Talos 1.13.0-alpha.2 (2026-02-25)

Welcome to the v1.13.0-alpha.2 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Clang built kernel and ThinLTO

Talos now uses a kernel built using Clang compiler, and optimized using ThinLTO. This should bring a small performance improvement,
alongside some hardening features, such as BTI on supported ARM systems.

talosctl debug

Talos Linux now provides a way to run and attach to the privileged debug container with a user-provided container image.
The debug container might be used for troubleshooting and debugging purposes.

Environment Configuration Document

A new EnvironmentConfig document has been introduced to allow users to specify environment variables for Talos components.
It replaces and deprecates the previous method of setting environment variables via the .machine.env field.

Multiple values for the same environment variable will replace previous values, with the last one taking precedence.

To remove an environment variable, remove it from the EnvironmentConfig document and restart the node.

External Volumes

Talos now supports virtiofs-based external volumes via the new
ExternalVolumeConfig
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.

Extra Arguments accept slices in addition to strings

Several Talos configuration fields that previously accepted single string values for extra arguments have been updated to accept slices of strings as well.
This includes fields such as .cluster.apiServer.extraArgs.

BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, ControllerManagerConfigs, SchedulerConfigs or APIServerConfigs, the protobuf format has changed from map<string,string> to map<string,message>.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Image APIs Updated

Talos Linux provides new APIs to manage container images on the node: listing, pulling, importing and removing images.
The new pull APIs provides pull progress notifications.

The CLI commands talosctl image pull, talosctl image list and talosctl image remove have been updated to interact with the new APIs.

Talosctl images k8s-bundle subcommand accepts version parameter

The talosctl images k8s-bundle command now accepts an optional version overrides arguments.

Kubernetes server-side apply

Talos now uses inventory backed server-side apply when applying bootsrap manifests (including extraManifests and inlineManifests).
Purging of unneeded manifests is automatically performed.
The switch and inventory backfill is automatic and no action is needed from the user.

KubeSpan Configuration

A new KubeSpanConfig document has been introduced to configure KubeSpan settings.
It replaces and deprecates the previous method of configuring KubeSpan via the .machine.network.kubespan field.

The old configuration field will continue to work for backward compatibility.

KubeSpan Advertised Network Filters

KubeSpan now supports filtering of advertised networks using the excludeAdvertisedNetworks field in the KubeSpanConfig document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
and any pair of their addresses, the traffic should either go through KubeSpan or not, but not one way or the other.

LinkAliasConfig Pattern-Based Multi-Alias

LinkAliasConfig now supports pattern-based alias names using %d format verb (e.g. net%d).

When the alias name contains a %d format verb, the selector is allowed to match multiple links.
Each matched link receives a sequential alias (e.g. net0, net1, ...) based on hardware address order
of the links. Links already aliased by a previous config are automatically skipped.

This enables creating stable aliases from any N links using a single config document,
useful for BondConfig and BridgeConfig member interfaces on varying hardware.

Negative Max Volume Size

Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example:
* a max size of "-10GiB" means the volume can grow to the available space minus 10GiB.
* a max size of "-25%" means the volume can grow to the available space minus 25%.

Flannel CNI with Network Policy Support

Talos Linux now supports optionally deploying Flannel CNI with network policy support enabled.
The network policy implementation is kube-network-policies.

To enable Flannel CNI with network policy support, use the following machine configuration patch:

cluster:
  network:
    cni:
      name: flannel
      flannel:
        kubeNetworkPoliciesEnabled: true

(If the cluster is already running, sync the bootstrap manifests after applying the patch to deploy the new CNI configuration.)

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

ProbeConfig

The TCPProbeConfig configuration document allows to configure TCP probes for network reachability checks.
This allows to define a custom connectivity condition.

/proc/PID/mem Access Hardening

A new kernel parameter proc_mem.force_override=never has been introduced by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

ResolverConfig

The nameservers configuration in machine configuration now overwrites any previous layers (defaults, platform, etc.) when specified.
Previously a smart merge was performed to keep IPv4/IPv6 nameservers from lower layers if the machine configuration specified only one type.

Service Account Issuer configuration

In API Server, passing extra args with service-account-issuer will append them after default value.
This allows easy migration, e.g. by changing .cluster.controlPlane.endpoint to new value, and keeping the old value in
.cluster.apiServer.extraArgs["service-account-issuer"].

talosctl images talos-bundle can ignore reaching to the registry

The talosctl images talos-bundle command now accepts optional --overlays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Component Updates

Linux: 6.18.13
containerd: 2.2.1
etcd: 3.6.8
CoreDNS: 1.14.1
Kubernetes: 1.36.0-alpha.1
Flannel CNI plugin: v1.9.0-flannel1
Flannel: 0.28.1
LVM2: 2_03_38
runc: 1.4.0
systemd: 259.1
cryptsetup: 2.8.3
Tenstorrent: 2.7.0
iptables: 1.8.12

Talos is built with Go 1.26.0.

VM Hot-Add Support

Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Noel Georgi
• Dmitrii Sharshakov
• Orzelius
• Laura Brehm
• Edward Sammut Alessi
• Max Makarov
• Andreas Freund
• Artem Chernyshev
• Bryan Lee
• Fritz Schaal
• Justin Garrison
• Mickaël Canévet
• Nico Berlee
• Pranav Patil
• Alexis La Goutte
• Andras BALI
• Andrei Kvapil
• Birger Johan Nordølum
• Camillo Rossi
• Christopher Puschmann
• Daniil Kivenko
• Dmitrii Sharshakov
• Florian Ströger
• Gregor Gruener
• Jaakko Sirén
• Jan Paul
• Jean-Francois Roy
• Joakim Nohlgård
• Jonas Lammler
• Lennard Klein
• Matthew Sanabria
• Michal Baumgartner
• Olav Thoresen
• Serge van Ginderachter
• Skye Soss
• Spencer Smith
• Sébastien Masset
• Tim Jones
• Utku Ozdemir
• arita
• dataprolet
• drew
• eseiker
• greenpsi
• lmacka
• pranav767

Changes

Talos 1.12.4 (2026-02-13)

Welcome to the v1.12.4 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

KubeSpan Advertised Network Filters

KubeSpan now supports filtering of advertised networks using the excludeAdvertisedNetworks field in the KubeSpanConfig document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
and any pair of their addresses, the traffic should either go through KubeSpan or not, but not one way or the other.

Component Updates

Linux: 6.18.9

Talos is built with Go 1.25.7.

Contributors

• Andrey Smirnov
• Daniil Kivenko
• Florian Ströger
• Fritz Schaal
• Mateusz Urbanek

Changes

Changes from siderolabs/discovery-api

Changes from siderolabs/pkgs

Dependency Changes

• github.com/siderolabs/discovery-api v0.1.6 -> v0.1.8
• github.com/siderolabs/pkgs v1.12.0-35-g15d5d78 -> v1.12.0-39-gb1fc4c6

Previous release can be found at v1.12.3

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:v1.35.0
registry.k8s.io/kube-controller-manager:v1.35.0
registry.k8s.io/kube-scheduler:v1.35.0
registry.k8s.io/kube-proxy:v1.35.0
ghcr.io/siderolabs/kubelet:v1.35.0
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.4
ghcr.io/siderolabs/installer-base:v1.12.4
ghcr.io/siderolabs/imager:v1.12.4
ghcr.io/siderolabs/talos:v1.12.4
ghcr.io/siderolabs/talosctl-all:v1.12.4
ghcr.io/siderolabs/overlays:v1.12.4
ghcr.io/siderolabs/extensions:v1.12.4

Talos 1.12.3 (2026-02-07)

Welcome to the v1.12.3 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.8

Talos is built with Go 1.25.7.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Andrei Kvapil
• Gregor Gruener
• Matthew Sanabria

Changes

Changes from siderolabs/pkgs

Changes from siderolabs/tools

Dependency Changes

• github.com/siderolabs/pkgs v1.12.0-32-g4f8efaf -> v1.12.0-35-g15d5d78
• github.com/siderolabs/talos/pkg/machinery v1.12.2 -> v1.12.3
• github.com/siderolabs/tools v1.12.0-4-g31959f4 -> v1.12.0-6-gdc37e09

Previous release can be found at v1.12.2

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:v1.35.0
registry.k8s.io/kube-controller-manager:v1.35.0
registry.k8s.io/kube-scheduler:v1.35.0
registry.k8s.io/kube-proxy:v1.35.0
ghcr.io/siderolabs/kubelet:v1.35.0
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.3
ghcr.io/siderolabs/installer-base:v1.12.3
ghcr.io/siderolabs/imager:v1.12.3
ghcr.io/siderolabs/talos:v1.12.3
ghcr.io/siderolabs/talosctl-all:v1.12.3
ghcr.io/siderolabs/overlays:v1.12.3
ghcr.io/siderolabs/extensions:v1.12.3

Talos 1.13.0-alpha.1 (2026-02-03)

Welcome to the v1.13.0-alpha.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Environment Configuration Document

A new EnvironmentConfig document has been introduced to allow users to specify environment variables for Talos components.
It replaces and deprecates the previous method of setting environment variables via the .machine.env field.

Multiple values for the same environment variable will replace previous values, with the last one taking precedence.

To remove an environment variable, remove it from the EnvironmentConfig document and restart the node.

External Volumes

Talos now supports virtiofs-based external volumes via the new
ExternalVolumeConfig
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.

Extra Arguments accept slices in addition to strings

Several Talos configuration fields that previously accepted single string values for extra arguments have been updated to accept slices of strings as well.
This includes fields such as .cluster.apiServer.extraArgs.

BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, ControllerManagerConfigs, SchedulerConfigs or APIServerConfigs, the protobuf format has changed from map<string,string> to map<string,message>.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Talosctl images k8s-bundle subcommand accepts version parameter

The talosctl images k8s-bundle command now accepts an optional version overrides arguments.

Kubernetes server-side apply

Talos now uses inventory backed server-side apply when applying bootsrap manifests (including extraManifests and inlineManifests).
Purging of unneeded manifests is automatically performed.
The switch and inventory backfill is automatic and no action is needed from the user.

KubeSpan Configuration

A new KubeSpanConfig document has been introduced to configure KubeSpan settings.
It replaces and deprecates the previous method of configuring KubeSpan via the .machine.network.kubespan field.

The old configuration field will continue to work for backward compatibility.

Negative Max Volume Size

Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example:
* a max size of "-10GiB" means the volume can grow to the available space minus 10GiB.
* a max size of "-25%" means the volume can grow to the available space minus 25%.

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

ProbeConfig

The TCPProbeConfig configuration document allows to configure TCP probes for network reachability checks.
This allows to define a custom connectivity condition.

/proc/PID/mem Access Hardening

A new kernel parameter proc_mem.force_override=never has been introduced by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

ResolverConfig

The nameservers configuration in machine configuration now overwrites any previous layers (defaults, platform, etc.) when specified.
Previously a smart merge was performed to keep IPv4/IPv6 nameservers from lower layers if the machine configuration specified only one type.

Service Account Issuer configuration

In API Server, passing extra args with service-account-issuer will append them after default value.
This allows easy migration, e.g. by changing .cluster.controlPlane.endpoint to new value, and keeping the old value in
.cluster.apiServer.extraArgs["service-account-issuer"].

talosctl images talos-bundle can ignore reaching to the registry

The talosctl images talos-bundle command now accepts optional --overlays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Component Updates

Linux: 6.18.8
containerd: 2.2.1
etcd: 3.6.7
CoreDNS: 1.13.2
Kubernetes: 1.35.0
Flannel CNI plugin: v1.9.0-flannel1
LVM2: 2_03_38
runc: 1.4.0
systemd: 259
cryptsetup: 2.8.3

Talos is built with Go 1.25.6.

VM Hot-Add Support

Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Noel Georgi
• Dmitrii Sharshakov
• Orzelius
• Laura Brehm
• Bryan Lee
• Edward Sammut Alessi
• Alexis La Goutte
• Andras BALI
• Andrei Kvapil
• Artem Chernyshev
• Birger Johan Nordølum
• Camillo Rossi
• Christopher Puschmann
• Florian Ströger
• Gregor Gruener
• Jaakko Sirén
• Jean-Francois Roy
• Joakim Nohlgård
• Jonas Lammler
• Justin Garrison
• Lennard Klein
• Matthew Sanabria
• Max Makarov
• Michal Baumgartner
• Mickaël Canévet
• Olav Thoresen
• Pranav Patil
• Serge van Ginderachter
• Skye Soss
• Spencer Smith
• Tim Jones
• dataprolet
• eseiker
• pranav767

Changes

Talos 1.12.2 (2026-01-22)

Welcome to the v1.12.2 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

talosctl images talos-bundle can ignore reaching to the registry

The talosctl images talos-bundle command now accepts optional --ovelays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Component Updates

Linux: 6.18.5

Talos is built with Go 1.25.6.

Contributors

• Andrey Smirnov
• Dmitrii Sharshakov
• Andras BALI
• Artem Chernyshev
• Jonas Lammler
• Mateusz Urbanek
• Max Makarov
• Noel Georgi

Changes

Changes from siderolabs/pkgs

Changes from siderolabs/tools

Dependency Changes

• github.com/klauspost/compress v1.18.2 -> v1.18.3
• github.com/siderolabs/go-blockdevice/v2 v2.0.22 -> v2.0.23
• github.com/siderolabs/pkgs v1.12.0-25-g90ff196 -> v1.12.0-32-g4f8efaf
• github.com/siderolabs/talos/pkg/machinery v1.12.1 -> v1.12.2
• github.com/siderolabs/tools v1.12.0-3-g5df8bae -> v1.12.0-4-g31959f4
• go.uber.org/zap v1.27.0 -> v1.27.1
• golang.org/x/net v0.47.0 -> v0.48.0
• golang.org/x/oauth2 v0.33.0 -> v0.34.0
• golang.org/x/sync v0.18.0 -> v0.19.0
• golang.org/x/sys v0.38.0 -> v0.40.0
• golang.org/x/term v0.37.0 -> v0.38.0
• golang.org/x/text v0.31.0 -> v0.33.0

Previous release can be found at v1.12.1

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:v1.35.0
registry.k8s.io/kube-controller-manager:v1.35.0
registry.k8s.io/kube-scheduler:v1.35.0
registry.k8s.io/kube-proxy:v1.35.0
ghcr.io/siderolabs/kubelet:v1.35.0
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.2
ghcr.io/siderolabs/installer-base:v1.12.2
ghcr.io/siderolabs/imager:v1.12.2
ghcr.io/siderolabs/talos:v1.12.2
ghcr.io/siderolabs/talosctl-all:v1.12.2
ghcr.io/siderolabs/overlays:v1.12.2
ghcr.io/siderolabs/extensions:v1.12.2

Talos 1.12.1 (2026-01-05)

Welcome to the v1.12.1 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.2

Talos is built with Go 1.25.5.

Contributors

• Mateusz Urbanek
• Andrey Smirnov
• Dmitrii Sharshakov

Changes

Changes from siderolabs/pkgs

Changes from siderolabs/tools

Dependency Changes

• github.com/klauspost/compress v1.18.1 -> v1.18.2
• github.com/siderolabs/go-blockdevice/v2 v2.0.20 -> v2.0.22
• github.com/siderolabs/pkgs v1.12.0-23-ge0b78b8 -> v1.12.0-25-g90ff196
• github.com/siderolabs/talos/pkg/machinery v1.12.0 -> v1.12.1
• github.com/siderolabs/tools v1.12.0-2-g7d57df0 -> v1.12.0-3-g5df8bae

Previous release can be found at v1.12.0

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:v1.35.0
registry.k8s.io/kube-controller-manager:v1.35.0
registry.k8s.io/kube-scheduler:v1.35.0
registry.k8s.io/kube-proxy:v1.35.0
ghcr.io/siderolabs/kubelet:v1.35.0
registry.k8s.io/pause:3.10

Talos 1.13.0-alpha.0 (2025-12-25)

Welcome to the v1.13.0-alpha.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

External Volumes

Talos now supports virtiofs-based external volumes via the new
ExternalVolumeConfig
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

/proc/PID/mem Access Hardening

A new kernel parameter proc_mem.force_override=never has been introduced by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

Component Updates

Linux: 6.18.2
containerd: 2.2.1
etcd: 3.6.7
CoreDNS: 1.13.2
Kubernetes: 1.35.0
Flannel CNI plugin: v1.9.0-flannel1
LVM2: 2_03_38
runc: 1.4.0
systemd: 259
cryptsetup: 2.8.3

Talos is built with Go 1.25.5.

VM Hot-Add Support

Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Noel Georgi
• Dmitrii Sharshakov
• Laura Brehm
• Bryan Lee
• Edward Sammut Alessi
• Birger Johan Nordølum
• Christopher Puschmann
• Jaakko Sirén
• Jean-Francois Roy
• Joakim Nohlgård
• Justin Garrison
• Lennard Klein
• Michal Baumgartner
• Orzelius
• Serge van Ginderachter
• Skye Soss
• dataprolet
• eseiker
• pranav767

Changes

Changes from siderolabs/pkgs

Talos 1.10.9 (2025-12-24)

Welcome to the v1.10.9 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

etcd Zombine Members

See this blog post for more details.

This release includes an update to etcd v3.5.26 to ensure that upgrades to Talos v1.11 and later (which default to etcd v3.6) will not be blocked by the presence of zombine members in the etcd cluster.

Please note that etcd version can also be configured via the machine configuration with any version of Talos Linux.

Component Updates

Linux: 6.12.63
runc: 1.2.9
etcd: 3.5.26

Talos is built with Go 1.24.11.

Contributors

• Andrey Smirnov
• Dmitrii Sharshakov

Changes

Changes from siderolabs/pkgs

Changes from siderolabs/tools

Dependency Changes

• github.com/containernetworking/plugins v1.6.2 -> v1.9.0
• github.com/safchain/ethtool v0.5.10 -> v0.6.2
• github.com/siderolabs/pkgs v1.10.0-37-g71b336d -> v1.10.0-38-g3f85dc8
• github.com/siderolabs/talos/pkg/machinery v1.10.8 -> v1.10.9
• github.com/siderolabs/tools v1.10.0-7-g39357c8 -> v1.10.0-8-g11b0a3d
• github.com/stretchr/testify v1.10.0 -> v1.11.1
• go.etcd.io/etcd/api/v3 v3.5.21 -> v3.5.26
• go.etcd.io/etcd/client/pkg/v3 v3.5.21 -> v3.5.26
• go.etcd.io/etcd/client/v3 v3.5.21 -> v3.5.26
• go.etcd.io/etcd/etcdutl/v3 v3.5.21 -> v3.5.26
• golang.org/x/net v0.42.0 -> v0.47.0
• golang.org/x/sync v0.16.0 -> v0.18.0
• golang.org/x/sys v0.34.0 -> v0.38.0
• golang.org/x/term v0.33.0 -> v0.37.0
• golang.org/x/text v0.27.0 -> v0.31.0
• google.golang.org/protobuf v1.36.6 -> v1.36.7

Previous release can be found at v1.10.8

Images

ghcr.io/siderolabs/flannel:v0.26.7
registry.k8s.io/coredns/coredns:v1.12.1
gcr.io/etcd-development/etcd:v3.5.26
registry.k8s.io/kube-apiserver:v1.33.6
registry.k8s.io/kube-controller-manager:v1.33.6
registry.k8s.io/kube-scheduler:v1.33.6
registry.k8s.io/kube-proxy:v1.33.6
ghcr.io/siderolabs/kubelet:v1.33.6
ghcr.io/siderolabs/installer:v1.10.9
registry.k8s.io/pause:3.10

Talos 1.12.0 (2025-12-22)

Welcome to the v1.12.0 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

What's New

See also What's new in Talos v1.12.0 in the documentation for a summary of the most notable changes in this release.

API Server Cipher Suites

The Kubernetes API server in Talos has been updated to use a more secure set of TLS cipher suites by default.
This is in line with a set of best practices documented in CIS 1.12 benchmark.

You can still expand the list of supported cipher suites via the cluster.apiServer.extraArgs."tls-cipher-suites" machine configuration field if needed.

New User Volume type - bind

New field in UserVolumeConfig - volumeType that defaults to partition, but can be set to directory.
When set to directory, provisioning and filesystem operations are skipped and a directory is created under /var/mnt/<name>.

The directory type enables lightweight storage volumes backed by a host directory, instead of requiring a full block device partition.

When volumeType = "directory":

• A directory is created at /var/mnt/<metadata.name>;
• provisioning, filesystem and encryption are prohibited.

Note: this mode does not provide filesystem-level isolation and inherits the EPHEMERAL partition capacity limits.
It should not be used for workloads requiring predictable storage quotas.

Disk Encryption

Talos versions prior to v1.12 used the state of PCR 7 and signed policies locked to PCR 11 for TPM based disk encryption.

Talos now supports configuring which PCRs states are to be used for TPM based disk encryption via the options.pcrs
field in the tpm section of the disk encryption configuration.

If user doesn't specify any options Talos defaults to using PCR 7 for backwards compatibility with existing installations.

This change was made to improve compatibility with systems that may have varying states in PCR 7 due to UEFI Secure Boot configurations
and users may wish to disable locking to PCR 7 state entirely.

Signed PCR policies will still be bound to PCR 11.

The currently used PCR's can be seen with talosctl get volumestatus <volume> -o yaml command.

New User Volume type - disk

volumeType in UserVolumeConfig can be set to disk.
When set to disk, a full block device is used for the volume.

When volumeType = "disk":

• Size specific settings are not allowed in the provisioning block (minSize, maxSize, grow).

Embedded Config

Talos Linux now supports embedding the machine configuration directly into the boot image.

etcd

etcd container image is now pulled from registry.k8s.io/etcd instead of gcr.io/etcd-development/etcd.

Ethernet Configuration

The Ethernet configuration now includes a wakeOnLAN field to enable Wake-on-LAN (WOL) support.
This field can be set to enable WOL and specify the desired WOL modes.

Extra Binaries

Talos Linux now ships with nft binary in the rootfs to support CNIs which shell out to nft command.

Feature Lock

Talos now ignores the following machine configuration fields:

• machine.features.rbac (locked to true)
• machine.features.apidCheckExtKeyUsage (locked to true)
• cluster.apiServer.disablePodSecurityPolicy (locked to true)

These fields were removed from the default machine configuration schema in v1.12 and are now always set to the locked values above.

Talos force reboot

Talos now supports a "force" reboot mode, which allows skipping the graceful userland termination.
It can be used in situations where a userland service (e.g. the kubelet) gets stuck during graceful shutdown, causing the regular reboot flow to fail.

In addition, talosctl was updated to support this feature via talosctl reboot --mode force.

GRUB

Talos Linux introduces new machine configuration option .machine.install.grubUseUKICmdline to control whether GRUB should use the kernel command line
provided by the boot assets (UKI) or to use the command line constructed by Talos itself (legacy behavior).

This option defaults to true for new installations, which means that GRUB will use the command line from the UKI, making it easier to customize kernel parameters via boot asset generation.
For existing installations upgrading to v1.12, this option will default to false to preserve the legacy behavior.

Kernel Log

The kernel log (dmesg) is now also available as the service log named kernel (talosctl logs kernel).

Kernel Module

Talos now supports optionally disabling kernel module signature verification by setting module.sig_enforce=0 kernel parameter.
By default module signature verification is enabled (module.sig_enforce=1).
When using Factory or Imager supply as -module.sig_enfore module.sig_enforce=0 kernel parameters to disable module signature enforcement.

Kernel Security Posture Profile (KSPP)

Talos now enables a stricter set of KSPP sysctl settings by default.
The list of overridden settings is available with talosctl get kernelparamstatus command.

Encrypted Volumes

Talos Linux now consistently provides mapped names for encrypted volumes in the format /dev/mapper/luks2-<volume-id>.
This change should not affect system or user volumes, but might allow easier identification of encrypted volumes,
and specifically for raw encrypted volumes.

Network Configuration

The network configuration under .machine.network (with the exception of KubeSpan) has been deprecated, but it is still supported for backwards compatibility.
See documentation for more information.

Persistent logs

Talos now stores system component logs in /var/log, featuring automatic log rotation and keeping two most
recent log files. This change allows collecting logs from Talos like on any other Linux system.

CRI Registry Configuration

The CRI registry configuration in v1apha1 legacy machine configuration under .machine.registries is now deprecated, but still supported for backwards compatibility.
New configuration documents RegistryMirrorConfig, RegistryAuthConfig and RegistryTLSConfig should be used instead.

talosctl image cache-serve

talosctl includes new subcommand image cache-serve.
It allows serving the created OCI image registry over HTTP/HTTPS.
It is a read-only registry, meaning images cannot be pushed to it, but the backing storage can be updated by re-running the cache-create command;

Additionally talosctl image cache-create has some changes:

• new flag --layout: oci (default), flat:
  • oci preserves current behavior;
  • flat does not repack artifact layer, but moves it to a destination directory, allowing it to be served by talosctl image cache-serve;
• changed flag --platform: now can accept multiple os/arch combinations:
  • comma separated (--platform=linux/amd64,linux/arm64);
  • multiple instances (--platform=linux/amd64 --platform=linux/arm64);

UEFI Boot

When using UEFI boot with systemd-boot as bootloader (on new installs of Talos from 1.10+ onwards), Talos will now not touch the UEFI boot order.
Talos 1.11 made a fix to create UEFI boot entry and set the boot order as first entry, but this behavior caused issues on some systems.
To avoid further issues, Talos will now only create the UEFI boot entry if it does not exist, but will not modify the boot order.

Component Updates

Linux: 6.18.1
Kubernetes: 1.35.0
CNI Plugins: 1.9.0
cryptsetup: 2.8.1
LVM2: 2_03_37
systemd-udevd: 257.8
etcd: 3.6.7
CoreDNS: 1.13.2
Flannel: 0.27.4
Flannel CNI plugin: v1.8.0-flannel2
runc: 1.3.4
containerd: 2.1.6
zfs: 2.4.0

Talos is built with Go 1.25.5.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Noel Georgi
• Dmitrii Sharshakov
• Amarachi Iheanacho
• Orzelius
• Laura Brehm
• Oguz Kilcan
• Justin Garrison
• Artem Chernyshev
• Utku Ozdemir
• Bryan Lee
• George Gaál
• Jorik Jonker
• Michael Smith
• Nicole Hubbard
• 459below
• Adrian L Lange
• Alp Celik
• Andrew Longwill
• Birger Johan Nordølum
• Chris Sanders
• Christopher Puschmann
• Dmitry
• Edward Sammut Alessi
• Febrian
• Florian Grignon
• Fred Heinecke
• Giau. Tran Minh
• Grzegorz Rozniecki
• Guillaume LEGRAIN
• Hector Monsalve
• Jaakko Sirén
• Jean-Francois Roy
• Joakim Nohlgård
• Lennard Klein
• Markus Freitag
• Max Makarov
• Mike Beaumont
• Misha Aksenov
• MrMrRubic
• Olivier Doucet
• Pranav
• Sammy ETUR
• Serge Logvinov
• Serge van Ginderachter
• Skye Soss
• Skyler Mäntysaari
• SuitDeer
• Tom
• aurh1l
• eseiker
• frozenprocess
• frozensprocess
• kassad
• leppeK
• samoreno
• theschles
• winnie

Changes

Talos 1.11.6 (2025-12-16)

Welcome to the v1.11.6 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

UEFI Boot

When using UEFI boot with systemd-boot as bootloader (on new installs of Talos from 1.10+ onwards), Talos will now not touch the UEFI boot order.
Talos 1.11 made a fix to create UEFI boot entry and set the boot order as first entry, but this behavior caused issues on some systems.
To avoid further issues, Talos will now only create the UEFI boot entry if it does not exist, but will not modify the boot order.

Component Updates

Linux: 6.12.62
runc: 1.3.4

Talos is built with Go 1.24.11.

Contributors

• Andrey Smirnov
• Noel Georgi
• Dmitrii Sharshakov

Changes

Changes from siderolabs/pkgs

Changes from siderolabs/tools

Dependency Changes

• github.com/containernetworking/plugins v1.7.1 -> v1.9.0
• github.com/safchain/ethtool v0.6.1 -> v0.6.2
• github.com/siderolabs/pkgs v1.11.0-29-gaee690b -> v1.11.0-36-g49ee0fe
• github.com/siderolabs/talos/pkg/machinery v1.11.5 -> v1.11.6
• github.com/siderolabs/tools v1.11.0-4-g05ee846 -> v1.11.0-5-g7f05320
• github.com/stretchr/testify v1.10.0 -> v1.11.1
• golang.org/x/net v0.43.0 -> v0.47.0
• golang.org/x/sync v0.16.0 -> v0.19.0
• golang.org/x/sys v0.35.0 -> v0.39.0
• golang.org/x/term v0.34.0 -> v0.38.0
• golang.org/x/text v0.28.0 -> v0.32.0

Previous release can be found at v1.11.5

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.12.4
gcr.io/etcd-development/etcd:v3.6.5
registry.k8s.io/kube-apiserver:v1.34.1
registry.k8s.io/kube-controller-manager:v1.34.1
registry.k8s.io/kube-scheduler:v1.34.1
registry.k8s.io/kube-proxy:v1.34.1
ghcr.io/siderolabs/kubelet:v1.34.1
ghcr.io/siderolabs/installer:v1.11.6
registry.k8s.io/pause:3.10