kios/core
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
No description
473 commits 1 branch 0 tags 1.5 MiB
  • C 66.2%
  • Shell 19.7%
  • Go 11.3%
  • Dockerfile 1.7%
  • Makefile 1.1%
Find a file
Exact
Emily Shepherd 0746a222a8
 Support overriding pod namespace & cluster domain
2026-03-19 13:26:41 +00:00
docs Enable IPv6 in docs Container image 2026-01-16 16:30:19 +00:00
pkgs/images Reorganise directory 2026-03-07 17:29:44 +00:00
root Support overriding pod namespace & cluster domain 2026-03-19 13:26:41 +00:00
scripts Switch to build-tool for keisson build 2026-02-27 23:03:50 +00:00
.gitignore Switch to build-tool for keisson build 2026-02-27 23:03:50 +00:00
.gitmodules Reorganise directory 2026-03-07 17:29:44 +00:00
build.toml Force setting CONFIG_EMPTY_ROOTFS in buildfile 2026-03-08 15:19:56 +00:00
COPYING.md Add a COPYING file. 2022-02-01 01:07:01 +00:00
mkdocs.yml docs: Add system socket page 2023-06-13 15:27:29 +01:00
README.md Update build documentation 2026-03-07 17:51:17 +00:00

README.md

kiOS

kiOS - the Kubernetes Operating System - is tailored to run Kubernetes nodes with minimal overhead and fast boot times.

Core Features

kiOS does not include a conventional init system - instead it is designed to promptly launch the container runtime and then hand over control to the kubelet.

As a result of this most system services (dhcpc, ntpc etc) run as Pods and are configured via standard kubernetes manifests.

Why kiOS?

kiOS is fast

kiOS doesn't have a large, complex or configurable early init system - no initrc, no runlevels, no service files. As soon as the userspace is ready, kiOS does a small amount of kubernetes-specific init, then immediately launches the container runtime and kubelet with minimal blocking.

kiOS is secure

The host operating system doesn't have a shell at all (no bash, no vim, not even utility commands like echo, cat, ls etc). This reduces the attack vector as malicious scripts will not work on the host system - to attack kiOS, you'd need to get a binary into the system.

The host's root filesystem is ephemeral - it only lives in RAM and most mounts are restrictive, making injecting malicious binaries at runtime much harder for would-be attackers.

Finally, kiOS' simplicity makes hiding malicious binaries much harder, even if you were able to circumvent the protections above. kiOS only has a /bin directory (no /usr/bin or /sbin etc) and this contains just 7 binaries. At runtime, there are only three long term processes in the host pid namespace - init itself, the container runtime, and kubelet). kiOS' lack of complexity makes hiding an 8th binary, or a 4th running process almost impossible.

kiOS is configurable

kiOS runs as little as possible outside of kubernetes - which means most system services run as kubernetes pods. This even includes services that need to exist before networking is ready - for example the ntp (time) or dhcp clients - which run as static pods.

So, if you know how to create kubernetes pods, you know how to configure kiOS!

Building

Building the project is done via Build Tool. The default target will build and output the complete EFI binary and optional kernel modules.