Talos 1.12.1 (2026-01-05)

Welcome to the v1.12.1 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.2

Talos is built with Go 1.25.5.

Contributors

• Mateusz Urbanek
• Andrey Smirnov
• Dmitrii Sharshakov

Changes

Changes from siderolabs/pkgs

Changes from siderolabs/tools

Dependency Changes

• github.com/klauspost/compress v1.18.1 -> v1.18.2
• github.com/siderolabs/go-blockdevice/v2 v2.0.20 -> v2.0.22
• github.com/siderolabs/pkgs v1.12.0-23-ge0b78b8 -> v1.12.0-25-g90ff196
• github.com/siderolabs/talos/pkg/machinery v1.12.0 -> v1.12.1
• github.com/siderolabs/tools v1.12.0-2-g7d57df0 -> v1.12.0-3-g5df8bae

Previous release can be found at v1.12.0

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:v1.35.0
registry.k8s.io/kube-controller-manager:v1.35.0
registry.k8s.io/kube-scheduler:v1.35.0
registry.k8s.io/kube-proxy:v1.35.0
ghcr.io/siderolabs/kubelet:v1.35.0
registry.k8s.io/pause:3.10

Talos 1.13.0-alpha.0 (2025-12-25)

Welcome to the v1.13.0-alpha.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

External Volumes

Talos now supports virtiofs-based external volumes via the new
ExternalVolumeConfig
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

/proc/PID/mem Access Hardening

A new kernel parameter proc_mem.force_override=never has been introduced by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

Component Updates

Linux: 6.18.2
containerd: 2.2.1
etcd: 3.6.7
CoreDNS: 1.13.2
Kubernetes: 1.35.0
Flannel CNI plugin: v1.9.0-flannel1
LVM2: 2_03_38
runc: 1.4.0
systemd: 259
cryptsetup: 2.8.3

Talos is built with Go 1.25.5.

VM Hot-Add Support

Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Noel Georgi
• Dmitrii Sharshakov
• Laura Brehm
• Bryan Lee
• Edward Sammut Alessi
• Birger Johan Nordølum
• Christopher Puschmann
• Jaakko Sirén
• Jean-Francois Roy
• Joakim Nohlgård
• Justin Garrison
• Lennard Klein
• Michal Baumgartner
• Orzelius
• Serge van Ginderachter
• Skye Soss
• dataprolet
• eseiker
• pranav767

Changes

Changes from siderolabs/pkgs

Talos 1.10.9 (2025-12-24)

Welcome to the v1.10.9 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

etcd Zombine Members

See this blog post for more details.

This release includes an update to etcd v3.5.26 to ensure that upgrades to Talos v1.11 and later (which default to etcd v3.6) will not be blocked by the presence of zombine members in the etcd cluster.

Please note that etcd version can also be configured via the machine configuration with any version of Talos Linux.

Component Updates

Linux: 6.12.63
runc: 1.2.9
etcd: 3.5.26

Talos is built with Go 1.24.11.

Contributors

• Andrey Smirnov
• Dmitrii Sharshakov

Changes

Changes from siderolabs/pkgs

Changes from siderolabs/tools

Dependency Changes

• github.com/containernetworking/plugins v1.6.2 -> v1.9.0
• github.com/safchain/ethtool v0.5.10 -> v0.6.2
• github.com/siderolabs/pkgs v1.10.0-37-g71b336d -> v1.10.0-38-g3f85dc8
• github.com/siderolabs/talos/pkg/machinery v1.10.8 -> v1.10.9
• github.com/siderolabs/tools v1.10.0-7-g39357c8 -> v1.10.0-8-g11b0a3d
• github.com/stretchr/testify v1.10.0 -> v1.11.1
• go.etcd.io/etcd/api/v3 v3.5.21 -> v3.5.26
• go.etcd.io/etcd/client/pkg/v3 v3.5.21 -> v3.5.26
• go.etcd.io/etcd/client/v3 v3.5.21 -> v3.5.26
• go.etcd.io/etcd/etcdutl/v3 v3.5.21 -> v3.5.26
• golang.org/x/net v0.42.0 -> v0.47.0
• golang.org/x/sync v0.16.0 -> v0.18.0
• golang.org/x/sys v0.34.0 -> v0.38.0
• golang.org/x/term v0.33.0 -> v0.37.0
• golang.org/x/text v0.27.0 -> v0.31.0
• google.golang.org/protobuf v1.36.6 -> v1.36.7

Previous release can be found at v1.10.8

Images

ghcr.io/siderolabs/flannel:v0.26.7
registry.k8s.io/coredns/coredns:v1.12.1
gcr.io/etcd-development/etcd:v3.5.26
registry.k8s.io/kube-apiserver:v1.33.6
registry.k8s.io/kube-controller-manager:v1.33.6
registry.k8s.io/kube-scheduler:v1.33.6
registry.k8s.io/kube-proxy:v1.33.6
ghcr.io/siderolabs/kubelet:v1.33.6
ghcr.io/siderolabs/installer:v1.10.9
registry.k8s.io/pause:3.10

Talos 1.12.0 (2025-12-22)

Welcome to the v1.12.0 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

What's New

See also What's new in Talos v1.12.0 in the documentation for a summary of the most notable changes in this release.

API Server Cipher Suites

The Kubernetes API server in Talos has been updated to use a more secure set of TLS cipher suites by default.
This is in line with a set of best practices documented in CIS 1.12 benchmark.

You can still expand the list of supported cipher suites via the cluster.apiServer.extraArgs."tls-cipher-suites" machine configuration field if needed.

New User Volume type - bind

New field in UserVolumeConfig - volumeType that defaults to partition, but can be set to directory.
When set to directory, provisioning and filesystem operations are skipped and a directory is created under /var/mnt/<name>.

The directory type enables lightweight storage volumes backed by a host directory, instead of requiring a full block device partition.

When volumeType = "directory":

• A directory is created at /var/mnt/<metadata.name>;
• provisioning, filesystem and encryption are prohibited.

Note: this mode does not provide filesystem-level isolation and inherits the EPHEMERAL partition capacity limits.
It should not be used for workloads requiring predictable storage quotas.

Disk Encryption

Talos versions prior to v1.12 used the state of PCR 7 and signed policies locked to PCR 11 for TPM based disk encryption.

Talos now supports configuring which PCRs states are to be used for TPM based disk encryption via the options.pcrs
field in the tpm section of the disk encryption configuration.

If user doesn't specify any options Talos defaults to using PCR 7 for backwards compatibility with existing installations.

This change was made to improve compatibility with systems that may have varying states in PCR 7 due to UEFI Secure Boot configurations
and users may wish to disable locking to PCR 7 state entirely.

Signed PCR policies will still be bound to PCR 11.

The currently used PCR's can be seen with talosctl get volumestatus <volume> -o yaml command.

New User Volume type - disk

volumeType in UserVolumeConfig can be set to disk.
When set to disk, a full block device is used for the volume.

When volumeType = "disk":

• Size specific settings are not allowed in the provisioning block (minSize, maxSize, grow).

Embedded Config

Talos Linux now supports embedding the machine configuration directly into the boot image.

etcd

etcd container image is now pulled from registry.k8s.io/etcd instead of gcr.io/etcd-development/etcd.

Ethernet Configuration

The Ethernet configuration now includes a wakeOnLAN field to enable Wake-on-LAN (WOL) support.
This field can be set to enable WOL and specify the desired WOL modes.

Extra Binaries

Talos Linux now ships with nft binary in the rootfs to support CNIs which shell out to nft command.

Feature Lock

Talos now ignores the following machine configuration fields:

• machine.features.rbac (locked to true)
• machine.features.apidCheckExtKeyUsage (locked to true)
• cluster.apiServer.disablePodSecurityPolicy (locked to true)

These fields were removed from the default machine configuration schema in v1.12 and are now always set to the locked values above.

Talos force reboot

Talos now supports a "force" reboot mode, which allows skipping the graceful userland termination.
It can be used in situations where a userland service (e.g. the kubelet) gets stuck during graceful shutdown, causing the regular reboot flow to fail.

In addition, talosctl was updated to support this feature via talosctl reboot --mode force.

GRUB

Talos Linux introduces new machine configuration option .machine.install.grubUseUKICmdline to control whether GRUB should use the kernel command line
provided by the boot assets (UKI) or to use the command line constructed by Talos itself (legacy behavior).

This option defaults to true for new installations, which means that GRUB will use the command line from the UKI, making it easier to customize kernel parameters via boot asset generation.
For existing installations upgrading to v1.12, this option will default to false to preserve the legacy behavior.

Kernel Log

The kernel log (dmesg) is now also available as the service log named kernel (talosctl logs kernel).

Kernel Module

Talos now supports optionally disabling kernel module signature verification by setting module.sig_enforce=0 kernel parameter.
By default module signature verification is enabled (module.sig_enforce=1).
When using Factory or Imager supply as -module.sig_enfore module.sig_enforce=0 kernel parameters to disable module signature enforcement.

Kernel Security Posture Profile (KSPP)

Talos now enables a stricter set of KSPP sysctl settings by default.
The list of overridden settings is available with talosctl get kernelparamstatus command.

Encrypted Volumes

Talos Linux now consistently provides mapped names for encrypted volumes in the format /dev/mapper/luks2-<volume-id>.
This change should not affect system or user volumes, but might allow easier identification of encrypted volumes,
and specifically for raw encrypted volumes.

Network Configuration

The network configuration under .machine.network (with the exception of KubeSpan) has been deprecated, but it is still supported for backwards compatibility.
See documentation for more information.

Persistent logs

Talos now stores system component logs in /var/log, featuring automatic log rotation and keeping two most
recent log files. This change allows collecting logs from Talos like on any other Linux system.

CRI Registry Configuration

The CRI registry configuration in v1apha1 legacy machine configuration under .machine.registries is now deprecated, but still supported for backwards compatibility.
New configuration documents RegistryMirrorConfig, RegistryAuthConfig and RegistryTLSConfig should be used instead.

talosctl image cache-serve

talosctl includes new subcommand image cache-serve.
It allows serving the created OCI image registry over HTTP/HTTPS.
It is a read-only registry, meaning images cannot be pushed to it, but the backing storage can be updated by re-running the cache-create command;

Additionally talosctl image cache-create has some changes:

• new flag --layout: oci (default), flat:
  • oci preserves current behavior;
  • flat does not repack artifact layer, but moves it to a destination directory, allowing it to be served by talosctl image cache-serve;
• changed flag --platform: now can accept multiple os/arch combinations:
  • comma separated (--platform=linux/amd64,linux/arm64);
  • multiple instances (--platform=linux/amd64 --platform=linux/arm64);

UEFI Boot

When using UEFI boot with systemd-boot as bootloader (on new installs of Talos from 1.10+ onwards), Talos will now not touch the UEFI boot order.
Talos 1.11 made a fix to create UEFI boot entry and set the boot order as first entry, but this behavior caused issues on some systems.
To avoid further issues, Talos will now only create the UEFI boot entry if it does not exist, but will not modify the boot order.

Component Updates

Linux: 6.18.1
Kubernetes: 1.35.0
CNI Plugins: 1.9.0
cryptsetup: 2.8.1
LVM2: 2_03_37
systemd-udevd: 257.8
etcd: 3.6.7
CoreDNS: 1.13.2
Flannel: 0.27.4
Flannel CNI plugin: v1.8.0-flannel2
runc: 1.3.4
containerd: 2.1.6
zfs: 2.4.0

Talos is built with Go 1.25.5.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Noel Georgi
• Dmitrii Sharshakov
• Amarachi Iheanacho
• Orzelius
• Laura Brehm
• Oguz Kilcan
• Justin Garrison
• Artem Chernyshev
• Utku Ozdemir
• Bryan Lee
• George Gaál
• Jorik Jonker
• Michael Smith
• Nicole Hubbard
• 459below
• Adrian L Lange
• Alp Celik
• Andrew Longwill
• Birger Johan Nordølum
• Chris Sanders
• Christopher Puschmann
• Dmitry
• Edward Sammut Alessi
• Febrian
• Florian Grignon
• Fred Heinecke
• Giau. Tran Minh
• Grzegorz Rozniecki
• Guillaume LEGRAIN
• Hector Monsalve
• Jaakko Sirén
• Jean-Francois Roy
• Joakim Nohlgård
• Lennard Klein
• Markus Freitag
• Max Makarov
• Mike Beaumont
• Misha Aksenov
• MrMrRubic
• Olivier Doucet
• Pranav
• Sammy ETUR
• Serge Logvinov
• Serge van Ginderachter
• Skye Soss
• Skyler Mäntysaari
• SuitDeer
• Tom
• aurh1l
• eseiker
• frozenprocess
• frozensprocess
• kassad
• leppeK
• samoreno
• theschles
• winnie

Changes

Talos 1.11.6 (2025-12-16)

Welcome to the v1.11.6 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

UEFI Boot

When using UEFI boot with systemd-boot as bootloader (on new installs of Talos from 1.10+ onwards), Talos will now not touch the UEFI boot order.
Talos 1.11 made a fix to create UEFI boot entry and set the boot order as first entry, but this behavior caused issues on some systems.
To avoid further issues, Talos will now only create the UEFI boot entry if it does not exist, but will not modify the boot order.

Component Updates

Linux: 6.12.62
runc: 1.3.4

Talos is built with Go 1.24.11.

Contributors

• Andrey Smirnov
• Noel Georgi
• Dmitrii Sharshakov

Changes

Changes from siderolabs/pkgs

Changes from siderolabs/tools

Dependency Changes

• github.com/containernetworking/plugins v1.7.1 -> v1.9.0
• github.com/safchain/ethtool v0.6.1 -> v0.6.2
• github.com/siderolabs/pkgs v1.11.0-29-gaee690b -> v1.11.0-36-g49ee0fe
• github.com/siderolabs/talos/pkg/machinery v1.11.5 -> v1.11.6
• github.com/siderolabs/tools v1.11.0-4-g05ee846 -> v1.11.0-5-g7f05320
• github.com/stretchr/testify v1.10.0 -> v1.11.1
• golang.org/x/net v0.43.0 -> v0.47.0
• golang.org/x/sync v0.16.0 -> v0.19.0
• golang.org/x/sys v0.35.0 -> v0.39.0
• golang.org/x/term v0.34.0 -> v0.38.0
• golang.org/x/text v0.28.0 -> v0.32.0

Previous release can be found at v1.11.5

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.12.4
gcr.io/etcd-development/etcd:v3.6.5
registry.k8s.io/kube-apiserver:v1.34.1
registry.k8s.io/kube-controller-manager:v1.34.1
registry.k8s.io/kube-scheduler:v1.34.1
registry.k8s.io/kube-proxy:v1.34.1
ghcr.io/siderolabs/kubelet:v1.34.1
ghcr.io/siderolabs/installer:v1.11.6
registry.k8s.io/pause:3.10

Talos 1.12.0-rc.1 (2025-12-15)

Welcome to the v1.12.0-rc.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

API Server Cipher Suites

The Kubernetes API server in Talos has been updated to use a more secure set of TLS cipher suites by default.
This is in line with a set of best practices documented in CIS 1.12 benchmark.

You can still expand the list of supported cipher suites via the cluster.apiServer.extraArgs."tls-cipher-suites" machine configuration field if needed.

New User Volume type - bind

New field in UserVolumeConfig - volumeType that defaults to partition, but can be set to directory.
When set to directory, provisioning and filesystem operations are skipped and a directory is created under /var/mnt/<name>.

The directory type enables lightweight storage volumes backed by a host directory, instead of requiring a full block device partition.

When volumeType = "directory":

• A directory is created at /var/mnt/<metadata.name>;
• provisioning, filesystem and encryption are prohibited.

Note: this mode does not provide filesystem-level isolation and inherits the EPHEMERAL partition capacity limits.
It should not be used for workloads requiring predictable storage quotas.

Disk Encryption

Talos versions prior to v1.12 used the state of PCR 7 and signed policies locked to PCR 11 for TPM based disk encryption.

Talos now supports configuring which PCRs states are to be used for TPM based disk encryption via the options.pcrs
field in the tpm section of the disk encryption configuration.

If user doesn't specify any options Talos defaults to using PCR 7 for backwards compatibility with existing installations.

This change was made to improve compatibility with systems that may have varying states in PCR 7 due to UEFI Secure Boot configurations
and users may wish to disable locking to PCR 7 state entirely.

Signed PCR policies will still be bound to PCR 11.

The currently used PCR's can be seen with talosctl get volumestatus <volume> -o yaml command.

New User Volume type - disk

volumeType in UserVolumeConfig can be set to disk.
When set to disk, a full block device is used for the volume.

When volumeType = "disk":

• Size specific settings are not allowed in the provisioning block (minSize, maxSize, grow).

Embedded Config

Talos Linux now supports embedding the machine configuration directly into the boot image.

etcd

etcd container image is now pulled from registry.k8s.io/etcd instead of gcr.io/etcd-development/etcd.

Ethernet Configuration

The Ethernet configuration now includes a wakeOnLAN field to enable Wake-on-LAN (WOL) support.
This field can be set to enable WOL and specify the desired WOL modes.

Extra Binaries

Talos Linux now ships with nft binary in the rootfs to support CNIs which shell out to nft command.

Feature Lock

Talos now ignores the following machine configuration fields:

• machine.features.rbac (locked to true)
• machine.features.apidCheckExtKeyUsage (locked to true)
• cluster.apiServer.disablePodSecurityPolicy (locked to true)

These fields were removed from the default machine configuration schema in v1.12 and are now always set to the locked values above.

Talos force reboot

Talos now supports a "force" reboot mode, which allows skipping the graceful userland termination.
It can be used in situations where a userland service (e.g. the kubelet) gets stuck during graceful shutdown, causing the regular reboot flow to fail.

In addition, talosctl was updated to support this feature via talosctl reboot --mode force.

GRUB

Talos Linux introduces new machine configuration option .machine.install.grubUseUKICmdline to control whether GRUB should use the kernel command line
provided by the boot assets (UKI) or to use the command line constructed by Talos itself (legacy behavior).

This option defaults to true for new installations, which means that GRUB will use the command line from the UKI, making it easier to customize kernel parameters via boot asset generation.
For existing installations upgrading to v1.12, this option will default to false to preserve the legacy behavior.

Kernel Log

The kernel log (dmesg) is now also available as the service log named kernel (talosctl logs kernel).

Kernel Module

Talos now supports optionally disabling kernel module signature verification by setting module.sig_enforce=0 kernel parameter.
By default module signature verification is enabled (module.sig_enforce=1).
When using Factory or Imager supply as -module.sig_enfore module.sig_enforce=0 kernel parameters to disable module signature enforcement.

Kernel Security Posture Profile (KSPP)

Talos now enables a stricter set of KSPP sysctl settings by default.
The list of overridden settings is available with talosctl get kernelparamstatus command.

Encrypted Volumes

Talos Linux now consistently provides mapped names for encrypted volumes in the format /dev/mapper/luks2-<volume-id>.
This change should not affect system or user volumes, but might allow easier identification of encrypted volumes,
and specifically for raw encrypted volumes.

Network Configuration

The network configuration under .machine.network (with the exception of KubeSpan) has been deprecated, but it is still supported for backwards compatibility.
See documentation for more information.

Persistent logs

Talos now stores system component logs in /var/log, featuring automatic log rotation and keeping two most
recent log files. This change allows collecting logs from Talos like on any other Linux system.

CRI Registry Configuration

The CRI registry configuration in v1apha1 legacy machine configuration under .machine.registries is now deprecated, but still supported for backwards compatibility.
New configuration documents RegistryMirrorConfig, RegistryAuthConfig and RegistryTLSConfig should be used instead.

talosctl image cache-serve

talosctl includes new subcommand image cache-serve.
It allows serving the created OCI image registry over HTTP/HTTPS.
It is a read-only registry, meaning images cannot be pushed to it, but the backing storage can be updated by re-running the cache-create command;

Additionally talosctl image cache-create has some changes:

• new flag --layout: oci (default), flat:
  • oci preserves current behavior;
  • flat does not repack artifact layer, but moves it to a destination directory, allowing it to be served by talosctl image cache-serve;
• changed flag --platform: now can accept multiple os/arch combinations:
  • comma separated (--platform=linux/amd64,linux/arm64);
  • multiple instances (--platform=linux/amd64 --platform=linux/arm64);

UEFI Boot

When using UEFI boot with systemd-boot as bootloader (on new installs of Talos from 1.10+ onwards), Talos will now not touch the UEFI boot order.
Talos 1.11 made a fix to create UEFI boot entry and set the boot order as first entry, but this behavior caused issues on some systems.
To avoid further issues, Talos will now only create the UEFI boot entry if it does not exist, but will not modify the boot order.

Component Updates

Linux: 6.18.0
Kubernetes: 1.35.0-rc.0
CNI Plugins: 1.9.0
cryptsetup: 2.8.1
LVM2: 2_03_37
systemd-udevd: 257.8
runc: 1.3.2
CoreDNS: 1.13.1
etcd: 3.6.6
Flannel: 0.27.4
Flannel CNI plugin: v1.8.0-flannel2
runc: 1.3.4
containerd: 2.1.5
zfs: 2.4.0-rc.5

Talos is built with Go 1.25.5.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Noel Georgi
• Dmitrii Sharshakov
• Amarachi Iheanacho
• Orzelius
• Laura Brehm
• Oguz Kilcan
• Justin Garrison
• Artem Chernyshev
• Utku Ozdemir
• Bryan Lee
• George Gaál
• Jorik Jonker
• Michael Smith
• Nicole Hubbard
• 459below
• Adrian L Lange
• Alp Celik
• Andrew Longwill
• Birger Johan Nordølum
• Chris Sanders
• Christopher Puschmann
• Dmitry
• Edward Sammut Alessi
• Febrian
• Florian Grignon
• Fred Heinecke
• Giau. Tran Minh
• Grzegorz Rozniecki
• Guillaume LEGRAIN
• Hector Monsalve
• Jaakko Sirén
• Jean-Francois Roy
• Joakim Nohlgård
• Lennard Klein
• Markus Freitag
• Max Makarov
• Mike Beaumont
• Misha Aksenov
• MrMrRubic
• Olivier Doucet
• Pranav
• Sammy ETUR
• Serge Logvinov
• Serge van Ginderachter
• Skye Soss
• Skyler Mäntysaari
• SuitDeer
• Tom
• aurh1l
• frozenprocess
• frozensprocess
• kassad
• leppeK
• samoreno
• theschles
• winnie

Changes

Talos 1.12.0-rc.0 (2025-12-09)

Welcome to the v1.12.0-rc.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

API Server Cipher Suites

The Kubernetes API server in Talos has been updated to use a more secure set of TLS cipher suites by default.
This is in line with a set of best practices documented in CIS 1.12 benchmark.

You can still expand the list of supported cipher suites via the cluster.apiServer.extraArgs."tls-cipher-suites" machine configuration field if needed.

New User Volume type - bind

New field in UserVolumeConfig - volumeType that defaults to partition, but can be set to directory.
When set to directory, provisioning and filesystem operations are skipped and a directory is created under /var/mnt/<name>.

The directory type enables lightweight storage volumes backed by a host directory, instead of requiring a full block device partition.

When volumeType = "directory":

• A directory is created at /var/mnt/<metadata.name>;
• provisioning, filesystem and encryption are prohibited.

Note: this mode does not provide filesystem-level isolation and inherits the EPHEMERAL partition capacity limits.
It should not be used for workloads requiring predictable storage quotas.

Disk Encryption

Talos versions prior to v1.12 used the state of PCR 7 and signed policies locked to PCR 11 for TPM based disk encryption.

Talos now supports configuring which PCRs states are to be used for TPM based disk encryption via the options.pcrs
field in the tpm section of the disk encryption configuration.

If user doesn't specify any options Talos defaults to using PCR 7 for backwards compatibility with existing installations.

This change was made to improve compatibility with systems that may have varying states in PCR 7 due to UEFI Secure Boot configurations
and users may wish to disable locking to PCR 7 state entirely.

Signed PCR policies will still be bound to PCR 11.

The currently used PCR's can be seen with talosctl get volumestatus <volume> -o yaml command.

New User Volume type - disk

volumeType in UserVolumeConfig can be set to disk.
When set to disk, a full block device is used for the volume.

When volumeType = "disk":

• Size specific settings are not allowed in the provisioning block (minSize, maxSize, grow).

Embedded Config

Talos Linux now supports embedding the machine configuration directly into the boot image.

etcd

etcd container image is now pulled from registry.k8s.io/etcd instead of gcr.io/etcd-development/etcd.

Ethernet Configuration

The Ethernet configuration now includes a wakeOnLAN field to enable Wake-on-LAN (WOL) support.
This field can be set to enable WOL and specify the desired WOL modes.

Extra Binaries

Talos Linux now ships with nft binary in the rootfs to support CNIs which shell out to nft command.

Feature Lock

Talos now ignores the following machine configuration fields:

• machine.features.rbac (locked to true)
• machine.features.apidCheckExtKeyUsage (locked to true)
• cluster.apiServer.disablePodSecurityPolicy (locked to true)

These fields were removed from the default machine configuration schema in v1.12 and are now always set to the locked values above.

Talos force reboot

Talos now supports a "force" reboot mode, which allows skipping the graceful userland termination.
It can be used in situations where a userland service (e.g. the kubelet) gets stuck during graceful shutdown, causing the regular reboot flow to fail.

In addition, talosctl was updated to support this feature via talosctl reboot --mode force.

GRUB

Talos Linux introduces new machine configuration option .machine.install.grubUseUKICmdline to control whether GRUB should use the kernel command line
provided by the boot assets (UKI) or to use the command line constructed by Talos itself (legacy behavior).

This option defaults to true for new installations, which means that GRUB will use the command line from the UKI, making it easier to customize kernel parameters via boot asset generation.
For existing installations upgrading to v1.12, this option will default to false to preserve the legacy behavior.

Kernel Log

The kernel log (dmesg) is now also available as the service log named kernel (talosctl logs kernel).

Kernel Module

Talos now supports optionally disabling kernel module signature verification by setting module.sig_enforce=0 kernel parameter.
By default module signature verification is enabled (module.sig_enforce=1).
When using Factory or Imager supply as -module.sig_enfore module.sig_enforce=0 kernel parameters to disable module signature enforcement.

Kernel Security Posture Profile (KSPP)

Talos now enables a stricter set of KSPP sysctl settings by default.
The list of overridden settings is available with talosctl get kernelparamstatus command.

Encrypted Volumes

Talos Linux now consistently provides mapped names for encrypted volumes in the format /dev/mapper/luks2-<volume-id>.
This change should not affect system or user volumes, but might allow easier identification of encrypted volumes,
and specifically for raw encrypted volumes.

Network Configuration

The network configuration under .machine.network (with the exception of KubeSpan) has been deprecated, but it is still supported for backwards compatibility.
See documentation for more information.

Persistent logs

Talos now stores system component logs in /var/log, featuring automatic log rotation and keeping two most
recent log files. This change allows collecting logs from Talos like on any other Linux system.

CRI Registry Configuration

The CRI registry configuration in v1apha1 legacy machine configuration under .machine.registries is now deprecated, but still supported for backwards compatibility.
New configuration documents RegistryMirrorConfig, RegistryAuthConfig and RegistryTLSConfig should be used instead.

talosctl image cache-serve

talosctl includes new subcommand image cache-serve.
It allows serving the created OCI image registry over HTTP/HTTPS.
It is a read-only registry, meaning images cannot be pushed to it, but the backing storage can be updated by re-running the cache-create command;

Additionally talosctl image cache-create has some changes:

• new flag --layout: oci (default), flat:
  • oci preserves current behavior;
  • flat does not repack artifact layer, but moves it to a destination directory, allowing it to be served by talosctl image cache-serve;
• changed flag --platform: now can accept multiple os/arch combinations:
  • comma separated (--platform=linux/amd64,linux/arm64);
  • multiple instances (--platform=linux/amd64 --platform=linux/arm64);

UEFI Boot

When using UEFI boot with systemd-boot as bootloader (on new installs of Talos from 1.10+ onwards), Talos will now not touch the UEFI boot order.
Talos 1.11 made a fix to create UEFI boot entry and set the boot order as first entry, but this behavior caused issues on some systems.
To avoid further issues, Talos will now only create the UEFI boot entry if it does not exist, but will not modify the boot order.

Component Updates

Linux: 6.18.0
Kubernetes: 1.35.0-rc.0
CNI Plugins: 1.8.0
cryptsetup: 2.8.1
LVM2: 2_03_37
systemd-udevd: 257.8
runc: 1.3.2
CoreDNS: 1.13.1
etcd: 3.6.6
Flannel: 0.27.4
Flannel CNI plugin: v1.8.0-flannel2
runc: 1.3.4
containerd: 2.1.5

Talos is built with Go 1.25.5.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Noel Georgi
• Dmitrii Sharshakov
• Amarachi Iheanacho
• Orzelius
• Laura Brehm
• Oguz Kilcan
• Justin Garrison
• Artem Chernyshev
• Utku Ozdemir
• Bryan Lee
• George Gaál
• Jorik Jonker
• Michael Smith
• Nicole Hubbard
• 459below
• Adrian L Lange
• Alp Celik
• Andrew Longwill
• Birger Johan Nordølum
• Chris Sanders
• Dmitry
• Edward Sammut Alessi
• Febrian
• Florian Grignon
• Fred Heinecke
• Giau. Tran Minh
• Grzegorz Rozniecki
• Guillaume LEGRAIN
• Hector Monsalve
• Joakim Nohlgård
• Lennard Klein
• Markus Freitag
• Max Makarov
• Mike Beaumont
• Misha Aksenov
• MrMrRubic
• Olivier Doucet
• Pranav
• Sammy ETUR
• Serge Logvinov
• Serge van Ginderachter
• Skye Soss
• Skyler Mäntysaari
• SuitDeer
• Tom
• aurh1l
• frozenprocess
• frozensprocess
• kassad
• leppeK
• samoreno
• theschles
• winnie

Changes

Talos 1.12.0-beta.1 (2025-12-01)

Welcome to the v1.12.0-beta.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

API Server Cipher Suites

The Kubernetes API server in Talos has been updated to use a more secure set of TLS cipher suites by default.
This is in line with a set of best practices documented in CIS 1.12 benchmark.

You can still expand the list of supported cipher suites via the cluster.apiServer.extraArgs."tls-cipher-suites" machine configuration field if needed.

New User Volume type - bind

New field in UserVolumeConfig - volumeType that defaults to partition, but can be set to directory.
When set to directory, provisioning and filesystem operations are skipped and a directory is created under /var/mnt/<name>.

The directory type enables lightweight storage volumes backed by a host directory, instead of requiring a full block device partition.

When volumeType = "directory":

• A directory is created at /var/mnt/<metadata.name>;
• provisioning, filesystem and encryption are prohibited.

Note: this mode does not provide filesystem-level isolation and inherits the EPHEMERAL partition capacity limits.
It should not be used for workloads requiring predictable storage quotas.

Disk Encryption

Talos versions prior to v1.12 used the state of PCR 7 and signed policies locked to PCR 11 for TPM based disk encryption.

Talos now supports configuring which PCRs states are to be used for TPM based disk encryption via the options.pcrs
field in the tpm section of the disk encryption configuration.

If user doesn't specify any options Talos defaults to using PCR 7 for backwards compatibility with existing installations.

This change was made to improve compatibility with systems that may have varying states in PCR 7 due to UEFI Secure Boot configurations
and users may wish to disable locking to PCR 7 state entirely.

Signed PCR policies will still be bound to PCR 11.

The currently used PCR's can be seen with talosctl get volumestatus <volume> -o yaml command.

New User Volume type - disk

volumeType in UserVolumeConfig can be set to disk.
When set to disk, a full block device is used for the volume.

When volumeType = "disk":

• Size specific settings are not allowed in the provisioning block (minSize, maxSize, grow).

Embedded Config

Talos Linux now supports embedding the machine configuration directly into the boot image.

etcd

etcd container image is now pulled from registry.k8s.io/etcd instead of gcr.io/etcd-development/etcd.

Ethernet Configuration

The Ethernet configuration now includes a wakeOnLAN field to enable Wake-on-LAN (WOL) support.
This field can be set to enable WOL and specify the desired WOL modes.

Extra Binaries

Talos Linux now ships with nft binary in the rootfs to support CNIs which shell out to nft command.

Feature Lock

Talos now ignores the following machine configuration fields:

• machine.features.rbac (locked to true)
• machine.features.apidCheckExtKeyUsage (locked to true)
• cluster.apiServer.disablePodSecurityPolicy (locked to false)

These fields were removed from the default machine configuration schema in v1.12 and are now always set to the locked values above.

Talos force reboot

Talos now supports a "force" reboot mode, which allows skipping the graceful userland termination.
It can be used in situations where a userland service (e.g. the kubelet) gets stuck during graceful shutdown, causing the regular reboot flow to fail.

In addition, talosctl was updated to support this feature via talosctl reboot --mode force.

GRUB

Talos Linux introduces new machine configuration option .machine.install.grubUseUKICmdline to control whether GRUB should use the kernel command line
provided by the boot assets (UKI) or to use the command line constructed by Talos itself (legacy behavior).

This option defaults to true for new installations, which means that GRUB will use the command line from the UKI, making it easier to customize kernel parameters via boot asset generation.
For existing installations upgrading to v1.12, this option will default to false to preserve the legacy behavior.

Kernel Log

The kernel log (dmesg) is now also available as the service log named kernel (talosctl logs kernel).

Kernel Module

Talos now supports optionally disabling kernel module signature verification by setting module.sig_enforce=0 kernel parameter.
By default module signature verification is enabled (module.sig_enforce=1).
When using Factory or Imager supply as -module.sig_enfore module.sig_enforce=0 kernel parameters to disable module signature enforcement.

Kernel Security Posture Profile (KSPP)

Talos now enables a stricter set of KSPP sysctl settings by default.
The list of overridden settings is available with talosctl get kernelparamstatus command.

Encrypted Volumes

Talos Linux now consistently provides mapped names for encrypted volumes in the format /dev/mapper/luks2-<volume-id>.
This change should not affect system or user volumes, but might allow easier identification of encrypted volumes,
and specifically for raw encrypted volumes.

Network Configuration

The network configuration under .machine.network (with the exception of KubeSpan) has been deprecated, but it is still supported for backwards compatibility.
New configuration documents were created to replace it, they will be documented in the future.

CRI Registry Configuration

The CRI registry configuration in v1apha1 legacy machine configuration under .machine.registries is now deprecated, but still supported for backwards compatibility.
New configuration documents RegistryMirrorConfig, RegistryAuthConfig and RegistryTLSConfig should be used instead.

talosctl image cache-serve

talosctl includes new subcommand image cache-serve.
It allows serving the created OCI image registry over HTTP/HTTPS.
It is a read-only registry, meaning images cannot be pushed to it, but the backing storage can be updated by re-running the cache-create command;

Additionally talosctl image cache-create has some changes:

• new flag --layout: oci (default), flat:
  • oci preserves current behavior;
  • flat does not repack artifact layer, but moves it to a destination directory, allowing it to be served by talosctl image cache-serve;
• changed flag --platform: now can accept multiple os/arch combinations:
  • comma separated (--platform=linux/amd64,linux/arm64);
  • multiple instances (--platform=linux/amd64 --platform=linux/arm64);

UEFI Boot

When using UEFI boot with systemd-boot as bootloader (on new installs of Talos from 1.10+ onwards), Talos will now not touch the UEFI boot order.
Talos 1.11 made a fix to create UEFI boot entry and set the boot order as first entry, but this behavior caused issues on some systems.
To avoid further issues, Talos will now only create the UEFI boot entry if it does not exist, but will not modify the boot order.

Component Updates

Linux: 6.17.9
Kubernetes: 1.35.0-alpha.3
CNI Plugins: 1.8.0
cryptsetup: 2.8.1
LVM2: 2_03_37
systemd-udevd: 257.8
runc: 1.3.2
CoreDNS: 1.13.1
etcd: 3.6.6
Flannel: 0.27.4
Flannel CNI plugin: v1.8.0-flannel2
runc: 1.3.3
containerd: 2.1.5

Talos is built with Go 1.25.4.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Noel Georgi
• Dmitrii Sharshakov
• Amarachi Iheanacho
• Orzelius
• Laura Brehm
• Oguz Kilcan
• Justin Garrison
• Artem Chernyshev
• Utku Ozdemir
• Bryan Lee
• George Gaál
• Jorik Jonker
• Michael Smith
• Nicole Hubbard
• 459below
• Adrian L Lange
• Alp Celik
• Andrew Longwill
• Birger Johan Nordølum
• Chris Sanders
• Dmitry
• Febrian
• Florian Grignon
• Fred Heinecke
• Giau. Tran Minh
• Grzegorz Rozniecki
• Guillaume LEGRAIN
• Hector Monsalve
• Lennard Klein
• Markus Freitag
• Max Makarov
• Mike Beaumont
• Misha Aksenov
• MrMrRubic
• Olivier Doucet
• Pranav
• Sammy ETUR
• Serge Logvinov
• Skye Soss
• Skyler Mäntysaari
• SuitDeer
• Tom
• aurh1l
• frozenprocess
• frozensprocess
• kassad
• leppeK
• samoreno
• theschles
• winnie

Changes

Talos 1.10.8 (2025-11-18)

Welcome to the v1.10.8 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.12.58
Kubernetes: 1.33.6
Runc: v1.2.8
Containerd: v2.0.7

Talos is built with Go 1.24.10.

Contributors

• Noel Georgi
• Andrey Smirnov
• Markus Freitag

Changes

Changes from siderolabs/pkgs

Changes from siderolabs/tools

Dependency Changes

• github.com/containerd/containerd/v2 v2.0.5 -> v2.0.7
• github.com/siderolabs/pkgs v1.10.0-34-g88700c7 -> v1.10.0-37-g71b336d
• github.com/siderolabs/talos/pkg/machinery v1.10.7 -> v1.10.8
• github.com/siderolabs/tools v1.10.0-6-g306d9d9 -> v1.10.0-7-g39357c8
• github.com/ulikunitz/xz v0.5.12 -> v0.5.15
• golang.org/x/net v0.41.0 -> v0.42.0
• golang.org/x/term v0.32.0 -> v0.33.0
• golang.org/x/time v0.11.0 -> v0.12.0
• k8s.io/api v0.33.4 -> v0.33.6
• k8s.io/apiserver v0.33.4 -> v0.33.6
• k8s.io/client-go v0.33.4 -> v0.33.6
• k8s.io/component-base v0.33.4 -> v0.33.6
• k8s.io/kube-scheduler v0.33.4 -> v0.33.6
• k8s.io/kubectl v0.33.4 -> v0.33.6
• k8s.io/kubelet v0.33.4 -> v0.33.6
• k8s.io/pod-security-admission v0.33.4 -> v0.33.6

Previous release can be found at v1.10.7

Images

ghcr.io/siderolabs/flannel:v0.26.7
registry.k8s.io/coredns/coredns:v1.12.1
gcr.io/etcd-development/etcd:v3.5.21
registry.k8s.io/kube-apiserver:v1.33.6
registry.k8s.io/kube-controller-manager:v1.33.6
registry.k8s.io/kube-scheduler:v1.33.6
registry.k8s.io/kube-proxy:v1.33.6
ghcr.io/siderolabs/kubelet:v1.33.6
ghcr.io/siderolabs/installer:v1.10.8
registry.k8s.io/pause:3.10

Talos 1.12.0-beta.0 (2025-11-14)

Welcome to the v1.12.0-beta.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

New User Volume type - bind

New field in UserVolumeConfig - volumeType that defaults to partition, but can be set to directory.
When set to directory, provisioning and filesystem operations are skipped and a directory is created under /var/mnt/<name>.

The directory type enables lightweight storage volumes backed by a host directory, instead of requiring a full block device partition.

When volumeType = "directory":

• A directory is created at /var/mnt/<metadata.name>;
• provisioning, filesystem and encryption are prohibited.

Note: this mode does not provide filesystem-level isolation and inherits the EPHEMERAL partition capacity limits.
It should not be used for workloads requiring predictable storage quotas.

Disk Encryption

Talos versions prior to v1.12 used the state of PCR 7 and signed policies locked to PCR 11 for TPM based disk encryption.

Talos now supports configuring which PCRs states are to be used for TPM based disk encryption via the options.pcrs
field in the tpm section of the disk encryption configuration.

If user doesn't specify any options Talos defaults to using PCR 7 for backwards compatibility with existing installations.

This change was made to improve compatibility with systems that may have varying states in PCR 7 due to UEFI Secure Boot configurations
and users may wish to disable locking to PCR 7 state entirely.

Signed PCR policies will still be bound to PCR 11.

The currently used PCR's can be seen with talosctl get volumestatus <volume> -o yaml command.

New User Volume type - disk

volumeType in UserVolumeConfig can be set to disk.
When set to disk, a full block device is used for the volume.

When volumeType = "disk":

• Size specific settings are not allowed in the provisioning block (minSize, maxSize, grow).

Embedded Config

Talos Linux now supports embedding the machine configuration directly into the boot image.

etcd

etcd container image is now pulled from registry.k8s.io/etcd instead of gcr.io/etcd-development/etcd.

Ethernet Configuration

The Ethernet configuration now includes a wakeOnLAN field to enable Wake-on-LAN (WOL) support.
This field can be set to enable WOL and specify the desired WOL modes.

Extra Binaries

Talos Linux now ships with nft binary in the rootfs to support CNIs which shell out to nft command.

Feature Lock

Talos now ignores the following machine configuration fields:

• machine.features.rbac (locked to true)
• machine.features.apidCheckExtKeyUsage (locked to true)
• cluster.apiServer.disablePodSecurityPolicy (locked to false)

These fields were removed from the default machine configuration schema in v1.12 and are now always set to the locked values above.

Talos force reboot

Talos now supports a "force" reboot mode, which allows skipping the graceful userland termination.
It can be used in situations where a userland service (e.g. the kubelet) gets stuck during graceful shutdown, causing the regular reboot flow to fail.

In addition, talosctl was updated to support this feature via talosctl reboot --mode force.

GRUB

Talos Linux introduces new machine configuration option .machine.install.grubUseUKICmdline to control whether GRUB should use the kernel command line
provided by the boot assets (UKI) or to use the command line constructed by Talos itself (legacy behavior).

This option defaults to true for new installations, which means that GRUB will use the command line from the UKI, making it easier to customize kernel parameters via boot asset generation.
For existing installations upgrading to v1.12, this option will default to false to preserve the legacy behavior.

Kernel Module

Talos now supports optionally disabling kernel module signature verification by setting module.sig_enforce=0 kernel parameter.
By default module signature verification is enabled (module.sig_enforce=1).
When using Factory or Imager supply as -module.sig_enfore module.sig_enforce=0 kernel parameters to disable module signature enforcement.

Kernel Security Posture Profile (KSPP)

Talos now enables a stricter set of KSPP sysctl settings by default.
The list of overridden settings is available with talosctl get kernelparamstatus command.

Encrypted Volumes

Talos Linux now consistently provides mapped names for encrypted volumes in the format /dev/mapper/luks2-<volume-id>.
This change should not affect system or user volumes, but might allow easier identification of encrypted volumes,
and specifically for raw encrypted volumes.

Network Configuration

The network configuration under .machine.network (with the exception of KubeSpan) has been deprecated, but it is still supported for backwards compatibility.
New configuration documents were created to replace it, they will be documented in the future.

CRI Registry Configuration

The CRI registry configuration in v1apha1 legacy machine configuration under .machine.registries is now deprecated, but still supported for backwards compatibility.
New configuration documents RegistryMirrorConfig, RegistryAuthConfig and RegistryTLSConfig should be used instead.

talosctl image cache-serve

talosctl includes new subcommand image cache-serve.
It allows serving the created OCI image registry over HTTP/HTTPS.
It is a read-only registry, meaning images cannot be pushed to it, but the backing storage can be updated by re-running the cache-create command;

Additionally talosctl image cache-create has some changes:

• new flag --layout: oci (default), flat:
  • oci preserves current behavior;
  • flat does not repack artifact layer, but moves it to a destination directory, allowing it to be served by talosctl image cache-serve;
• changed flag --platform: now can accept multiple os/arch combinations:
  • comma separated (--platform=linux/amd64,linux/arm64);
  • multiple instances (--platform=linux/amd64 --platform=linux/arm64);

UEFI Boot

When using UEFI boot with systemd-boot as bootloader (on new installs of Talos from 1.10+ onwards), Talos will now not touch the UEFI boot order.
Talos 1.11 made a fix to create UEFI boot entry and set the boot order as first entry, but this behavior caused issues on some systems.
To avoid further issues, Talos will now only create the UEFI boot entry if it does not exist, but will not modify the boot order.

Component Updates

Linux: 6.17.7
Kubernetes: 1.35.0-alpha.3
CNI Plugins: 1.8.0
cryptsetup: 2.8.1
LVM2: 2_03_34
systemd-udevd: 257.8
runc: 1.3.2
CoreDNS: 1.13.1
etcd: 3.6.5
Flannel: 0.27.4
Flannel CNI plugin: v1.8.0-flannel2
runc: 1.3.3
containerd: 2.1.5

Talos is built with Go 1.25.4.

Contributors

• Andrey Smirnov
• Noel Georgi
• Mateusz Urbanek
• Dmitrii Sharshakov
• Amarachi Iheanacho
• Orzelius
• Oguz Kilcan
• Laura Brehm
• Justin Garrison
• Artem Chernyshev
• Utku Ozdemir
• George Gaál
• Jorik Jonker
• Michael Smith
• Nicole Hubbard
• 459below
• Adrian L Lange
• Alp Celik
• Andrew Longwill
• Chris Sanders
• Dmitry
• Febrian
• Florian Grignon
• Fred Heinecke
• Giau. Tran Minh
• Grzegorz Rozniecki
• Guillaume LEGRAIN
• Hector Monsalve
• Markus Freitag
• Max Makarov
• Mike Beaumont
• Misha Aksenov
• MrMrRubic
• Olivier Doucet
• Pranav
• Sammy ETUR
• Serge Logvinov
• Skyler Mäntysaari
• SuitDeer
• Tom
• aurh1l
• frozenprocess
• frozensprocess
• kassad
• leppeK
• samoreno
• theschles
• winnie

Changes