Install talosctl and kubectl
Introduction
In preparation for installing Talos Linux for a Kubernetes cluster you need two pieces of software. Strictly speaking you only need talosctl, but kubectl is nice to have if you want to interact directly with the Kubernetes cluster afterwards.
This is a series of very simple steps that allow you to install a specific version of talosctl and the corresponding version of kubectl.
Initial steps
First you need to decide which version of Talos Linux you want to install, since that version determines which versions of kubectl and talosctl you should install.
You can find the list of releases on GitHub.
At the time of writing the latest non-alpha version of Talos was 1.13.5. This version is the version I will be using in this guide.
Browsing the release page we can see that this version of Talos installs version 0.36.2 of the k8s components, so we should install the same version of kubectl. That way we avoid any mismatch from running kubectl against a cluster with a different version. A different version should be fine, but let's not rock the boat since we can just install the same version of kubectl.
Prerequisites
Open up a bash shell.
To make the shell commands reusable we start by defining two variables in a bash shell
export TALOS_VER='1.13.5'
export KUBE_VER='1.36.2'
This allows us to easily modify the versions without having to modify the commands that use these versions.
With these two version variables defined we can continue with installing the two binaries.
Install steps
Install kubectl
# Download kubectl and sha checksums
curl -LO "https://dl.k8s.io/release/v${KUBE_VER}/bin/linux/amd64/kubectl"
curl -LO "https://dl.k8s.io/release/v${KUBE_VER}/bin/linux/amd64/kubectl.sha256"
This outputs two files in the current directory: kubectl and kubectl.sha256.
Then, because we should, we verify that nobody has tampered with the binary after it was built, by running sha256sum against the kubectl binary. Note the two spaces between the hash and the file name, which is the line format sha256sum --check expects.
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
If everything is okay, the sha256sum program will output kubectl: OK - and we are good to install kubectl in a location that makes it available for all users.
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
This copies kubectl to /usr/local/bin/kubectl, sets appropriate ownership and permissions, and makes the binary executable.
Install talosctl
With talosctl we go through the same steps, although they differ slightly.
# download talosctl and save it under the file name talosctl
curl -L -o talosctl "https://github.com/siderolabs/talos/releases/download/v${TALOS_VER}/talosctl-linux-amd64"
# download the sha file with checksums for all Talos binaries
curl -LO "https://github.com/siderolabs/talos/releases/download/v${TALOS_VER}/sha256sum.txt"
Since the sha file contains the hashes for all of the Talos binaries, we need to extract only the part we need for validating talosctl. The file looks like this:
37e792665810e03d2a0cc11fe6a40283ec54f7d8b49ee6fbb6c9f91f599cd54c talosctl-freebsd-arm64
cb12209727c0c4d57d74c0595f34d441ba491421e1d3c8a5142ed91028a20232 talosctl-linux-amd64
bd053d8264c1b0c091cbaf15e7b414ab1cd14a56ddd5860f2e2ba01e5aee3bc3 talosctl-linux-arm64
fb531c5503e0626edbd8782ef64718a5f9ac0ff44d91fea601ca83b1d77cb731 talosctl-linux-armv7
4068a7a5d18f2249ae042fcf79ca239e8fc12927738c9ed5f8dd4ea40b2d0006 talosctl-linux-riscv64
So we need to find the line that contains talosctl-linux-amd64, extract the hash from that line and pass the hash on to sha256sum.
We do that with a combination of cat, grep and cut.
echo "$(cat sha256sum.txt | grep talosctl-linux-amd64 | cut -d ' ' -f1)  talosctl" | sha256sum --check
This command line reads the sha256sum.txt file, finds the line that contains talosctl-linux-amd64, splits the line into fields on a single space and outputs the first field, which is the hash.
The hash, followed by the local file name talosctl, is then piped into sha256sum, which outputs talosctl: OK if everything is okay.
Finally we install talosctl into the filesystem
sudo install -o root -g root -m 0755 talosctl /usr/local/bin/talosctl
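The grep-based check above matches any line that contains the name. As an added example (not part of the original guide; verify_from_manifest is a hypothetical helper name), this function matches the manifest entry exactly and fails closed when the entry is missing, duplicated or malformed:

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. verify_from_manifest is a
# hypothetical helper name.
#
# usage: verify_from_manifest <manifest> <entry-name> <local-file>
# Returns 0 only if exactly one manifest line names <entry-name> and its
# SHA-256 equals the hash of <local-file>. Every other outcome fails closed:
#   1 = hash mismatch, 2 = unreadable input, 3 = entry missing or duplicated,
#   4 = entry is not a 64-digit hex hash.
verify_from_manifest() {
  local manifest="$1" entry="$2" file="$3" expected actual
  [ -r "$manifest" ] && [ -r "$file" ] || { echo "unreadable input" >&2; return 2; }

  # Compare the file-name field exactly (a leading '*' marks binary mode in
  # sha256sum output), so a name that merely contains the entry cannot match.
  expected=$(awk -v name="$entry" '
    { f = $2; sub(/^\*/, "", f) }
    f == name { print tolower($1); n++ }
    END { if (n != 1) exit 1 }' "$manifest") || {
    echo "expected exactly one entry for $entry" >&2; return 3; }

  # Refuse anything that is not 64 hex digits before comparing.
  case "$expected" in
    ''|*[!0-9a-f]*) echo "malformed hash for $entry" >&2; return 4 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "malformed hash for $entry" >&2; return 4; }

  # Hash from stdin so the local file name never appears in the output.
  actual=$(sha256sum < "$file" | cut -d ' ' -f1)
  if [ "$actual" = "$expected" ]; then
    echo "$file: OK"
  else
    echo "$file: FAILED" >&2
    return 1
  fi
}

# Usage with the files downloaded in this guide:
#   verify_from_manifest sha256sum.txt talosctl-linux-amd64 talosctl &&
#     sudo install -o root -g root -m 0755 talosctl /usr/local/bin/talosctl
```

A checksum fetched from the same release page as the binary detects a corrupted or swapped download, not a compromised release source.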
Caveat
These commands have only been tested on Debian 13 - but they should also work on all other Linux variants as long as they have the same binaries installed.