Talos 1.13.0-alpha.2 (2026-02-25)

Welcome to the v1.13.0-alpha.2 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Clang built kernel and ThinLTO

Talos now uses a kernel built using Clang compiler, and optimized using ThinLTO. This should bring a small performance improvement,
alongside some hardening features, such as BTI on supported ARM systems.

talosctl debug

Talos Linux now provides a way to run and attach to the privileged debug container with a user-provided container image.
The debug container might be used for troubleshooting and debugging purposes.

Environment Configuration Document

A new EnvironmentConfig document has been introduced to allow users to specify environment variables for Talos components.
It replaces and deprecates the previous method of setting environment variables via the .machine.env field.

Multiple values for the same environment variable will replace previous values, with the last one taking precedence.

To remove an environment variable, remove it from the EnvironmentConfig document and restart the node.

External Volumes

Talos now supports virtiofs-based external volumes via the new
ExternalVolumeConfig
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.

Extra Arguments accept slices in addition to strings

Several Talos configuration fields that previously accepted single string values for extra arguments have been updated to accept slices of strings as well.
This includes fields such as .cluster.apiServer.extraArgs.

BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, ControllerManagerConfigs, SchedulerConfigs or APIServerConfigs, the protobuf format has changed from map<string,string> to map<string,message>.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Image APIs Updated

Talos Linux provides new APIs to manage container images on the node: listing, pulling, importing and removing images.
The new pull APIs provides pull progress notifications.

The CLI commands talosctl image pull, talosctl image list and talosctl image remove have been updated to interact with the new APIs.

Talosctl images k8s-bundle subcommand accepts version parameter

The talosctl images k8s-bundle command now accepts an optional version overrides arguments.

Kubernetes server-side apply

Talos now uses inventory backed server-side apply when applying bootsrap manifests (including extraManifests and inlineManifests).
Purging of unneeded manifests is automatically performed.
The switch and inventory backfill is automatic and no action is needed from the user.

KubeSpan Configuration

A new KubeSpanConfig document has been introduced to configure KubeSpan settings.
It replaces and deprecates the previous method of configuring KubeSpan via the .machine.network.kubespan field.

The old configuration field will continue to work for backward compatibility.

KubeSpan Advertised Network Filters

KubeSpan now supports filtering of advertised networks using the excludeAdvertisedNetworks field in the KubeSpanConfig document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
and any pair of their addresses, the traffic should either go through KubeSpan or not, but not one way or the other.

LinkAliasConfig Pattern-Based Multi-Alias

LinkAliasConfig now supports pattern-based alias names using %d format verb (e.g. net%d).

When the alias name contains a %d format verb, the selector is allowed to match multiple links.
Each matched link receives a sequential alias (e.g. net0, net1, ...) based on hardware address order
of the links. Links already aliased by a previous config are automatically skipped.

This enables creating stable aliases from any N links using a single config document,
useful for BondConfig and BridgeConfig member interfaces on varying hardware.

Negative Max Volume Size

Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example:
* a max size of "-10GiB" means the volume can grow to the available space minus 10GiB.
* a max size of "-25%" means the volume can grow to the available space minus 25%.

Flannel CNI with Network Policy Support

Talos Linux now supports optionally deploying Flannel CNI with network policy support enabled.
The network policy implementation is kube-network-policies.

To enable Flannel CNI with network policy support, use the following machine configuration patch:

cluster:
  network:
    cni:
      name: flannel
      flannel:
        kubeNetworkPoliciesEnabled: true

(If the cluster is already running, sync the bootstrap manifests after applying the patch to deploy the new CNI configuration.)

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

ProbeConfig

The TCPProbeConfig configuration document allows to configure TCP probes for network reachability checks.
This allows to define a custom connectivity condition.

/proc/PID/mem Access Hardening

A new kernel parameter proc_mem.force_override=never has been introduced by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

ResolverConfig

The nameservers configuration in machine configuration now overwrites any previous layers (defaults, platform, etc.) when specified.
Previously a smart merge was performed to keep IPv4/IPv6 nameservers from lower layers if the machine configuration specified only one type.

Service Account Issuer configuration

In API Server, passing extra args with service-account-issuer will append them after default value.
This allows easy migration, e.g. by changing .cluster.controlPlane.endpoint to new value, and keeping the old value in
.cluster.apiServer.extraArgs["service-account-issuer"].

talosctl images talos-bundle can ignore reaching to the registry

The talosctl images talos-bundle command now accepts optional --overlays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Component Updates

Linux: 6.18.13
containerd: 2.2.1
etcd: 3.6.8
CoreDNS: 1.14.1
Kubernetes: 1.36.0-alpha.1
Flannel CNI plugin: v1.9.0-flannel1
Flannel: 0.28.1
LVM2: 2_03_38
runc: 1.4.0
systemd: 259.1
cryptsetup: 2.8.3
Tenstorrent: 2.7.0
iptables: 1.8.12

Talos is built with Go 1.26.0.

VM Hot-Add Support

Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Noel Georgi
• Dmitrii Sharshakov
• Orzelius
• Laura Brehm
• Edward Sammut Alessi
• Max Makarov
• Andreas Freund
• Artem Chernyshev
• Bryan Lee
• Fritz Schaal
• Justin Garrison
• Mickaël Canévet
• Nico Berlee
• Pranav Patil
• Alexis La Goutte
• Andras BALI
• Andrei Kvapil
• Birger Johan Nordølum
• Camillo Rossi
• Christopher Puschmann
• Daniil Kivenko
• Dmitrii Sharshakov
• Florian Ströger
• Gregor Gruener
• Jaakko Sirén
• Jan Paul
• Jean-Francois Roy
• Joakim Nohlgård
• Jonas Lammler
• Lennard Klein
• Matthew Sanabria
• Michal Baumgartner
• Olav Thoresen
• Serge van Ginderachter
• Skye Soss
• Spencer Smith
• Sébastien Masset
• Tim Jones
• Utku Ozdemir
• arita
• dataprolet
• drew
• eseiker
• greenpsi
• lmacka
• pranav767

Changes

Changes since v1.13.0-alpha.1

Changes from siderolabs/discovery-api

Changes from siderolabs/go-cmd

Changes from siderolabs/go-debug

Changes from siderolabs/go-kubernetes

Changes from siderolabs/kms-client

Changes from siderolabs/pkgs

Changes from siderolabs/proto-codec

Changes from siderolabs/tools

Dependency Changes

• github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 -> v1.21.0
• github.com/aws/aws-sdk-go-v2/config v1.31.20 -> v1.32.7
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 -> v1.18.17
• github.com/aws/aws-sdk-go-v2/service/acm v1.37.19 new
• github.com/aws/aws-sdk-go-v2/service/kms v1.46.0 -> v1.49.5
• github.com/aws/smithy-go v1.23.2 -> v1.24.0
• github.com/containerd/cgroups/v3 v3.0.5 -> v3.1.2
• github.com/containerd/containerd/api v1.9.0 -> v1.10.0
• github.com/containerd/containerd/v2 v2.1.5 -> v2.2.1
• github.com/containerd/platforms v1.0.0-rc.1 -> v1.0.0-rc.2
• github.com/cosi-project/runtime v1.12.0 -> v1.14.0
• github.com/docker/cli v29.0.0 -> v29.2.1
• github.com/gdamore/tcell/v2 v2.9.0 -> v2.13.8
• github.com/godbus/dbus/v5 v5.1.0 -> v5.2.2
• github.com/google/cadvisor v0.53.0 -> v0.56.2
• github.com/google/cel-go v0.26.1 -> v0.27.0
• github.com/google/go-containerregistry v0.20.6 -> v0.20.7
• github.com/google/go-tpm v0.9.7 -> v0.9.8
• github.com/hetznercloud/hcloud-go/v2 v2.30.0 -> v2.36.0
• github.com/jsimonetti/rtnetlink/v2 v2.1.0 -> v2.2.0
• github.com/klauspost/compress v1.18.1 -> v1.18.4
• github.com/linode/go-metadata v0.2.2 -> v0.2.4
• github.com/mdlayher/ethtool v0.4.0 -> v0.5.1
• github.com/miekg/dns v1.1.68 -> v1.1.72
• github.com/moby/moby/api v1.52.0 -> v1.53.0
• github.com/moby/moby/client v0.1.0 -> v0.2.2
• github.com/navidys/tvxwidgets v0.13.0 new
• github.com/opencontainers/runtime-spec v1.2.1 -> v1.3.0
• github.com/scaleway/scaleway-sdk-go v1.0.0-beta.35 -> v1.0.0-beta.36
• github.com/siderolabs/discovery-api v0.1.6 -> v0.1.8
• github.com/siderolabs/go-blockdevice/v2 v2.0.20 -> v2.0.25
• github.com/siderolabs/go-cmd v0.1.3 -> v0.2.0
• github.com/siderolabs/go-debug v0.6.1 -> v0.6.2
• github.com/siderolabs/go-kubernetes v0.2.28 -> v0.2.32
• github.com/siderolabs/kms-client v0.1.0 -> v0.2.0
• github.com/siderolabs/pkgs v1.12.0-23-ge0b78b8 -> v1.13.0-alpha.0-61-g3c982f8
• github.com/siderolabs/proto-codec v0.1.2 -> v0.1.3
• github.com/siderolabs/talos/pkg/machinery v1.12.0 -> v1.13.0-alpha.2
• github.com/siderolabs/tools v1.12.0-2-g7d57df0 -> v1.13.0-alpha.0-16-g9de9770
• github.com/sirupsen/logrus v1.9.3 -> v1.9.4
• github.com/spf13/cobra v1.10.1 -> v1.10.2
• go.etcd.io/etcd/api/v3 v3.6.6 -> v3.6.7
• go.etcd.io/etcd/client/pkg/v3 v3.6.6 -> v3.6.7
• go.etcd.io/etcd/client/v3 v3.6.6 -> v3.6.7
• go.etcd.io/etcd/etcdutl/v3 v3.6.6 -> v3.6.7
• go.uber.org/zap v1.27.0 -> v1.27.1
• go.yaml.in/yaml/v4 v4.0.0-rc.3 -> v4.0.0-rc.4
• golang.org/x/net v0.47.0 -> v0.50.0
• golang.org/x/oauth2 v0.33.0 -> v0.35.0
• golang.org/x/sync v0.18.0 -> v0.19.0
• golang.org/x/sys v0.38.0 -> v0.41.0
• golang.org/x/term v0.37.0 -> v0.40.0
• golang.org/x/text v0.31.0 -> v0.34.0
• google.golang.org/grpc v1.76.0 -> v1.79.1
• google.golang.org/protobuf v1.36.10 -> f2248ac996af
• sigs.k8s.io/cli-utils 77c836a69463 new

Previous release can be found at v1.12.0

Images

ghcr.io/siderolabs/flannel:v0.28.1
registry.k8s.io/coredns/coredns:v1.14.1
registry.k8s.io/etcd:v3.6.8
registry.k8s.io/pause:3.10.1
registry.k8s.io/kube-apiserver:v1.36.0-alpha.1
registry.k8s.io/kube-controller-manager:v1.36.0-alpha.1
registry.k8s.io/kube-scheduler:v1.36.0-alpha.1
registry.k8s.io/kube-proxy:v1.36.0-alpha.1
ghcr.io/siderolabs/kubelet:v1.36.0-alpha.1
registry.k8s.io/networking/kube-network-policies:v0.9.2
ghcr.io/siderolabs/installer:v1.13.0-alpha.2
ghcr.io/siderolabs/installer-base:v1.13.0-alpha.2
ghcr.io/siderolabs/imager:v1.13.0-alpha.2
ghcr.io/siderolabs/talos:v1.13.0-alpha.2
ghcr.io/siderolabs/talosctl-all:v1.13.0-alpha.2
ghcr.io/siderolabs/overlays:v1.13.0-alpha.2
ghcr.io/siderolabs/extensions:v1.13.0-alpha.2