Skip to content

Releases: siderolabs/talos

v1.13.2

12 May 19:25
@github-actions github-actions
Immutable release. Only release title and notes can be modified.
v1.13.2
This tag was signed with the committer’s verified signature. The key has expired.
frezbo Noel Georgi
GPG key ID: 21A9F444075C9E36
Expired
Verified
Learn about vigilant mode.
c5d7c65
This commit was signed with the committer’s verified signature. The key has expired.
frezbo Noel Georgi
GPG key ID: 21A9F444075C9E36
Expired
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.13.2 Latest
Latest

Talos 1.13.2 (2026-05-12)

Welcome to the v1.13.2 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Etcd: 3.6.11
Linux: 6.18.29

Talos is built with Go 1.26.3.

Contributors

  • Noel Georgi

Changes

1 commit

  • c5d7c6536 release(v1.13.2): prepare release

Dependency Changes

  • github.com/siderolabs/talos/pkg/machinery v1.13.1 -> v1.13.2

Previous release can be found at v1.13.1

Images

ghcr.io/siderolabs/flannel:v0.28.4
registry.k8s.io/coredns/coredns:v1.14.2
registry.k8s.io/etcd:v3.6.11
registry.k8s.io/pause:3.10.1
registry.k8s.io/kube-apiserver:v1.36.0
registry.k8s.io/kube-controller-manager:v1.36.0
registry.k8s.io/kube-scheduler:v1.36.0
registry.k8s.io/kube-proxy:v1.36.0
ghcr.io/siderolabs/kubelet:v1.36.0
registry.k8s.io/networking/kube-network-policies:v1.0.0
ghcr.io/siderolabs/installer:v1.13.2
ghcr.io/siderolabs/installer-base:v1.13.2
ghcr.io/siderolabs/imager:v1.13.2
ghcr.io/siderolabs/talos:v1.13.2
ghcr.io/siderolabs/talosctl-all:v1.13.2
ghcr.io/siderolabs/overlays:v1.13.2
ghcr.io/siderolabs/extensions:v1.13.2
Assets 60
0 Join discussion

v1.14.0-alpha.0

29 Apr 15:50
@github-actions github-actions
Immutable release. Only release title and notes can be modified.
v1.14.0-alpha.0
This tag was signed with the committer’s verified signature.
shanduur Mateusz Urbanek
GPG key ID: F16F84591E26D77F
Verified
Learn about vigilant mode.
462015b
This commit was signed with the committer’s verified signature.
shanduur Mateusz Urbanek
GPG key ID: F16F84591E26D77F
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.14.0-alpha.0 Pre-release
Pre-release

Talos 1.14.0-alpha.0 (2026-04-29)

Welcome to the v1.14.0-alpha.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Default Installer Image

The default installer image has been updated to use the Image Factory.

Host DNS Configuration

HostDNS configuration was moved from the v1alpha1 config .machine.features.hostDNS field to the new hostDNS in the ResolverConfig document.

NTS for Time Synchronization

Talos now supports Network Time Security (NTS) for secure time synchronization.
This feature enhances the security of NTP by providing cryptographic authentication of time sources.

NTS is enabled by default (without any configuration sources) for the default time.cloudflare.com time server
NTS can be enabled for custom time servers via the new useNTS field in the TimeServerConfig document.

TLS 1.3 Minimum Version

Talos now runs etcd and kube-apiserver with a minimum TLS version of 1.3, improving security by leveraging the latest TLS features and cipher suites.
Custom settings for cipher suites have been removed, as they are ignored when TLS 1.3 is used, which simplifies configuration and ensures the use of modern, secure defaults.

Component Updates

Linux: 6.18.25
Kubernetes: 1.36.0

Talos is built with Go 1.26.2.

Contributors

  • Andrey Smirnov
  • Noel Georgi
  • Mateusz Urbanek
  • Utku Ozdemir
  • Orzelius
  • Oguz Kilcan
  • buckaroo
  • Ansgar Dahlen
  • Benoît Knecht
  • David Orman
  • Dharsan Baskar
  • Dmitrii Sharshakov
  • Dmitriy Matrenichev
  • Edward Sammut Alessi
  • Erwan Leboucher
  • Kevin Tijssen
  • Nico Berlee
  • Zadkiel AHARONIAN

Changes

104 commits

  • 462015bcd release(v1.14.0-alpha.0): prepare release
  • 8a037a56e test: fix flaky tests
  • 08c81d838 feat: bump kernel to 6.18.25
  • fe40b6e58 fix(ci): fetch empty pr labels
  • 837a9ed07 feat: move host DNS config into ResolverConfig
  • 96a8ecd1e feat: default to factory installer image
  • f19eef78b fix: revert add extraArgs from service-account-issuer
  • 6821225b6 fix: revert use append instead of prepend in service-account-issuer
  • b43c3a124 feat: add quirk for talosctl factory downloads
  • df0b9a8da refactor: make all controller unit-test follow modern patterns
  • c2948cef2 feat: support auth for Image Factory in cluster create
  • 560bcf0ca feat: enforce TLS 1.3 minmum version for Kubernetes components
  • 3db14309e fix(talosctl): ensure uncordon runs after reboot/upgrade errors
  • ecf2fa855 feat: update Kubernetes to v1.36.0
  • 71557eadd fix(ci): skip misc jobs not on pull request
  • 026313b7c docs: rename security-insights.yml to lowercase for LFX detection
  • dc4ffd490 fix(ci): fix jobs not interpolating matrix due to condition
  • 25e2f37e2 chore: generate comments for fields in resource proto
  • 149592fa5 fix: watch kubelet's kubeconfig and time out for cache sync
  • 1f315e6e9 feat: update Linux to 6.18.23
  • 0198eedc2 feat: add NTS (Network Time Security) support for NTP time sync
  • 6830a8b97 fix(ci): matrix jobs cleanups
  • 71aeb347f test: fix OOM test flake
  • 9b9542cc5 test: fix a flake in the manifest sync test
  • 863d882b6 test: add image verification for factory.talos.dev
  • bba0b4aee chore(ci): nvidia update helm values
  • 3399ff4de fix: propagate route table down to the resource
  • c684ec60e chore: prepare for Talos 1.14 release
  • ed9545d0d chore(ci): bump gpu operator version
  • 4de3e4393 fix(ci): cron triggered workflows
  • 212182e6f chore: bump container registry library
  • c028db0b8 fix: do not flip machine stage to rebooting during shutdown
  • 6ce62d9e8 fix(ci): workflow runs with workflow_run
  • 509cd9733 fix: boot entry detection
  • 5e3f30188 feat(ci): rework to schedule daily runs after a cron
  • 7fa4d3919 fix: zfs extensions test
  • 1ef8e630a test: allow more tests to run in FIPS strict mode
  • bdcc9321b fix: reduce memory dashboard usage
  • 2d177af82 chore: update Syft to v1.42.4+patches
  • 0d8362119 fix: return failed precondition on upgrade when not installed
  • be58eafab fix: wrong slot of encryption key was logged
  • 015081c76 feat: update dependencies
  • 9fbb7c95d fix: audit trustd code for security
  • 986e97fc7 feat: update Flannel to 0.28.4
  • f3817d1d1 chore: update sign images to support image name suffix
  • e776721f3 feat: update Kubernetes 1.36.0-rc.1
  • f6e7346fa fix: encode extra args fields in resources with new id
  • 3c7bb80ba chore: bump tools
  • 3ba35c9b9 chore(ci): nvidia try UKI boot
  • e3e8f01ca chore: bump tools
  • 181584a5f fix: handle boot failure
  • c464c7e88 fix: upgrade API in maintenance mode (legacy)
  • b7512d912 feat: update Kubernetes to 1.36.0-rc.0
  • 4ba11156f refactor: allow overriding out image name suffix
  • c81aa125c fix: panic in reading PCR values
  • 6a3ab87c5 feat(ci): add nvidia arm64 matrix
  • 21f459aab fix(talosctl): always use default GRPC dial options
  • ca208e514 fix: validate hostDNS forwarding requires hostDNS to be enabled
  • 9fcb9e05b feat: bump go to 1.26.2
  • 0bfdf7f70 fix: create correct blackhole routes for IPv4
  • 52b920032 feat: add client-side Kubernetes node drain to reboot and upgrade commands
  • 968ec1e0c refactor: propagate NAME properly, allow to set on build
  • acc69c346 fix: set the minimum TLS version to 1.3
  • 0cfa6e302 chore: bump some tool dependencies
  • 4229bb9d2 feat: add dis-vulncheck tool
  • d697f5538 fix: don't set xattrs while decompressing extensions
  • 34fb2cbe5 refactor: remove manual shell completion and replace with cobra completion
  • 79fa2e300 feat: allow more nvidia and nvme files from extensions
  • 414f78a29 feat: allow glibc ld files in etc
  • 1bbba4301 feat: update Flannel to v0.28.2
  • 55815e0fa fix: handle ISOs with zeroes in volume labels
  • 7b6ab0c1c feat: add flag to force fallback to legacy upgrade
  • 5e24d5265 feat: add resource view to talosctl dashboard
  • 649ab7fe4 fix: add os:meta:writer role to the dashboard
  • 10cdfa909 fix: drop talosctl install
  • 087ced85f fix: unseal with "slow" TPM
  • 11ab0a8c5 fix: drop unused type from ExternalVolume schema
  • e2df0f6ce fix: always grow disks
  • 919d8c365 chore: drop debug shell
  • 783a35851 fix: add metal-agent mode to runtime capabilities
  • 37b2221cc docs: add SECURITY-INSIGHTS.yml for OSPS Baseline QA-04.01
  • bed2bd414 feat: add graceful power off support to QEMU VM launcher
  • 3400059cc fix: incorrect route source for on-link routes
  • b3dfbf743 feat: bump musl to 1.2.6
  • 4227921b3 test: fix the PKI mismatch test flake
  • f2bc2dcc6 feat: update NVIDIA production drivers to 595.58.03
  • aa5946dd3 test: fix cron failures for provision-1 & provision-2
  • 1dd701efa fix: allow blockdevice wipe in maintenance mode
  • 786bf00ab feat: add --platform=all support to image cache-create
  • e1f645e3c feat: validate luks headers for tampering
  • ad72c7300 test: improve maintenance API provision tests
  • 70cefab6a test: fix the flakes in tests with trusted roots
  • aacff17f4 test: bump memory for Flannel netpolicy tests
  • 9c3459114 feat: update Linux to 6.18.19, CNI to 1.9.1
  • 038cb8735 feat: enforce PID check on connections to services over file sockets
  • e2b2dd3ea chore: update go-kubernetes library
  • 9597714f6 fix: add symlinks nvidia-ctk and nvidia-cdi-hook in /usr/bin
  • 8ac47d677 fix: unset rlimits for extension services
  • b1a02f368 feat: update Kubernetes to 1.36.0-beta.0
  • 362fdc9ec feat: update etcd to 3.6.9
  • 0a47f40b3 fix(machined): clear stale bond ARP/NS targets on decode
  • 86344639f fix: update diff library to v1.0.1
  • eff89d1ed fix: panics in diff algorithms
  • 8e1c8a7a9 test: fix the apid test against AWS/GCP

Changes from siderolabs/go-kubeconfig

2 commits

Changes from siderolabs/grpc-proxy

3 commits

Read more
Loading
0 Join discussion

v1.13.0

27 Apr 11:44
@github-actions github-actions
Immutable release. Only release title and notes can be modified.
v1.13.0
This tag was signed with the committer’s verified signature.
shanduur Mateusz Urbanek
GPG key ID: F16F84591E26D77F
Verified
Learn about vigilant mode.
b9e9c65
This commit was signed with the committer’s verified signature.
shanduur Mateusz Urbanek
GPG key ID: F16F84591E26D77F
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.13.0

Talos 1.13.0 (2026-04-27)

Welcome to the v1.13.0 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Clang built kernel and ThinLTO

Talos now uses a kernel built using Clang compiler, and optimized using ThinLTO. This should bring a small performance improvement,
alongside some hardening features, such as BTI on supported ARM systems.

Container Device Interface

Talos now enables CDI by default and extension/extension services can bring in dynamic
CDI spec files under /run/cdi.

talosctl debug

Talos Linux now provides a way to run and attach to the privileged debug container with a user-provided container image.
The debug container might be used for troubleshooting and debugging purposes.

Environment Configuration Document

A new EnvironmentConfig document has been introduced to allow users to specify environment variables for Talos components.
It replaces and deprecates the previous method of setting environment variables via the .machine.env field.

Multiple values for the same environment variable will replace previous values, with the last one taking precedence.

To remove an environment variable, remove it from the EnvironmentConfig document and restart the node.

External Volumes

Talos now supports virtiofs-based external volumes via the new
ExternalVolumeConfig
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.

Extra Arguments accept slices in addition to strings

Several Talos configuration fields that previously accepted single string values for extra arguments have been updated to accept slices of strings as well.
This includes fields such as .cluster.apiServer.extraArgs.

BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, ControllerManagerConfigs, SchedulerConfigs or APIServerConfigs, the protobuf format has changed from map<string,string> to map<string,message>.

Container Image Signature Verification

Talos now supports machine-wide container image signature verification via the new ImageVerificationConfig machine config document.

Any image which gets pulled on the node will be verified against the configured rules, and if no rule matches, it will be pulled without verification.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Image APIs Updated

Talos Linux provides new APIs to manage container images on the node: listing, pulling, importing and removing images.
The new pull API provides pull progress notifications.

The CLI commands talosctl image pull, talosctl image list and talosctl image remove have been updated to interact with the new APIs.

Talosctl images k8s-bundle subcommand accepts version parameter

The talosctl images k8s-bundle command now accepts an optional argument to override Talos version.

Install and Upgrade API

Talos now exposes install and upgrade operations via the LifecycleService API, enabling programmatic installs and upgrades through a single, consistent interface.
The legacy upgrade API is deprecated; new integrations should migrate to LifecycleService for future compatibility.

Kubernetes server-side apply

Talos now uses inventory backed server-side apply when applying bootstrap manifests (including extraManifests and inlineManifests).
Purging of unneeded manifests is automatically performed.
The switch and inventory backfill is automatic and no action is needed from the user.

Dynamic Linux Kernel Preemption Model

Talos Linux now defaults to dynamic Linux kernel preemption model, the default value none matches
previous version, but now with kernel argument preempt= the preemption model can be changed.

See Linux kernel documentation for more
information on supported values.

This change only applies to amd64 (x86_64) architecture.

KubeSpan Configuration

A new KubeSpanConfig document has been introduced to configure KubeSpan settings.
It replaces and deprecates the previous method of configuring KubeSpan via the .machine.network.kubespan field.

The old configuration field will continue to work for backward compatibility.

KubeSpan Advertised Network Filters

KubeSpan now supports filtering of advertised networks using the excludeAdvertisedNetworks field in the KubeSpanConfig document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
and any pair of their addresses, the traffic should either go through KubeSpan or not, but not one way or the other.

LinkAliasConfig Pattern-Based Multi-Alias

LinkAliasConfig now supports pattern-based alias names using %d format verb (e.g. net%d).

When the alias name contains a %d format verb, the selector is allowed to match multiple links.
Each matched link receives a sequential alias (e.g. net0, net1, ...) based on hardware address order
of the links. Links already aliased by a previous config are automatically skipped.

This enables creating stable aliases from any N links using a single config document,
useful for BondConfig and BridgeConfig member interfaces on varying hardware.

Negative Max Volume Size

Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example:
* a max size of "-10GiB" means the volume can grow to the available space minus 10GiB.
* a max size of "-25%" means the volume can grow to the available space minus 25%.

Flannel CNI with Network Policy Support

Talos Linux now supports optionally deploying Flannel CNI with network policy support enabled.
The network policy implementation is kube-network-policies.

To enable Flannel CNI with network policy support, use the following machine configuration patch:

cluster:
  network:
    cni:
      name: flannel
      flannel:
        kubeNetworkPoliciesEnabled: true

(If the cluster is already running, sync the bootstrap manifests after applying the patch to deploy the new CNI configuration.)

NVIDIA GPU Support

Talos switched to using CDI and now supports configuring NVIDIA GPU via the gpu-operator helm chart.
See the documentation on upgrade notes
for more details on how to configure NVIDIA GPU support in Talos.

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

ProbeConfig

The TCPProbeConfig configuration document allows to configure TCP probes for network reachability checks.
This allows to define a custom connectivity condition.

/proc/PID/mem Access Hardening

A new kernel parameter proc_mem.force_override=never has been introduced by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

ResolverConfig

The nameservers configuration in machine configuration now overwrites any previous layers (defaults, platform, etc.) when specified.
Previously a smart merge was performed to keep IPv4/IPv6 nameservers from lower layers if the machine configuration specified only one type.

Routing Rules Support

Talos now supports routing rules via the new RoutingRuleConfig machine config document.

talosctl images talos-bundle can ignore reaching to the registry

The talosctl images talos-bundle command now accepts optional --overlays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Lifecycle Upgrade in talosctl

talosctl upgrades now route through LifecycleService, aligning CLI behavior with the new install/upgrade API and unifying the upgrade path.
This change is transparent to users but standardizes the backend used for upgrades.

Component Updates

Linux: 6.18.24
containerd: 2.2.3
etcd: 3.6.9
CoreDNS: 1.14.2
Kubernetes: 1.36.0
CNI: 1.9.1
Flannel CNI plugin: v1.9.1-flannel1
Flannel: 0.28.4
LVM2: 2_03_38
runc: 1.4.2
systemd: 259.5
cryptsetup: 2.8.3
Tenstorrent: 2.7.0
iptables: 1.8.12
musl: 1.2.6

Talos is built with Go 1.26.2.

VM Hot-Add Support

Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.

VRF Support

Talos now supports VRF (Virtual Routing and Forwarding) via the new VRFConfig machine...

Read more
Loading
3 Join discussion

v1.12.7

24 Apr 16:48
@github-actions github-actions
Immutable release. Only release title and notes can be modified.
v1.12.7
This tag was signed with the committer’s verified signature. The key has expired.
frezbo Noel Georgi
GPG key ID: 21A9F444075C9E36
Expired
Verified
Learn about vigilant mode.
91c6399
This commit was signed with the committer’s verified signature. The key has expired.
frezbo Noel Georgi
GPG key ID: 21A9F444075C9E36
Expired
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.12.7

Talos 1.12.7 (2026-04-24)

Welcome to the v1.12.7 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.24
containerd: 2.1.7
etcd: 3.6.9
Kubernetes: v1.35.4

Talos is built with Go 1.25.9.

Contributors

  • Noel Georgi
  • Andrey Smirnov
  • Mateusz Urbanek
  • Orzelius
  • Utku Ozdemir

Changes

19 commits

  • 91c63991e release(v1.12.7): prepare release
  • 3b228caf1 feat: bring in apparmor profile files
  • 1a05b4a11 feat: update kubernetes to v1.35.4
  • b796be09b feat: bump pkgs, spdystream
  • a75ce6f00 feat: bump pkgs, tools
  • c1ea8dbc7 test: fix OOM test flake
  • d5b691b8f fix: watch kubelet's kubeconfig and time out for cache sync
  • 27655c5bc fix: propagate route table down to the resource
  • fcda84bc4 fix: boot entry detection
  • 330561c87 fix: do not flip machine stage to rebooting during shutdown
  • 8ef448884 fix: zfs extensions test
  • 8bc593d17 fix: wrong slot of encryption key was logged
  • 89f561593 fix: panic in reading PCR values
  • 317deede0 feat: add dis-vulncheck tool
  • 0654a7f7e fix: handle ISOs with zeroes in volume labels
  • e16007b44 fix: unseal with "slow" TPM
  • 388a56b79 fix: incorrect route source for on-link routes
  • 7e42474c5 test: fix the flakes in tests with trusted roots
  • d52ebe21d feat: update etcd to 3.6.9

Changes from siderolabs/pkgs

8 commits

Changes from siderolabs/tools

3 commits

Dependency Changes

  • github.com/siderolabs/go-blockdevice/v2 v2.0.26 -> v2.0.28
  • github.com/siderolabs/pkgs v1.12.0-50-ga92bed5 -> v1.12.0-58-g86d6af1
  • github.com/siderolabs/talos/pkg/machinery v1.12.6 -> v1.12.7
  • github.com/siderolabs/tools v1.12.0-7-g57916cb -> v1.12.0-10-gbbd753d
  • go.etcd.io/etcd/api/v3 v3.6.6 -> v3.6.9
  • go.etcd.io/etcd/client/pkg/v3 v3.6.6 -> v3.6.9
  • go.etcd.io/etcd/client/v3 v3.6.6 -> v3.6.9
  • go.etcd.io/etcd/etcdutl/v3 v3.6.6 -> v3.6.9
  • k8s.io/api v0.35.2 -> v0.35.4
  • k8s.io/apiextensions-apiserver v0.35.2 -> v0.35.4
  • k8s.io/apimachinery v0.35.2 -> v0.35.4
  • k8s.io/apiserver v0.35.2 -> v0.35.4
  • k8s.io/client-go v0.35.2 -> v0.35.4
  • k8s.io/component-base v0.35.2 -> v0.35.4
  • k8s.io/cri-api v0.35.2 -> v0.35.4
  • k8s.io/kube-scheduler v0.35.2 -> v0.35.4
  • k8s.io/kubectl v0.35.2 -> v0.35.4
  • k8s.io/kubelet v0.35.2 -> v0.35.4
  • k8s.io/pod-security-admission v0.35.2 -> v0.35.4

Previous release can be found at v1.12.6

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.9
registry.k8s.io/kube-apiserver:v1.35.4
registry.k8s.io/kube-controller-manager:v1.35.4
registry.k8s.io/kube-scheduler:v1.35.4
registry.k8s.io/kube-proxy:v1.35.4
ghcr.io/siderolabs/kubelet:v1.35.4
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.7
ghcr.io/siderolabs/installer-base:v1.12.7
ghcr.io/siderolabs/imager:v1.12.7
ghcr.io/siderolabs/talos:v1.12.7
ghcr.io/siderolabs/talosctl-all:v1.12.7
ghcr.io/siderolabs/overlays:v1.12.7
ghcr.io/siderolabs/extensions:v1.12.7
Loading
0 Join discussion

v1.13.0-rc.0

16 Apr 12:16
@github-actions github-actions
Immutable release. Only release title and notes can be modified.
v1.13.0-rc.0
This tag was signed with the committer’s verified signature.
smira Andrey Smirnov
GPG key ID: 322C6F63F594CE7C
Verified
Learn about vigilant mode.
1f949d9
This commit was signed with the committer’s verified signature.
smira Andrey Smirnov
GPG key ID: 322C6F63F594CE7C
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.13.0-rc.0 Pre-release
Pre-release

Talos 1.13.0-rc.0 (2026-04-16)

Welcome to the v1.13.0-rc.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Clang built kernel and ThinLTO

Talos now uses a kernel built using Clang compiler, and optimized using ThinLTO. This should bring a small performance improvement,
alongside some hardening features, such as BTI on supported ARM systems.

Container Device Interface

Talos now enables CDI by default and extension/extension services can bring in dynamic
CDI spec files under /run/cdi.

talosctl debug

Talos Linux now provides a way to run and attach to the privileged debug container with a user-provided container image.
The debug container might be used for troubleshooting and debugging purposes.

Environment Configuration Document

A new EnvironmentConfig document has been introduced to allow users to specify environment variables for Talos components.
It replaces and deprecates the previous method of setting environment variables via the .machine.env field.

Multiple values for the same environment variable will replace previous values, with the last one taking precedence.

To remove an environment variable, remove it from the EnvironmentConfig document and restart the node.

External Volumes

Talos now supports virtiofs-based external volumes via the new
ExternalVolumeConfig
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.

Extra Arguments accept slices in addition to strings

Several Talos configuration fields that previously accepted single string values for extra arguments have been updated to accept slices of strings as well.
This includes fields such as .cluster.apiServer.extraArgs.

BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, ControllerManagerConfigs, SchedulerConfigs or APIServerConfigs, the protobuf format has changed from map<string,string> to map<string,message>.

Container Image Signature Verification

Talos now supports machine-wide container image signature verification via the new ImageVerificationConfig machine config document.

Any image which gets pulled on the node will be verified against the configured rules, and if no rule matches, it will be pulled without verification.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Image APIs Updated

Talos Linux provides new APIs to manage container images on the node: listing, pulling, importing and removing images.
The new pull API provides pull progress notifications.

The CLI commands talosctl image pull, talosctl image list and talosctl image remove have been updated to interact with the new APIs.

Talosctl images k8s-bundle subcommand accepts version parameter

The talosctl images k8s-bundle command now accepts an optional argument to override Talos version.

Install and Upgrade API

Talos now exposes install and upgrade operations via the LifecycleService API, enabling programmatic installs and upgrades through a single, consistent interface.
The legacy upgrade API is deprecated; new integrations should migrate to LifecycleService for future compatibility.

Kubernetes server-side apply

Talos now uses inventory backed server-side apply when applying bootstrap manifests (including extraManifests and inlineManifests).
Purging of unneeded manifests is automatically performed.
The switch and inventory backfill is automatic and no action is needed from the user.

Dynamic Linux Kernel Preemption Model

Talos Linux now defaults to dynamic Linux kernel preemption model, the default value none matches
previous version, but now with kernel argument preempt= the preemption model can be changed.

See Linux kernel documentation for more
information on supported values.

This change only applies to amd64 (x86_64) architecture.

KubeSpan Configuration

A new KubeSpanConfig document has been introduced to configure KubeSpan settings.
It replaces and deprecates the previous method of configuring KubeSpan via the .machine.network.kubespan field.

The old configuration field will continue to work for backward compatibility.

KubeSpan Advertised Network Filters

KubeSpan now supports filtering of advertised networks using the excludeAdvertisedNetworks field in the KubeSpanConfig document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
and any pair of their addresses, the traffic should either go through KubeSpan or not, but not one way or the other.

LinkAliasConfig Pattern-Based Multi-Alias

LinkAliasConfig now supports pattern-based alias names using %d format verb (e.g. net%d).

When the alias name contains a %d format verb, the selector is allowed to match multiple links.
Each matched link receives a sequential alias (e.g. net0, net1, ...) based on hardware address order
of the links. Links already aliased by a previous config are automatically skipped.

This enables creating stable aliases from any N links using a single config document,
useful for BondConfig and BridgeConfig member interfaces on varying hardware.

Negative Max Volume Size

Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example:
* a max size of "-10GiB" means the volume can grow to the available space minus 10GiB.
* a max size of "-25%" means the volume can grow to the available space minus 25%.

Flannel CNI with Network Policy Support

Talos Linux now supports optionally deploying Flannel CNI with network policy support enabled.
The network policy implementation is kube-network-policies.

To enable Flannel CNI with network policy support, use the following machine configuration patch:

cluster:
  network:
    cni:
      name: flannel
      flannel:
        kubeNetworkPoliciesEnabled: true

(If the cluster is already running, sync the bootstrap manifests after applying the patch to deploy the new CNI configuration.)

NVIDIA GPU Support

Talos switched to using CDI and now supports configuring NVIDIA GPU via the gpu-operator helm chart.
See the documentation on upgrade notes
for more details on how to configure NVIDIA GPU support in Talos.

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

ProbeConfig

The TCPProbeConfig configuration document allows to configure TCP probes for network reachability checks.
This allows to define a custom connectivity condition.

/proc/PID/mem Access Hardening

A new kernel parameter proc_mem.force_override=never has been introduced by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

ResolverConfig

The nameservers configuration in machine configuration now overwrites any previous layers (defaults, platform, etc.) when specified.
Previously a smart merge was performed to keep IPv4/IPv6 nameservers from lower layers if the machine configuration specified only one type.

Routing Rules Support

Talos now supports routing rules via the new RoutingRuleConfig machine config document.

Service Account Issuer configuration

In API Server, passing extra args with service-account-issuer will append them after default value.
This allows easy migration, e.g. by changing .cluster.controlPlane.endpoint to new value, and keeping the old value in
.cluster.apiServer.extraArgs["service-account-issuer"].

talosctl images talos-bundle can ignore reaching to the registry

The talosctl images talos-bundle command now accepts optional --overlays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Lifecycle Upgrade in talosctl

talosctl upgrades now route through LifecycleService, aligning CLI behavior with the new install/upgrade API and unifying the upgrade path.
This change is transparent to users but standardizes the backend used for upgrades.

Component Updates

Linux: 6.18.22
containerd: 2.2.3
etcd: 3.6.9
CoreDNS: 1.14.2
Kubernetes: 1.36.0-rc.1
CNI: 1.9.1
Flannel CNI plugin: v1.9.0-flannel1
Flannel...

Read more
Loading
0 Join discussion

v1.13.0-beta.1

27 Mar 14:37
@github-actions github-actions
Immutable release. Only release title and notes can be modified.
v1.13.0-beta.1
This tag was signed with the committer’s verified signature.
smira Andrey Smirnov
GPG key ID: 322C6F63F594CE7C
Verified
Learn about vigilant mode.
213ecf2
This commit was signed with the committer’s verified signature.
smira Andrey Smirnov
GPG key ID: 322C6F63F594CE7C
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.13.0-beta.1 Pre-release
Pre-release

Talos 1.13.0-beta.1 (2026-03-27)

Welcome to the v1.13.0-beta.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Clang built kernel and ThinLTO

Talos now uses a kernel built using Clang compiler, and optimized using ThinLTO. This should bring a small performance improvement,
alongside some hardening features, such as BTI on supported ARM systems.

Container Device Interface

Talos now enables CDI by default and extension/extension services can bring in dynamic
CDI spec files under /run/cdi.

talosctl debug

Talos Linux now provides a way to run and attach to the privileged debug container with a user-provided container image.
The debug container might be used for troubleshooting and debugging purposes.

Environment Configuration Document

A new EnvironmentConfig document has been introduced to allow users to specify environment variables for Talos components.
It replaces and deprecates the previous method of setting environment variables via the .machine.env field.

Multiple values for the same environment variable will replace previous values, with the last one taking precedence.

To remove an environment variable, remove it from the EnvironmentConfig document and restart the node.

External Volumes

Talos now supports virtiofs-based external volumes via the new
ExternalVolumeConfig
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.

Extra Arguments accept slices in addition to strings

Several Talos configuration fields that previously accepted single string values for extra arguments have been updated to accept slices of strings as well.
This includes fields such as .cluster.apiServer.extraArgs.

BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, ControllerManagerConfigs, SchedulerConfigs or APIServerConfigs, the protobuf format has changed from map<string,string> to map<string,message>.

Container Image Signature Verification

Talos now supports machine-wide container image signature verification via the new ImageVerificationConfig machine config document.

Any image which gets pulled on the node will be verified against the configured rules, and if no rule matches, it will be pulled without verification.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Image APIs Updated

Talos Linux provides new APIs to manage container images on the node: listing, pulling, importing and removing images.
The new pull API provides pull progress notifications.

The CLI commands talosctl image pull, talosctl image list and talosctl image remove have been updated to interact with the new APIs.

Talosctl images k8s-bundle subcommand accepts version parameter

The talosctl images k8s-bundle command now accepts an optional argument to override Talos version.

Install and Upgrade API

Talos now exposes install and upgrade operations via the LifecycleService API, enabling programmatic installs and upgrades through a single, consistent interface.
The legacy upgrade API is deprecated; new integrations should migrate to LifecycleService for future compatibility.

Kubernetes server-side apply

Talos now uses inventory backed server-side apply when applying bootstrap manifests (including extraManifests and inlineManifests).
Purging of unneeded manifests is automatically performed.
The switch and inventory backfill is automatic and no action is needed from the user.

Dynamic Linux Kernel Preemption Model

Talos Linux now defaults to dynamic Linux kernel preemption model, the default value none matches
previous version, but now with kernel argument preempt= the preemption model can be changed.

See Linux kernel documentation for more
information on supported values.

This change only applies to amd64 (x86_64) architecture.

KubeSpan Configuration

A new KubeSpanConfig document has been introduced to configure KubeSpan settings.
It replaces and deprecates the previous method of configuring KubeSpan via the .machine.network.kubespan field.

The old configuration field will continue to work for backward compatibility.

KubeSpan Advertised Network Filters

KubeSpan now supports filtering of advertised networks using the excludeAdvertisedNetworks field in the KubeSpanConfig document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
and any pair of their addresses, the traffic should either go through KubeSpan or not, but not one way or the other.

LinkAliasConfig Pattern-Based Multi-Alias

LinkAliasConfig now supports pattern-based alias names using %d format verb (e.g. net%d).

When the alias name contains a %d format verb, the selector is allowed to match multiple links.
Each matched link receives a sequential alias (e.g. net0, net1, ...) based on hardware address order
of the links. Links already aliased by a previous config are automatically skipped.

This enables creating stable aliases from any N links using a single config document,
useful for BondConfig and BridgeConfig member interfaces on varying hardware.

Negative Max Volume Size

Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example:
* a max size of "-10GiB" means the volume can grow to the available space minus 10GiB.
* a max size of "-25%" means the volume can grow to the available space minus 25%.

Flannel CNI with Network Policy Support

Talos Linux now supports optionally deploying Flannel CNI with network policy support enabled.
The network policy implementation is kube-network-policies.

To enable Flannel CNI with network policy support, use the following machine configuration patch:

cluster:
  network:
    cni:
      name: flannel
      flannel:
        kubeNetworkPoliciesEnabled: true

(If the cluster is already running, sync the bootstrap manifests after applying the patch to deploy the new CNI configuration.)

NVIDIA GPU Support

Talos switched to using CDI and now supports configuring NVIDIA GPU via the gpu-operator helm chart.
See the documentation on upgrade notes
for more details on how to configure NVIDIA GPU support in Talos.

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

ProbeConfig

The TCPProbeConfig configuration document allows to configure TCP probes for network reachability checks.
This allows to define a custom connectivity condition.

/proc/PID/mem Access Hardening

A new kernel parameter proc_mem.force_override=never has been introduced by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

ResolverConfig

The nameservers configuration in machine configuration now overwrites any previous layers (defaults, platform, etc.) when specified.
Previously a smart merge was performed to keep IPv4/IPv6 nameservers from lower layers if the machine configuration specified only one type.

Routing Rules Support

Talos now supports routing rules via the new RoutingRuleConfig machine config document.

Service Account Issuer configuration

In API Server, passing extra args with service-account-issuer will append them after default value.
This allows easy migration, e.g. by changing .cluster.controlPlane.endpoint to new value, and keeping the old value in
.cluster.apiServer.extraArgs["service-account-issuer"].

talosctl images talos-bundle can ignore reaching to the registry

The talosctl images talos-bundle command now accepts optional --overlays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Lifecycle Upgrade in talosctl

talosctl upgrades now route through LifecycleService, aligning CLI behavior with the new install/upgrade API and unifying the upgrade path.
This change is transparent to users but standardizes the backend used for upgrades.

Component Updates

Linux: 6.18.19
containerd: 2.2.2
etcd: 3.6.9
CoreDNS: 1.14.2
Kubernetes: 1.36.0-beta.0
CNI: 1.9.1
Flannel CNI plugin: v1.9.0-flannel1
...

Read more
Loading
0 Join discussion

v1.12.6

19 Mar 15:52
@github-actions github-actions
Immutable release. Only release title and notes can be modified.
v1.12.6
This tag was signed with the committer’s verified signature.
smira Andrey Smirnov
GPG key ID: 322C6F63F594CE7C
Verified
Learn about vigilant mode.
a1b8bd6
This commit was signed with the committer’s verified signature.
smira Andrey Smirnov
GPG key ID: 322C6F63F594CE7C
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.12.6

Talos 1.12.6 (2026-03-19)

Welcome to the v1.12.6 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.18
runc: 1.3.5

Talos is built with Go 1.25.8.

Contributors

  • Mickaël Canévet
  • Andrey Smirnov
  • Dominik Pitz
  • Kai Zhang
  • Noel Georgi
  • Stanley Chan
  • Zadkiel AHARONIAN

Changes

21 commits

  • a1b8bd612 release(v1.12.6): prepare release
  • 72bd570f0 feat: update Linux to 6.18.18
  • 9d5638f4c fix: accept image cache volume encryption config
  • 0f018bf80 fix: panic in hardware.SystemInfoController
  • c46b89807 fix: validate missing apiVersion in config document decoder
  • c47cad9ec fix: pull in a fix for dmesg timestamps
  • 190336a66 fix: prevent stale discovered volumes reads
  • 217e9bb02 fix: bring in new version of go-cmd and go-blockdevice
  • d7779a5ba fix: stop pulling wrong platform for images
  • eb6eb664a fix(machined): support USERDATA legacy fallback in OpenNebula driver
  • ba20c7c12 feat(machined): add ONEGATE proxy route and deterministic interface iteration for OpenNebula
  • 739f66458 feat(machined): inherit IP6_METHOD from METHOD in OpenNebula driver
  • 93878c079 fix(machined): align OpenNebula hostname precedence with reference
  • 9718d737f feat(machined): add IPv6 alias address support for OpenNebula (ETH*_ALIAS*_IP6)
  • b649fb467 feat(machined): support ETH*_IP6_METHOD (static/dhcp/auto/disable) for OpenNebula
  • c81df6fa9 refactor(machined): extract per-interface IPv4 helper in OpenNebula driver
  • 501924e5a fix(machined): use ParseFQDN for hostname parsing in OpenNebula
  • e9331b271 feat(machined): support per-interface route metric for OpenNebula (ETH*_METRIC)
  • 6e78afbab feat(machined): add network alias support for OpenNebula (ETH*_ALIAS*)
  • 9f648b491 feat(machined): merge global and per-interface DNS for OpenNebula
  • 04fba03a9 feat(machined): add static routes support via ETH*_ROUTES for OpenNebula

Changes from siderolabs/go-cmd

2 commits

Changes from siderolabs/go-kmsg

3 commits

Changes from siderolabs/pkgs

4 commits

Dependency Changes

  • github.com/google/go-containerregistry v0.20.6 -> v0.20.7
  • github.com/siderolabs/go-blockdevice/v2 v2.0.24 -> v2.0.26
  • github.com/siderolabs/go-cmd v0.1.3 -> v0.2.0
  • github.com/siderolabs/go-kmsg v0.1.4 -> v0.1.5
  • github.com/siderolabs/pkgs v1.12.0-46-ge695c74 -> v1.12.0-50-ga92bed5
  • github.com/siderolabs/talos/pkg/machinery v1.12.5 -> v1.12.6
  • github.com/spf13/cobra v1.10.1 -> v1.10.2
  • golang.org/x/sys v0.41.0 -> v0.42.0
  • google.golang.org/grpc v1.78.0 -> v1.79.3

Previous release can be found at v1.12.5

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.8
registry.k8s.io/kube-apiserver:v1.35.2
registry.k8s.io/kube-controller-manager:v1.35.2
registry.k8s.io/kube-scheduler:v1.35.2
registry.k8s.io/kube-proxy:v1.35.2
ghcr.io/siderolabs/kubelet:v1.35.2
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.6
ghcr.io/siderolabs/installer-base:v1.12.6
ghcr.io/siderolabs/imager:v1.12.6
ghcr.io/siderolabs/talos:v1.12.6
ghcr.io/siderolabs/talosctl-all:v1.12.6
ghcr.io/siderolabs/overlays:v1.12.6
ghcr.io/siderolabs/extensions:v1.12.6
Loading
0 Join discussion

v1.13.0-beta.0

18 Mar 14:11
@github-actions github-actions
Immutable release. Only release title and notes can be modified.
v1.13.0-beta.0
This tag was signed with the committer’s verified signature.
shanduur Mateusz Urbanek
GPG key ID: F16F84591E26D77F
Verified
Learn about vigilant mode.
a544aea
This commit was signed with the committer’s verified signature.
shanduur Mateusz Urbanek
GPG key ID: F16F84591E26D77F
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.13.0-beta.0 Pre-release
Pre-release

Talos 1.13.0-beta.0 (2026-03-18)

Welcome to the v1.13.0-beta.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Clang built kernel and ThinLTO

Talos now uses a kernel built using Clang compiler, and optimized using ThinLTO. This should bring a small performance improvement,
alongside some hardening features, such as BTI on supported ARM systems.

Container Device Interface

Talos now enables CDI by default and extension/extension services can bring in dynamic
CDI spec files under /run/cdi.

talosctl debug

Talos Linux now provides a way to run and attach to the privileged debug container with a user-provided container image.
The debug container might be used for troubleshooting and debugging purposes.

Environment Configuration Document

A new EnvironmentConfig document has been introduced to allow users to specify environment variables for Talos components.
It replaces and deprecates the previous method of setting environment variables via the .machine.env field.

Multiple values for the same environment variable will replace previous values, with the last one taking precedence.

To remove an environment variable, remove it from the EnvironmentConfig document and restart the node.

External Volumes

Talos now supports virtiofs-based external volumes via the new
ExternalVolumeConfig
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.

Extra Arguments accept slices in addition to strings

Several Talos configuration fields that previously accepted single string values for extra arguments have been updated to accept slices of strings as well.
This includes fields such as .cluster.apiServer.extraArgs.

BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, ControllerManagerConfigs, SchedulerConfigs or APIServerConfigs, the protobuf format has changed from map<string,string> to map<string,message>.

Container Image Signature Verification

Talos now supports machine-wide container image signature verification via the new ImageVerificationConfig machine config document.

Any image which gets pulled on the node will be verified against the configured rules, and if no rule matches, it will be pulled without verification.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Image APIs Updated

Talos Linux provides new APIs to manage container images on the node: listing, pulling, importing and removing images.
The new pull APIs provides pull progress notifications.

The CLI commands talosctl image pull, talosctl image list and talosctl image remove have been updated to interact with the new APIs.

Talosctl images k8s-bundle subcommand accepts version parameter

The talosctl images k8s-bundle command now accepts an optional version overrides arguments.

Install and Upgrade API

Talos now exposes install and upgrade operations via the LifecycleService API, enabling programmatic installs and upgrades through a single, consistent interface.
The legacy upgrade API is deprecated; new integrations should migrate to LifecycleService for future compatibility.

Kubernetes server-side apply

Talos now uses inventory backed server-side apply when applying bootsrap manifests (including extraManifests and inlineManifests).
Purging of unneeded manifests is automatically performed.
The switch and inventory backfill is automatic and no action is needed from the user.

Dynamic Linux Kernel Preemption Model

Talos Linux now defaults to dynamic Linux kernel preemption model, the default value none matches
previous version, but now with kernel argument preempt= the preemption model can be changed.

See Linux kernel documentation for more
information on supported values.

This change only applies to amd64 (x86_64) architecture.

KubeSpan Configuration

A new KubeSpanConfig document has been introduced to configure KubeSpan settings.
It replaces and deprecates the previous method of configuring KubeSpan via the .machine.network.kubespan field.

The old configuration field will continue to work for backward compatibility.

KubeSpan Advertised Network Filters

KubeSpan now supports filtering of advertised networks using the excludeAdvertisedNetworks field in the KubeSpanConfig document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
and any pair of their addresses, the traffic should either go through KubeSpan or not, but not one way or the other.

LinkAliasConfig Pattern-Based Multi-Alias

LinkAliasConfig now supports pattern-based alias names using %d format verb (e.g. net%d).

When the alias name contains a %d format verb, the selector is allowed to match multiple links.
Each matched link receives a sequential alias (e.g. net0, net1, ...) based on hardware address order
of the links. Links already aliased by a previous config are automatically skipped.

This enables creating stable aliases from any N links using a single config document,
useful for BondConfig and BridgeConfig member interfaces on varying hardware.

Negative Max Volume Size

Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example:
* a max size of "-10GiB" means the volume can grow to the available space minus 10GiB.
* a max size of "-25%" means the volume can grow to the available space minus 25%.

Flannel CNI with Network Policy Support

Talos Linux now supports optionally deploying Flannel CNI with network policy support enabled.
The network policy implementation is kube-network-policies.

To enable Flannel CNI with network policy support, use the following machine configuration patch:

cluster:
  network:
    cni:
      name: flannel
      flannel:
        kubeNetworkPoliciesEnabled: true

(If the cluster is already running, sync the bootstrap manifests after applying the patch to deploy the new CNI configuration.)

NVIDIA GPU Support

Talos switched to using CDI and now supports configuring NVIDIA GPU via the gpu-operator helm chart.
See the documentation on upgrade notes
for more details on how to configure NVIDIA GPU support in Talos.

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

ProbeConfig

The TCPProbeConfig configuration document allows to configure TCP probes for network reachability checks.
This allows to define a custom connectivity condition.

/proc/PID/mem Access Hardening

A new kernel parameter proc_mem.force_override=never has been introduced by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

ResolverConfig

The nameservers configuration in machine configuration now overwrites any previous layers (defaults, platform, etc.) when specified.
Previously a smart merge was performed to keep IPv4/IPv6 nameservers from lower layers if the machine configuration specified only one type.

Routing Rules Support

Talos now supports routing rules via the new RoutingRuleConfig machine config document.

Service Account Issuer configuration

In API Server, passing extra args with service-account-issuer will append them after default value.
This allows easy migration, e.g. by changing .cluster.controlPlane.endpoint to new value, and keeping the old value in
.cluster.apiServer.extraArgs["service-account-issuer"].

talosctl images talos-bundle can ignore reaching to the registry

The talosctl images talos-bundle command now accepts optional --overlays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Lifecycle Upgrade in talosctl

talosctl upgrades now route through LifecycleService, aligning CLI behavior with the new install/upgrade API and unifying the upgrade path.
This change is transparent to users but standardizes the backend used for upgrades.

Component Updates

Linux: 6.18.18
containerd: 2.2.2
etcd: 3.6.8
CoreDNS: 1.14.2
Kubernetes: 1.36.0-alpha.2
Flannel CNI plugin: v1.9.0-flannel1
Flannel: 0.28.1
...

Read more
Loading
2 Join discussion

v1.12.5

09 Mar 15:16
@github-actions github-actions
Immutable release. Only release title and notes can be modified.
v1.12.5
This tag was signed with the committer’s verified signature.
smira Andrey Smirnov
GPG key ID: 322C6F63F594CE7C
Verified
Learn about vigilant mode.
da6c6e4
This commit was signed with the committer’s verified signature.
smira Andrey Smirnov
GPG key ID: 322C6F63F594CE7C
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.12.5

Talos 1.12.5 (2026-03-09)

Welcome to the v1.12.5 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.15
Kubernetes: 1.35.2
etcd: 3.6.8

Talos is built with Go 1.25.8.

Contributors

  • Andrey Smirnov
  • Mateusz Urbanek
  • Dmitrii Sharshakov
  • Fritz Schaal
  • Jan Paul
  • Max Makarov
  • Mickaël Canévet
  • Nico Berlee
  • Orzelius
  • Spencer Smith

Changes

19 commits

  • da6c6e461 release(v1.12.5): prepare release
  • 4f978a747 fix: correctly calculate end ranges for nftables sets
  • 8d52e2dbe feat: add trusted roots generation to stdpatches
  • 628487715 fix: use correct dhcp option for unicast dhcp renewal
  • dcf23be4f fix: ignore image digest when doing upgrade-k8s
  • f8a2a9b7a fix(machined): opennebula: process ETH*_ vars regardless of NETWORK context flag
  • db9ff23ae fix: patch with delete for LinkConfigs
  • e0c38e2ae fix: update path handling on talosctl cgroups
  • ca2d4c146 fix: stop Kubernetes client from dynamically reloading the certs
  • 70ae2f274 refactor: split locate and provision
  • c3b04844e fix: hold user volumes root mountpoint
  • d935420b2 fix: handle raw encryption keys with \n properly
  • 7fe1a47af fix: remove stale endpoints
  • 3ea08888a fix: allow static hosts in /etc/hosts without hostname
  • 5ebb00fdc fix: switch to better Myers algorithm implementation
  • 2b4037935 feat: update etcd to v3.6.8
  • 1ce9328e4 fix: disks flag parsing and handling in create qemu command
  • 1f989dfb0 fix: read multi-doc machine config with newer talosctl
  • 40ba6e3ec feat: update Linux 6.18.15, Go 1.25.8

Changes from siderolabs/go-debug

1 commit

Changes from siderolabs/pkgs

7 commits

Changes from siderolabs/tools

1 commit

Dependency Changes

  • github.com/docker/cli v29.0.0 -> v29.2.1
  • github.com/siderolabs/go-blockdevice/v2 v2.0.23 -> v2.0.24
  • github.com/siderolabs/go-debug v0.6.1 -> v0.6.2
  • github.com/siderolabs/pkgs v1.12.0-39-gb1fc4c6 -> v1.12.0-46-ge695c74
  • github.com/siderolabs/talos/pkg/machinery v1.12.3 -> v1.12.5
  • github.com/siderolabs/tools v1.12.0-6-gdc37e09 -> v1.12.0-7-g57916cb
  • golang.org/x/net v0.48.0 -> v0.51.0
  • golang.org/x/sys v0.40.0 -> v0.41.0
  • golang.org/x/term v0.38.0 -> v0.40.0
  • golang.org/x/text v0.33.0 -> v0.34.0
  • google.golang.org/grpc v1.76.0 -> v1.78.0
  • google.golang.org/protobuf v1.36.10 -> v1.36.11
  • k8s.io/api v0.35.0 -> v0.35.2
  • k8s.io/apiextensions-apiserver v0.35.0 -> v0.35.2
  • k8s.io/apiserver v0.35.0 -> v0.35.2
  • k8s.io/client-go v0.35.0 -> v0.35.2
  • k8s.io/component-base v0.35.0 -> v0.35.2
  • k8s.io/kube-scheduler v0.35.0 -> v0.35.2
  • k8s.io/kubectl v0.35.0 -> v0.35.2
  • k8s.io/kubelet v0.35.0 -> v0.35.2
  • k8s.io/pod-security-admission v0.35.0 -> v0.35.2

Previous release can be found at v1.12.4

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.8
registry.k8s.io/kube-apiserver:v1.35.2
registry.k8s.io/kube-controller-manager:v1.35.2
registry.k8s.io/kube-scheduler:v1.35.2
registry.k8s.io/kube-proxy:v1.35.2
ghcr.io/siderolabs/kubelet:v1.35.2
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.5
ghcr.io/siderolabs/installer-base:v1.12.5
ghcr.io/siderolabs/imager:v1.12.5
ghcr.io/siderolabs/talos:v1.12.5
ghcr.io/siderolabs/talosctl-all:v1.12.5
ghcr.io/siderolabs/overlays:v1.12.5
ghcr.io/siderolabs/extensions:v1.12.5
Loading
1 Join discussion

v1.13.0-alpha.2

25 Feb 11:05
@github-actions github-actions
Immutable release. Only release title and notes can be modified.
v1.13.0-alpha.2
This tag was signed with the committer’s verified signature.
shanduur Mateusz Urbanek
GPG key ID: F16F84591E26D77F
Verified
Learn about vigilant mode.
59311a7
This commit was signed with the committer’s verified signature.
shanduur Mateusz Urbanek
GPG key ID: F16F84591E26D77F
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.13.0-alpha.2 Pre-release
Pre-release

Talos 1.13.0-alpha.2 (2026-02-25)

Welcome to the v1.13.0-alpha.2 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Clang built kernel and ThinLTO

Talos now uses a kernel built using Clang compiler, and optimized using ThinLTO. This should bring a small performance improvement,
alongside some hardening features, such as BTI on supported ARM systems.

talosctl debug

Talos Linux now provides a way to run and attach to the privileged debug container with a user-provided container image.
The debug container might be used for troubleshooting and debugging purposes.

Environment Configuration Document

A new EnvironmentConfig document has been introduced to allow users to specify environment variables for Talos components.
It replaces and deprecates the previous method of setting environment variables via the .machine.env field.

Multiple values for the same environment variable will replace previous values, with the last one taking precedence.

To remove an environment variable, remove it from the EnvironmentConfig document and restart the node.

External Volumes

Talos now supports virtiofs-based external volumes via the new
ExternalVolumeConfig
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.

Extra Arguments accept slices in addition to strings

Several Talos configuration fields that previously accepted single string values for extra arguments have been updated to accept slices of strings as well.
This includes fields such as .cluster.apiServer.extraArgs.

BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, ControllerManagerConfigs, SchedulerConfigs or APIServerConfigs, the protobuf format has changed from map<string,string> to map<string,message>.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Image APIs Updated

Talos Linux provides new APIs to manage container images on the node: listing, pulling, importing and removing images.
The new pull APIs provides pull progress notifications.

The CLI commands talosctl image pull, talosctl image list and talosctl image remove have been updated to interact with the new APIs.

Talosctl images k8s-bundle subcommand accepts version parameter

The talosctl images k8s-bundle command now accepts an optional version overrides arguments.

Kubernetes server-side apply

Talos now uses inventory backed server-side apply when applying bootsrap manifests (including extraManifests and inlineManifests).
Purging of unneeded manifests is automatically performed.
The switch and inventory backfill is automatic and no action is needed from the user.

KubeSpan Configuration

A new KubeSpanConfig document has been introduced to configure KubeSpan settings.
It replaces and deprecates the previous method of configuring KubeSpan via the .machine.network.kubespan field.

The old configuration field will continue to work for backward compatibility.

KubeSpan Advertised Network Filters

KubeSpan now supports filtering of advertised networks using the excludeAdvertisedNetworks field in the KubeSpanConfig document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
and any pair of their addresses, the traffic should either go through KubeSpan or not, but not one way or the other.

LinkAliasConfig Pattern-Based Multi-Alias

LinkAliasConfig now supports pattern-based alias names using %d format verb (e.g. net%d).

When the alias name contains a %d format verb, the selector is allowed to match multiple links.
Each matched link receives a sequential alias (e.g. net0, net1, ...) based on hardware address order
of the links. Links already aliased by a previous config are automatically skipped.

This enables creating stable aliases from any N links using a single config document,
useful for BondConfig and BridgeConfig member interfaces on varying hardware.

Negative Max Volume Size

Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example:
* a max size of "-10GiB" means the volume can grow to the available space minus 10GiB.
* a max size of "-25%" means the volume can grow to the available space minus 25%.

Flannel CNI with Network Policy Support

Talos Linux now supports optionally deploying Flannel CNI with network policy support enabled.
The network policy implementation is kube-network-policies.

To enable Flannel CNI with network policy support, use the following machine configuration patch:

cluster:
  network:
    cni:
      name: flannel
      flannel:
        kubeNetworkPoliciesEnabled: true

(If the cluster is already running, sync the bootstrap manifests after applying the patch to deploy the new CNI configuration.)

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

ProbeConfig

The TCPProbeConfig configuration document allows to configure TCP probes for network reachability checks.
This allows to define a custom connectivity condition.

/proc/PID/mem Access Hardening

A new kernel parameter proc_mem.force_override=never has been introduced by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

ResolverConfig

The nameservers configuration in machine configuration now overwrites any previous layers (defaults, platform, etc.) when specified.
Previously a smart merge was performed to keep IPv4/IPv6 nameservers from lower layers if the machine configuration specified only one type.

Service Account Issuer configuration

In API Server, passing extra args with service-account-issuer will append them after default value.
This allows easy migration, e.g. by changing .cluster.controlPlane.endpoint to new value, and keeping the old value in
.cluster.apiServer.extraArgs["service-account-issuer"].

talosctl images talos-bundle can ignore reaching to the registry

The talosctl images talos-bundle command now accepts optional --overlays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Component Updates

Linux: 6.18.13
containerd: 2.2.1
etcd: 3.6.8
CoreDNS: 1.14.1
Kubernetes: 1.36.0-alpha.1
Flannel CNI plugin: v1.9.0-flannel1
Flannel: 0.28.1
LVM2: 2_03_38
runc: 1.4.0
systemd: 259.1
cryptsetup: 2.8.3
Tenstorrent: 2.7.0
iptables: 1.8.12

Talos is built with Go 1.26.0.

VM Hot-Add Support

Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.

Contributors

  • Andrey Smirnov
  • Mateusz Urbanek
  • Noel Georgi
  • Dmitrii Sharshakov
  • Orzelius
  • Laura Brehm
  • Edward Sammut Alessi
  • Max Makarov
  • Andreas Freund
  • Artem Chernyshev
  • Bryan Lee
  • Fritz Schaal
  • Justin Garrison
  • Mickaël Canévet
  • Nico Berlee
  • Pranav Patil
  • Alexis La Goutte
  • Andras BALI
  • Andrei Kvapil
  • Birger Johan Nordølum
  • Camillo Rossi
  • Christopher Puschmann
  • Daniil Kivenko
  • Dmitrii Sharshakov
  • Florian Ströger
  • Gregor Gruener
  • Jaakko Sirén
  • Jan Paul
  • Jean-Francois Roy
  • Joakim Nohlgård
  • Jonas Lammler
  • Lennard Klein
  • Matthew Sanabria
  • Michal Baumgartner
  • Olav Thoresen
  • Serge van Ginderachter
  • Skye Soss
  • Spencer Smith
  • Sébastien Masset
  • Tim Jones
  • Utku Ozdemir
  • arita
  • dataprolet
  • drew
  • eseiker
  • greenpsi
  • lmacka
  • pranav767

Changes

222 commits

  • 59311a792 release(v1.13.0-alpha.2): prepare release
  • 009f0d6ca chore: update pkgs
  • ba56b0295 feat: include hid-multitouch.ko kernel module in rootfs
  • ae29a0dcc feat: update Linux to 6.18.13
  • 7cf1de279 fix: bring in new version of go-cmd and go-blockdevice
  • c8800b41e fix: update path handling on talosctl cgroups
  • 0a7b6eb2c chore: test extensions
  • 8b1c974a2 refactor: drop termui-widgets library
  • 5baa0028e fix: add owning inventory annotation to talos manifests
  • d3e793d14 fix: stop Kubernetes client from dynamically reloading the certs
  • 6a5a0e3bd feat: support pattern link aliases
  • 9758bd4fe feat: update Go to 1.26
  • e00aed0f6 feat: update Kubernetes v1.36.0-alpha.1
  • si...
Read more
Loading
2 Join discussion