For critical changes, refer to the upgrade notes.

Important Changes

Network Configuration

Talos v1.12 introduces new network configuration documents. These follow the new “multi-doc” configuration concept and allow more granular machine configuration. Besides being more granular and flexible, the new documents can be applied at any time, including in maintenance mode, and can also be embedded into the boot image or supplied via the talos.config.early kernel command line argument. The new documents replace the previous network configuration under .machine.network, including:

This change does not affect KubeSpan configuration, which still resides under .machine.network. The previous configuration (.machine.network, with the exception of KubeSpan) is now deprecated but remains supported for backwards compatibility.

New User Volume Types

The UserVolumeConfig document has been extended with a new volumeType field to specify the type of user volume.

directory

When volumeType is set to directory, provisioning and filesystem operations are skipped and a directory is created under /var/mnt/<name>. The directory type enables lightweight storage volumes backed by a host directory, without a dedicated block device partition. When volumeType is set to directory:
  • A directory is created at /var/mnt/<name>
  • The provisioning, filesystem, and encryption sections are not allowed
Note: This mode provides no filesystem-level isolation, and because /var/mnt lives on the EPHEMERAL partition it shares that partition's capacity: a workload that fills the directory consumes space from everything else on EPHEMERAL. Do not use it for workloads that require predictable storage quotas.

disk

When volumeType is set to disk, Talos provisions a user volume on the disk that matches the diskSelector criteria. When volumeType is set to disk:
  • Size-specific settings are not allowed in the provisioning block (minSize, maxSize, grow)
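As an added example (not taken from the release notes), the two new volume types side by side as multi-doc UserVolumeConfig documents. The volume names and the diskSelector expression are illustrative assumptions; the rules they follow are the ones listed above.

```yaml
# Added example, not from the Talos release notes. Volume names and the
# diskSelector expression are illustrative assumptions.

# directory: a host directory on the EPHEMERAL partition, mounted at
# /var/mnt/scratch. The provisioning, filesystem and encryption sections
# are not allowed for this type, so the document carries none of them.
apiVersion: v1alpha1
kind: UserVolumeConfig
name: scratch
volumeType: directory
---
# disk: the whole matching disk is used, so the provisioning block may
# only select the disk; minSize, maxSize and grow are rejected here.
apiVersion: v1alpha1
kind: UserVolumeConfig
name: bulk
volumeType: disk
provisioning:
  diskSelector:
    match: disk.transport == "nvme" && !system_disk
filesystem:
  type: xfs
```

Both documents can be added to an existing machine configuration with talosctl patch machineconfig --patch-file, after which talosctl get volumestatus shows the resulting mounts under /var/mnt/<name>. Because a disk volume consumes the entire selected disk, keep the selector narrow enough that it cannot match the system disk.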

Disk Encryption

TPM Encryption

Talos versions prior to v1.12 used the PCR 7 state and signed policies locked to PCR 11 for TPM-based disk encryption. Talos now supports configuring which PCR states are used for TPM-based disk encryption via the options.pcrs field in the tpm section of the disk encryption configuration. If no options are specified, Talos defaults to using PCR 7 for backward compatibility with existing installations. This change improves compatibility with systems whose PCR 7 state varies because of UEFI Secure Boot configuration, and allows users to disable locking to the PCR 7 state entirely if desired. Signed PCR policies remain bound to PCR 11. Keep in mind what is given up: PCR 7 measures the UEFI Secure Boot policy (the SecureBoot variable and the PK, KEK, db and dbx contents), so without it a change to the Secure Boot keys no longer prevents the TPM from releasing the disk key, and the signed PCR 11 policy (bound to the measured UKI) becomes the only boot-state check. You can view the currently used PCRs with the talosctl get volumestatus <volume> -o yaml command.
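An added example (not from the release notes) of the new options.pcrs field on a VolumeConfig document for the STATE volume. The explicit [7] reproduces the default; the second document, on EPHEMERAL, assumes that an empty list is how the PCR 7 binding is switched off, which is an assumption about the field's semantics rather than something the notes state.

```yaml
# Added example, not from the Talos release notes.

# STATE: pin the TPM-sealed key to PCR 7 explicitly. This is what Talos
# uses when options.pcrs is omitted, so the behaviour matches upgrades
# from earlier releases; the signed PCR 11 policy still applies on top.
apiVersion: v1alpha1
kind: VolumeConfig
name: STATE
encryption:
  provider: luks2
  keys:
    - slot: 0
      tpm:
        checkSecurebootStatusOnEnroll: true
        options:
          pcrs: [7]
---
# EPHEMERAL: no PCR 7 binding (empty list assumed to mean "bind to
# none"). Unlocking is then gated only by the signed PCR 11 policy, so a
# change to the Secure Boot keys or db/dbx will not block the unlock.
# Use this only where PCR 7 is known to vary between boots on the
# platform, and verify the result with:
#   talosctl get volumestatus EPHEMERAL -o yaml
apiVersion: v1alpha1
kind: VolumeConfig
name: EPHEMERAL
encryption:
  provider: luks2
  keys:
    - slot: 0
      tpm:
        options:
          pcrs: []
```

After applying, check the PCR set reported by talosctl get volumestatus for each volume before relying on it; the configuration only describes the intended binding, and the status resource reports what was actually enrolled.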

Device Mapper Names

Talos Linux now consistently provides mapped names for encrypted volumes in the format /dev/mapper/luks2-<volume-id>. This change should not affect system or user volumes but allows for easier identification of encrypted volumes, particularly raw encrypted volumes.

Logging

The kernel log (dmesg) is now also available as the service log named kernel (accessible via talosctl logs kernel). Talos now stores system component logs in /var/log with automatic log rotation, keeping the two most recent log files. This change enables collecting logs from Talos just like any other Linux system.

GRUB Kernel Command Line

Talos Linux introduces a new machine configuration option, .machine.install.grubUseUKICmdline, to control whether GRUB should use the kernel command line provided by the boot assets (UKI) or the command line constructed by Talos itself (legacy behavior). This option defaults to true for new installations, meaning GRUB will use the command line from the UKI, making it easier to customize kernel parameters via boot asset generation. For existing installations upgrading to v1.12, this option defaults to false to preserve the legacy behavior. This change unifies the kernel command line across UEFI (systemd-boot) and BIOS (GRUB) boot modes.

CRI Registry Configuration

The CRI registry configuration in the v1alpha1 legacy machine configuration under .machine.registries is now deprecated but remains supported for backward compatibility. The new configuration documents RegistryMirrorConfig, RegistryAuthConfig, and RegistryTLSConfig should be used instead.

Out of Memory (OOM) Handling

Talos now includes a userspace OOM handler, which automatically evicts workloads based on memory pressure. The OOM handler can be configured via the OOMConfig document.

Kubernetes

API Server Cipher Suites

The Kubernetes API server in Talos has been updated to use a more secure set of TLS cipher suites by default. This aligns with the best practices documented in the CIS 1.12 benchmark. You can still expand the list of supported cipher suites via the cluster.apiServer.extraArgs."tls-cipher-suites" machine configuration field if needed; note that the flag takes the complete comma-separated list of suites the server will offer, so list every suite you want enabled, not only the additions.

etcd

The etcd container image is now pulled from registry.k8s.io/etcd instead of gcr.io/etcd-development/etcd.

Machine Configuration

Ethernet Configuration

The Ethernet configuration now includes a wakeOnLAN field to enable Wake-on-LAN (WOL) support. This field allows you to enable WOL and specify the desired WOL modes.

Deprecations

Talos now ignores the following machine configuration fields:
  • machine.features.rbac (locked to true)
  • machine.features.apidCheckExtKeyUsage (locked to true)
  • cluster.apiServer.disablePodSecurityPolicy (locked to true)
These fields were removed from the default machine configuration schema in v1.12 and are now always set to the locked values listed above.

Embedding Machine Configuration

Talos Linux now supports embedding machine configuration directly into the boot image.

Miscellaneous

Extra Binaries

Talos Linux now includes the nft binary in the rootfs to support CNIs that invoke the nft command.

Talos Force Reboot

Talos now supports a “force” reboot mode, which allows you to skip graceful userland termination. This is useful when a userland service (e.g., the kubelet) becomes stuck during graceful shutdown, preventing the regular reboot flow from completing. Additionally, talosctl has been updated to support this feature via the talosctl reboot --mode force command.

Kernel Module Signature Verification

Talos now supports optionally disabling kernel module signature verification by setting the module.sig_enforce=0 kernel parameter. By default, kernel module signature verification is enabled (module.sig_enforce=1). When using Factory or Imager, supply the two kernel parameters -module.sig_enforce and module.sig_enforce=0: the leading dash removes the default module.sig_enforce=1 argument from the command line, and the second entry adds the replacement. This provides an easier way to load custom kernel modules, but it reduces system security: with enforcement off, anyone who obtains root on the host (or a container with CAP_SYS_MODULE) can load arbitrary, unsigned kernel code.

Kernel Self Protection Project (KSPP)

Talos now enables a stricter set of KSPP sysctl settings by default. You can view the list of overridden settings using the talosctl get kernelparamstatus command.

talosctl image cache-serve

talosctl includes a new image cache-serve subcommand. It allows you to serve the created OCI image registry over HTTP/HTTPS. It is a read-only registry, meaning images cannot be pushed to it; however, the backing storage can be updated by re-running the cache-create command. Additionally, talosctl image cache-create has some changes:
  • New flag --layout: accepts oci (default) or flat:
    • oci preserves the current behavior
    • flat does not repack the artifact layer but moves it to a destination directory, allowing it to be served by talosctl image cache-serve
  • Modified flag --platform: now accepts multiple OS/architecture combinations:
    • comma-separated (--platform=linux/amd64,linux/arm64)
    • multiple instances (--platform=linux/amd64 --platform=linux/arm64)

UEFI Boot

When using UEFI boot with systemd-boot as the bootloader (on new Talos installations from version 1.10 onwards), Talos will no longer modify the UEFI boot order. Talos 1.11 introduced a fix to create a UEFI boot entry and set it as the first boot entry; however, this behavior caused issues on some systems. To avoid further issues, Talos will now only create the UEFI boot entry if it does not exist and will not modify the boot order.

Component Updates

  • Linux: 6.18.0
  • Kubernetes: 1.35.0
  • CNI Plugins: 1.8.0
  • cryptsetup: 2.8.1
  • LVM2: 2_03_37
  • systemd-udevd: 257.8
  • runc: 1.3.4
  • CoreDNS: 1.13.1
  • etcd: 3.6.6
  • Flannel: 0.27.4
  • Flannel CNI plugin: v1.8.0-flannel2
  • containerd: 2.1.5
Talos is built with Go 1.25.5.

Contributors

  • Andrey Smirnov
  • Mateusz Urbanek
  • Noel Georgi
  • Dmitrii Sharshakov
  • Amarachi Iheanacho
  • Orzelius
  • Laura Brehm
  • Oguz Kilcan
  • Justin Garrison
  • Artem Chernyshev
  • Utku Ozdemir
  • Bryan Lee
  • Edward Sammut Alessi
  • George Gaál
  • Jorik Jonker
  • Michael Smith
  • Nicole Hubbard
  • 459below
  • Adrian L Lange
  • Alp Celik
  • Andrew Longwill
  • Birger Johan Nordølum
  • Chris Sanders
  • Dmitry
  • Febrian
  • Florian Grignon
  • Fred Heinecke
  • Giau. Tran Minh
  • Grzegorz Rozniecki
  • Guillaume LEGRAIN
  • Hector Monsalve
  • Joakim Nohlgård
  • Lennard Klein
  • Markus Freitag
  • Max Makarov
  • Mike Beaumont
  • Misha Aksenov
  • MrMrRubic
  • Olivier Doucet
  • Pranav
  • Sammy ETUR
  • Serge Logvinov
  • Serge van Ginderachter
  • Skye Soss
  • Skyler Mäntysaari
  • SuitDeer
  • Tom
  • aurh1l
  • frozenprocess
  • frozensprocess
  • kassad
  • leppeK
  • samoreno
  • theschles
  • winnie