
Releases: siderolabs/talos

v1.13.0-beta.0

18 Mar 14:11
Immutable release. Only release title and notes can be modified.
v1.13.0-beta.0
a544aea

v1.13.0-beta.0 Pre-release

Talos 1.13.0-beta.0 (2026-03-18)

Welcome to the v1.13.0-beta.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Clang built kernel and ThinLTO

Talos now uses a kernel built with the Clang compiler and optimized with ThinLTO. This should bring a small performance improvement,
alongside some hardening features, such as BTI on supported ARM systems.

Container Device Interface

Talos now enables CDI by default, and extensions and extension services can bring in dynamic
CDI spec files under /run/cdi.

talosctl debug

Talos Linux now provides a way to run and attach to the privileged debug container with a user-provided container image.
The debug container might be used for troubleshooting and debugging purposes.

Environment Configuration Document

A new EnvironmentConfig document has been introduced to allow users to specify environment variables for Talos components.
It replaces and deprecates the previous method of setting environment variables via the .machine.env field.

Multiple values for the same environment variable will replace previous values, with the last one taking precedence.

To remove an environment variable, remove it from the EnvironmentConfig document and restart the node.

External Volumes

Talos now supports virtiofs-based external volumes via the new ExternalVolumeConfig document.

These virtiofs external volumes are not supported when SELinux is running in enforcing mode.

Extra Arguments accept slices in addition to strings

Several Talos configuration fields that previously accepted single string values for extra arguments have been updated to accept slices of strings as well.
This includes fields such as .cluster.apiServer.extraArgs.

BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, ControllerManagerConfigs, SchedulerConfigs or APIServerConfigs, the protobuf format has changed from map<string,string> to map<string,message>.

Container Image Signature Verification

Talos now supports machine-wide container image signature verification via the new ImageVerificationConfig machine config document.

Any image which gets pulled on the node will be verified against the configured rules, and if no rule matches, it will be pulled without verification.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Image APIs Updated

Talos Linux provides new APIs to manage container images on the node: listing, pulling, importing and removing images.
The new pull APIs provide pull progress notifications.

The CLI commands talosctl image pull, talosctl image list and talosctl image remove have been updated to interact with the new APIs.

Talosctl images k8s-bundle subcommand accepts version parameter

The talosctl images k8s-bundle command now accepts optional version override arguments.

Install and Upgrade API

Talos now exposes install and upgrade operations via the LifecycleService API, enabling programmatic installs and upgrades through a single, consistent interface.
The legacy upgrade API is deprecated; new integrations should migrate to LifecycleService for future compatibility.

Kubernetes server-side apply

Talos now uses inventory-backed server-side apply when applying bootstrap manifests (including extraManifests and inlineManifests).
Purging of unneeded manifests is automatically performed.
The switch and inventory backfill is automatic and no action is needed from the user.

Dynamic Linux Kernel Preemption Model

Talos Linux now defaults to the dynamic Linux kernel preemption model. The default value none matches the behavior of the previous version,
but the preemption model can now be changed with the kernel argument preempt=.

See the Linux kernel documentation for more information on supported values.

This change only applies to the amd64 (x86_64) architecture.

KubeSpan Configuration

A new KubeSpanConfig document has been introduced to configure KubeSpan settings.
It replaces and deprecates the previous method of configuring KubeSpan via the .machine.network.kubespan field.

The old configuration field will continue to work for backward compatibility.

KubeSpan Advertised Network Filters

KubeSpan now supports filtering of advertised networks using the excludeAdvertisedNetworks field in the KubeSpanConfig document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
and any pair of their addresses, the traffic should either go through KubeSpan in both directions or not at all, never in one direction only.
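A configuration lint for the symmetry requirement above, as an added example (not Talos code): it compares the excludeAdvertisedNetworks lists of all peers and reports every excluded network that some peer does not exclude. The node names and CIDR lists are constructed, and coverage is checked against single prefixes only, which is a simplification of this example.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// parseExcludes normalizes one peer's CIDR list; host bits are masked off so
// that 192.168.100.7/24 and 192.168.100.0/24 compare as the same network.
func parseExcludes(cidrs []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %w", c, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// covers reports whether a single prefix in set contains all of p.
// Two adjacent /9s are not recognized as covering a /8 (simplification).
func covers(set []netip.Prefix, p netip.Prefix) bool {
	for _, q := range set {
		if q.Bits() <= p.Bits() && q.Contains(p.Addr()) {
			return true
		}
	}
	return false
}

// ExcludeMismatches returns, for every excluded network, the sorted names of
// the peers that do not exclude it. An empty map means the lists agree.
func ExcludeMismatches(peers map[string][]string) (map[string][]string, error) {
	parsed := make(map[string][]netip.Prefix, len(peers))
	for name, cidrs := range peers {
		set, err := parseExcludes(cidrs)
		if err != nil {
			return nil, fmt.Errorf("peer %s: %w", name, err)
		}
		parsed[name] = set
	}
	seen := map[netip.Prefix]bool{}
	missing := map[string][]string{}
	for _, set := range parsed {
		for _, p := range set {
			if seen[p] {
				continue
			}
			seen[p] = true
			for name, other := range parsed {
				if !covers(other, p) {
					missing[p.String()] = append(missing[p.String()], name)
				}
			}
			sort.Strings(missing[p.String()])
		}
	}
	return missing, nil
}

// samplePeers is constructed input: node name -> excludeAdvertisedNetworks.
func samplePeers() map[string][]string {
	return map[string][]string{
		"cp-1":     {"10.10.0.0/16", "192.168.100.7/24"},
		"worker-1": {"10.10.0.0/16"},
		"worker-2": {"10.0.0.0/8", "192.168.100.0/24"},
	}
}

func main() {
	missing, err := ExcludeMismatches(samplePeers())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for cidr, names := range missing {
		fmt.Printf("%s is excluded by some peers but not by: %v\n", cidr, names)
	}
}
```

Any reported network marks a pair of peers whose traffic would take KubeSpan in one direction only.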

LinkAliasConfig Pattern-Based Multi-Alias

LinkAliasConfig now supports pattern-based alias names using the %d format verb (e.g. net%d).

When the alias name contains a %d format verb, the selector is allowed to match multiple links.
Each matched link receives a sequential alias (e.g. net0, net1, ...) based on hardware address order
of the links. Links already aliased by a previous config are automatically skipped.

This enables creating stable aliases from any N links using a single config document,
useful for BondConfig and BridgeConfig member interfaces on varying hardware.
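A model of the assignment rules described above, as an added example (not the Talos implementation): matched links are ordered by hardware address, numbered from 0, and links claimed by an earlier config are skipped. The Link and AliasRule types, the predicate-style selector, and the error returned when a name without %d matches several links are assumptions of this example; the links and MAC addresses are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// Link is a simplified network link (hypothetical type for this example).
type Link struct {
	Name   string
	HWAddr net.HardwareAddr
	Driver string
	Alias  string // set once an alias config has claimed the link
}

// AliasRule stands in for one LinkAliasConfig document. The selector is a Go
// predicate here, which is an assumption, not the Talos selector syntax.
type AliasRule struct {
	Name  string
	Match func(Link) bool
}

// ApplyAliases applies the rules in order. Links that already carry an alias
// are skipped, the remaining matches are sorted by hardware address, and a
// %d in the alias name is replaced by the position in that order.
func ApplyAliases(links []Link, rules []AliasRule) error {
	for _, r := range rules {
		var matched []*Link
		for i := range links {
			if links[i].Alias == "" && r.Match(links[i]) {
				matched = append(matched, &links[i])
			}
		}
		sort.Slice(matched, func(a, b int) bool {
			return bytes.Compare(matched[a].HWAddr, matched[b].HWAddr) < 0
		})
		// Only pattern names may match more than one link (error is assumed).
		if !strings.Contains(r.Name, "%d") && len(matched) > 1 {
			return fmt.Errorf("alias %q matches %d links but has no %%d verb", r.Name, len(matched))
		}
		for n, l := range matched {
			l.Alias = strings.Replace(r.Name, "%d", strconv.Itoa(n), 1)
		}
	}
	return nil
}

func mac(s string) net.HardwareAddr {
	hw, err := net.ParseMAC(s)
	if err != nil {
		panic(err)
	}
	return hw
}

// sampleLinks is constructed input; enumeration order differs from MAC order.
func sampleLinks() []Link {
	return []Link{
		{Name: "enp3s0", HWAddr: mac("02:00:00:00:00:30"), Driver: "virtio_net"},
		{Name: "enp1s0", HWAddr: mac("02:00:00:00:00:10"), Driver: "virtio_net"},
		{Name: "enp2s0", HWAddr: mac("02:00:00:00:00:20"), Driver: "e1000"},
	}
}

// sampleRules: a fixed alias for the e1000 link, then net%d for the rest.
func sampleRules() []AliasRule {
	return []AliasRule{
		{Name: "mgmt", Match: func(l Link) bool { return l.Driver == "e1000" }},
		{Name: "net%d", Match: func(Link) bool { return true }},
	}
}

func main() {
	links := sampleLinks()
	if err := ApplyAliases(links, sampleRules()); err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, l := range links {
		fmt.Printf("%s (%s) -> %s\n", l.Name, l.HWAddr, l.Alias)
	}
}
```

Because numbering follows hardware address order rather than enumeration order, the same physical NIC keeps the same alias across reboots as long as the set of matched links does not change.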

Negative Max Volume Size

Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example:
* a max size of "-10GiB" means the volume can grow to the available space minus 10GiB.
* a max size of "-25%" means the volume can grow to the available space minus 25%.

Flannel CNI with Network Policy Support

Talos Linux now supports optionally deploying Flannel CNI with network policy support enabled.
The network policy implementation is kube-network-policies.

To enable Flannel CNI with network policy support, use the following machine configuration patch:

cluster:
  network:
    cni:
      name: flannel
      flannel:
        kubeNetworkPoliciesEnabled: true

(If the cluster is already running, sync the bootstrap manifests after applying the patch to deploy the new CNI configuration.)

NVIDIA GPU Support

Talos has switched to using CDI and now supports configuring NVIDIA GPUs via the gpu-operator Helm chart.
See the documentation on upgrade notes for more details on how to configure NVIDIA GPU support in Talos.

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

ProbeConfig

The TCPProbeConfig configuration document allows configuring TCP probes for network reachability checks.
This makes it possible to define a custom connectivity condition.

/proc/PID/mem Access Hardening

A new kernel parameter, proc_mem.force_override=never, is now set by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, the default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

ResolverConfig

The nameservers configuration in machine configuration now overwrites any previous layers (defaults, platform, etc.) when specified.
Previously a smart merge was performed to keep IPv4/IPv6 nameservers from lower layers if the machine configuration specified only one type.

Routing Rules Support

Talos now supports routing rules via the new RoutingRuleConfig machine config document.

Service Account Issuer configuration

For the API server, values passed via extra args for service-account-issuer are appended after the default value.
This allows easy migration, e.g. by changing .cluster.controlPlane.endpoint to the new value and keeping the old value in
.cluster.apiServer.extraArgs["service-account-issuer"].

talosctl images talos-bundle can skip reaching out to the registry

The talosctl images talos-bundle command now accepts optional --overlays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Lifecycle Upgrade in talosctl

talosctl upgrades now route through LifecycleService, aligning CLI behavior with the new install/upgrade API and unifying the upgrade path.
This change is transparent to users but standardizes the backend used for upgrades.

Component Updates

Linux: 6.18.18
containerd: 2.2.2
etcd: 3.6.8
CoreDNS: 1.14.2
Kubernetes: 1.36.0-alpha.2
Flannel CNI plugin: v1.9.0-flannel1
Flannel: 0.28.1
...


v1.12.5

09 Mar 15:16
Immutable release. Only release title and notes can be modified.
v1.12.5
da6c6e4


Talos 1.12.5 (2026-03-09)

Welcome to the v1.12.5 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.15
Kubernetes: 1.35.2
etcd: 3.6.8

Talos is built with Go 1.25.8.

Contributors

  • Andrey Smirnov
  • Mateusz Urbanek
  • Dmitrii Sharshakov
  • Fritz Schaal
  • Jan Paul
  • Max Makarov
  • Mickaël Canévet
  • Nico Berlee
  • Orzelius
  • Spencer Smith

Changes

19 commits

  • da6c6e461 release(v1.12.5): prepare release
  • 4f978a747 fix: correctly calculate end ranges for nftables sets
  • 8d52e2dbe feat: add trusted roots generation to stdpatches
  • 628487715 fix: use correct dhcp option for unicast dhcp renewal
  • dcf23be4f fix: ignore image digest when doing upgrade-k8s
  • f8a2a9b7a fix(machined): opennebula: process ETH*_ vars regardless of NETWORK context flag
  • db9ff23ae fix: patch with delete for LinkConfigs
  • e0c38e2ae fix: update path handling on talosctl cgroups
  • ca2d4c146 fix: stop Kubernetes client from dynamically reloading the certs
  • 70ae2f274 refactor: split locate and provision
  • c3b04844e fix: hold user volumes root mountpoint
  • d935420b2 fix: handle raw encryption keys with \n properly
  • 7fe1a47af fix: remove stale endpoints
  • 3ea08888a fix: allow static hosts in /etc/hosts without hostname
  • 5ebb00fdc fix: switch to better Myers algorithm implementation
  • 2b4037935 feat: update etcd to v3.6.8
  • 1ce9328e4 fix: disks flag parsing and handling in create qemu command
  • 1f989dfb0 fix: read multi-doc machine config with newer talosctl
  • 40ba6e3ec feat: update Linux 6.18.15, Go 1.25.8

Changes from siderolabs/go-debug

1 commit

Changes from siderolabs/pkgs

7 commits

Changes from siderolabs/tools

1 commit

Dependency Changes

  • github.com/docker/cli v29.0.0 -> v29.2.1
  • github.com/siderolabs/go-blockdevice/v2 v2.0.23 -> v2.0.24
  • github.com/siderolabs/go-debug v0.6.1 -> v0.6.2
  • github.com/siderolabs/pkgs v1.12.0-39-gb1fc4c6 -> v1.12.0-46-ge695c74
  • github.com/siderolabs/talos/pkg/machinery v1.12.3 -> v1.12.5
  • github.com/siderolabs/tools v1.12.0-6-gdc37e09 -> v1.12.0-7-g57916cb
  • golang.org/x/net v0.48.0 -> v0.51.0
  • golang.org/x/sys v0.40.0 -> v0.41.0
  • golang.org/x/term v0.38.0 -> v0.40.0
  • golang.org/x/text v0.33.0 -> v0.34.0
  • google.golang.org/grpc v1.76.0 -> v1.78.0
  • google.golang.org/protobuf v1.36.10 -> v1.36.11
  • k8s.io/api v0.35.0 -> v0.35.2
  • k8s.io/apiextensions-apiserver v0.35.0 -> v0.35.2
  • k8s.io/apiserver v0.35.0 -> v0.35.2
  • k8s.io/client-go v0.35.0 -> v0.35.2
  • k8s.io/component-base v0.35.0 -> v0.35.2
  • k8s.io/kube-scheduler v0.35.0 -> v0.35.2
  • k8s.io/kubectl v0.35.0 -> v0.35.2
  • k8s.io/kubelet v0.35.0 -> v0.35.2
  • k8s.io/pod-security-admission v0.35.0 -> v0.35.2

Previous release can be found at v1.12.4

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.8
registry.k8s.io/kube-apiserver:v1.35.2
registry.k8s.io/kube-controller-manager:v1.35.2
registry.k8s.io/kube-scheduler:v1.35.2
registry.k8s.io/kube-proxy:v1.35.2
ghcr.io/siderolabs/kubelet:v1.35.2
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.5
ghcr.io/siderolabs/installer-base:v1.12.5
ghcr.io/siderolabs/imager:v1.12.5
ghcr.io/siderolabs/talos:v1.12.5
ghcr.io/siderolabs/talosctl-all:v1.12.5
ghcr.io/siderolabs/overlays:v1.12.5
ghcr.io/siderolabs/extensions:v1.12.5

v1.13.0-alpha.2

25 Feb 11:05
Immutable release. Only release title and notes can be modified.
v1.13.0-alpha.2
59311a7

v1.13.0-alpha.2 Pre-release

Talos 1.13.0-alpha.2 (2026-02-25)

Welcome to the v1.13.0-alpha.2 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Clang built kernel and ThinLTO

Talos now uses a kernel built with the Clang compiler and optimized with ThinLTO. This should bring a small performance improvement,
alongside some hardening features, such as BTI on supported ARM systems.

talosctl debug

Talos Linux now provides a way to run and attach to the privileged debug container with a user-provided container image.
The debug container might be used for troubleshooting and debugging purposes.

Environment Configuration Document

A new EnvironmentConfig document has been introduced to allow users to specify environment variables for Talos components.
It replaces and deprecates the previous method of setting environment variables via the .machine.env field.

Multiple values for the same environment variable will replace previous values, with the last one taking precedence.

To remove an environment variable, remove it from the EnvironmentConfig document and restart the node.

External Volumes

Talos now supports virtiofs-based external volumes via the new ExternalVolumeConfig document.

These virtiofs external volumes are not supported when SELinux is running in enforcing mode.

Extra Arguments accept slices in addition to strings

Several Talos configuration fields that previously accepted single string values for extra arguments have been updated to accept slices of strings as well.
This includes fields such as .cluster.apiServer.extraArgs.

BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, ControllerManagerConfigs, SchedulerConfigs or APIServerConfigs, the protobuf format has changed from map<string,string> to map<string,message>.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Image APIs Updated

Talos Linux provides new APIs to manage container images on the node: listing, pulling, importing and removing images.
The new pull APIs provide pull progress notifications.

The CLI commands talosctl image pull, talosctl image list and talosctl image remove have been updated to interact with the new APIs.

Talosctl images k8s-bundle subcommand accepts version parameter

The talosctl images k8s-bundle command now accepts optional version override arguments.

Kubernetes server-side apply

Talos now uses inventory-backed server-side apply when applying bootstrap manifests (including extraManifests and inlineManifests).
Purging of unneeded manifests is automatically performed.
The switch and inventory backfill is automatic and no action is needed from the user.

KubeSpan Configuration

A new KubeSpanConfig document has been introduced to configure KubeSpan settings.
It replaces and deprecates the previous method of configuring KubeSpan via the .machine.network.kubespan field.

The old configuration field will continue to work for backward compatibility.

KubeSpan Advertised Network Filters

KubeSpan now supports filtering of advertised networks using the excludeAdvertisedNetworks field in the KubeSpanConfig document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
and any pair of their addresses, the traffic should either go through KubeSpan in both directions or not at all, never in one direction only.

LinkAliasConfig Pattern-Based Multi-Alias

LinkAliasConfig now supports pattern-based alias names using the %d format verb (e.g. net%d).

When the alias name contains a %d format verb, the selector is allowed to match multiple links.
Each matched link receives a sequential alias (e.g. net0, net1, ...) based on hardware address order
of the links. Links already aliased by a previous config are automatically skipped.

This enables creating stable aliases from any N links using a single config document,
useful for BondConfig and BridgeConfig member interfaces on varying hardware.

Negative Max Volume Size

Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example:
* a max size of "-10GiB" means the volume can grow to the available space minus 10GiB.
* a max size of "-25%" means the volume can grow to the available space minus 25%.

Flannel CNI with Network Policy Support

Talos Linux now supports optionally deploying Flannel CNI with network policy support enabled.
The network policy implementation is kube-network-policies.

To enable Flannel CNI with network policy support, use the following machine configuration patch:

cluster:
  network:
    cni:
      name: flannel
      flannel:
        kubeNetworkPoliciesEnabled: true

(If the cluster is already running, sync the bootstrap manifests after applying the patch to deploy the new CNI configuration.)

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

ProbeConfig

The TCPProbeConfig configuration document allows configuring TCP probes for network reachability checks.
This makes it possible to define a custom connectivity condition.

/proc/PID/mem Access Hardening

A new kernel parameter, proc_mem.force_override=never, is now set by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, the default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

ResolverConfig

The nameservers configuration in machine configuration now overwrites any previous layers (defaults, platform, etc.) when specified.
Previously a smart merge was performed to keep IPv4/IPv6 nameservers from lower layers if the machine configuration specified only one type.

Service Account Issuer configuration

For the API server, values passed via extra args for service-account-issuer are appended after the default value.
This allows easy migration, e.g. by changing .cluster.controlPlane.endpoint to the new value and keeping the old value in
.cluster.apiServer.extraArgs["service-account-issuer"].

talosctl images talos-bundle can skip reaching out to the registry

The talosctl images talos-bundle command now accepts optional --overlays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Component Updates

Linux: 6.18.13
containerd: 2.2.1
etcd: 3.6.8
CoreDNS: 1.14.1
Kubernetes: 1.36.0-alpha.1
Flannel CNI plugin: v1.9.0-flannel1
Flannel: 0.28.1
LVM2: 2_03_38
runc: 1.4.0
systemd: 259.1
cryptsetup: 2.8.3
Tenstorrent: 2.7.0
iptables: 1.8.12

Talos is built with Go 1.26.0.

VM Hot-Add Support

Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.

Contributors

  • Andrey Smirnov
  • Mateusz Urbanek
  • Noel Georgi
  • Dmitrii Sharshakov
  • Orzelius
  • Laura Brehm
  • Edward Sammut Alessi
  • Max Makarov
  • Andreas Freund
  • Artem Chernyshev
  • Bryan Lee
  • Fritz Schaal
  • Justin Garrison
  • Mickaël Canévet
  • Nico Berlee
  • Pranav Patil
  • Alexis La Goutte
  • Andras BALI
  • Andrei Kvapil
  • Birger Johan Nordølum
  • Camillo Rossi
  • Christopher Puschmann
  • Daniil Kivenko
  • Dmitrii Sharshakov
  • Florian Ströger
  • Gregor Gruener
  • Jaakko Sirén
  • Jan Paul
  • Jean-Francois Roy
  • Joakim Nohlgård
  • Jonas Lammler
  • Lennard Klein
  • Matthew Sanabria
  • Michal Baumgartner
  • Olav Thoresen
  • Serge van Ginderachter
  • Skye Soss
  • Spencer Smith
  • Sébastien Masset
  • Tim Jones
  • Utku Ozdemir
  • arita
  • dataprolet
  • drew
  • eseiker
  • greenpsi
  • lmacka
  • pranav767

Changes

222 commits

  • 59311a792 release(v1.13.0-alpha.2): prepare release
  • 009f0d6ca chore: update pkgs
  • ba56b0295 feat: include hid-multitouch.ko kernel module in rootfs
  • ae29a0dcc feat: update Linux to 6.18.13
  • 7cf1de279 fix: bring in new version of go-cmd and go-blockdevice
  • c8800b41e fix: update path handling on talosctl cgroups
  • 0a7b6eb2c chore: test extensions
  • 8b1c974a2 refactor: drop termui-widgets library
  • 5baa0028e fix: add owning inventory annotation to talos manifests
  • d3e793d14 fix: stop Kubernetes client from dynamically reloading the certs
  • 6a5a0e3bd feat: support pattern link aliases
  • 9758bd4fe feat: update Go to 1.26
  • e00aed0f6 feat: update Kubernetes v1.36.0-alpha.1
  • si...

v1.12.4

13 Feb 11:14
Immutable release. Only release title and notes can be modified.
v1.12.4
fc8e600


Talos 1.12.4 (2026-02-13)

Welcome to the v1.12.4 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

KubeSpan Advertised Network Filters

KubeSpan now supports filtering of advertised networks using the excludeAdvertisedNetworks field in the KubeSpanConfig document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
and any pair of their addresses, the traffic should either go through KubeSpan in both directions or not at all, never in one direction only.

Component Updates

Linux: 6.18.9

Talos is built with Go 1.25.7.

Contributors

  • Andrey Smirnov
  • Daniil Kivenko
  • Florian Ströger
  • Fritz Schaal
  • Mateusz Urbanek

Changes

9 commits

  • fc8e600ba release(v1.12.4): prepare release
  • 14dde14eb feat: add filter for KubeSpan advertised networks
  • c277d0119 fix: ignore volumes in wave calculation without provisioning
  • f90af88d8 fix: use node podCIDRs for kubespan advertiseKubernetesNetworks
  • a025ea46c feat: add IPv6 GRE support
  • 924125420 fix: typo with rpi_5 profile name
  • 64f49851a fix: swap volume configuration for min/max size
  • 19354ab58 feat: update Linux to 6.18.9
  • 639c1c928 fix: mismerge of nft with json support

Changes from siderolabs/discovery-api

2 commits

Changes from siderolabs/pkgs

4 commits

Dependency Changes

  • github.com/siderolabs/discovery-api v0.1.6 -> v0.1.8
  • github.com/siderolabs/pkgs v1.12.0-35-g15d5d78 -> v1.12.0-39-gb1fc4c6

Previous release can be found at v1.12.3

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:v1.35.0
registry.k8s.io/kube-controller-manager:v1.35.0
registry.k8s.io/kube-scheduler:v1.35.0
registry.k8s.io/kube-proxy:v1.35.0
ghcr.io/siderolabs/kubelet:v1.35.0
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.4
ghcr.io/siderolabs/installer-base:v1.12.4
ghcr.io/siderolabs/imager:v1.12.4
ghcr.io/siderolabs/talos:v1.12.4
ghcr.io/siderolabs/talosctl-all:v1.12.4
ghcr.io/siderolabs/overlays:v1.12.4
ghcr.io/siderolabs/extensions:v1.12.4

v1.12.3

07 Feb 19:16
v1.12.3
6d6471f


Talos 1.12.3 (2026-02-07)

Welcome to the v1.12.3 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.8

Talos is built with Go 1.25.7.

Contributors

  • Andrey Smirnov
  • Mateusz Urbanek
  • Andrei Kvapil
  • Gregor Gruener
  • Matthew Sanabria

Changes

14 commits

  • 6d6471f69 release(v1.12.3): prepare release
  • 65782007e feat: update Linux kernel with dm-integrity
  • b8f824525 fix: add hostname to endpoints
  • 624f9b52a chore: update deps
  • 3aa153992 fix: implement merger for PercentageSize
  • f17d07cb7 feat: add a helper module to generate standard patches
  • 4a3385dfb fix: undo CRLF on Windows (talosctl edit)
  • a842775a8 feat: add RPi5 to the list of supported SBCs
  • b8cdb6100 fix(talosctl): pass --k8s-endpoint flag to rotate-ca kubernetes rotation
  • 27cbe29cc fix: skip empty documents on config decoding
  • 8f49dd220 fix: open the filesystem as read-only
  • b2a83d12a fix: always set advertised peer URLs
  • 249acdbb5 fix: fallback to /proc/meminfo for memory modules
  • bc56bdff7 fix: add warnings to 802.3ad bond

Changes from siderolabs/pkgs

3 commits

Changes from siderolabs/tools

2 commits

Dependency Changes

  • github.com/siderolabs/pkgs v1.12.0-32-g4f8efaf -> v1.12.0-35-g15d5d78
  • github.com/siderolabs/talos/pkg/machinery v1.12.2 -> v1.12.3
  • github.com/siderolabs/tools v1.12.0-4-g31959f4 -> v1.12.0-6-gdc37e09

Previous release can be found at v1.12.2

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:v1.35.0
registry.k8s.io/kube-controller-manager:v1.35.0
registry.k8s.io/kube-scheduler:v1.35.0
registry.k8s.io/kube-proxy:v1.35.0
ghcr.io/siderolabs/kubelet:v1.35.0
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.3
ghcr.io/siderolabs/installer-base:v1.12.3
ghcr.io/siderolabs/imager:v1.12.3
ghcr.io/siderolabs/talos:v1.12.3
ghcr.io/siderolabs/talosctl-all:v1.12.3
ghcr.io/siderolabs/overlays:v1.12.3
ghcr.io/siderolabs/extensions:v1.12.3

v1.13.0-alpha.1

03 Feb 16:53
v1.13.0-alpha.1
055add7

v1.13.0-alpha.1 Pre-release

Talos 1.13.0-alpha.1 (2026-02-03)

Welcome to the v1.13.0-alpha.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Environment Configuration Document

A new EnvironmentConfig document has been introduced to allow users to specify environment variables for Talos components.
It replaces and deprecates the previous method of setting environment variables via the .machine.env field.

Multiple values for the same environment variable will replace previous values, with the last one taking precedence.

To remove an environment variable, remove it from the EnvironmentConfig document and restart the node.

External Volumes

Talos now supports virtiofs-based external volumes via the new ExternalVolumeConfig document.

These virtiofs external volumes are not supported when SELinux is running in enforcing mode.

Extra Arguments accept slices in addition to strings

Several Talos configuration fields that previously accepted single string values for extra arguments have been updated to accept slices of strings as well.
This includes fields such as .cluster.apiServer.extraArgs.

BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, ControllerManagerConfigs, SchedulerConfigs or APIServerConfigs, the protobuf format has changed from map<string,string> to map<string,message>.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Talosctl images k8s-bundle subcommand accepts version parameter

The talosctl images k8s-bundle command now accepts optional version override arguments.

Kubernetes server-side apply

Talos now uses inventory-backed server-side apply when applying bootstrap manifests (including extraManifests and inlineManifests).
Purging of unneeded manifests is automatically performed.
The switch and inventory backfill is automatic and no action is needed from the user.

KubeSpan Configuration

A new KubeSpanConfig document has been introduced to configure KubeSpan settings.
It replaces and deprecates the previous method of configuring KubeSpan via the .machine.network.kubespan field.

The old configuration field will continue to work for backward compatibility.

Negative Max Volume Size

Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example:
* a max size of "-10GiB" means the volume can grow to the available space minus 10GiB.
* a max size of "-25%" means the volume can grow to the available space minus 25%.

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

ProbeConfig

The TCPProbeConfig configuration document allows configuring TCP probes for network reachability checks.
This makes it possible to define a custom connectivity condition.

/proc/PID/mem Access Hardening

A new kernel parameter, proc_mem.force_override=never, is now set by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, the default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

ResolverConfig

The nameservers configuration in machine configuration now overwrites any previous layers (defaults, platform, etc.) when specified.
Previously a smart merge was performed to keep IPv4/IPv6 nameservers from lower layers if the machine configuration specified only one type.

Service Account Issuer configuration

For the API server, values passed via extra args for service-account-issuer are appended after the default value.
This allows easy migration, e.g. by changing .cluster.controlPlane.endpoint to the new value and keeping the old value in
.cluster.apiServer.extraArgs["service-account-issuer"].

talosctl images talos-bundle can skip reaching out to the registry

The talosctl images talos-bundle command now accepts optional --overlays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Component Updates

Linux: 6.18.8
containerd: 2.2.1
etcd: 3.6.7
CoreDNS: 1.13.2
Kubernetes: 1.35.0
Flannel CNI plugin: v1.9.0-flannel1
LVM2: 2_03_38
runc: 1.4.0
systemd: 259
cryptsetup: 2.8.3

Talos is built with Go 1.25.6.

VM Hot-Add Support

Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.

Contributors

  • Andrey Smirnov
  • Mateusz Urbanek
  • Noel Georgi
  • Dmitrii Sharshakov
  • Orzelius
  • Laura Brehm
  • Bryan Lee
  • Edward Sammut Alessi
  • Alexis La Goutte
  • Andras BALI
  • Andrei Kvapil
  • Artem Chernyshev
  • Birger Johan Nordølum
  • Camillo Rossi
  • Christopher Puschmann
  • Florian Ströger
  • Gregor Gruener
  • Jaakko Sirén
  • Jean-Francois Roy
  • Joakim Nohlgård
  • Jonas Lammler
  • Justin Garrison
  • Lennard Klein
  • Matthew Sanabria
  • Max Makarov
  • Michal Baumgartner
  • Mickaël Canévet
  • Olav Thoresen
  • Pranav Patil
  • Serge van Ginderachter
  • Skye Soss
  • Spencer Smith
  • Tim Jones
  • dataprolet
  • eseiker
  • pranav767

Changes

177 commits

  • 055add7ae release(v1.13.0-alpha.1): prepare release
  • 900516e68 chore: update image signer
  • 938de566e feat: bump kernel
  • 388cec727 feat(overlays): add new overlays
  • 9f2dd6312 refactor: api tests
  • a90783146 feat: add a helper module to generate standard patches
  • 1fec5b23d fix: implement merger for PercentageSize
  • 8b245b8f2 feat: implement new image service APIs
  • d90c775b8 chore: rename internal talosctl debug air-gapped
  • 2165280d0 refactor: change the way one2many proxying is picked
  • b1b703dbe chore: move sync logging code to go-kubernetes package
  • e48c6d7ab fix: allow to expose a port multiple times in Docker
  • 410d8cb57 fix: undo CRLF on Windows (talosctl edit)
  • 859d3f03c feat: add RPi5 to the list of supported SBCs
  • 0bd48bbc6 fix(talosctl): pass --k8s-endpoint flag to rotate-ca kubernetes rotation
  • b9e27ebe7 feat: update Linux kernel with dm-integrity
  • 6aa9b0677 fix: skip empty documents on config decoding
  • 494492489 fix: always set advertised peer URLs
  • 782cc507d fix: open the filesystem as read-only
  • 28e61a740 fix: set GRUB prefix correctly on arm64
  • a4f1c5239 feat: update GRUB to 2.14
  • 562920701 fix: use node podCIDRs for kubespan advertiseKubernetesNetworks
  • 39460365c feat: implement layering for ProbeSpec
  • b5c760f70 feat: add ProbeConfig for network connectivity probes
  • 4b274f761 feat: support aws cert manager in imager
  • 417209512 fix: fallback to /proc/meminfo for memory modules
  • 7f1147bed fix: add warnings to 802.3ad bond
  • ddd6b186e refactor: generate GRUB images
  • c7aa266ea fix: overwrite resolver config with machine config
  • cf70f05fa fix: oracle platform file format
  • 8c7b8f5b7 feat: add support for negative max size
  • 77bc3d21f fix: marshal of FailOverMac property
  • 38e280c93 fix: make OOM expression a bit less sensitive
  • 3d1301640 fix: wipe the first/last 1MiB in addition to wiping by signatures
  • 1aa6528ad fix: make OOM controller more precise by considering separate cgroup PSI
  • f7072c050 fix: check if the device is not mounted when wiping
  • 743c3b94b fix: use correct containerd import path
  • f2dd08594 feat: report image pull progress in the console
  • 72fe98a06 fix: boot with GRUB
  • d4ed13d93 fix: add talos version to Hetzner Cloud client user agent
  • 150c41c30 feat: update Linux to 6.18.5
  • 01a367891 fix: use append instead of prepend in service-account-issuer
  • d1954278a feat: add extraArgs from service-account-issuer
  • 91b88f7f9 feat: support multiple values for extraArgs
  • 96e604874 fix: add hostname to endpoints
  • 7033275a7 refactor: move BootloaderKind into machinery
  • 71adaf0ea fix: sort mirrors and tls configs when generating the machine config
  • 34f09a300 feat: add VLAN support to OpenStack platform
  • 5127ef7c2 fix: wipe disk by signatures
  • 415bfaedb fix: panic in configpatcher when the whole section is missing
  • e5aca71cd fix: fix healthcheck timeout
  • 634b71e2d docs: move talosctl pcap example to Example Block
  • 818492731 fe...

v1.12.2

22 Jan 09:27
v1.12.2
54e5b43

Talos 1.12.2 (2026-01-22)

Welcome to the v1.12.2 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

talosctl images talos-bundle can ignore reaching to the registry

The talosctl images talos-bundle command now accepts optional --overlays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Component Updates

Linux: 6.18.5

Talos is built with Go 1.25.6.

Contributors

  • Andrey Smirnov
  • Dmitrii Sharshakov
  • Andras BALI
  • Artem Chernyshev
  • Jonas Lammler
  • Mateusz Urbanek
  • Max Makarov
  • Noel Georgi

Changes

21 commits

  • 54e5b438d release(v1.12.2): prepare release
  • 30da0bc19 fix: oracle platform file format
  • 7ddb37b1f fix: make OOM expression a bit less sensitive
  • e438ec23e fix: marshal of FailOverMac property
  • 717ed7265 fix: check if the device is not mounted when wiping
  • c95c9fd06 fix: wipe the first/last 1MiB in addition to wiping by signatures
  • 52bed358d fix: add talos version to Hetzner Cloud client user agent
  • 0e447a431 fix: make OOM controller more precise by considering separate cgroup PSI
  • 3b974b99e fix: sort mirrors and tls configs when generating the machine config
  • 8b16fe50b feat: add VLAN support to OpenStack platform
  • eb8480c4c fix: panic in configpatcher when the whole section is missing
  • 4d44306dd fix: wipe disk by signatures
  • cca4cd269 feat: add it87 hwmon module
  • d9480eef2 fix: resolve SideroLink Wireguard endpoint on reconnect
  • e16c2d5bb fix: handle correctly incomplete RegistryTLSConfig
  • dedd273df fix: bond config via platform
  • f527cff23 fix: allow HostnameConfig to be used with incomplete machine config
  • 10918136c fix: lock down etcd listen address to IPv4 localhost
  • 9f8d938db fix: print talosctl images to release notes
  • 95433c167 fix: update VIP config example
  • 919394fee feat: update Go to 1.25.6

Changes from siderolabs/pkgs

7 commits

Changes from siderolabs/tools

1 commit

Dependency Changes

  • github.com/klauspost/compress v1.18.2 -> v1.18.3
  • github.com/siderolabs/go-blockdevice/v2 v2.0.22 -> v2.0.23
  • github.com/siderolabs/pkgs v1.12.0-25-g90ff196 -> v1.12.0-32-g4f8efaf
  • github.com/siderolabs/talos/pkg/machinery v1.12.1 -> v1.12.2
  • github.com/siderolabs/tools v1.12.0-3-g5df8bae -> v1.12.0-4-g31959f4
  • go.uber.org/zap v1.27.0 -> v1.27.1
  • golang.org/x/net v0.47.0 -> v0.48.0
  • golang.org/x/oauth2 v0.33.0 -> v0.34.0
  • golang.org/x/sync v0.18.0 -> v0.19.0
  • golang.org/x/sys v0.38.0 -> v0.40.0
  • golang.org/x/term v0.37.0 -> v0.38.0
  • golang.org/x/text v0.31.0 -> v0.33.0

Previous release can be found at v1.12.1

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:v1.35.0
registry.k8s.io/kube-controller-manager:v1.35.0
registry.k8s.io/kube-scheduler:v1.35.0
registry.k8s.io/kube-proxy:v1.35.0
ghcr.io/siderolabs/kubelet:v1.35.0
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.2
ghcr.io/siderolabs/installer-base:v1.12.2
ghcr.io/siderolabs/imager:v1.12.2
ghcr.io/siderolabs/talos:v1.12.2
ghcr.io/siderolabs/talosctl-all:v1.12.2
ghcr.io/siderolabs/overlays:v1.12.2
ghcr.io/siderolabs/extensions:v1.12.2

v1.12.1

05 Jan 13:14
v1.12.1
7ea2ef7

Talos 1.12.1 (2026-01-05)

Welcome to the v1.12.1 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.2

Talos is built with Go 1.25.5.

Contributors

  • Mateusz Urbanek
  • Andrey Smirnov
  • Dmitrii Sharshakov

Changes

7 commits

  • 7ea2ef7cf release(v1.12.1): prepare release
  • 78a785604 chore: run rekres and update dependencies
  • c31067173 fix: disable swap for system services
  • a7e8426cf test: skip the source bundle on exact tag
  • 943984167 fix: probe small images correctly
  • 42df71637 fix: invalid versions check in talos-bundle
  • a3e90e445 fix: make upgrade work with SELinux enforcing=1

Changes from siderolabs/pkgs

2 commits

Changes from siderolabs/tools

1 commit

Dependency Changes

  • github.com/klauspost/compress v1.18.1 -> v1.18.2
  • github.com/siderolabs/go-blockdevice/v2 v2.0.20 -> v2.0.22
  • github.com/siderolabs/pkgs v1.12.0-23-ge0b78b8 -> v1.12.0-25-g90ff196
  • github.com/siderolabs/talos/pkg/machinery v1.12.0 -> v1.12.1
  • github.com/siderolabs/tools v1.12.0-2-g7d57df0 -> v1.12.0-3-g5df8bae

Previous release can be found at v1.12.0

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:v1.35.0
registry.k8s.io/kube-controller-manager:v1.35.0
registry.k8s.io/kube-scheduler:v1.35.0
registry.k8s.io/kube-proxy:v1.35.0
ghcr.io/siderolabs/kubelet:v1.35.0
registry.k8s.io/pause:3.10

v1.13.0-alpha.0

25 Dec 15:33
v1.13.0-alpha.0
c76484e

v1.13.0-alpha.0 Pre-release

Talos 1.13.0-alpha.0 (2025-12-25)

Welcome to the v1.13.0-alpha.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

External Volumes

Talos now supports virtiofs-based external volumes via the new
ExternalVolumeConfig
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

/proc/PID/mem Access Hardening

A new kernel parameter, proc_mem.force_override=never, is now set by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, the default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

Component Updates

Linux: 6.18.2
containerd: 2.2.1
etcd: 3.6.7
CoreDNS: 1.13.2
Kubernetes: 1.35.0
Flannel CNI plugin: v1.9.0-flannel1
LVM2: 2_03_38
runc: 1.4.0
systemd: 259
cryptsetup: 2.8.3

Talos is built with Go 1.25.5.

VM Hot-Add Support

Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.

Contributors

  • Andrey Smirnov
  • Mateusz Urbanek
  • Noel Georgi
  • Dmitrii Sharshakov
  • Laura Brehm
  • Bryan Lee
  • Edward Sammut Alessi
  • Birger Johan Nordølum
  • Christopher Puschmann
  • Jaakko Sirén
  • Jean-Francois Roy
  • Joakim Nohlgård
  • Justin Garrison
  • Lennard Klein
  • Michal Baumgartner
  • Orzelius
  • Serge van Ginderachter
  • Skye Soss
  • dataprolet
  • eseiker
  • pranav767

Changes

96 commits

  • c76484e58 release(v1.13.0-alpha.0): prepare release
  • f0d8a6851 test: skip the source bundle on exact tag
  • c57701d65 fix: remove interactive installer
  • 43937c1cd feat: update Linux and systemd
  • 72a194df8 feat: add VM CPU hot-add rules
  • f09ae1e0d fix: probe small images correctly
  • 8f2b33799 feat: imager support rootless builds
  • c7525a97e feat: support creating filesystems from folder
  • e2bffb5ce chore: refactor imager code so it's more clear
  • 0fb50dbd0 fix: invalid versions check in talos-bundle
  • b5dd56032 test: upgrade versions in upgrade tests
  • 3dfa4d6e4 fix: make upgrade work with SELinux enforcing=1
  • 786c8e2ee feat: ship pigz/igzip in rootfs to speed up image decompression
  • 48d242918 feat: update containerd to 2.2.1
  • 536541afe fix: mount volume mount/unmount race
  • 39117d457 feat: update dependencies
  • f0f420725 fix: bond setting change detection
  • 8d6a7a867 feat: update Kubernetes to 1.35.0
  • 845a0d09c feat: update etcd 3.6.7, CoreDNS 1.13.2
  • b95912e04 feat: enforce proc_mem.force_override=never by default
  • 681f3e84c test: run virtiofs tests only when virtiofsd is running
  • 0592ff0cd fix: drop the Omni API URL check on IP address
  • a4879a5fa feat: update Linux to 6.18.1
  • 43b43ff18 docs: split talosctl commands into groups
  • 6d17c18bf feat: enable Powercap and Intel RAPL
  • 884e76662 docs: fix the talosctl cluster create help output
  • 6dc31be4f fix: exclude new Virtual IPs configured with new config
  • 94905c73e feat(talosctl): support running qemu x86 on Mac
  • f871ab241 fix: provide json support in nft binary
  • 694f45413 feat: external volumes
  • 39feb16d2 fix: update containerd 2.2.0 with cgroups patch
  • 82027eb9b fix: bond configuration with new settings
  • 121b13b8f fix: disable kexec on arm64
  • 7eaa725d0 fix: selection of boot entry
  • 949bdb90a feat: add Secure Boot to CloudStack platform config
  • 798143a88 fix: discard better klog message from Kubernetes client
  • 008cd0986 fix: disable kexec in talosctl cluster create on arm64
  • bb62b29ed chore: prepare talos for 1.13
  • c0935030a chore: fork reference docs for 1.13.x
  • e387e48b3 fix: do not override DNS on MacOS
  • 1e7e87fb1 fix: rework NFT rules for KubeSpan
  • 51bcfb567 feat: rename image default and source bundle
  • 585abe944 feat: update Kubernetes to v1.35.0-rc.1
  • f301e3e9b fix: update KubeSpan MSS clamping
  • 74c1df6f4 test: propagate MTU size to QEMU in talosctl cluster create
  • d347ca1af fix: update CNI plugins to 1.9.0
  • e3f8196b4 chore: update Grype and Syft
  • e1b8ab323 docs: add misssing period
  • cd04c3dde docs: update release notes
  • fc8ae3249 docs: add omni join token example to create qemu command
  • 9fa00773c chore: update go-blockdevice
  • ba13b6786 fix: correct condition to use UKI cmdline in GRUB
  • d2ce3f47f docs: drop machine.network example
  • cf087c1e0 test: bird2 extension
  • 13df94388 fix: adapt SELinuxSuite.TestNoPtrace to new strace version
  • 861787c38 fix: mark secureboot as supported for metal
  • 04e3e87ad fix: clean up kubelet mounts
  • 21057903a fix: clear provisioning data on SideroLink config change
  • 0f9f4c05f feat: update Kubernetes to 1.35.0-rc.0
  • d4309d7b1 fix: add a timeout for DNS resolving for NTP
  • dd6c1089c feat: update Linux to 6.18.0
  • e9a30bf9a test: revert add direct connectivity CA rotation test
  • cc95562bc fix: don't disable LACP by default
  • c9fe4679b test: add platform acquire/not valid config unit-test
  • 5a03a7a20 chore: fix longhorn test
  • a0cfc3527 feat: implement logs persistence
  • 51b732bea fix: selection of boot entry
  • 18f8ac369 feat: update Kubernetes to 1.35.0-beta.0
  • 92fa7c5e4 chore: update pkgs for NVIDIA 580.105.08
  • f489299b6 chore: correct condition for running k8s integration tests
  • ab149750d chore: update tools/pkgs to 1.13.0-alpha.0
  • 87ff9f860 test: fix the image-factory test to pass IF endpoint
  • 2ffe538e7 test: add direct connectivity CA rotation test
  • 70f6b80e0 chore(ci): skip multipath extension tests
  • 561cfb60c chore: update pkgs and tools version
  • 2f42202a7 fix: simplify OOM expression
  • 7b06ae8c2 test: fix flaky LinkSpec/Wireguard test
  • e715f3871 feat: present kernel log as talosctl logs kernel
  • e2ee39b8a fix: support specifying patch file without '@' symbol
  • e202b1f9e fix: trim trailing dots from certificate SANs
  • 7f7079f9c fix: assign value of multicast setting properly
  • eba96141e feat: update etcd to 3.6.6
  • 9945ceef3 docs: add API Server Cipher Suites changelog
  • 9ed488d09 feat: update TLS cipher suites for API server
  • f1c04e4d6 feat: generate mirrors patch
  • a89108995 fix: add CA subject to generated certificate
  • 35dd612a5 fix: add more resilient move
  • 83675838f feat: extend flags of cache-cert-gen
  • 80ab7a064 chore: remove spammy 'clean up unused volumes' logs
  • 74d35900a chore: disable k8s integration tests for 1GiB worker nodes
  • 4f6218674 feat: support TALOS_HOME env var
  • 0c59b3ea3 feat: add multicast to linkconfig
  • 6db06f4d5 feat: implement multicast setting
  • eeded98f5 fix: add riscv64 talosctl to release artifacts
  • a6bbae91b fix: fix typos across the project
  • 83f2bdb9c feat: support relative voume size

Changes from siderolabs/pkgs

33 commits

v1.10.9

24 Dec 10:48
v1.10.9
c48f7ed

Talos 1.10.9 (2025-12-24)

Welcome to the v1.10.9 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

etcd Zombie Members

See this blog post for more details.

This release includes an update to etcd v3.5.26 to ensure that upgrades to Talos v1.11 and later (which default to etcd v3.6) will not be blocked by the presence of zombie members in the etcd cluster.

Please note that the etcd version can also be configured via the machine configuration with any version of Talos Linux.

Component Updates

Linux: 6.12.63
runc: 1.2.9
etcd: 3.5.26

Talos is built with Go 1.24.11.

Contributors

  • Andrey Smirnov
  • Dmitrii Sharshakov

Changes

9 commits

  • c48f7ede0 release(v1.10.9): prepare release
  • 4c4c8551f test: bump memory for OpenEBS test
  • 51c680ae2 test: backport test fixes for CRI seccomp profile
  • 0f42034b0 fix: adapt SELinuxSuite.TestNoPtrace to new strace version
  • a705f8e8c fix: clear provisioning data on SideroLink config change
  • 92c42efc7 chore: update Go modules
  • b7c49777f fix: disable kexec on arm64
  • 45ed535c7 feat: update default etcd to 3.5.26
  • 74ba66803 feat: update pkgs and tools

Changes from siderolabs/pkgs

1 commit

Changes from siderolabs/tools

1 commit

Dependency Changes

  • github.com/containernetworking/plugins v1.6.2 -> v1.9.0
  • github.com/safchain/ethtool v0.5.10 -> v0.6.2
  • github.com/siderolabs/pkgs v1.10.0-37-g71b336d -> v1.10.0-38-g3f85dc8
  • github.com/siderolabs/talos/pkg/machinery v1.10.8 -> v1.10.9
  • github.com/siderolabs/tools v1.10.0-7-g39357c8 -> v1.10.0-8-g11b0a3d
  • github.com/stretchr/testify v1.10.0 -> v1.11.1
  • go.etcd.io/etcd/api/v3 v3.5.21 -> v3.5.26
  • go.etcd.io/etcd/client/pkg/v3 v3.5.21 -> v3.5.26
  • go.etcd.io/etcd/client/v3 v3.5.21 -> v3.5.26
  • go.etcd.io/etcd/etcdutl/v3 v3.5.21 -> v3.5.26
  • golang.org/x/net v0.42.0 -> v0.47.0
  • golang.org/x/sync v0.16.0 -> v0.18.0
  • golang.org/x/sys v0.34.0 -> v0.38.0
  • golang.org/x/term v0.33.0 -> v0.37.0
  • golang.org/x/text v0.27.0 -> v0.31.0
  • google.golang.org/protobuf v1.36.6 -> v1.36.7

Previous release can be found at v1.10.8

Images

ghcr.io/siderolabs/flannel:v0.26.7
registry.k8s.io/coredns/coredns:v1.12.1
gcr.io/etcd-development/etcd:v3.5.26
registry.k8s.io/kube-apiserver:v1.33.6
registry.k8s.io/kube-controller-manager:v1.33.6
registry.k8s.io/kube-scheduler:v1.33.6
registry.k8s.io/kube-proxy:v1.33.6
ghcr.io/siderolabs/kubelet:v1.33.6
ghcr.io/siderolabs/installer:v1.10.9
registry.k8s.io/pause:3.10