chore(deps): update dependency talos to v1.12.7#12

Open
renovate[bot] wants to merge 1 commit into main from feature/renovate-talos-1.x

@renovate renovate Bot commented Nov 6, 2025

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package | Update | Change
TALOS | minor | v1.11.3 -> v1.12.7

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

siderolabs/talos (TALOS)

v1.12.7

Compare Source

v1.12.6

Compare Source

Talos 1.12.6 (2026-03-19)

Welcome to the v1.12.6 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.18
runc: 1.3.5

Talos is built with Go 1.25.8.

Contributors
  • Mickaël Canévet
  • Andrey Smirnov
  • Dominik Pitz
  • Kai Zhang
  • Noel Georgi
  • Stanley Chan
  • Zadkiel AHARONIAN
Changes
21 commits

  • @​a1b8bd6 release(v1.12.6): prepare release
  • @​72bd570 feat: update Linux to 6.18.18
  • @​9d5638f fix: accept image cache volume encryption config
  • @​0f018bf fix: panic in hardware.SystemInfoController
  • @​c46b898 fix: validate missing apiVersion in config document decoder
  • @​c47cad9 fix: pull in a fix for dmesg timestamps
  • @​190336a fix: prevent stale discovered volumes reads
  • @​217e9bb fix: bring in new version of go-cmd and go-blockdevice
  • @​d7779a5 fix: stop pulling wrong platform for images
  • @​eb6eb66 fix(machined): support USERDATA legacy fallback in OpenNebula driver
  • @​ba20c7c feat(machined): add ONEGATE proxy route and deterministic interface iteration for OpenNebula
  • @​739f664 feat(machined): inherit IP6_METHOD from METHOD in OpenNebula driver
  • @​93878c0 fix(machined): align OpenNebula hostname precedence with reference
  • @​9718d73 feat(machined): add IPv6 alias address support for OpenNebula (ETH_ALIAS_IP6)
  • @​b649fb4 feat(machined): support ETH*_IP6_METHOD (static/dhcp/auto/disable) for OpenNebula
  • @​c81df6f refactor(machined): extract per-interface IPv4 helper in OpenNebula driver
  • @​501924e fix(machined): use ParseFQDN for hostname parsing in OpenNebula
  • @​e9331b2 feat(machined): support per-interface route metric for OpenNebula (ETH*_METRIC)
  • @​6e78afb feat(machined): add network alias support for OpenNebula (ETH_ALIAS)
  • @​9f648b4 feat(machined): merge global and per-interface DNS for OpenNebula
  • @​04fba03 feat(machined): add static routes support via ETH*_ROUTES for OpenNebula

Changes from siderolabs/go-cmd
2 commits

Changes from siderolabs/go-kmsg
3 commits

Changes from siderolabs/pkgs
4 commits

Dependency Changes
  • github.com/google/go-containerregistry v0.20.6 -> v0.20.7
  • github.com/siderolabs/go-blockdevice/v2 v2.0.24 -> v2.0.26
  • github.com/siderolabs/go-cmd v0.1.3 -> v0.2.0
  • github.com/siderolabs/go-kmsg v0.1.4 -> v0.1.5
  • github.com/siderolabs/pkgs v1.12.0-46-ge695c74 -> v1.12.0-50-ga92bed5
  • github.com/siderolabs/talos/pkg/machinery v1.12.5 -> v1.12.6
  • github.com/spf13/cobra v1.10.1 -> v1.10.2
  • golang.org/x/sys v0.41.0 -> v0.42.0
  • google.golang.org/grpc v1.78.0 -> v1.79.3

Previous release can be found at v1.12.5

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.8
registry.k8s.io/kube-apiserver:v1.35.2
registry.k8s.io/kube-controller-manager:v1.35.2
registry.k8s.io/kube-scheduler:v1.35.2
registry.k8s.io/kube-proxy:v1.35.2
ghcr.io/siderolabs/kubelet:v1.35.2
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.6
ghcr.io/siderolabs/installer-base:v1.12.6
ghcr.io/siderolabs/imager:v1.12.6
ghcr.io/siderolabs/talos:v1.12.6
ghcr.io/siderolabs/talosctl-all:v1.12.6
ghcr.io/siderolabs/overlays:v1.12.6
ghcr.io/siderolabs/extensions:v1.12.6

v1.12.5

Compare Source

Talos 1.12.5 (2026-03-09)

Welcome to the v1.12.5 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.15
Kubernetes: 1.35.2
etcd: 3.6.8

Talos is built with Go 1.25.8.

Contributors
  • Andrey Smirnov
  • Mateusz Urbanek
  • Dmitrii Sharshakov
  • Fritz Schaal
  • Jan Paul
  • Max Makarov
  • Mickaël Canévet
  • Nico Berlee
  • Orzelius
  • Spencer Smith
Changes
19 commits

  • @​da6c6e4 release(v1.12.5): prepare release
  • @​4f978a7 fix: correctly calculate end ranges for nftables sets
  • @​8d52e2d feat: add trusted roots generation to stdpatches
  • @​6284877 fix: use correct dhcp option for unicast dhcp renewal
  • @​dcf23be fix: ignore image digest when doing upgrade-k8s
  • @​f8a2a9b fix(machined): opennebula: process ETH*_ vars regardless of NETWORK context flag
  • @​db9ff23 fix: patch with delete for LinkConfigs
  • @​e0c38e2 fix: update path handling on talosctl cgroups
  • @​ca2d4c1 fix: stop Kubernetes client from dynamically reloading the certs
  • @​70ae2f2 refactor: split locate and provision
  • @​c3b0484 fix: hold user volumes root mountpoint
  • @​d935420 fix: handle raw encryption keys with \n properly
  • @​7fe1a47 fix: remove stale endpoints
  • @​3ea0888 fix: allow static hosts in /etc/hosts without hostname
  • @​5ebb00f fix: switch to better Myers algorithm implementation
  • @​2b40379 feat: update etcd to v3.6.8
  • @​1ce9328 fix: disks flag parsing and handling in create qemu command
  • @​1f989df fix: read multi-doc machine config with newer talosctl
  • @​40ba6e3 feat: update Linux 6.18.15, Go 1.25.8

Changes from siderolabs/go-debug
1 commit

Changes from siderolabs/pkgs
7 commits

Changes from siderolabs/tools
1 commit

Dependency Changes
  • github.com/docker/cli v29.0.0 -> v29.2.1
  • github.com/siderolabs/go-blockdevice/v2 v2.0.23 -> v2.0.24
  • github.com/siderolabs/go-debug v0.6.1 -> v0.6.2
  • github.com/siderolabs/pkgs v1.12.0-39-gb1fc4c6 -> v1.12.0-46-ge695c74
  • github.com/siderolabs/talos/pkg/machinery v1.12.3 -> v1.12.5
  • github.com/siderolabs/tools v1.12.0-6-gdc37e09 -> v1.12.0-7-g57916cb
  • golang.org/x/net v0.48.0 -> v0.51.0
  • golang.org/x/sys v0.40.0 -> v0.41.0
  • golang.org/x/term v0.38.0 -> v0.40.0
  • golang.org/x/text v0.33.0 -> v0.34.0
  • google.golang.org/grpc v1.76.0 -> v1.78.0
  • google.golang.org/protobuf v1.36.10 -> v1.36.11
  • k8s.io/api v0.35.0 -> v0.35.2
  • k8s.io/apiextensions-apiserver v0.35.0 -> v0.35.2
  • k8s.io/apiserver v0.35.0 -> v0.35.2
  • k8s.io/client-go v0.35.0 -> v0.35.2
  • k8s.io/component-base v0.35.0 -> v0.35.2
  • k8s.io/kube-scheduler v0.35.0 -> v0.35.2
  • k8s.io/kubectl v0.35.0 -> v0.35.2
  • k8s.io/kubelet v0.35.0 -> v0.35.2
  • k8s.io/pod-security-admission v0.35.0 -> v0.35.2

Previous release can be found at v1.12.4

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.8
registry.k8s.io/kube-apiserver:v1.35.2
registry.k8s.io/kube-controller-manager:v1.35.2
registry.k8s.io/kube-scheduler:v1.35.2
registry.k8s.io/kube-proxy:v1.35.2
ghcr.io/siderolabs/kubelet:v1.35.2
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.5
ghcr.io/siderolabs/installer-base:v1.12.5
ghcr.io/siderolabs/imager:v1.12.5
ghcr.io/siderolabs/talos:v1.12.5
ghcr.io/siderolabs/talosctl-all:v1.12.5
ghcr.io/siderolabs/overlays:v1.12.5
ghcr.io/siderolabs/extensions:v1.12.5

v1.12.4

Compare Source

Talos 1.12.4 (2026-02-13)

Welcome to the v1.12.4 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

KubeSpan Advertised Network Filters

KubeSpan now supports filtering of advertised networks using the excludeAdvertisedNetworks field in the KubeSpanConfig document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
and any pair of their addresses, the traffic should either go through KubeSpan or not, but not one way or the other.

Component Updates

Linux: 6.18.9

Talos is built with Go 1.25.7.

Contributors
  • Andrey Smirnov
  • Daniil Kivenko
  • Florian Ströger
  • Fritz Schaal
  • Mateusz Urbanek
Changes
9 commits

  • @​fc8e600 release(v1.12.4): prepare release
  • @​14dde14 feat: add filter for KubeSpan advertised networks
  • @​c277d01 fix: ignore volumes in wave calculation without provisioning
  • @​f90af88 fix: use node podCIDRs for kubespan advertiseKubernetesNetworks
  • @​a025ea4 feat: add IPv6 GRE support
  • @​9241254 fix: typo with rpi_5 profile name
  • @​64f4985 fix: swap volume configuration for min/max size
  • @​19354ab feat: update Linux to 6.18.9
  • @​639c1c9 fix: mismerge of nft with json support

Changes from siderolabs/discovery-api
2 commits

Changes from siderolabs/pkgs
4 commits

Dependency Changes
  • github.com/siderolabs/discovery-api v0.1.6 -> v0.1.8
  • github.com/siderolabs/pkgs v1.12.0-35-g15d5d78 -> v1.12.0-39-gb1fc4c6

Previous release can be found at v1.12.3

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:v1.35.0
registry.k8s.io/kube-controller-manager:v1.35.0
registry.k8s.io/kube-scheduler:v1.35.0
registry.k8s.io/kube-proxy:v1.35.0
ghcr.io/siderolabs/kubelet:v1.35.0
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.4
ghcr.io/siderolabs/installer-base:v1.12.4
ghcr.io/siderolabs/imager:v1.12.4
ghcr.io/siderolabs/talos:v1.12.4
ghcr.io/siderolabs/talosctl-all:v1.12.4
ghcr.io/siderolabs/overlays:v1.12.4
ghcr.io/siderolabs/extensions:v1.12.4

v1.12.3

Compare Source

Talos 1.12.3 (2026-02-07)

Welcome to the v1.12.3 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.8

Talos is built with Go 1.25.7.

Contributors
  • Andrey Smirnov
  • Mateusz Urbanek
  • Andrei Kvapil
  • Gregor Gruener
  • Matthew Sanabria
Changes
14 commits

Changes from siderolabs/pkgs
3 commits

Changes from siderolabs/tools
2 commits

Dependency Changes
  • github.com/siderolabs/pkgs v1.12.0-32-g4f8efaf -> v1.12.0-35-g15d5d78
  • github.com/siderolabs/talos/pkg/machinery v1.12.2 -> v1.12.3
  • github.com/siderolabs/tools v1.12.0-4-g31959f4 -> v1.12.0-6-gdc37e09

Previous release can be found at v1.12.2

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:v1.35.0
registry.k8s.io/kube-controller-manager:v1.35.0
registry.k8s.io/kube-scheduler:v1.35.0
registry.k8s.io/kube-proxy:v1.35.0
ghcr.io/siderolabs/kubelet:v1.35.0
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.3
ghcr.io/siderolabs/installer-base:v1.12.3
ghcr.io/siderolabs/imager:v1.12.3
ghcr.io/siderolabs/talos:v1.12.3
ghcr.io/siderolabs/talosctl-all:v1.12.3
ghcr.io/siderolabs/overlays:v1.12.3
ghcr.io/siderolabs/extensions:v1.12.3

v1.12.2

Compare Source

Talos 1.12.2 (2026-01-22)

Welcome to the v1.12.2 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

talosctl images talos-bundle can ignore reaching to the registry

The talosctl images talos-bundle command now accepts optional --overlays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Component Updates

Linux: 6.18.5

Talos is built with Go 1.25.6.

Contributors
  • Andrey Smirnov
  • Dmitrii Sharshakov
  • Andras BALI
  • Artem Chernyshev
  • Jonas Lammler
  • Mateusz Urbanek
  • Max Makarov
  • Noel Georgi
Changes
21 commits

  • @​54e5b43 release(v1.12.2): prepare release
  • @​30da0bc fix: oracle platform file format
  • @​7ddb37b fix: make OOM expression a bit less sensitive
  • @​e438ec2 fix: marshal of FailOverMac property
  • @​717ed72 fix: check if the device is not mounted when wiping
  • @​c95c9fd fix: wipe the first/last 1MiB in addition to wiping by signatures
  • @​52bed35 fix: add talos version to Hetzner Cloud client user agent
  • @​0e447a4 fix: make OOM controller more precise by considering separate cgroup PSI
  • @​3b974b9 fix: sort mirrors and tls configs when generating the machine config
  • @​8b16fe5 feat: add VLAN support to OpenStack platform
  • @​eb8480c fix: panic in configpatcher when the whole section is missing
  • @​4d44306 fix: wipe disk by signatures
  • @​cca4cd2 feat: add it87 hwmon module
  • @​d9480ee fix: resolve SideroLink Wireguard endpoint on reconnect
  • @​e16c2d5 fix: handle correctly incomplete RegistryTLSConfig
  • @​dedd273 fix: bond config via platform
  • @​f527cff fix: allow HostnameConfig to be used with incomplete machine config
  • @​1091813 fix: lock down etcd listen address to IPv4 localhost
  • @​9f8d938 fix: print talosctl images to release notes
  • @​95433c1 fix: update VIP config example
  • @​919394f feat: update Go to 1.25.6

Changes from siderolabs/pkgs
7 commits

Changes from siderolabs/tools
1 commit

Dependency Changes
  • github.com/klauspost/compress v1.18.2 -> v1.18.3
  • github.com/siderolabs/go-blockdevice/v2 v2.0.22 -> v2.0.23
  • github.com/siderolabs/pkgs v1.12.0-25-g90ff196 -> v1.12.0-32-g4f8efaf
  • github.com/siderolabs/talos/pkg/machinery v1.12.1 -> v1.12.2
  • github.com/siderolabs/tools v1.12.0-3-g5df8bae -> v1.12.0-4-g31959f4
  • go.uber.org/zap v1.27.0 -> v1.27.1
  • golang.org/x/net v0.47.0 -> v0.48.0
  • golang.org/x/oauth2 v0.33.0 -> v0.34.0
  • golang.org/x/sync v0.18.0 -> v0.19.0
  • golang.org/x/sys v0.38.0 -> v0.40.0
  • golang.org/x/term v0.37.0 -> v0.38.0
  • golang.org/x/text v0.31.0 -> v0.33.0

Previous release can be found at v1.12.1

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:v1.35.0
registry.k8s.io/kube-controller-manager:v1.35.0
registry.k8s.io/kube-scheduler:v1.35.0
registry.k8s.io/kube-proxy:v1.35.0
ghcr.io/siderolabs/kubelet:v1.35.0
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.2
ghcr.io/siderolabs/installer-base:v1.12.2
ghcr.io/siderolabs/imager:v1.12.2
ghcr.io/siderolabs/talos:v1.12.2
ghcr.io/siderolabs/talosctl-all:v1.12.2
ghcr.io/siderolabs/overlays:v1.12.2
ghcr.io/siderolabs/extensions:v1.12.2

v1.12.1

Compare Source

Talos 1.12.1 (2026-01-05)

Welcome to the v1.12.1 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.2

Talos is built with Go 1.25.5.

Contributors
  • Mateusz Urbanek
  • Andrey Smirnov
  • Dmitrii Sharshakov
Changes
7 commits

Changes from siderolabs/pkgs
2 commits

Changes from siderolabs/tools
1 commit

Dependency Changes
  • github.com/klauspost/compress v1.18.1 -> v1.18.2
  • github.com/siderolabs/go-blockdevice/v2 v2.0.20 -> v2.0.22
  • github.com/siderolabs/pkgs v1.12.0-23-ge0b78b8 -> v1.12.0-25-g90ff196
  • github.com/siderolabs/talos/pkg/machinery v1.12.0 -> v1.12.1
  • github.com/siderolabs/tools v1.12.0-2-g7d57df0 -> v1.12.0-3-g5df8bae

Previous release can be found at v1.12.0

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:v1.35.0
registry.k8s.io/kube-controller-manager:v1.35.0
registry.k8s.io/kube-scheduler:v1.35.0
registry.k8s.io/kube-proxy:v1.35.0
ghcr.io/siderolabs/kubelet:v1.35.0
registry.k8s.io/pause:3.10

v1.12.0

Compare Source

Welcome to the v1.13.0-alpha.2 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Clang built kernel and ThinLTO

Talos now uses a kernel built using Clang compiler, and optimized using ThinLTO. This should bring a small performance improvement,
alongside some hardening features, such as BTI on supported ARM systems.

talosctl debug

Talos Linux now provides a way to run and attach to the privileged debug container with a user-provided container image.
The debug container might be used for troubleshooting and debugging purposes.

Environment Configuration Document

A new EnvironmentConfig document has been introduced to allow users to specify environment variables for Talos components.
It replaces and deprecates the previous method of setting environment variables via the .machine.env field.

Multiple values for the same environment variable will replace previous values, with the last one taking precedence.

To remove an environment variable, remove it from the EnvironmentConfig document and restart the node.

External Volumes

Talos now supports virtiofs-based external volumes via the new
ExternalVolumeConfig
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.

Extra Arguments accept slices in addition to strings

Several Talos configuration fields that previously accepted single string values for extra arguments have been updated to accept slices of strings as well.
This includes fields such as .cluster.apiServer.extraArgs.

BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, ControllerManagerConfigs, SchedulerConfigs or APIServerConfigs, the protobuf format has changed from map<string,string> to map<string,message>.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Image APIs Updated

Talos Linux provides new APIs to manage container images on the node: listing, pulling, importing and removing images.
The new pull APIs provide pull progress notifications.

The CLI commands talosctl image pull, talosctl image list and talosctl image remove have been updated to interact with the new APIs.

Talosctl images k8s-bundle subcommand accepts version parameter

The talosctl images k8s-bundle command now accepts optional version override arguments.

Kubernetes server-side apply

Talos now uses inventory-backed server-side apply when applying bootstrap manifests (including extraManifests and inlineManifests).
Purging of unneeded manifests is automatically performed.
The switch and inventory backfill is automatic and no action is needed from the user.

KubeSpan Configuration

A new KubeSpanConfig document has been introduced to configure KubeSpan settings.
It replaces and deprecates the previous method of configuring KubeSpan via the .machine.network.kubespan field.

The old configuration field will continue to work for backward compatibility.

KubeSpan Advertised Network Filters

KubeSpan now supports filtering of advertised networks using the excludeAdvertisedNetworks field in the KubeSpanConfig document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
and any pair of their addresses, the traffic should either go through KubeSpan or not, but not one way or the other.

LinkAliasConfig Pattern-Based Multi-Alias

LinkAliasConfig now supports pattern-based alias names using %d format verb (e.g. net%d).

When the alias name contains a %d format verb, the selector is allowed to match multiple links.
Each matched link receives a sequential alias (e.g. net0, net1, ...) based on hardware address order
of the links. Links already aliased by a previous config are automatically skipped.

This enables creating stable aliases from any N links using a single config document,
useful for BondConfig and BridgeConfig member interfaces on varying hardware.

Negative Max Volume Size

Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example:
* a max size of "-10GiB" means the volume can grow to the available space minus 10GiB.
* a max size of "-25%" means the volume can grow to the available space minus 25%.

Flannel CNI with Network Policy Support

Talos Linux now supports optionally deploying Flannel CNI with network policy support enabled.
The network policy implementation is kube-network-policies.

To enable Flannel CNI with network policy support, use the following machine configuration patch:

cluster:
  network:
    cni:
      name: flannel
      flannel:
        kubeNetworkPoliciesEnabled: true

(If the cluster is already running, sync the bootstrap manifests after applying the patch to deploy the new CNI configuration.)

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

ProbeConfig

The TCPProbeConfig configuration document allows configuring TCP probes for network reachability checks.
This allows defining a custom connectivity condition.

/proc/PID/mem Access Hardening

A new kernel parameter proc_mem.force_override=never has been introduced by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

ResolverConfig

The nameservers configuration in machine configuration now overwrites any previous layers (defaults, platform, etc.) when specified.
Previously a smart merge was performed to keep IPv4/IPv6 nameservers from lower layers if the machine configuration specified only one type.

Service Account Issuer configuration

In API Server, passing extra args with service-account-issuer will append them after default value.
This allows easy migration, e.g. by changing .cluster.controlPlane.endpoint to new value, and keeping the old value in
.cluster.apiServer.extraArgs["service-account-issuer"].

talosctl images talos-bundle can ignore reaching to the registry

The talosctl images talos-bundle command now accepts optional --overlays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Component Updates

Linux: 6.18.13
containerd: 2.2.1
etcd: 3.6.8
CoreDNS: 1.14.1
Kubernetes: 1.36.0-alpha.1
Flannel CNI plugin: v1.9.0-flannel1
Flannel: 0.28.1
LVM2: 2_03_38
runc: 1.4.0
systemd: 259.1
cryptsetup: 2.8.3
Tenstorrent: 2.7.0
iptables: 1.8.12

Talos is built with Go 1.26.0.

VM Hot-Add Support

Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.

Contributors
  • Andrey Smirnov
  • Mateusz Urbanek
  • Noel Georgi
  • Dmitrii Sharshakov
  • Orzelius
  • Laura Brehm
  • Edward Sammut Alessi
  • Max Makarov
  • Andreas Freund
  • Artem Chernyshev
  • Bryan Lee
  • Fritz Schaal
  • Justin Garrison
  • Mickaël Canévet
  • Nico Berlee
  • Pranav Patil
  • Alexis La Goutte
  • Andras BALI
  • Andrei Kvapil
  • Birger Johan Nordølum
  • Camillo Rossi
  • Christopher Puschmann
  • Daniil Kivenko
  • Dmitrii Sharshakov
  • Florian Ströger
  • Gregor Gruener
  • Jaakko Sirén
  • Jan Paul
  • Jean-Francois Roy
  • Joakim Nohlgård
  • Jonas Lammler
  • Lennard Klein
  • Matthew Sanabria
  • Michal Baumgartner
  • Olav Thoresen
  • Serge van Ginderachter
  • Skye Soss
  • Spencer Smith
  • Sébastien Masset
  • Tim Jones
  • Utku Ozdemir
  • arita
  • dataprolet
  • drew
  • eseiker
  • greenpsi
  • lmacka
  • pranav767
Changes
221 commits

  • 009f0d6ca chore: update pkgs
  • ba56b0295 feat: include hid-multitouch.ko kernel module in rootfs
  • ae29a0dcc feat: update Linux to 6.18.13
  • 7cf1de279 fix: bring in new version of go-cmd and go-blockdevice
  • c8800b41e fix: update path handling on talosctl cgroups
  • 0a7b6eb2c chore: test extensions
  • 8b1c974a2 refactor: drop termui-widgets library
  • 5baa0028e fix: add owning inventory annotation to talos manifests
  • d3e793d14 fix: stop Kubernetes client from dynamically reloading the certs
  • 6a5a0e3bd feat: support pattern link aliases
  • 9758bd4fe feat: update Go to 1.26
  • e00aed0f6 feat: update Kubernetes v1.36.0-alpha.1
  • f20445ad0 chore: improve logging of disk encryption handling
  • f018fbe7b fix: handle raw encryption keys with \n properly
  • e5b0eb017 fix: hold user volumes root mountpoint
  • 8a0e79774 refactor: split locate and provision
  • a59db0e92 fix: improve OpenStack bare metal network configuration reliability
  • 659009ad8 fix: remove stale endpoints
  • dab0d4783 fix: allow static hosts in /etc/hosts without hostname
  • 45f214154 feat: update go-kubernetes to use new Myers diff
  • 35ad0448c fix: switch to better Myers algorithm implementation
  • 0048464be feat: update etcd to v3.6.8
  • 5df10f260 fix: use mcopy instead of diskfs to populate VFAT
  • ce53ffa90 fix: disks flag parsing and handling in create qemu command
  • 3bd3dd7ca fix: memory overuse in imager VFAT
  • f118ee47e fix: read multi-doc machine config with newer talosctl
  • 70c6c2154 feat: add filter for KubeSpan advertised networks
  • daf18abf4 fix: fix talosctl debug in enforcing mode
  • 33b5b2565 fix: ignore volumes in wave calculation without provisioning
  • a16392559 feat: add explicit service account support to Talos client
  • 4d531884e chore: update dependencies
  • 406b8c83c feat: update doc links to docs.siderolabs.com
  • 87615f551 feat: implement network policies with Flannel CNI
  • 6995bc1b1 chore: update homebrew formula on release
  • 7942d5a98 fix: image gc controller config
  • 52e8727d0 feat: add IPv6 GRE support
  • 9690dbad0 chore: bump tools (including linter)
  • 2628eb2ec fix: typo with rpi_5 profile name
  • d5ebcd7ca fix: stop building talosctl debug on Windows
  • 8b85c7c63 chore: update deps
  • d905035b5 fix: swap volume configuration for min/max size
  • d43a01ccb feat: implement talosctl debug
  • 34a31c979 feat: add mount options support for existing volumes
  • 1bf95eed1 feat: improve dashboard uptime display
  • 055add7ae release(v1.13.0-alpha.1): prepare release
  • 900516e68 chore: update image signer
  • 938de566e feat: bump kernel
  • 388cec727 feat(overlays): add new overlays
  • 9f2dd6312 refactor: api tests
  • a90783146 feat: add a helper module to generate standard patches
  • 1fec5b23d fix: implement merger for PercentageSize
  • 8b245b8f2 feat: implement new image service APIs
  • d90c775b8 chore: rename internal talosctl debug air-gapped
  • 2165280d0 refactor: change the way one2many proxying is picked
  • b1b703dbe chore: move sync logging code to go-kubernetes package
  • e48c6d7ab fix: allow to expose a port multiple times in Docker
  • 410d8cb57 fix: undo CRLF on Windows (talosctl edit)
  • 859d3f03c feat: add RPi5 to the list of supported SBCs
  • 0bd48bbc6 fix(talosctl): pass --k8s-endpoint flag to rotate-ca kubernetes rotation
  • b9e27ebe7 feat: update Linux kernel with dm-integrity
  • 6aa9b0677 fix: skip empty documents on config decoding
  • 494492489 fix: always set advertised peer URLs
  • 782cc507d fix: open the filesystem as read-only
  • 28e61a740 fix: set GRUB prefix correctly on arm64
  • a4f1c5239 feat: update GRUB to 2.14
  • 562920701 fix: use node podCIDRs for kubespan advertiseKubernetesNetworks
  • 39460365c feat: implement layering for ProbeSpec
  • b5c760f70 feat: add ProbeConfig for network connectivity probes
  • 4b274f761 feat: support aws cert manager in imager
  • 417209512 fix: fallback to /proc/meminfo for memory modules
  • 7f1147bed fix: add warnings to 802.3ad bond
  • ddd6b186e refactor: generate GRUB images
  • c7aa266ea fix: overwrite resolver config with machine config
  • cf70f05fa fix: oracle platform file format
  • 8c7b8f5b7 feat: add support for negative max size
  • 77bc3d21f fix: marshal of FailOverMac property
  • 38e280c93 fix: make OOM expression a bit less sensitive
  • 3d1301640 fix: wipe the first/last 1MiB in addition to wiping by signatures
  • 1aa6528ad fix: make OOM controller more precise by considering separate cgroup PSI
  • f7072c050 fix: check if the device is not mounted when wiping
  • 743c3b94b fix: use correct containerd import path
  • f2dd08594 feat: report image pull progress in the console
  • 72fe98a06 fix: boot with GRUB
  • d4ed13d93 fix: add talos version to Hetzner Cloud client user agent
  • 150c41c30 feat: update Linux to 6.18.5
  • 01a367891 fix: use append instead of prepend in service-account-issuer
  • d1954278a feat: add extraArgs from service-account-issuer
  • 91b88f7f9 feat: support multiple values for extraArgs
  • 96e604874 fix: add hostname to endpoints
  • 7033275a7 refactor: move BootloaderKind into machinery
  • 71adaf0ea fix: sort mirrors and tls configs when generating the machine config
  • 34f09a300 feat: add VLAN support to OpenStack platform
  • 5127ef7c2 fix: wipe disk by signatures
  • 415bfaedb fix: panic in configpatcher when the whole section is missing
  • e5aca71cd fix: fix healthcheck timeout
  • 634b71e2d docs: move talosctl pcap example to Example Block
  • 818492731 feat: implement KubeSpan multi-document configuration
  • 4d0604b9d chore: remove unrelated machineconfig
  • e36863470 feat: add it87 hwmon module
  • 308c75090 fix: resolve SideroLink Wireguard endpoint on reconnect
  • e4ef494de fix: drop the persist config flag from gen config
  • c3176adcf feat: add Environment

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
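
The KubeSpan release note above requires excludeAdvertisedNetworks to be symmetric across peers. The following Go check is an added example, not part of this PR or of Talos: it takes a constructed map of node name to excluded CIDRs (node names and addresses are made up) and reports every prefix that one peer excludes and another does not. It compares canonicalized prefixes exactly, which is stricter than the note strictly requires, and so goes slightly beyond the text.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Mismatch records a prefix that peer Has excludes from KubeSpan
// while peer Lacks does not, i.e. an asymmetric exclusion.
type Mismatch struct {
	Prefix netip.Prefix
	Has    string
	Lacks  string
}

// normalize parses CIDR strings into a set of canonical (masked) prefixes,
// so that "10.10.0.5/16" and "10.10.0.0/16" compare equal.
func normalize(cidrs []string) (map[netip.Prefix]struct{}, error) {
	set := make(map[netip.Prefix]struct{}, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %w", c, err)
		}
		set[p.Masked()] = struct{}{}
	}
	return set, nil
}

// AsymmetricExclusions compares the exclusion lists of every ordered pair
// of peers and returns the prefixes present on one side only.
// An empty result means all peers exclude exactly the same networks.
// Assumption: exact set equality is used; equivalent but differently
// aggregated lists (one /23 versus two /24s) are reported as mismatches.
func AsymmetricExclusions(peers map[string][]string) ([]Mismatch, error) {
	names := make([]string, 0, len(peers))
	sets := make(map[string]map[netip.Prefix]struct{}, len(peers))
	for name, cidrs := range peers {
		set, err := normalize(cidrs)
		if err != nil {
			return nil, fmt.Errorf("peer %s: %w", name, err)
		}
		sets[name] = set
		names = append(names, name)
	}
	sort.Strings(names)

	var out []Mismatch
	for _, a := range names {
		for _, b := range names {
			if a == b {
				continue
			}
			for p := range sets[a] {
				if _, ok := sets[b][p]; !ok {
					out = append(out, Mismatch{Prefix: p, Has: a, Lacks: b})
				}
			}
		}
	}
	// Map iteration order is random; sort for stable reports.
	sort.Slice(out, func(i, j int) bool {
		if out[i].Has != out[j].Has {
			return out[i].Has < out[j].Has
		}
		if out[i].Lacks != out[j].Lacks {
			return out[i].Lacks < out[j].Lacks
		}
		return out[i].Prefix.String() < out[j].Prefix.String()
	})
	return out, nil
}

func main() {
	// Constructed sample: worker-2 is missing the 10.10.0.0/16 exclusion.
	peers := map[string][]string{
		"cp-1":     {"192.168.50.0/24", "10.10.0.5/16"},
		"worker-1": {"192.168.50.0/24", "10.10.0.0/16"},
		"worker-2": {"192.168.50.0/24"},
	}
	mismatches, err := AsymmetricExclusions(peers)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, m := range mismatches {
		fmt.Printf("%s excludes %s but %s does not\n", m.Has, m.Prefix, m.Lacks)
	}
}
```

Running a check like this against the rendered machine configs before merging the upgrade catches a node whose traffic to a peer would leave the KubeSpan tunnel in one direction only.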

@renovate renovate Bot changed the title chore(deps): update dependency talos to v1.11.4 chore(deps): update dependency talos to v1.11.5 Nov 6, 2025
@renovate renovate Bot force-pushed the feature/renovate-talos-1.x branch from 1a8c50b to f2a4c96 Compare November 6, 2025 19:32
@renovate renovate Bot changed the title chore(deps): update dependency talos to v1.11.5 chore(deps): update dependency talos to v1.11.6 Dec 16, 2025
@renovate renovate Bot force-pushed the feature/renovate-talos-1.x branch 2 times, most recently from 882a125 to 7891b40 Compare December 22, 2025 21:51
@renovate renovate Bot changed the title chore(deps): update dependency talos to v1.11.6 chore(deps): update dependency talos to v1.12.0 Dec 22, 2025
@renovate renovate Bot changed the title chore(deps): update dependency talos to v1.12.0 chore(deps): update dependency talos to v1.12.1 Jan 5, 2026
@renovate renovate Bot force-pushed the feature/renovate-talos-1.x branch from 7891b40 to bf83e5f Compare January 5, 2026 15:57
@renovate renovate Bot force-pushed the feature/renovate-talos-1.x branch from bf83e5f to b32ff15 Compare January 22, 2026 12:54
@renovate renovate Bot changed the title chore(deps): update dependency talos to v1.12.1 chore(deps): update dependency talos to v1.12.2 Jan 22, 2026
@renovate renovate Bot force-pushed the feature/renovate-talos-1.x branch from b32ff15 to 6fcbbfd Compare February 7, 2026 21:26
@renovate renovate Bot changed the title chore(deps): update dependency talos to v1.12.2 chore(deps): update dependency talos to v1.12.3 Feb 7, 2026
@renovate renovate Bot force-pushed the feature/renovate-talos-1.x branch from 6fcbbfd to cc6fd44 Compare February 13, 2026 14:09
@renovate renovate Bot changed the title chore(deps): update dependency talos to v1.12.3 chore(deps): update dependency talos to v1.12.4 Feb 13, 2026
@renovate renovate Bot force-pushed the feature/renovate-talos-1.x branch from cc6fd44 to a6ee647 Compare March 9, 2026 19:47
@renovate renovate Bot changed the title chore(deps): update dependency talos to v1.12.4 chore(deps): update dependency talos to v1.12.5 Mar 9, 2026
@renovate renovate Bot changed the title chore(deps): update dependency talos to v1.12.5 chore(deps): update dependency talos to v1.12.6 Mar 19, 2026
@renovate renovate Bot force-pushed the feature/renovate-talos-1.x branch from a6ee647 to 64901ae Compare March 19, 2026 17:35
@renovate renovate Bot force-pushed the feature/renovate-talos-1.x branch from 64901ae to 1d0aaab Compare April 24, 2026 19:09
@renovate renovate Bot changed the title chore(deps): update dependency talos to v1.12.6 chore(deps): update dependency talos to v1.12.7 Apr 24, 2026