Breaking Changes
UEFI Boot
Talos 1.10 now uses the systemd-boot bootloader and Unified Kernel Images (UKIs) for UEFI systems.
Previously, this was limited to Secure Boot systems.
Upgrades from Talos 1.9 retain the existing bootloader, so this applies only to fresh installations.
UKIs bundle the kernel, initramfs, and kernel command line arguments into a single file, making kernel arguments unmodifiable without upgrading the UKI.
Consequently, the .machine.install.extraKernelArgs field in the machine config is ignored when using systemd-boot.
Ensure the correct platform-specific installer image is used during upgrades or installations, as it includes Talos-specific talos.platform arguments.
Tools like Image Factory and Omni handle this automatically.
Image Factory now supports <platform>-installer images (e.g., aws-installer for Amazon EC2) with the appropriate kernel arguments.
System Extensions
Starting with Talos 1.10, .machine.install.extensions is deprecated and has no effect.
The field remains for compatibility with older versions.
Use Boot Assets instead.
The installer image is now smaller as tools for host-side extension installation have been removed.
cgroups v1
Talos no longer supports cgroups v1 in non-container mode.
The kernel argument talos.unified_cgroup_hierarchy is ignored.
Note: Talos has defaulted to cgroups v2 for a long time, so this change should not impact most users.
New Features
User Volumes
Talos introduces user disk volumes via the UserVolumeConfig machine config.
The .machine.disks field is deprecated but remains for backward compatibility.
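The settings these notes mark as ignored or deprecated fail silently, so a hardening kernel argument can vanish without an error. The following pre-upgrade check is an added example, not code from Talos or these release notes; it assumes the machine config has already been parsed into a dict, and the function names, the `bootloader` parameter and the sample config are hypothetical.

```python
"""Flag machine-config fields that Talos 1.10 ignores or deprecates (added example)."""

def _get(cfg, path):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    node = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def lint_machine_config(cfg, bootloader="systemd-boot"):
    """Return (field, message) findings for a machine config parsed into a dict.

    `bootloader` is a hypothetical parameter: nodes upgraded from 1.9 keep their
    existing bootloader, so the caller states which one the node boots with.
    """
    findings = []
    kargs = _get(cfg, "machine.install.extraKernelArgs") or []
    if kargs and bootloader == "systemd-boot":
        findings.append((".machine.install.extraKernelArgs",
                         "ignored with systemd-boot: arguments are fixed in the UKI"))
    for arg in kargs:
        # Ignored whatever the bootloader, with or without a value.
        if arg.split("=", 1)[0] == "talos.unified_cgroup_hierarchy":
            findings.append(("talos.unified_cgroup_hierarchy",
                             "ignored: cgroups v1 is unsupported in non-container mode"))
    if _get(cfg, "machine.install.extensions"):
        findings.append((".machine.install.extensions",
                         "deprecated, no effect: use Boot Assets"))
    if _get(cfg, "machine.disks"):
        findings.append((".machine.disks", "deprecated: use UserVolumeConfig"))
    return findings

# Constructed sample config (not from the release notes).
SAMPLE = {"machine": {
    "install": {
        "disk": "/dev/sda",
        "extraKernelArgs": ["talos.unified_cgroup_hierarchy=0", "lockdown=confidentiality"],
        "extensions": [{"image": "registry.example/ext:placeholder"}],
    },
    "disks": [{"device": "/dev/sdb", "partitions": [{"mountpoint": "/var/mnt/data"}]}],
}}

if __name__ == "__main__":
    for field, message in lint_machine_config(SAMPLE):
        print(f"{field}: {message}")
```

With `bootloader="grub"` the whole-field finding for extraKernelArgs disappears, while the cgroup argument is still reported.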
Driver Rebind
A new machine config, PCIDriverRebindConfig, allows rebinding PCI device drivers to different targets.
Ethernet Configuration
Talos now supports ethtool-style Ethernet configuration via EthernetConfig.
Interface status can be checked with talosctl get ethernetstatus.
Dual-Boot Disk Images and ISOs
For x86, Talos provides dual-boot disk and ISO images that use GRUB for legacy BIOS and systemd-boot for UEFI.
On first boot, Talos determines the boot method and removes the unused bootloader.
For arm64, Talos now uses systemd-boot.
Secure Boot images exclusively use systemd-boot as Secure Boot is UEFI-only.
Imager supports bootloader selection when generating disk images:
SELinux
Talos Linux by default now ships an experimental SELinux policy which protects the base operating system from unauthorized access. The default SELinux mode is permissive, meaning that violations are logged but not enforced.
See SELinux for details.
Component Updates
- Linux: 6.12.24
- CNI plugins: 1.6.2
- runc: 1.2.6
- containerd: 2.0.5
- etcd: 3.5.20
- Flannel: 0.26.7
- Kubernetes: 1.33.0
- CoreDNS: 1.12.1
Other Changes
auditd
Disable Talos’ built-in auditd service using the kernel parameter talos.auditd.disabled=1.
iSCSI Initiator
Talos now generates /etc/iscsi/initiatorname.iscsi based on node identity, ensuring a deterministic IQN.
Update iSCSI targets to use the new IQN, which can be read with talosctl read /etc/iscsi/initiatorname.iscsi.
NVMe NQN
Talos generates /etc/nvme/hostnqn and /etc/nvme/hostid based on node identity.
The NQN can be read with talosctl read /etc/nvme/hostnqn.
Ingress Firewall
The Ingress Firewall now correctly filters access to Kubernetes NodePort services.
kube-apiserver Authorization Config
The .cluster.apiServer.authorizationConfig field now respects the user-defined order of authorizers.
If Node and RBAC are not explicitly specified, they are appended to the end.
Example:
The authorization-mode CLI argument does not support this customization.
Fully Bootstrapped Builds
Talos 1.10 is built using Stageˣ, enhancing reproducibility, auditability, and security. The root filesystem now uses a unified /usr structure, with other directories symlinking to /usr/bin and /usr/lib.
Third-party extensions must adjust their directories accordingly.