
# Cluster configuration
cluster:
# Allow workloads to be scheduled on control plane (single node setup)
allowSchedulingOnControlPlanes: true # Required for single node - control plane acts as worker too
network:
cni:
name: none # Disable default CNI - Cilium will provide networking
proxy:
disabled: true # Disable kube-proxy - Cilium will handle load balancing with eBPF
Phase 1: Talos Linux Installation
Step 0: Preparing Your VPS for Talos Installation
Before generating the configuration, you need to ensure your VPS can boot Talos Linux. You have several options:
๐ง Installation Methods:
Option 1: ISO Mounting (Most Common)
- Download the Talos Linux ISO from:
- GitHub releases (official releases)
- Talos Linux Factory (custom images for specific platforms)
- Mount it through your VPS provider's control panel
- Boot from the mounted ISO
Option 2: Netboot (Provider-Specific)
- Some providers like Onidel VPS offer netboot options
- Check your VPS control panel for "Custom OS" or "Netboot" features
- Configure it to boot Talos Linux directly from the network
Option 3: Siderolabs Booter (Advanced)
- Use the siderolabs/booter tool for PXE boot
- Perfect for automated deployments or multiple machines
- Requires network boot capability on your VPS
# Example: Using siderolabs booter (if your VPS supports PXE)
docker run --rm --network host \
ghcr.io/siderolabs/booter:v0.1.0
โ ๏ธ Important: Make sure your VPS successfully boots into the Talos Linux installation environment before proceeding to the next step. You should see the Talos maintenance mode interface.
Step 1: Generate Talos Configuration
# Replace YOUR_VPS_IP with your actual VPS IP address
talosctl gen config talos-cilium-single-node-cluster https://YOUR_VPS_IP:6443 \
--config-patch @patch.yaml \
--output-dir ./out
What's happening here?
- We're creating configuration files for our cluster
- The patch file customizes the setup for our single-node scenario
- All generated files go into the
./outdirectory
Step 2: Apply Configuration to Your VPS
# This installs Talos Linux on your VPS
talosctl apply -f ./out/controlplane.yaml -n YOUR_VPS_IP -i
โฐ Wait Time: Your VPS will reboot and install Talos Linux. This takes about 5-10 minutes. Grab a coffee! โ
Step 3: Bootstrap the Kubernetes Cluster
# This starts the Kubernetes control plane
talosctl bootstrap -n YOUR_VPS_IP -e YOUR_VPS_IP --talosconfig ./out/talosconfig
What's bootstrapping?
Think of it as turning on the power in your smart building. All the systems come online and start talking to each other.
Step 4: Get Your Kubernetes Access Key
# This downloads the key to access your cluster
talosctl -n YOUR_VPS_IP -e YOUR_VPS_IP --talosconfig ./out/talosconfig kubeconfig ./out/kubeconfig
# Set up your local environment
export KUBECONFIG=./out/kubeconfig
Step 5: Verify Kubernetes is Running
kubectl get nodes
You should see something like:
NAME STATUS ROLES AGE VERSION
talos-xxx-xxx NotReady control-plane 1m v1.28.x
Don't panic about "NotReady"! This is normalโwe haven't installed networking yet.
Phase 2: Installing Cilium CNI
Now we're going to install the nervous system of our clusterโthe networking layer.
Step 1: Add Cilium Repository
helm repo add cilium https://helm.cilium.io/
helm repo update
Step 2: Install Cilium with Optimized Settings
helm install cilium cilium/cilium \
--version 1.18.1 \
--namespace kube-system \
--set ipam.mode=kubernetes \
--set securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
--set securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
--set cgroup.autoMount.enabled=false \
--set cgroup.hostRoot=/sys/fs/cgroup \
--set operator.replicas=1 \
--set kubeProxyReplacement=true \
--set hubble.relay.enabled=true \
--set hubble.ui.enabled=true \
--set k8sServiceHost=YOUR_VPS_IP \
--set k8sServicePort=6443
๐ง Understanding the Cilium Configuration Parameters
Let me break down what each of these parameters does and why they're crucial for our Talos + Cilium setup:
๐ฆ Basic Installation Settings
--version 1.18.1 # Specific Cilium version for stability
--namespace kube-system # Install in the system namespace
๐ง IP Address Management (IPAM)
--set ipam.mode=kubernetes # Let Kubernetes handle IP allocation
Why this matters: Instead of Cilium managing IPs directly, we let Kubernetes do it. Think of it like letting the hotel concierge assign room numbers instead of guests picking their own!
๐ Security Capabilities
--set securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}"
--set securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}"
What these do:
- NET_ADMIN: Manage network interfaces and routing
- SYS_ADMIN: System administration tasks
- NET_RAW: Create raw sockets for network operations
- CHOWN/FOWNER: Change file ownership
- KILL: Terminate processes
- IPC_LOCK: Lock memory pages
Why so many permissions? Cilium needs deep system access to manage networking at the kernel level. It's like giving a master key to the building superintendent!
๐ Control Groups (cgroups) Configuration
--set cgroup.autoMount.enabled=false # Don't auto-mount cgroups
--set cgroup.hostRoot=/sys/fs/cgroup # Use host's cgroup filesystem
Talos-specific: Since Talos manages the system differently than traditional Linux, we need to tell Cilium exactly where to find the cgroup filesystem.
โ๏ธ Single-Node Optimizations
--set operator.replicas=1 # Only one operator instance
Why only 1? In a multi-node cluster, you'd want multiple operators for high availability. But with just one node, multiple operators would just waste resources!
๐ Kube-Proxy Replacement
--set kubeProxyReplacement=true # Replace kube-proxy entirely
Game changer: This is where Cilium shines! Instead of using the traditional kube-proxy, Cilium handles all service load balancing with eBPF - much faster and more efficient!
๐๏ธ Observability with Hubble
--set hubble.relay.enabled=true # Enable Hubble relay
--set hubble.ui.enabled=true # Enable Hubble web UI
What's Hubble? Think of it as a security camera system for your network traffic. You can see exactly what's talking to what, when, and why!
๐ API Server Connection
--set k8sServiceHost=YOUR_VPS_IP # Your VPS public IP
--set k8sServicePort=6443 # Kubernetes API port
Critical for single-node: Tells Cilium how to reach the Kubernetes API server from outside the cluster.
๐ก Pro Tip: Parameter Customization
๐ฏ Key Parameters You Might Want to Adjust
| Parameter | Purpose | Customization Tip |
|---|---|---|
k8sServiceHost |
API server connection | โ Your actual VPS IP |
operator.replicas |
Operator instances | โ Scale with node count |
hubble.ui.enabled |
Web UI for monitoring | โ Disable if not needed |
kubeProxyReplacement |
Performance mode | โ Keep true for eBPF benefits |
securityContext.capabilities |
System permissions | โ Don't change unless you know why |
Remember: Each parameter serves a specific purpose in making Cilium work seamlessly with Talos Linux. Don't randomly change them unless you understand the implications!
What do all these settings do?
-
kubeProxyReplacement=true: Cilium replaces kube-proxy for better performance hubble.ui.enabled=true: Gives us a beautiful network monitoring dashboardoperator.replicas=1: Optimized for single-node deployment
Step 3: Verify Everything is Working
# Check if Cilium pods are running
kubectl get pods -n kube-system -l k8s-app=cilium
# Check node status (should now be Ready!)
kubectl get nodes
# Check Cilium status
cilium status --wait
Success looks like:
NAME STATUS ROLES AGE VERSION
talos-xxx-xxx Ready control-plane 5m v1.28.x
๐ Congratulations! What You've Built
You've just created a production-ready Kubernetes cluster with:
๐ฏ Achievement Unlocked!
| Component | Achievement | Status |
|---|---|---|
| ๐ก๏ธ Security | Talos Linux with zero attack surface | โ Complete |
| โก Performance | Cilium with eBPF networking | โ Complete |
| ๐ฏ Efficiency | Single-node control plane + worker | โ Complete |
| ๐๏ธ Architecture | Cloud-native ready infrastructure | โ Complete |
| ๐๏ธ Observability | Built-in monitoring with Hubble | โ Complete |
| ๐ Ready for | Production workloads and scaling | ๐ Ready! |
๐ Understanding What You Built
The Magic Behind the Scenes
- Talos Linux is running as your OS, managing everything through APIs
- Kubernetes is orchestrating containers and managing resources
- Cilium is handling all networking with eBPF superpowers
- Your cluster can now run any containerized application
๐ฃ๏ธ Your Journey Ahead
| Category | Next Steps | Popular Tools |
|---|---|---|
| ๐ Web Applications | Deploy websites and APIs | React, Vue, Node.js |
| ๐๏ธ Databases | Persistent data storage | PostgreSQL, MongoDB, Redis |
| ๐ Monitoring | Observability stack | Prometheus, Grafana, Alerting |
| ๐ CI/CD Pipeline | Automated deployments | GitLab, GitHub Actions, ArgoCD |
| ๐ช Ingress Controllers | External access | Traefik, NGINX, Istio |
| ๐ Security Hardening | Advanced security | Network policies, RBAC, Vault |
| ๐ Scaling | Handle more traffic | HPA, VPA, Cluster Autoscaler |
๐ก Wisdom Gained
| Lesson | Key Insight | Impact |
|---|---|---|
| 1๏ธโฃ Approachability | Kubernetes isn't scary with the right guidance | ๐ฏ Confidence boost |
| 2๏ธโฃ Security First | Talos makes security simple and automatic | ๐ก๏ธ Peace of mind |
| 3๏ธโฃ Performance | eBPF networking is truly game-changing | โก Speed & efficiency |
| 4๏ธโฃ Efficiency | Single-node clusters are surprisingly powerful | ๐ช Resource optimization |
| 5๏ธโฃ Accessibility | Modern infrastructure is accessible to everyone | ๐ Democratized tech |
๐ค Join the Community
You're now part of the cloud-native community! Here are some great resources:
๐ Community Resources
| Platform | Resource | What You'll Find |
|---|---|---|
| ๐ก๏ธ Talos Linux | talos.dev | Official docs, guides, API reference |
| ๐ธ๏ธ Cilium | cilium.io | eBPF tutorials, networking guides |
| โ๏ธ Kubernetes | kubernetes.io | Complete K8s documentation |
| ๐๏ธ CNCF | cncf.io | Cloud-native landscape & projects |
| ๐ฌ Discord/Slack | Community channels | Real-time help & discussions |
| ๐ Documentation | Official docs | Step-by-step tutorials |
| ๐ฅ YouTube | Video content | Conferences, demos, deep-dives |
๐ก Final Thoughts
Building your first Kubernetes cluster is like learning to driveโit seems overwhelming at first, but once you understand the basics, a whole world of possibilities opens up. You've just built something that many enterprises pay thousands of dollars for, using open-source tools and a single VPS.
๐ "The future of infrastructure is declarative, automated, and secure. You're now equipped with the knowledge to be part of that future."
Happy clustering! ๐
Did this guide help you build your first Kubernetes cluster? Share your experience in the comments below, and don't forget to follow for more cloud-native tutorials!
Tags: #Kubernetes #TalosLinux #Cilium #CloudNative #DevOps #Containers #eBPF #Infrastructure #Tutorial #Beginner
This content originally appeared on DEV Community and was authored by Chiqo Rifky Saputra
Chiqo Rifky Saputra | Sciencx (2025-09-05T15:30:10+00:00) Building Your First Cloud-Native Kubernetes Cluster: A Beginner’s Journey with Talos Linux and Cilium. Retrieved from https://www.scien.cx/2025/09/05/building-your-first-cloud-native-kubernetes-cluster-a-beginners-journey-with-talos-linux-and-cilium/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.