v1.11.0-beta.1

[smira]

Talos 1.11.0-beta.1 (2025-08-04)

Welcome to the v1.11.0-beta.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Azure

Talos on Azure now defaults to MTU of 1400 bytes for the eth0 interface to avoid packet fragmentation issues.
The default MTU can be overriden with machine configuration.

Boot

Talos increases the boot partition size to 2 GiB to accommodate larger images (with many system extensions included).

Kernel Command Line

Talos now exposes the kernel command line as a KernelCmdline resource (talosctl get cmdline).

Disk Encryption

Disk encryption for system volumes is now managed by the VolumeConfig machine configuration document.
Legacy configuration in valpha1 machine configuration is still supported.

New per-key option lockToSTATE is added to the VolumeConfig document, which allows to lock the volume encryption key to the secret salt in the STATE volume.
So, if the STATE volume is wiped or replaced, the volume encryption key will not be usable anymore.

Disk Wipe

Talos now supports talosctl disk wipe command in maintenance mode (talosctl disk wipe <disk> --insecure).

Early Inline Configuration

Talos now supports passing early inline configuration via the talos.config.early kernel parameter.
This allows to pass the configuration before the platform config source is probed, which is useful for early boot configuration.
The value of this parameter has same format as the talos.config.inline parameter, i.e. it should be base64 encoded and zstd-compressed.

ETCD downgrade API

Added ETCD downgrade API mimicking the ETCD API and etcdctl interfaces.
This API allows to downgrade ETCD cluster (storage format) to a previous version.

IMA support removed

Talos now drops the IMA (Integrity Measurement Architecture) support. This feature was not used in Talos for any meaningful security purpose
and has historically caused performance issues. See #11133 for more details.

Kubernetes Version Validation

Talos now validates Kubernetes version in the image submitted in the machine configuration.
Previously this check was performed only on upgrade, but now it is consistently applied to upgrade, initial provisioning, and machine configuration updates.

This implies that all image references should contain the tag, even if the image is pinned by digest.

Qemu provisioner on MacOS

On MacOS talosctl cluster create command now supports the Qemu provisioner in addition to the Docker provisioner.

Kernel Modules

Talosctl now returns the loaded modules, not the modules configured to be loaded (talosctl get modules).

SBOM

Talos now publishes Software Bill of Materials (SBOM) in the SPDX format.

Swap Suport

Talos now supports swap on block devices.
This feature can be enable by using SwapVolumeConfig document in the machine configuration.

Component Updates

Linux: 6.12.40
Kubernetes: 1.34.0-beta.0
runc: 1.3.0
etcd: 3.6.4
containerd: 2.1.4
Flannel CNI plugin: 1.7.1-flannel1
Flannel: 0.27.2
CoreDNS: 1.12.2
xfsprogs: 6.15.0
systemd-udevd and systemd-boot: 257.7
lvm2: 2.03.33
cryptsetup: 2.8.0

Talos is built with Go 1.24.5.

VMware

Talos VMWare platform now supports arm64 architecture in addition to amd64.

Volumes

Talos now supports raw user volumes, allowing to allocate unformatted disk space as partition.
In addition to that, support for existing volumes has been added, allowing to mount existing partitions without formatting them.

Zswap Support

Talos now supports zswap, a compressed cache for swap pages.
This feature can be enabled by using ZswapConfig document in the machine configuration.

Contributors

• Andrey Smirnov
• Noel Georgi
• Dmitrii Sharshakov
• Orzelius
• Mateusz Urbanek
• Orzelius
• Justin Garrison
• Spencer Smith
• Steve Francis
• Till Hoffmann
• Utku Ozdemir
• Andrew Longwill
• Artem Chernyshev
• Michael Robbins
• Alexandre GV
• Marat Bakeev
• Olav Thoresen
• Thibault VINCENT
• Alvaro "Chamo" Linares Cabre
• Amarachi Iheanacho
• Brian Brookman
• Bryan Mora
• Clément Nussbaumer
• Damien
• David R
• Dennis Marttinen
• Dmitriy Matrenichev
• Joakim Nohlgård
• Jorik Jonker
• Justin Seely
• Luke Cousins
• Marco Mihai Condrache
• Markus Reiter
• Martyn Ranyard
• Michael Moerz
• Mike
• Oguz Kilcan
• Tan Siewert
• Tom Keur
• jvanthienen-gluo
• killcity
• yashutanu

Changes

247 commits

• 5a15ce88b release(v1.11.0-beta.1): prepare release
• 614ca2e22 fix: one more attempt to fix volume mount race on restart
• 4b86dfe6f feat: implement encryption locking to STATE
• 8ae76c320 feat: implement talos.config.early command line arg
• 19f8c605e docs: remove talos API flags from mgmt commands
• fa1d6fef8 feat: bootedentry resource
• 7dee810d4 fix: live reload of TLS client config for discovery client
• a5dc22466 fix: enforce minimum size on user volumes if not set explicitly
• 7836e924d feat: update containerd to 2.1.4
• 5012550ec feat: add F71808E watchdog driver
• 10ddc4cdd fix: grype scan
• d108e0a08 fix(ci): use a random suffix for ami names
• 504225546 fix: issues with reading GPT
• bdaf08dd4 feat: update PCI DB module to v0.3.2
• 667dcebec test: wait for service account test job longer
• ae176a4b7 feat: update etcd to 3.6.4
• 201b6801f fix: issue with volume remount on service restart
• 2a911402b chore: tag aws snapshots created via ci with the image name
• d8bd84b56 docs: add SBOM documentation
• 7eec61993 feat: unify disk encryption configuration
• 4ff2bf9e0 feat: update etcd to v3.5.22
• 31a67d379 fix: do not download artifacts for cron Grype scan
• c6b6e0bb3 docs: rewrite the getting started and prod docs for v1.10 and v1.11
• ca1c656e6 chore(ci): add more nvidia test matrix
• 7a2e0f068 feat: sync pkgs, update Linux to 6.12.40
• 85e7989cf release(v1.11.0-beta.0): prepare release
• 3039162dc feat: update Flannel to v0.27.2
• 7e6052e63 feat: increase boot partition to 2 GiB
• cb7ca17bb feat: implement ExistingVolumeConfig
• a857c696f chore(machined): remove deprecated Endpoints
• a60101c55 fix: fill serial using helpers
• 5420e9979 refactor: output default selection for profiles
• 023a24cd4 test: use Grype to scan SBOM for vulnerabilities
• 96896fddb chore: build less images by default
• 75b5dec06 fix: sd-boot kexec with disk images
• 10546d6f8 feat: update Kuberentes 1.34.0-beta.0
• 3f35b83ae fix: ignore absent extensions SBOM directory
• 9920da3e1 feat: add etcd downgrade API
• c38682279 feat: bump pkgs and tools, read extensions' SBOMs, rekres
• 9c0d2706c docs: add release notes about v3.6.x bug
• d21994210 test: refactor various merge controller tests
• da5a4449f feat: implement raw volume support
• 41adda1cf docs: add secure boot setup mode note for Xen
• 993b4ade8 docs: fix typo in hugo config: pre-releaase
• 130b7fd6e test: fix flaky TestDNS
• 35b45ae6e feat(talosctl): support tpm operation on mac
• 24628db20 feat: update Kubernetes to v1.34.0-alpha.3
• ff68286d1 feat: include hwrandom modules
• a5b07c9a5 test: split tests and lint from the default pipeline
• a957ef416 feat: add SBOMs to the imager container
• 506212a71 feat: include AMD encrypted mem modules into base
• a966321cc fix: add more bootloader probe logs on upgrade
• b38fa568a feat: add validation for secrets bundle
• 2d89bcc71 feat: bump Linux, Go and other packages
• 0b8c180b8 fix: rename instances to referenceCount
• 378fe4f2f feat: support writing EFI boot order
• 9f0792632 fix: improve volume provisioning errors
• b8fcf3c71 fix: change module instance evaluation
• d680e560d docs: create FUNDING.yml
• 641505584 feat: support project quota support for user volumes
• 52656cc3c feat: allow taloscl disk wipe in maintenance mode
• 850579448 feat: export SBOM as resources
• 4f3a2ffab test: update unit-test runner
• d531b682c fix: provide FIPS 140-3 compliance
• 3e3129d36 feat: include packages into SBOM
• 54bd50be3 fix: talos endpoint might not be created in Kubernetes
• 8789a02c3 feat: present loaded kernel modules
• 33ecbaec6 test: update apply config tests
• 7d2fd390c chore: bump Talos version in the Image Factory CI pipeline
• de77f2142 docs: add example for fluentbit config
• 1f1f78106 fix: add limited retries for not found images
• 3d6a2c14e chore: generate and upload signatures on release
• 380141330 feat: expose kernel cmdline as a resource
• 4c6b3b14d docs: document disabling SELinux
• 3a6e5a71e feat: add talosctl mulitarch bundle image
• be671ee6d chore: add sbom step to the release pipeline
• 7fd0e8fc7 release(v1.11.0-alpha.3): prepare release
• 777335f23 chore: improve cloud image uploader resilience
• 14e5eee7d release(v1.11.0-alpha.2): prepare release
• 1e5a008f5 fix: hold user volume mount point across kubelet restarts
• cdad50590 docs: user volumes and kubernetes upgrade updates
• c880835c8 feat: implement zswap support
• 7f0300f10 feat: update dependencies, Kubernetes 1.34.0-alpha.2
• 61afbe3d2 docs: add vc4 documentation
• b9dbdc8e7 fix: etcd recover with multiple advertised addresses
• 19d94c357 feat: update Linux to 6.12.35, containerd to 2.1.3
• 44a1fc3b7 fix: treat context canceled as expected error on image pull
• 4da2dd537 feat: enforce Kubernetes version compatibility
• 6c7f8201a fix: set default MTU on Azure to 1400
• 091cd6989 docs: small yaml typo fix
• 66ecbd48f docs: update support matrix with omni version
• c948d7617 docs: minor fixes for creating kernel modules
• cc14c4a25 docs: add docs for creating kernel modules
• 93bcd3b56 docs: create SBOM for Go dependencies
• 38c4ce415 feat: add user-space InfiniBand modules
• 251dc934f feat: arm64 support for platform vmware
• 09b3ad577 feat: update containerd to 2.1.2
• 0767dd07b chore: enable --with-siderolink-agent on Darwin
• 9642198d7 fix: userspace wireguard library overrides
• 208f0763e chore: fix talosctl build on non-Linux hosts
• 87421af87 docs: expand documentation description
• d32ccfa59 feat: implement swap support
• 8f5cf81db docs: update kvm documentation
• 8e84c8b0f fix: nil pointer deref in quirk
• 6e74a3676 docs: aad ery basic details on how to run on scaleway
• 260d1bc9a fix: correctl close encrypted volumes
• 034ef42af fix: update siderolink library for wgtunnel panic fix
• 3035744a8 fix: correctly predict interface name on darwin
• cfcfad3c4 chore: move checkUnknownKeys function to github.com/siderolabs/gen
• 5ecc53c69 docs: add macos section to developing-talos.md
• b5b35307f chore: update Go to 1.24.4
• fde772d8d feat: update Flannel to 0.27.0
• 81ca27949 release(v1.11.0-alpha.1): prepare release
• 58a868e68 chore: fix renovate config, add release-gate label
• a59aaee84 feat: bump dependencies, Linux 6.12.31
• e954ee30a docs: typo correction: LongHorn -> Longhorn
• aab053394 fix: mashal resource byte slices as strings in YAML
• c7d4191e7 fix: rework the way CRI config generation is waited for
• 0114183de docs: update lastRelease to 1.10.3
• 938b0760a docs: update issue template
• 2a7b735b2 feat: drop IMA support
• 2d5a805b0 fix: typo in DiscoverdVolume spec
• 60c12bad9 feat: support nocloud include url userdata directive
• 0fd622c82 fix(talosctl): correct --help output for dashboard command
• a90c936a1 feat: support qemu provisioner on darwin
• 5322ca0d3 docs: update overlay docs
• a60b6322d fix(ci): drop nebula from extensions test
• dbbb59a67 docs: add note for default dataDirHostPath for Rook
• e26054378 docs: macos qemu provider
• 5d0224093 docs: use the cilium-cli image repo in the job installation manifest
• ff80e4cca docs: fix CIDR name
• a5fd15e8b fix(ci): reproducibility test
• 8f8963e50 docs: update Nexxen brand
• c6b86872d fix(ci): iso reproducibility file permissions
• 995a1dec4 chore: add a check for unsupported darwin flags
• 9db5d0c97 fix: nocloud metadata for hostname
• 3cf325654 feat: modularize more arm64 kernel
• 3524745cc fix: allow any PKI in Talos API
• f438cdb09 chore: use custom dhcpd server on macos qemu
• 11c17fb9a fix: metal-iso reproducibility
• 7fcb89ee3 chore: add darwin vmnet qemu support
• fc1237343 chore: clean up /usr/bin
• b551f32ce feat: update containerd to v2.1.1
• 67f4154f9 docs: update disk-management.md
• 0cb137ad7 fix: make disk size check work on old Talos
• 7c057edd5 fix: use vmdk-convert istead of qemu-img to create VMDK for OVA files
• cd618dad0 chore: update the go-blockdevice package
• 0b99631a0 fix: bump apid memory limit
• 5451f35b1 docs: update virtualbox
• bd4d202a5 refactor: bring owned.State from COSI to simplify tests
• 0b96df574 feat: update containerd to 2.1.0
• e1a939144 docs: fix formatting in disk encryption
• 7a817df1c docs: fix typo
• f35b213b2 test: fix DHCP unicast failures in QEMU environment
• 7064bbf05 docs: fix vmware factory URL
• 78c33bcdb feat: update default Kubernetes to v1.33.1
• da6795266 fix: disable automatic MAC assignment to bridge interfaces
• ca34adf58 chore(ci): drop azure keys
• ea5de19fa fix: selinux detection
• 52c76ea3a fix: consistently apply dynamic grpc proxy dialer
• aa9569e5d chore: refactor cluster create cmd flags
• 1161faa05 docs: fix typo in Cilium docs
• 164745e44 docs: remove preserve flag mention in upgrade notes
• 9a2ecbaaf fix: makefile operating system param
• 118aa69d6 chore: update cloud-image-uploader dependencies
• acdd721cf chore: dump qemu pachine ipam records on darwin
• bb9094534 chore: rotate aws iam credentials
• 0bfa4ae1b chore: update deps for cloud-image-uploader
• 956d7c71b chore: update sops keys
• e2f819d88 test: fix the process runner log collection
• fdac4cfb9 fix: upgrade go-kubernetes for DRA flag bug
• 09d88e1e8 test: fix some flaky tests
• ec1f41a94 chore: make qemu config server bind work on darwin
• 980f4d2b9 feat: bump dependencies
• 95259337e fix: k8s 1.32->1.33 upgrade check
• c3c326b40 fix: improve volume mounter automaton
• 918b94d9a refactor: rewrite disk size check
• ab7e693d7 chore: make qemu lb address bind work on darwin
• 97ceab001 fix: multiple logic issues in platform network config controller
• 46349a9df docs: remove azure image gallery instructions
• 0cfcdd3de docs: fix search on base talos.dev
• 78646b4e0 docs: add registryd debug command
• c6824c211 fix: deny apply config requests without v1alpha1 in "normal" mode
• 7df0408e4 fix: interactive installer config gen
• 881c5d62b fix: suppress duplicate platform config updates
• 66d77888e fix: replace downloaded asset paths correctly in cluster create cmd
• 6bd6c9b5a fix: generate iso greater than 4 gig
• ac140324e fix: skip PCR extension if TPM1.2 is found
• 09ef1f8a4 fix: ignore http proxy on grpc socket dial
• 22a72dc80 chore: split options between three structs
• 22c34a50f fix(ci): provision cron jobs
• b3b20eff3 fix: containerd crashing with sigsegv
• f7891c301 chore: calculate vmnet interface name preemptively
• ae87edffb fix: drop libseccomp from rootfs
• f74a805bb fix: do correct backoff for nocloud reconcile
• 01bb294af fix(ci): provision tests
• e4945be3b docs: add registryd debug command
• d8c670ad3 release(v1.11.0-alpha.0): prepare release
• ace44ea61 test: update hydrophone to 0.7.0
• 3a1163692 chore: cross platform qemu preflight checks
• 7914fb104 chore: move the create command to it's own package
• c8e619608 chore: prepare for release 1.11
• 1299aaa45 chore(ci): add extensions test for Youki runtime
• e50ceb221 docs: activate Talos 1.10 docs
• 9d12aaeb1 test: improve config patch test
• 106a656b6 chore: make qemu provider build on darwin
• 8013aa06c test: replace platform metadata test
• 2b89c2810 fix: relax etcd APIs RBAC requirements
• 1e677587c fix: preserve kubelet image suffix
• 62ab8af45 fix: disk image generation with image cache
• d60626f01 fix: handle encryption type mismatch
• a9109ebd0 feat: allow SideroLink unique token in machine config
• 2ff3a6e40 feat(kernel): add bcache kernel module to core talos
• fa95a2146 fix(ci): bios provision test
• f7c5b86be fix: sync PCR extension with volume provisioning lifecycle
• f90c79474 chore: show bound driver in pcidevices info
• 8db34624c fix: handle correctly changing platform network config
• 77c7a075b feat: update Kubernetes to 1.33.0
• 74f0c48c7 feat: add version compatibility for Talos 1.11
• c4fb7dad0 fix: force DNS runner shutdown on timeout
• c49b4836e docs: hetzner: add note about public iso
• 16ea2b113 docs: add what is new for 1.10
• be3f0c018 fix: fix Gvisor tests with containerd patch
• 37db132b3 chore(ci): add provision test with bios
• ec60b70e7 fix: set media type to OCI for image cache layer
• a471eb31b feat: update Linux 6.12.24, containerd 2.0.5
• 54ad5b872 fix: extension services logging to console
• 601f036ba docs: correct flannel extra args example
• ae94377d1 feat: support encryption config for user volumes
• 9616f6e8d docs: add caveat for kubespan and host ports
• a1d08a362 docs: fixes typo at OpenEBS Mayastor worker patches
• a91e8726e docs: add a dark theme
• c76189c58 fix: grub EFI mount point
• 4ca985c65 fix: grub efi platform install
• b31260281 docs: update storage.md
• 396a29040 feat: add new SBCs
• a902f6580 feat: update Flannel to v0.26.7
• 2bbefec1a docs: use cache in preview
• 6028a8d2d docs: update kubeprism.md
• e51a8ef8c fix: prefer new MountStatus resource
• d9c7e7946 docs: fix search
• b32fa029b feat: update Kubernetes to 1.33.0-rc.1
• f0ea478cb feat: support address priority
• 8cd3c8dc7 test: fix NVIDIA OSS tests
• 62f2d27cd docs: update virtualbox.md
• 141326ea3 docs: fix tabpane styling
• 134aa53cc feat: update base CoreDNS code in host DNS to 1.12.1

Changes since v1.11.0-beta.0

25 commits

• 5a15ce88b release(v1.11.0-beta.1): prepare release
• 614ca2e22 fix: one more attempt to fix volume mount race on restart
• 4b86dfe6f feat: implement encryption locking to STATE
• 8ae76c320 feat: implement talos.config.early command line arg
• 19f8c605e docs: remove talos API flags from mgmt commands
• fa1d6fef8 feat: bootedentry resource
• 7dee810d4 fix: live reload of TLS client config for discovery client
• a5dc22466 fix: enforce minimum size on user volumes if not set explicitly
• 7836e924d feat: update containerd to 2.1.4
• 5012550ec feat: add F71808E watchdog driver
• 10ddc4cdd fix: grype scan
• d108e0a08 fix(ci): use a random suffix for ami names
• 504225546 fix: issues with reading GPT
• bdaf08dd4 feat: update PCI DB module to v0.3.2
• 667dcebec test: wait for service account test job longer
• ae176a4b7 feat: update etcd to 3.6.4
• 201b6801f fix: issue with volume remount on service restart
• 2a911402b chore: tag aws snapshots created via ci with the image name
• d8bd84b56 docs: add SBOM documentation
• 7eec61993 feat: unify disk encryption configuration
• 4ff2bf9e0 feat: update etcd to v3.5.22
• 31a67d379 fix: do not download artifacts for cron Grype scan
• c6b6e0bb3 docs: rewrite the getting started and prod docs for v1.10 and v1.11
• ca1c656e6 chore(ci): add more nvidia test matrix
• 7a2e0f068 feat: sync pkgs, update Linux to 6.12.40

Changes from siderolabs/crypto

5 commits

• siderolabs/crypto@62a079b fix: update TLS config, add tests for TLS interactions
• siderolabs/crypto@c2b4e26 fix: remove code duplication and fix Ed255119 CA generation
• siderolabs/crypto@2a07632 fix: enforce FIPS-140-3 compliance
• siderolabs/crypto@17107ae fix: add generic CSR generator and OpenSSL interop
• siderolabs/crypto@53659fc refactor: split into files

Changes from siderolabs/discovery-client

3 commits

• siderolabs/discovery-client@0bffa6f fix: allow TLS config to be passed as a function
• siderolabs/discovery-client@09c6687 chore: fix project name in release.toml
• siderolabs/discovery-client@71b0c6d fix: add FIPS-140-3 strict compliance

Changes from siderolabs/gen

5 commits

• siderolabs/gen@044d921 feat: add xslices.Deduplicate
• siderolabs/gen@dcb2b74 feat: add panicsafe package
• siderolabs/gen@b36ee43 feat: make xyaml.CheckUnknownKeys public
• siderolabs/gen@3e319e7 feat: implement xyaml.UnmarshalStrict
• siderolabs/gen@7c0324f chore: future-proof HashTrieMap

Changes from siderolabs/go-circular

1 commit

• siderolabs/go-circular@5b39ef8 fix: do not log error if chunk zero was never written

Changes from siderolabs/go-kubernetes

4 commits

• siderolabs/go-kubernetes@7887034 feat: add checks for Kubernetes 1.34 removals
• siderolabs/go-kubernetes@657a74b feat: prepare for Kubernetes 1.34
• siderolabs/go-kubernetes@9070be4 fix: remove DynamicResourceAllocation feature gate
• siderolabs/go-kubernetes@8cb588b fix: k8s 1.32->1.33 upgrade check

Changes from siderolabs/go-pcidb

1 commit

• siderolabs/go-pcidb@9baca16 feat: update PCI DB to the latest version

Changes from siderolabs/pkgs

59 commits

• siderolabs/pkgs@a94734c feat: update containerd to 2.1.4
• siderolabs/pkgs@662c5a4 feat: enable F71808E watchdog driver
• siderolabs/pkgs@48afc2a fix: enable ISCSI IBFT
• siderolabs/pkgs@ddb7b5e feat: update Linux to 6.12.40
• siderolabs/pkgs@5616981 feat: enable bootloader control on amd64
• siderolabs/pkgs@4a840bc chore: allow more than one commit for a PR
• siderolabs/pkgs@e2fbfb1 feat: update tools/toolchain to 1.11.0
• siderolabs/pkgs@383bbb4 feat: update NVIDIA production to 570.158.01
• siderolabs/pkgs@853cf3a feat: bump e2fsprogs, ipxe, kspp, tools
• siderolabs/pkgs@a3f8281 feat: update Linux to 6.12.38
• siderolabs/pkgs@8ed84c5 feat: refactor HW_RANDOM configuration
• siderolabs/pkgs@108099f feat: enable AMD encrypted memory
• siderolabs/pkgs@c97d25e fix: remove erroneous PURLs
• siderolabs/pkgs@90f7c65 fix: bump bldr
• siderolabs/pkgs@a24b40e feat: update Linux to 6.12.36 and firmware
• siderolabs/pkgs@2537e61 docs: more SBOM metadata to cover whole Talos
• siderolabs/pkgs@0f4cbbc feat: update dependencies
• siderolabs/pkgs@9cec45c feat: add SBOM metadata for some packages
• siderolabs/pkgs@03bb94c feat: update dependencies
• siderolabs/pkgs@c613abd fix: iptables url
• siderolabs/pkgs@fae59df fix: download and copy hailo8 firmware
• siderolabs/pkgs@fadf1e2 feat: update containerd to 2.1.2
• siderolabs/pkgs@a0b0da1 feat: enable io.latency cgroup controller
• siderolabs/pkgs@0aaa07a feat: add hailort package
• siderolabs/pkgs@8555e94 chore: use ftpmirror for GNU sources
• siderolabs/pkgs@9fbe2b4 feat: update Go to 1.24.4
• siderolabs/pkgs@79bfa9e feat: update NVIDIA drivers to 570.148.08
• siderolabs/pkgs@c8b8bd8 feat: bump dependencies
• siderolabs/pkgs@54bf03e feat: update Linux to 6.12.31
• siderolabs/pkgs@93b3aaa feat: add patch for CephFS IMA performance regression
• siderolabs/pkgs@ebd6627 feat: disable IMA support
• siderolabs/pkgs@8aad53b feat: add CONFIG_NFT_CONNLIMIT to kernel
• siderolabs/pkgs@7a299fa feat: update Linux to 6.12.30
• siderolabs/pkgs@8c4603e feat: move more configs to modules on arm64
• siderolabs/pkgs@7b1183b feat(kernel): enable IB user-space management and RDMA
• siderolabs/pkgs@1b1430e fix: drop pcre2 binaries
• siderolabs/pkgs@487610c fix: drop broken symlinks
• siderolabs/pkgs@f31d518 fix: clean up some binaries
• siderolabs/pkgs@0f74b9b feat: update containerd to v2.1.1
• siderolabs/pkgs@89b4037 fix: tenstorrent pkg name
• siderolabs/pkgs@a14b544 chore: drop qemu-tools vmdk support
• siderolabs/pkgs@2563e47 feat: add tenstorrent package
• siderolabs/pkgs@2a1c42f fix(renovate): flannel config
• siderolabs/pkgs@bfa69a8 feat: add open-vmdk package
• siderolabs/pkgs@9f1ba1f fix: bring back updated containerd gvisor patch
• siderolabs/pkgs@1567cb6 feat: update Linux 6.12.28, firmware
• siderolabs/pkgs@9bc66e6 feat: update containerd to 2.1.0
• siderolabs/pkgs@c6b54e0 feat: enable zswap
• siderolabs/pkgs@4cd7084 feat: update dependencies
• siderolabs/pkgs@a3fcbf8 feat(kernel): enable panthor driver
• siderolabs/pkgs@74d1665 feat: update ZFS to 2.3.2
• siderolabs/pkgs@ddc866b feat: update Linux to 6.12.27
• siderolabs/pkgs@a347857 fix: build containerd with Go 1.23
• siderolabs/pkgs@74da85c fix: containerd build doesn't need seccomp
• siderolabs/pkgs@4effa05 fix: downgrade libseccomp to 2.5.5
• siderolabs/pkgs@9cea00b feat: update Linux to 6.12.25
• siderolabs/pkgs@cb108a5 feat(kernel): enable bcache module
• siderolabs/pkgs@d042432 fix: backport sandbox fix for Gvisor
• siderolabs/pkgs@fa625dc feat: update Linux 6.12.24, containerd 2.0.5

Changes from siderolabs/siderolink

3 commits

• siderolabs/siderolink@5f46f65 feat: handle panics in goroutines
• siderolabs/siderolink@d09ff45 fix: race in wait value
• siderolabs/siderolink@d2a79e0 fix: clean up device on failure

Changes from siderolabs/tools

10 commits

• siderolabs/tools@1d451f3 feat: update toolchain to 1.11.0
• siderolabs/tools@650b916 chore: bump toolchain, update names in SBOM
• siderolabs/tools@594704b feat: bump dependencies
• siderolabs/tools@4818702 docs: add SBOM metadata for packages copied to pkgs
• siderolabs/tools@542a03c feat: update dependencies
• siderolabs/tools@0554e87 chore: use ftpmirror for GNU sources
• siderolabs/tools@1dfd14b feat: update Go to 1.24.4
• siderolabs/tools@af3fd64 feat: update dependencies
• siderolabs/tools@e35234b feat: update dependencies
• siderolabs/tools@c96a4e6 chore: update toolchain to the latest version

Dependency Changes

• cloud.google.com/go/compute/metadata v0.6.0 -> v0.7.0
• github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 -> v1.18.1
• github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 -> v1.10.1
• github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates v1.3.1 -> v1.4.0
• github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 -> v1.4.0
• github.com/aws/aws-sdk-go-v2/config v1.29.14 -> v1.29.17
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 -> v1.16.32
• github.com/aws/aws-sdk-go-v2/service/kms v1.38.3 -> v1.41.2
• github.com/aws/smithy-go v1.22.3 -> v1.22.4
• github.com/containerd/containerd/api v1.8.0 -> v1.9.0
• github.com/containerd/containerd/v2 v2.0.5 -> v2.1.4
• github.com/containernetworking/plugins v1.6.2 -> v1.7.1
• github.com/cosi-project/runtime v0.10.2 -> v1.10.7
• github.com/detailyang/go-fallocate 432fa640bd2e new
• github.com/docker/cli v28.0.4 -> v28.3.3
• github.com/docker/docker v28.0.4 -> v28.3.3
• github.com/equinix-ms/go-vmw-guestrpc v0.1.1 new
• github.com/foxboron/go-uefi 69fb7dba244f -> a3183a1bfc84
• github.com/g0rbe/go-chattr v1.0.1 new
• github.com/google/cadvisor v0.52.1 -> v0.53.0
• github.com/google/cel-go v0.24.1 -> v0.26.0
• github.com/google/go-containerregistry v0.20.3 -> v0.20.6
• github.com/google/go-tpm v0.9.3 -> v0.9.5
• github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.1 -> v2.3.2
• github.com/hetznercloud/hcloud-go/v2 v2.21.0 -> v2.22.0
• github.com/jsimonetti/rtnetlink/v2 v2.0.3 -> v2.0.5
• github.com/klauspost/cpuid/v2 v2.2.10 -> v2.3.0
• github.com/linode/go-metadata v0.2.1 -> v0.2.2
• github.com/miekg/dns v1.1.65 -> v1.1.67
• github.com/pkg/xattr v0.4.10 -> v0.4.12
• github.com/prometheus/procfs v0.16.0 -> v0.17.0
• github.com/rivo/tview 949945f8d922 -> a4a78f1e05cb
• github.com/safchain/ethtool v0.5.10 -> v0.6.1
• github.com/scaleway/scaleway-sdk-go v1.0.0-beta.33 -> v1.0.0-beta.34
• github.com/siderolabs/crypto v0.5.1 -> v0.6.3
• github.com/siderolabs/discovery-client v0.1.11 -> v0.1.13
• github.com/siderolabs/gen v0.8.0 -> v0.8.5
• github.com/siderolabs/go-blockdevice/v2 v2.0.16 -> v2.0.19
• github.com/siderolabs/go-circular v0.2.2 -> v0.2.3
• github.com/siderolabs/go-kubernetes v0.2.21 -> v0.2.25
• github.com/siderolabs/go-pcidb v0.3.1 -> v0.3.2
• github.com/siderolabs/pkgs v1.10.0-5-g48dba3e -> v1.11.0-6-ga94734c
• github.com/siderolabs/siderolink v0.3.13 -> v0.3.15
• github.com/siderolabs/talos/pkg/machinery v1.10.0 -> v1.11.0-beta.1
• github.com/siderolabs/tools v1.10.0 -> v1.11.0
• github.com/spf13/pflag v1.0.6 -> v1.0.7
• go.etcd.io/etcd/api/v3 v3.5.21 -> v3.6.4
• go.etcd.io/etcd/client/pkg/v3 v3.5.21 -> v3.6.4
• go.etcd.io/etcd/client/v3 v3.5.21 -> v3.6.4
• go.etcd.io/etcd/etcdutl/v3 v3.5.21 -> v3.6.4
• golang.org/x/net v0.39.0 -> v0.42.0
• golang.org/x/oauth2 v0.29.0 -> v0.30.0
• golang.org/x/sync v0.13.0 -> v0.16.0
• golang.org/x/sys v0.32.0 -> v0.34.0
• golang.org/x/term v0.31.0 -> v0.33.0
• golang.org/x/text v0.24.0 -> v0.27.0
• golang.org/x/time v0.11.0 -> v0.12.0
• google.golang.org/grpc v1.71.1 -> v1.73.0
• k8s.io/api v0.33.0 -> v0.34.0-beta.0
• k8s.io/apimachinery v0.33.0 -> v0.34.0-beta.0
• k8s.io/apiserver v0.33.0 -> v0.34.0-beta.0
• k8s.io/client-go v0.33.0 -> v0.34.0-beta.0
• k8s.io/component-base v0.33.0 -> v0.34.0-beta.0
• k8s.io/cri-api v0.33.0 -> v0.34.0-beta.0
• k8s.io/kube-scheduler v0.33.0 -> v0.34.0-beta.0
• k8s.io/kubectl v0.33.0 -> v0.34.0-beta.0
• k8s.io/kubelet v0.33.0 -> v0.34.0-beta.0
• k8s.io/pod-security-admission v0.33.0 -> v0.34.0-beta.0
• k8s.io/utils 4c0f3b243397 new
• sigs.k8s.io/hydrophone b92baf7e0b04 -> v0.7.0
• sigs.k8s.io/yaml v1.4.0 -> v1.5.0

Previous release can be found at v1.10.0

Images

ghcr.io/siderolabs/flannel:v0.27.2
registry.k8s.io/coredns/coredns:v1.12.2
gcr.io/etcd-development/etcd:v3.6.4
registry.k8s.io/kube-apiserver:v1.34.0-beta.0
registry.k8s.io/kube-controller-manager:v1.34.0-beta.0
registry.k8s.io/kube-scheduler:v1.34.0-beta.0
registry.k8s.io/kube-proxy:v1.34.0-beta.0
ghcr.io/siderolabs/kubelet:v1.34.0-beta.0
ghcr.io/siderolabs/installer:v1.11.0-beta.1
registry.k8s.io/pause:3.10

---

This discussion was created from the release v1.11.0-beta.1.

[nberlee]

On a worker node with kubeprism enabled I have this error

 [talos] kubernetes endpoint watch error {"component": "controller-runtime", "controller": "k8s.EndpointController", "error": "failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io \"kubernetes\" is forbidden: User \"system:node:rk1-4\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" in the namespace \"default\""}

Endpointslices is a new one to me. I don't have the node error as I do have discovery without k8s enabled.
talosctl get members -n <thisnode> also works

Is this expected with Kubernetes 1.33 ? This happens to be on beta.0 and beta.1. I don't have 1.11 yet on my CP nodes. Maybe thats the problem. If so you may ignore it.

EDIT: Nevermind, I found this RBAC: https://github.com/siderolabs/talos/blob/a857c696faf6432b3e9d7ef338ae2e1cfc637301/internal/app/machined/pkg/controllers/k8s/templates/talos-nodes-rbac-template.yaml

[smira]

yes, Talos upgrade sequence should always start with a control plane machines.

This error is not critical though as long as you have Discovery Service enabled.

[smira]

Caution

This release contains a bug (#11502) which prevents machine boot with encrypted STATE. We will do a follow up beta.2 next week.