# What's New in Talos 1.13.0

> Discover the latest features and updates in Talos Linux 1.13.

For critical changes, refer to the [upgrade notes](../configure-your-talos-cluster/lifecycle-management/upgrading-talos).

## Important changes

### `talosctl debug`

Talos Linux now provides a way to run and attach to the [privileged debug container](../troubleshooting/talosctl-debug) with a user-provided container image.
The debug container can be used for troubleshooting and debugging.

### Container Image Signature Verification

Talos now supports machine-wide container [image signature verification](../security/verifying-image-signatures) via the new [`ImageVerificationConfig`](../reference/configuration/security/imageverificationconfig) machine config document.

Every image pulled on the node is verified against the configured rules; an image that matches no rule is pulled without verification.

### NVIDIA GPU Support

Talos switched to using CDI and now supports configuring NVIDIA GPUs via the gpu-operator Helm chart.
See the [upgrade notes](../configure-your-talos-cluster/lifecycle-management/upgrading-talos#nvidia-gpu-users)
for more details on how to configure NVIDIA GPU support in Talos.

### Flannel CNI with Network Policy Support

Talos Linux now supports optionally deploying Flannel CNI with [network policy support](https://kubernetes.io/docs/concepts/services-networking/network-policies/) enabled.
The network policy implementation is [kube-network-policies](https://github.com/kubernetes-sigs/kube-network-policies/).

To enable Flannel CNI with network policy support, use the following machine configuration patch:

```yaml
cluster:
  network:
    cni:
      name: flannel
      flannel:
        kubeNetworkPoliciesEnabled: true
```

(If the cluster is already running, sync the bootstrap manifests after applying the patch to deploy the new CNI configuration.)

### Kubernetes Bootstrap Manifests

Talos now uses inventory-backed [server-side apply](https://kubernetes.io/docs/reference/using-api/server-side-apply/) when applying bootstrap manifests
(including `extraManifests` and `inlineManifests`).
Purging of unneeded manifests is automatically performed by [`talosctl upgrade-k8s`](../../../kubernetes-guides/advanced-guides/upgrading-kubernetes/).
The switch and the inventory backfill are automatic, and no action is needed from the user.

### Upgrade Flow

Talos now exposes install and upgrade operations via the `LifecycleService` API, enabling programmatic installs and upgrades through a single, consistent interface.
The legacy upgrade API is deprecated; new integrations should migrate to `LifecycleService` for future compatibility.

`talosctl` upgrades now route through `LifecycleService`, aligning CLI behavior with the new install/upgrade API and unifying the upgrade path.
This change is transparent to users but standardizes the backend used for upgrades.

One user-facing change is that the upgrade process (running new boot assets) now happens while the machine is still running workloads, followed by a machine reboot wrapped with
Kubernetes node drain and uncordon. Draining the node is now optional.

## Storage Subsystem

### External Volumes

Talos now supports virtiofs-based [external volumes](../configure-your-talos-cluster/storage-and-disk-management/disk-management/external) via the new
[ExternalVolumeConfig](../reference/configuration/block/externalvolumeconfig/)
document.

The virtiofs external volumes are not supported when SELinux is running in [enforcing mode](../security/selinux).

### Negative Max Volume Size

Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.

For example:

* a max size of "-10GiB" means the volume can grow to the available space minus 10GiB.
* a max size of "-25%" means the volume can grow to the available space minus 25%.

## Network Subsystem

### KubeSpan Configuration

A new `KubeSpanConfig` document has been introduced to configure KubeSpan settings.
It replaces and deprecates the previous method of configuring KubeSpan via the `.machine.network.kubespan` field.

The old configuration field will continue to work for backward compatibility.

KubeSpan now supports filtering of advertised networks using the `excludeAdvertisedNetworks` field in the `KubeSpanConfig` document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Note that routing must be symmetric for any
pair of peers: if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers
and any pair of their addresses, traffic should either go through KubeSpan in both directions or in neither, never in only one direction.
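The symmetry requirement can be checked before rollout by comparing the exclusion lists of every pair of peers. The following is an added example, not code from Talos: the function names, the node names and the sample CIDRs are constructed, and the input is assumed to be each node's `excludeAdvertisedNetworks` list collected by the operator.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// covered reports whether list holds p itself or a wider prefix enclosing it.
func covered(p netip.Prefix, list []netip.Prefix) bool {
	for _, q := range list {
		if q.Bits() <= p.Bits() && q.Contains(p.Addr()) {
			return true
		}
	}
	return false
}

// AsymmetricExclusions lists networks excluded by one peer but not another.
func AsymmetricExclusions(peers map[string][]string) ([]string, error) {
	parsed, names := map[string][]netip.Prefix{}, []string{}
	for name, cidrs := range peers {
		names = append(names, name)
		for _, c := range cidrs {
			p, err := netip.ParsePrefix(c)
			if err != nil {
				return nil, fmt.Errorf("peer %s: %w", name, err)
			}
			parsed[name] = append(parsed[name], p.Masked())
		}
	}
	sort.Strings(names) // deterministic report order
	var findings []string
	for _, a := range names {
		for _, b := range names {
			for _, p := range parsed[a] {
				if a != b && !covered(p, parsed[b]) {
					findings = append(findings, fmt.Sprintf("%s excludes %s, %s does not", a, p, b))
				}
			}
		}
	}
	return findings, nil
}

func main() {
	// Constructed sample: node name -> its excludeAdvertisedNetworks entries.
	peers := map[string][]string{"cp-1": {"10.96.0.0/12", "192.168.50.0/24"}, "worker-1": {"10.96.0.0/12"}}
	fmt.Println(AsymmetricExclusions(peers))
}
```

A network that the other peer excludes only as a set of narrower prefixes is still reported, so findings of that kind need a manual look.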

### LinkAliasConfig Pattern-Based Multi-Alias

[`LinkAliasConfig`](../reference/configuration/network/linkaliasconfig/) now supports pattern-based alias names using the `%d` format verb (e.g. `net%d`).

When the alias name contains a `%d` format verb, the selector is allowed to match multiple links.
Each matched link receives a sequential alias (e.g. `net0`, `net1`, ...) based on hardware address order
of the links. Links already aliased by a previous config are automatically skipped.

This enables creating stable aliases from any N links using a single config document,
useful for `BondConfig` and `BridgeConfig` member interfaces on varying hardware.

### ProbeConfig

The [`TCPProbeConfig`](../reference/configuration/network/tcpprobeconfig/) configuration document configures TCP probes for network reachability checks.
This makes it possible to define a custom connectivity condition instead of the Talos default condition (whether a default gateway exists).

### ResolverConfig

The nameservers configuration in [machine configuration](../reference/configuration/network/resolverconfig/) now overwrites any previous layers (defaults, platform, etc.) when specified.
Previously a smart merge was performed to keep IPv4/IPv6 nameservers from lower layers if the machine configuration specified only one type.

### Routing Rules Support

Talos now supports configuring Linux routing rules via the new [`RoutingRuleConfig`](../reference/configuration/network/routingruleconfig/) machine config document.

### VRF Support

Talos now supports VRF (Virtual Routing and Forwarding) via the new [`VRFConfig`](../reference/configuration/network/vrfconfig/) machine config document.

## Kubernetes

### Component Configuration Extra Arguments

Several Talos configuration fields that previously accepted single string values for extra arguments have been updated to accept slices of strings as well.
This includes fields such as `.cluster.apiServer.extraArgs`.

> Note: If you were relying on the resources EtcdConfigs, KubeletConfigs, ControllerManagerConfigs, SchedulerConfigs or APIServerConfigs, the protobuf format has changed from `map<string,string>` to `map<string,message>`.

## Miscellaneous

### Linux Kernel built with ThinLTO

Talos now uses a kernel built with the Clang compiler and optimized using ThinLTO. This should bring a small performance improvement,
alongside some hardening features, such as BTI on supported ARM systems.

### Dynamic Linux Kernel Preemption Model

Talos Linux now defaults to the dynamic Linux kernel preemption model. The default value `none` matches
the previous version, but the preemption model can now be changed with the kernel argument `preempt=`.

See [Linux kernel documentation](https://docs.kernel.org/admin-guide/kernel-parameters.html) for more
information on supported values.

This change only applies to the amd64 (x86_64) architecture.

### Container Image Decompression

Talos now ships with `igzip` (amd64) and `pigz` (arm64) to speed up container image decompression.

### `/proc/PID/mem` Access Hardening

The kernel parameter `proc_mem.force_override=never` is now set by default to enhance system security
by preventing unwanted writes to protected process memory via `/proc/PID/mem`.
If the kernel parameter is removed, the default behavior is restored, allowing access only if the process is traced.

### Container Device Interface

Talos now enables [CDI](https://github.com/cncf-tags/container-device-interface) by default.
System extensions can bring in dynamic CDI spec files under `/run/cdi`.

### Resource Viewer in Interactive Dashboard

The [interactive dashboard](../deploy-and-manage-workloads/interactive-dashboard/) now includes a resource viewer screen, which provides a way to inspect the running Talos machine state when the video console is the only option
(e.g. when the network is not working and `talosctl` cannot be used).

### VM Hot-Add Support

Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.

### Talos Imager Enhancements

Talos [`imager`](../platform-specific-installations/boot-assets/#imager) can now run rootless.
The flags `--privileged` and `-v /dev:/dev` are no longer required for `docker run`.

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

### Image APIs Updated

Talos Linux provides new APIs to manage container images on the node: listing, pulling, importing and removing images.
The new pull APIs provide pull progress notifications.

The CLI commands `talosctl image pull`, `talosctl image list` and `talosctl image remove` have been updated to interact with the new APIs.

### Environment Configuration Document

A new [`EnvironmentConfig`](../reference/configuration/runtime/environmentconfig) document has been introduced to allow users to specify environment variables for Talos components.
It replaces and deprecates the previous method of setting environment variables via the `.machine.env` field.

Multiple values for the same environment variable will replace previous values, with the last one taking precedence.

To remove an environment variable, remove it from the `EnvironmentConfig` document and restart the node.

### Image Bundles

The `talosctl images k8s-bundle` command now accepts an optional version override argument.

The `talosctl images talos-bundle` command now accepts optional `--overlays` and `--extensions` flags.
If those are set to `false`, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

## Component Updates

* Linux: 6.18.24
* containerd: 2.2.3
* runc: 1.4.2
* etcd: 3.6.9
* CoreDNS: 1.14.2
* Kubernetes: 1.36.0
* CNI: 1.9.1
* Flannel CNI plugin: v1.9.1-flannel1
* Flannel: 0.28.2
* LVM2: 2_03_38
* systemd: 259.5
* cryptsetup: 2.8.3
* iptables: 1.8.12
* musl: 1.2.6

Talos is built with Go 1.26.2.

## Contributors

* Andrey Smirnov
* Mateusz Urbanek
* Noel Georgi
* Orzelius
* Mickaël Canévet
* Dmitrii Sharshakov
* Laura Brehm
* Artem Chernyshev
* Edward Sammut Alessi
* Fritz Schaal
* Max Makarov
* Andreas Freund
* Bryan Lee
* Justin Garrison
* Nico Berlee
* Pranav Patil
* Spencer Smith
* Utku Ozdemir
* Zadkiel AHARONIAN
* Alexis La Goutte
* Andras BALI
* Andreas Lüdeke
* Andrei Kvapil
* Birger Johan Nordølum
* Camillo Rossi
* Christopher Puschmann
* Daniil Kivenko
* David Orman
* Dominik Pitz
* Florian Ströger
* Gregor Gruener
* Jaakko Sirén
* Jan Paul
* Jean-Francois Roy
* Joakim Nohlgård
* Jonas Lammler
* Kai Zhang
* Kevin Tijssen
* Lennard Klein
* Matthew Sanabria
* Michal Baumgartner
* Olav Thoresen
* Serge van Ginderachter
* Skye Soss
* Stanley Chan
* Sébastien Masset
* Tim Jones
* arita
* dataprolet
* drew
* eseiker
* greenpsi
* lmacka
* pranav767
* pythoner6
