> ## Documentation Index
> Fetch the complete documentation index at: https://docs.siderolabs.com/llms.txt
> Use this file to discover all available pages before exploring further.

# What's New in Talos 1.10.0

> Discover the latest features and updates in Talos Linux 1.10.

export const VersionWarningBanner = () => {
  const latestVersion = "v1.13";
  const [latestUrl, setLatestUrl] = useState(null);
  const [currentVersion, setCurrentVersion] = useState(null);
  const [isBeta, setIsBeta] = useState(false);
  const parseVersion = v => v.replace("v", "").split(".").map(Number);
  const isGreaterVersion = (a, b) => {
    const [aMajor, aMinor] = parseVersion(a);
    const [bMajor, bMinor] = parseVersion(b);
    if (aMajor > bMajor) return true;
    if (aMajor === bMajor && aMinor > bMinor) return true;
    return false;
  };
  useEffect(() => {
    if (typeof window === "undefined") return;
    const {pathname, hash, search} = window.location;
    const match = pathname.match(/\/talos\/(v\d+\.\d+)\//);
    if (!match) return;
    const detectedVersion = match[1];
    if (detectedVersion === latestVersion) return;
    setCurrentVersion(detectedVersion);
    if (isGreaterVersion(detectedVersion, latestVersion)) {
      setIsBeta(true);
    }
    const newPath = pathname.replace(`/talos/${detectedVersion}/`, `/talos/${latestVersion}/`);
    setLatestUrl(`${newPath}${search}${hash}`);
  }, []);
  if (!latestUrl || !currentVersion) return null;
  return <div className="not-prose sticky top-6 z-50 my-6">
      <div className="border border-yellow-500/30 bg-yellow-500/10 px-4 py-3 rounded-xl">
        <div className="text-sm">
          {isBeta ? <>
              ⚠️ You are viewing a <strong>beta version</strong> of Talos ({currentVersion}).
              This version may be unstable.
              <a href={latestUrl} className="ml-2 underline text-yellow-400 hover:text-yellow-300 font-medium">
                View latest stable version {latestVersion} →
              </a>
            </> : <>
              ⚠️ You are viewing an older version of Talos ({currentVersion}).
              <a href={latestUrl} className="ml-2 underline text-yellow-400 hover:text-yellow-300 font-medium">
                View the latest version {latestVersion} →
              </a>
            </>}
        </div>
      </div>
    </div>;
};

<VersionWarningBanner />

For critical changes, refer to the [upgrade notes](../configure-your-talos-cluster/lifecycle-management/upgrading-talos).

## Breaking Changes

### UEFI Boot

Talos 1.10 now uses the `systemd-boot` [bootloader](../platform-specific-installations/bare-metal-platforms/bootloader) and [Unified Kernel Images (UKIs)](https://uapi-group.org/specifications/specs/unified_kernel_image/) for UEFI systems.
Previously, this was limited to Secure Boot systems.
Upgrades from Talos 1.9 retain the existing bootloader, so this applies only to fresh installations.

UKIs bundle the kernel, initramfs, and kernel command line arguments into a single file, making kernel arguments unmodifiable without upgrading the UKI.
Consequently, the `.machine.install.extraKernelArgs` field in the machine config is ignored when using `systemd-boot`.

Ensure the correct platform-specific `installer` image is used during upgrades or installations, as it includes Talos-specific `talos.platform` arguments.
Tools like [Image Factory](https://factory.talos.dev/) and [Omni](https://www.siderolabs.com/platform/saas-for-kubernetes/) handle this automatically.
Image Factory now supports `<platform>-installer` images (e.g., `aws-installer` for Amazon EC2) with the appropriate kernel arguments.

### System Extensions

Starting with Talos 1.10, `.machine.install.extensions` is deprecated and has no effect.
The field remains for compatibility with older versions.
Use [Boot Assets](../platform-specific-installations/boot-assets) instead.
The `installer` image is now smaller as tools for host-side extension installation have been removed.

### `cgroups` v1

Talos no longer supports `cgroupsv1` in non-container mode.
The kernel argument `talos.unified_cgroup_hierarchy` is ignored.

> Note: Talos has defaulted to `cgroups` v2 for a long time, so this change should not impact most users.

## New Features

### User Volumes

Talos introduces [user disk volumes](../configure-your-talos-cluster/storage-and-disk-management/disk-management#user-volumes) via the [`UserVolumeConfig`](../reference/configuration/block/uservolumeconfig) machine config.
The `.machine.disks` field is deprecated but remains for backward compatibility.

### Driver Rebind

A new machine config, [`PCIDriverRebindConfig`](../reference/configuration/hardware/pcidriverrebindconfig), allows rebinding PCI device drivers to different targets.

### Ethernet Configuration

Talos now supports `ethtool`-style [Ethernet configuration](../networking/ethernet-config) via [`EthernetConfig`](../reference/configuration/network/ethernetconfig).
Interface status can be checked with `talosctl get ethernetstatus`.

### Dual-Boot Disk Images and ISOs

For x86, Talos provides dual-boot disk and ISO images that use GRUB for legacy BIOS and `systemd-boot` for UEFI.
On first boot, Talos determines the boot method and removes the unused bootloader.

For arm64, Talos now uses `systemd-boot`.
Secure Boot images exclusively use `systemd-boot` as Secure Boot is UEFI-only.

[Imager](../platform-specific-installations/boot-assets) supports bootloader selection when generating disk images:

```yaml theme={null}
output:
  kind: image
  imageOptions:
    bootloader: sd-boot # supported options are sd-boot, grub, dual-boot
```

### SELinux

Talos Linux by default now ships an experimental SELinux policy which protects the base operating system from unauthorized access.
The default SELinux mode is `permissive`, meaning that violations are logged but not enforced.
See [SELinux](../security/selinux) for details.

## Component Updates

* Linux: 6.12.24
* CNI plugins: 1.6.2
* runc: 1.2.6
* containerd: 2.0.5
* etcd: 3.5.20
* Flannel: 0.26.7
* Kubernetes: 1.33.0
* CoreDNS: 1.12.1

Talos is built with Go 1.24.2.

## Other Changes

### auditd

Disable Talos' built-in `auditd` service using the kernel parameter `talos.auditd.disabled=1`.

### iSCSI Initiator

Talos now generates `/etc/iscsi/initiatorname.iscsi` based on node identity, ensuring a deterministic IQN.
Update iSCSI targets to use the new IQN, which can be read with `talosctl read /etc/iscsi/initiatorname.iscsi`.

### NVMe NQN

Talos generates `/etc/nvme/hostnqn` and `/etc/nvme/hostid` based on node identity.
The NQN can be read with `talosctl read /etc/nvme/hostnqn`.

### Ingress Firewall

The Ingress Firewall now correctly filters access to Kubernetes NodePort services.

### `kube-apiserver` Authorization Config

The `.cluster.apiServer.authorizationConfig` field now respects the user-defined order of authorizers.
If `Node` and `RBAC` are not explicitly specified, they are appended to the end.

Example:

```yaml theme={null}
cluster:
  apiServer:
    authorizationConfig:
      - type: Node
        name: Node
      - type: Webhook
        name: Webhook
        webhook:
          connectionInfo:
            type: InClusterConfig
        ...
      - type: RBAC
        name: rbac
```

The `authorization-mode` CLI argument does not support this customization.

### Fully Bootstrapped Builds

Talos 1.10 is built using [\[Stageˣ\]](https://stagex.tools/), enhancing reproducibility, auditability, and security.
The root filesystem now uses a unified `/usr` structure, with other directories symlinking to `/usr/bin` and `/usr/lib`.
Third-party extensions must adjust their directories accordingly.