v1.14.0-alpha.1

[smira]

Talos 1.14.0-alpha.1 (2026-05-28)

Welcome to the v1.14.0-alpha.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

DNS over TLS (DoT) and DNS over HTTPS (DoH) Support

Talos now supports DNS over TLS (DoT) and DNS over HTTPS (DoH) for secure DNS resolution.
These features allow Talos to encrypt DNS queries and responses, enhancing privacy and security for DNS traffic.
The DNS protocol can be configured on a per-name server basis in the ResolverConfig document, allowing for flexible configuration of DNS resolution.

noexec on EPHEMERAL (/var)

The EPHEMERAL volume (/var) is now mounted with noexec in addition to the existing nosuid and nodev,
blocking binary execution from /var.

Workloads that exec binaries placed under /var will break.
For example, Longhorn v1's instance-manager exec's engine binaries the engine-image DaemonSet drops under /var/lib/longhorn/engine-binaries/,
which now fails with permission denied. Affected users can opt out via a VolumeConfig document:

apiVersion: v1alpha1
kind: VolumeConfig
name: EPHEMERAL
mount:
  secure: false

NOTE: Setting secure: false will also disable nosuid and nodev, which may have security implications. Use with caution.

Upgrade note: apply this VolumeConfig patch before upgrading, otherwise affected workloads will fail after the next reboot. Longhorn v2 (SPDK data engine) runs the data plane inside the instance manager process and is not affected.

Btrfs Support

Talos now supports mounting and provisioning btrfs filesystem for user volumes and existing volumes.

Support for btrfs is enabled by installing btrfs system extension.

Default Installer Image

The default installer image has been updated to use the Image Factory.
The ghcr.io/siderolabs/installer image is no longer published with releases; use the Image Factory installer image instead.

DHCP Search Domains

DHCPv4 search domains are now applied to the resolver configuration.

etcd

Talos is now compatible with etcd v3.6.x only (the default version was etcd 3.6.x since Talos v1.11).

Flannel CNI

Talos now configures Flannel with the EnableNFTables option enabled, which uses nftables native backend instead of iptables-nft compatibility layer.

Host DNS Configuration

HostDNS configuration was moved from the v1alpha1 config .machine.features.hostDNS field to the new hostDNS in the ResolverConfig document.

HTTP Probe Support

Talos now supports HTTP network probes, allowing for monitoring of HTTP endpoints.
HTTP responses with status 200-399 are considered successful, while connection and transport errors are treated as failures.

Image Cache Configuration

Talos now supports a new ImageCacheConfig document for configuring the Image Cache feature, replacing the old machine.features.imageCache field in the v1alpha1 config.
Old configuration is still supported for backwards compatibility.

Kubernetes Multi-document Configuration

Talos introduces new multi-document Kubernetes configuration, which allows for more flexible and modular configuration of Kubernetes components.
Talos still supports the old v1alpha1 config for backwards compatibility, but new features and fields will only be available in the new multi-document format.

List of changes:

• Deprecated .cluster.secretboxEncryptionSecret in the v1alpha1 config; use the KubeEtcdEncryptionConfig document for full etcd encryption configuration.
• Deprecated .cluster.controllerManager in the v1alpha1 config; use the KubeControllerManagerConfig document for kube-controller-manager configuration.
• Deprecated .cluster.scheduler in the v1alpha1 config; use the KubeSchedulerConfig document for kube-scheduler configuration.

LVM Status

Talos now provides detailed LVM status information, allowing for better monitoring and management of LVM volumes.
New resources LVMPhysicalVolumeStatus, LVMVolumeGroupStatus, and LVMLogicalVolumeStatus expose PV, VG, and LV details.
DiscoveredVolume resources for logical volumes are listed by their kernel name (e.g. dm-0). To resolve the <vg>/<lv> for a given device, use the Disks or BlockSymlinks resources, which carry the udev-managed symlinks (e.g. /dev/disk/by-id/dm-name-<vg>-<lv>).

LVM Wipe

Talos now provides the ability to securely wipe LVM metadata from logical volumes, volume groups, and physical volumes.
This feature allows for selective wiping of logical volumes, volume groups, and physical volumes.

With talosctl wipe lv/vg/pv <name>, users can wipe LVM metadata from a specific logical volume, volume group, or physical volume.

NTS for Time Synchronization

Talos now supports Network Time Security (NTS) for secure time synchronization.
This feature enhances the security of NTP by providing cryptographic authentication of time sources.

NTS is enabled by default (without any configuration sources) for the default time.cloudflare.com time server
NTS can be enabled for custom time servers via the new useNTS field in the TimeServerConfig document.

ICMP send_redirects Disabled by Default

Talos now sets net.ipv4.conf.all.send_redirects=0 and net.ipv4.conf.default.send_redirects=0 by default,
preventing the node from emitting ICMP redirect messages. This aligns with CIS Benchmark recommendations and
does not affect normal Kubernetes pod or service traffic. Nodes that deliberately act as L3 gateways relying
on ICMP redirects can override this via machine.sysctls.

TLS 1.3 Minimum Version

Talos now runs etcd and kube-apiserver with a minimum TLS version of 1.3, improving security by leveraging the latest TLS features and cipher suites.
Custom settings for cipher suites have been removed, as they are ignored when TLS 1.3 is used, which simplifies configuration and ensures the use of modern, secure defaults.

Component Updates

Linux: 6.18.33
Kubernetes: 1.36.1
containerd: 2.3.1

Talos is built with Go 1.26.3.

Contributors

• Andrey Smirnov
• Noel Georgi
• Mateusz Urbanek
• Utku Ozdemir
• Erwan Leboucher
• Maja Bojarska
• Lukasz Raczylo
• Orzelius
• Dmitrii Sharshakov
• Dmitriy Matrenichev
• Oguz Kilcan
• buckaroo
• immanuwell
• Ansgar Dahlen
• Artem Chernyshev
• Benoît Knecht
• David Orman
• Dharsan Baskar
• Edward Sammut Alessi
• Filip Boye-Kofi
• Kevin Tijssen
• Mickaël Canévet
• Nico Berlee
• YANG JOO WOONG
• Zadkiel AHARONIAN
• appkins
• kastakhov

Changes

220 commits

• 027c93d25 release(v1.14.0-alpha.1): prepare release
• 4eb862d09 feat: add LVMService for VG/LV/PV removal
• b88f16a52 fix: use POSIX shell idioms for error propagation
• 5290eb374 fix: suppress ICMP redirects by default
• 7b4aba2e5 fix: marshal kube-scheduler config correctly with int types
• 894be9bf5 fix: touch rootfs files with SOURCE_DATE_EPOCH
• cde82224e fix: ignore cgroups with zero rank in OOM handler
• bc0372411 fix: bring in a change to BCM2712_MIP
• f572c33f1 chore: fail on makefile error
• e317d4b47 fix: drop modprobe path and enforce usermode helper
• 89e53f610 fix(machined): make built-in mod state always 'permanent'
• cfbec9bd5 test: skip UEFI vars wipe if TPM is enabled
• 1e31deda3 fix: create parent directories when extracting tar archives
• 14dc188bd chore: verify go-containerregistry preserves symlinks
• 951922dfb fix: guard apply config API call
• 3e173adf4 feat: move kube-controller-manager config to multi-doc
• b5cda3438 fix: reset QEMU UEFI variable store when disk is wiped
• 4a17ac6ac chore: script for tracking fixes made in upstream toolchain/tools/pkgs
• d71edeead feat: add LVM status resource definitions
• 4aeba1cde fix: perform backwards-compatible kernel args cleanup
• 9b7b2bf36 feat: implement support for btrfs user volumes
• 03ee8ee3a feat(machined): support instance tags on Akamai
• d19f9ade0 fix: memorymodules resource reporting
• a6edcf6f3 chore: move out adv library
• 40e66eac7 fix: bump Go golang.org/x modules
• e23ca4a0a chore(ci): add upgrade tests for trustedboot
• e3003c0ec chore: bump tpm nonce size to match the algorithm used
• 8fd04da1f feat: add bnxt_re module to the rootfs
• 1cfab00f1 fix: update etcd experimental args
• ad96fc6ae fix: relax hostname config validation
• efd735334 chore(ci): add missing labels, move release metadata check to job
• 9ec045059 feat: update containerd to 2.3.1
• 42f4144a1 feat: introduce new KubeSchedulerConfig
• f2b7f39db refactor: move Args type out of config/v1alpha1
• b959dcb3e fix: bump Kubernetes to 1.36.1 in one more place
• 8ecc77f1a feat: update default Kubernetes version to 1.36.1
• cbd9c3745 chore: rekres to secure slack workflows
• 6a92fc653 test: update Canal version used in the tests
• be12d3d08 feat: support 4k sector size disk images
• a7e8f4c28 chore(ci): fix cloud image upload job name
• 4319399f6 feat: introduce more modular Linux kernel
• ed5df89f6 feat(ci): rotate credentials
• a6a984ff7 chore(ci): fix the job conditions
• ecb7d4588 feat: enable Flannel nftables mode
• 9919ff781 feat: update Linux to 6.18.32
• 1a7d136e4 feat: add Azure Secure Boot imager profile
• df68e7391 feat: implement kernel module status resource
• e98ee99d4 fix: streamline config validation flow
• d7f0a2fd4 feat: update Linux to 6.18.31
• 2b66e25a5 chore: update image signer
• 5aa1795f9 chore: drop e2e step dependencies
• d42b3b396 feat: update Linux to 6.18.30
• c3f6f3507 feat: implement static host resolving via host DNS
• 2f06a68ef refactor: split host DNS handler
• e99c5be5a feat: implement DNS over HTTP(S)
• cf6065238 chore: stop publishing installer to ghcr
• 0edabd29c fix: restore some shared (and some lower tier slave) mount propagation
• f1578dc63 fix: image verification issue with registry.k8s.io
• 46b1f8a24 fix: rework how scheduler config is marshaled
• 820a9fa59 chore: fix typos in comments
• 649a384a9 feat: move more kernel stuff to modules
• 4f3ab2012 chore(ci): try fixing homebrew action
• 600c0ab5d feat(ci): validate that extensions PKGS and TOOLS sync with talos
• 76080416b feat: redact more machine config secrets and audit redactors
• aabf63957 docs: drop controlplane endpoint examples
• b48a2bef4 test: relax kernel-default routing rule assertion
• d2208b034 refactor(talosctl): propagate command context throughout, handle interrupts
• 0760b5c28 fix: normalize source name for syft consistency
• c49ac0ec2 docs: document release policy
• ec7e6ef9f feat: bump in-toto indirect dependency
• 21858a674 feat: update kernel to 6.18.29
• 5a49dc61d feat: migrate Image Cache config to multi-doc
• 574298ec1 fix: handle empty GCP operation errors
• 366b10b79 feat: dockerfile improvements
• 9a1d9d0af feat: bump go 1.26.3
• 6eec1c229 feat: support DNS over TLS for upstream resolvers
• dee139aef feat: revert update CoreDNS to 1.14.3
• 087bc4c18 chore: lint packages under tools
• 9e7516fae fix: clarify documentation for image verification pattern
• 41c8e9dc4 feat: bump dependencies
• 2b6c06ef5 feat: update CoreDNS to 1.14.3
• 6b6f7978b feat: update containerd to 2.3.0
• f9c4f90da feat(ci): longhorn v2 ublk tests
• 84d169c62 fix: make dnsd retry listening
• 689974bd5 fix: volume mount permissions
• ff0f66bdf fix: skip reserved routing rule priorities
• 850e2c754 feat: drop fakeroot, use go helper
• 0c1bd701a feat: add golangci-lint fmt target
• 53bd66956 feat: support conditional start of IPv6 dns servers
• b31d93e0d feat: auto-enroll SecureBoot keys for disk images
• 849a68006 test: update pkgs to test new extensions
• c30a6dfcb fix: preserve DHCP DNS servers
• 5b81b20d3 feat: apply DHCP search domains
• 4e5ff8fa2 fix(ci): zfs test
• 14abe5140 fix: handle gateways which are not on-link routes in dhcp4
• e1f759af8 chore: fix lint issues automatically
• 664c5f643 chore: update tools
• c64df2b61 fix: add missing kernel modules in rootfs
• f73c24594 feat: run depmod with verification on rootfs build
• 1371596d7 fix: provide proper AWS platform metadata
• 4f11f021d feat: implement etcd encryption config (kube-apiserver)
• 876f83643 feat: add support for HTTP Probes
• 9b776d598 feat: update etcd to 3.6.11
• 631a1bc5e fix: bring in hardened kernel
• a349dac03 fix: stale discovered volume children
• 13ce01879 fix: re-enable kexec on arm64
• 32539d4ac fix: deadlock in the makefs ext4 with populated source
• 0f3e1966a fix: panic in Kubernetes manifest sync
• 3bae01ac1 fix: do not pick up a system disk from a loop device
• dedb7a96c fix(talosctl): protect k8sNames map writes with mutex
• cc2be213a fix: drop explicit platform matcher
• 1dffebaf2 fix: mount throws EPERM on virtiofs with SELinux
• 48a481c29 fix: replace Canal manifest with a more recent one
• 6a445406e fix: make lacp active nilable
• 0d1d95c7d fix: bump go-kmsg to fix the timestamp drift
• bd344fd53 fix: reset the ticker when the KubeSpan is disabled/enabled
• 462015bcd release(v1.14.0-alpha.0): prepare release
• 8a037a56e test: fix flaky tests
• 08c81d838 feat: bump kernel to 6.18.25
• fe40b6e58 fix(ci): fetch empty pr labels
• 837a9ed07 feat: move host DNS config into ResolverConfig
• 96a8ecd1e feat: default to factory installer image
• f19eef78b fix: revert add extraArgs from service-account-issuer
• 6821225b6 fix: revert use append instead of prepend in service-account-issuer
• b43c3a124 feat: add quirk for talosctl factory downloads
• df0b9a8da refactor: make all controller unit-test follow modern patterns
• c2948cef2 feat: support auth for Image Factory in cluster create
• 560bcf0ca feat: enforce TLS 1.3 minmum version for Kubernetes components
• 3db14309e fix(talosctl): ensure uncordon runs after reboot/upgrade errors
• ecf2fa855 feat: update Kubernetes to v1.36.0
• 71557eadd fix(ci): skip misc jobs not on pull request
• 026313b7c docs: rename security-insights.yml to lowercase for LFX detection
• dc4ffd490 fix(ci): fix jobs not interpolating matrix due to condition
• 25e2f37e2 chore: generate comments for fields in resource proto
• 149592fa5 fix: watch kubelet's kubeconfig and time out for cache sync
• 1f315e6e9 feat: update Linux to 6.18.23
• 0198eedc2 feat: add NTS (Network Time Security) support for NTP time sync
• 6830a8b97 fix(ci): matrix jobs cleanups
• 71aeb347f test: fix OOM test flake
• 9b9542cc5 test: fix a flake in the manifest sync test
• 863d882b6 test: add image verification for factory.talos.dev
• bba0b4aee chore(ci): nvidia update helm values
• 3399ff4de fix: propagate route table down to the resource
• c684ec60e chore: prepare for Talos 1.14 release
• ed9545d0d chore(ci): bump gpu operator version
• 4de3e4393 fix(ci): cron triggered workflows
• 212182e6f chore: bump container registry library
• c028db0b8 fix: do not flip machine stage to rebooting during shutdown
• 6ce62d9e8 fix(ci): workflow runs with workflow_run
• 509cd9733 fix: boot entry detection
• 5e3f30188 feat(ci): rework to schedule daily runs after a cron
• 7fa4d3919 fix: zfs extensions test
• 1ef8e630a test: allow more tests to run in FIPS strict mode
• bdcc9321b fix: reduce memory dashboard usage
• 2d177af82 chore: update Syft to v1.42.4+patches
• 0d8362119 fix: return failed precondition on upgrade when not installed
• be58eafab fix: wrong slot of encryption key was logged
• 015081c76 feat: update dependencies
• 9fbb7c95d fix: audit trustd code for security
• 986e97fc7 feat: update Flannel to 0.28.4
• f3817d1d1 chore: update sign images to support image name suffix
• e776721f3 feat: update Kubernetes 1.36.0-rc.1
• f6e7346fa fix: encode extra args fields in resources with new id
• 3c7bb80ba chore: bump tools
• 3ba35c9b9 chore(ci): nvidia try UKI boot
• e3e8f01ca chore: bump tools
• 181584a5f fix: handle boot failure
• c464c7e88 fix: upgrade API in maintenance mode (legacy)
• b7512d912 feat: update Kubernetes to 1.36.0-rc.0
• 4ba11156f refactor: allow overriding out image name suffix
• c81aa125c fix: panic in reading PCR values
• 6a3ab87c5 feat(ci): add nvidia arm64 matrix
• 21f459aab fix(talosctl): always use default GRPC dial options
• ca208e514 fix: validate hostDNS forwarding requires hostDNS to be enabled
• 9fcb9e05b feat: bump go to 1.26.2
• 0bfdf7f70 fix: create correct blackhole routes for IPv4
• 52b920032 feat: add client-side Kubernetes node drain to reboot and upgrade commands
• 968ec1e0c refactor: propagate NAME properly, allow to set on build
• acc69c346 fix: set the minimum TLS version to 1.3
• 0cfa6e302 chore: bump some tool dependencies
• 4229bb9d2 feat: add dis-vulncheck tool
• d697f5538 fix: don't set xattrs while decompressing extensions
• 34fb2cbe5 refactor: remove manual shell completion and replace with cobra completion
• 79fa2e300 feat: allow more nvidia and nvme files from extensions
• 414f78a29 feat: allow glibc ld files in etc
• 1bbba4301 feat: update Flannel to v0.28.2
• 55815e0fa fix: handle ISOs with zeroes in volume labels
• 7b6ab0c1c feat: add flag to force fallback to legacy upgrade
• 5e24d5265 feat: add resource view to talosctl dashboard
• 649ab7fe4 fix: add os:meta:writer role to the dashboard
• 10cdfa909 fix: drop talosctl install
• 087ced85f fix: unseal with "slow" TPM
• 11ab0a8c5 fix: drop unused type from ExternalVolume schema
• e2df0f6ce fix: always grow disks
• 919d8c365 chore: drop debug shell
• 783a35851 fix: add metal-agent mode to runtime capabilities
• 37b2221cc docs: add SECURITY-INSIGHTS.yml for OSPS Baseline QA-04.01
• bed2bd414 feat: add graceful power off support to QEMU VM launcher
• 3400059cc fix: incorrect route source for on-link routes
• b3dfbf743 feat: bump musl to 1.2.6
• 4227921b3 test: fix the PKI mismatch test flake
• f2bc2dcc6 feat: update NVIDIA production drivers to 595.58.03
• aa5946dd3 test: fix cron failures for provision-1 & provision-2
• 1dd701efa fix: allow blockdevice wipe in maintenance mode
• 786bf00ab feat: add --platform=all support to image cache-create
• e1f645e3c feat: validate luks headers for tampering
• ad72c7300 test: improve maintenance API provision tests
• 70cefab6a test: fix the flakes in tests with trusted roots
• aacff17f4 test: bump memory for Flannel netpolicy tests
• 9c3459114 feat: update Linux to 6.18.19, CNI to 1.9.1
• 038cb8735 feat: enforce PID check on connections to services over file sockets
• e2b2dd3ea chore: update go-kubernetes library
• 9597714f6 fix: add symlinks nvidia-ctk and nvidia-cdi-hook in /usr/bin
• 8ac47d677 fix: unset rlimits for extension services
• b1a02f368 feat: update Kubernetes to 1.36.0-beta.0
• 362fdc9ec feat: update etcd to 3.6.9
• 0a47f40b3 fix(machined): clear stale bond ARP/NS targets on decode
• 86344639f fix: update diff library to v1.0.1
• eff89d1ed fix: panics in diff algorithms
• 8e1c8a7a9 test: fix the apid test against AWS/GCP

Changes since v1.14.0-alpha.0

116 commits

• 027c93d25 release(v1.14.0-alpha.1): prepare release
• 4eb862d09 feat: add LVMService for VG/LV/PV removal
• b88f16a52 fix: use POSIX shell idioms for error propagation
• 5290eb374 fix: suppress ICMP redirects by default
• 7b4aba2e5 fix: marshal kube-scheduler config correctly with int types
• 894be9bf5 fix: touch rootfs files with SOURCE_DATE_EPOCH
• cde82224e fix: ignore cgroups with zero rank in OOM handler
• bc0372411 fix: bring in a change to BCM2712_MIP
• f572c33f1 chore: fail on makefile error
• e317d4b47 fix: drop modprobe path and enforce usermode helper
• 89e53f610 fix(machined): make built-in mod state always 'permanent'
• cfbec9bd5 test: skip UEFI vars wipe if TPM is enabled
• 1e31deda3 fix: create parent directories when extracting tar archives
• 14dc188bd chore: verify go-containerregistry preserves symlinks
• 951922dfb fix: guard apply config API call
• 3e173adf4 feat: move kube-controller-manager config to multi-doc
• b5cda3438 fix: reset QEMU UEFI variable store when disk is wiped
• 4a17ac6ac chore: script for tracking fixes made in upstream toolchain/tools/pkgs
• d71edeead feat: add LVM status resource definitions
• 4aeba1cde fix: perform backwards-compatible kernel args cleanup
• 9b7b2bf36 feat: implement support for btrfs user volumes
• 03ee8ee3a feat(machined): support instance tags on Akamai
• d19f9ade0 fix: memorymodules resource reporting
• a6edcf6f3 chore: move out adv library
• 40e66eac7 fix: bump Go golang.org/x modules
• e23ca4a0a chore(ci): add upgrade tests for trustedboot
• e3003c0ec chore: bump tpm nonce size to match the algorithm used
• 8fd04da1f feat: add bnxt_re module to the rootfs
• 1cfab00f1 fix: update etcd experimental args
• ad96fc6ae fix: relax hostname config validation
• efd735334 chore(ci): add missing labels, move release metadata check to job
• 9ec045059 feat: update containerd to 2.3.1
• 42f4144a1 feat: introduce new KubeSchedulerConfig
• f2b7f39db refactor: move Args type out of config/v1alpha1
• b959dcb3e fix: bump Kubernetes to 1.36.1 in one more place
• 8ecc77f1a feat: update default Kubernetes version to 1.36.1
• cbd9c3745 chore: rekres to secure slack workflows
• 6a92fc653 test: update Canal version used in the tests
• be12d3d08 feat: support 4k sector size disk images
• a7e8f4c28 chore(ci): fix cloud image upload job name
• 4319399f6 feat: introduce more modular Linux kernel
• ed5df89f6 feat(ci): rotate credentials
• a6a984ff7 chore(ci): fix the job conditions
• ecb7d4588 feat: enable Flannel nftables mode
• 9919ff781 feat: update Linux to 6.18.32
• 1a7d136e4 feat: add Azure Secure Boot imager profile
• df68e7391 feat: implement kernel module status resource
• e98ee99d4 fix: streamline config validation flow
• d7f0a2fd4 feat: update Linux to 6.18.31
• 2b66e25a5 chore: update image signer
• 5aa1795f9 chore: drop e2e step dependencies
• d42b3b396 feat: update Linux to 6.18.30
• c3f6f3507 feat: implement static host resolving via host DNS
• 2f06a68ef refactor: split host DNS handler
• e99c5be5a feat: implement DNS over HTTP(S)
• cf6065238 chore: stop publishing installer to ghcr
• 0edabd29c fix: restore some shared (and some lower tier slave) mount propagation
• f1578dc63 fix: image verification issue with registry.k8s.io
• 46b1f8a24 fix: rework how scheduler config is marshaled
• 820a9fa59 chore: fix typos in comments
• 649a384a9 feat: move more kernel stuff to modules
• 4f3ab2012 chore(ci): try fixing homebrew action
• 600c0ab5d feat(ci): validate that extensions PKGS and TOOLS sync with talos
• 76080416b feat: redact more machine config secrets and audit redactors
• aabf63957 docs: drop controlplane endpoint examples
• b48a2bef4 test: relax kernel-default routing rule assertion
• d2208b034 refactor(talosctl): propagate command context throughout, handle interrupts
• 0760b5c28 fix: normalize source name for syft consistency
• c49ac0ec2 docs: document release policy
• ec7e6ef9f feat: bump in-toto indirect dependency
• 21858a674 feat: update kernel to 6.18.29
• 5a49dc61d feat: migrate Image Cache config to multi-doc
• 574298ec1 fix: handle empty GCP operation errors
• 366b10b79 feat: dockerfile improvements
• 9a1d9d0af feat: bump go 1.26.3
• 6eec1c229 feat: support DNS over TLS for upstream resolvers
• dee139aef feat: revert update CoreDNS to 1.14.3
• 087bc4c18 chore: lint packages under tools
• 9e7516fae fix: clarify documentation for image verification pattern
• 41c8e9dc4 feat: bump dependencies
• 2b6c06ef5 feat: update CoreDNS to 1.14.3
• 6b6f7978b feat: update containerd to 2.3.0
• f9c4f90da feat(ci): longhorn v2 ublk tests
• 84d169c62 fix: make dnsd retry listening
• 689974bd5 fix: volume mount permissions
• ff0f66bdf fix: skip reserved routing rule priorities
• 850e2c754 feat: drop fakeroot, use go helper
• 0c1bd701a feat: add golangci-lint fmt target
• 53bd66956 feat: support conditional start of IPv6 dns servers
• b31d93e0d feat: auto-enroll SecureBoot keys for disk images
• 849a68006 test: update pkgs to test new extensions
• c30a6dfcb fix: preserve DHCP DNS servers
• 5b81b20d3 feat: apply DHCP search domains
• 4e5ff8fa2 fix(ci): zfs test
• 14abe5140 fix: handle gateways which are not on-link routes in dhcp4
• e1f759af8 chore: fix lint issues automatically
• 664c5f643 chore: update tools
• c64df2b61 fix: add missing kernel modules in rootfs
• f73c24594 feat: run depmod with verification on rootfs build
• 1371596d7 fix: provide proper AWS platform metadata
• 4f11f021d feat: implement etcd encryption config (kube-apiserver)
• 876f83643 feat: add support for HTTP Probes
• 9b776d598 feat: update etcd to 3.6.11
• 631a1bc5e fix: bring in hardened kernel
• a349dac03 fix: stale discovered volume children
• 13ce01879 fix: re-enable kexec on arm64
• 32539d4ac fix: deadlock in the makefs ext4 with populated source
• 0f3e1966a fix: panic in Kubernetes manifest sync
• 3bae01ac1 fix: do not pick up a system disk from a loop device
• dedb7a96c fix(talosctl): protect k8sNames map writes with mutex
• cc2be213a fix: drop explicit platform matcher
• 1dffebaf2 fix: mount throws EPERM on virtiofs with SELinux
• 48a481c29 fix: replace Canal manifest with a more recent one
• 6a445406e fix: make lacp active nilable
• 0d1d95c7d fix: bump go-kmsg to fix the timestamp drift
• bd344fd53 fix: reset the ticker when the KubeSpan is disabled/enabled

Changes from siderolabs/go-adv

2 commits

• siderolabs/go-adv@3818a65 feat: initial implementation
• siderolabs/go-adv@95e583c Initial commit

Changes from siderolabs/go-kmsg

1 commit

• siderolabs/go-kmsg@65e97cb fix: boot time offset calculation

Changes from siderolabs/go-kubeconfig

2 commits

• siderolabs/go-kubeconfig@d0b8f82 chore: rekres and bump deps
• siderolabs/go-kubeconfig@c356eeb fix: fix context conflict detection add New() constructor

Changes from siderolabs/go-kubernetes

2 commits

• siderolabs/go-kubernetes@38c182f fix: normalize the changeset to be keyed without apiVersion
• siderolabs/go-kubernetes@ca35008 feat: update k8s api to 0.36.0

Changes from siderolabs/go-smbios

1 commit

• siderolabs/go-smbios@063f5dc chore: rekres + new testdata

Changes from siderolabs/grpc-proxy

3 commits

• siderolabs/grpc-proxy@d670c42 chore: bump dependencies
• siderolabs/grpc-proxy@8614c71 chore: bump deps
• siderolabs/grpc-proxy@80677e0 fix: propagate the headers before the message

Changes from siderolabs/pkgs

71 commits

• siderolabs/pkgs@f9134e5 fix: enable CONFIG_BCM2712_MIP as built-in in arm64 kernel config
• siderolabs/pkgs@285c6ae fix: set usermode static helper to machine
• siderolabs/pkgs@bd2a754 feat: pre-generate drbd patches using spatch out of tree
• siderolabs/pkgs@898844e feat: update Linux to 6.18.33
• siderolabs/pkgs@a8dfbf7 fix: disable kernel modprobe path
• siderolabs/pkgs@c542950 fix: pull in tools with zstd sbom
• siderolabs/pkgs@c0ec8f3 feat: enable PPP and INFINIBAND_BNXT_RE
• siderolabs/pkgs@c62c4e1 feat: update containerd to 2.3.1
• siderolabs/pkgs@270f9f8 chore: update deps
• siderolabs/pkgs@4f7feb4 feat: enable more options for CRI-U checkpoint/restore
• siderolabs/pkgs@87994f7 feat: move autoloadable stuff as modules
• siderolabs/pkgs@80c27f3 fix: drop legacy network protocols
• siderolabs/pkgs@fbb7360 feat: drop legacy iptables/ebtables support
• siderolabs/pkgs@eac5f86 feat: bump kernel 6.18.32
• siderolabs/pkgs@d616f6c feat: update Linux to 6.18.31
• siderolabs/pkgs@02bcfce fix: macb silent TX stall on BCM2712/RP1 (v2 patches from netdev)
• siderolabs/pkgs@12ca698 feat: update ZFS & NVIDIA LTS
• siderolabs/pkgs@9fff943 feat: update Linux to 6.18.30
• siderolabs/pkgs@c5a1685 feat: move HWMON as modules
• siderolabs/pkgs@b2a45fb feat: move CONFIG_INTEL_IOATDMA as a module
• siderolabs/pkgs@ea8d35f feat: move ACPI device drivers as modules
• siderolabs/pkgs@501ba58 feat: move HID quirks as modules
• siderolabs/pkgs@b35312c feat: move PS/2 mouse drivers as modules
• siderolabs/pkgs@3a5d9d7 feat: move IPMI driver to be a module
• siderolabs/pkgs@792a69a feat: disable AGP drivers
• siderolabs/pkgs@99990b4 feat: move Hyper-V drivers as modules
• siderolabs/pkgs@fb697d6 feat: move Xen frontend drivers as modules
• siderolabs/pkgs@1df1713 feat: move ATA / MMC controllers as modules
• siderolabs/pkgs@f7f9341 feat: move USB class drivers as modules
• siderolabs/pkgs@ba873e9 feat: move USB host controllers as modules
• siderolabs/pkgs@8f25baa feat: move virtio bus stuff as modules
• siderolabs/pkgs@d0c5480 feat: bump kernel to 6.18.29
• siderolabs/pkgs@dfb09f0 feat: bump kernel 6.18.28
• siderolabs/pkgs@c97bc24 feat: update Go to 1.26.3
• siderolabs/pkgs@dfe8926 feat: add btrfsprogs
• siderolabs/pkgs@06ff9dc feat: update Linux to 6.18.27
• siderolabs/pkgs@2265fc9 feat(kernel): backport two PCI bridge realloc fixes from v6.19
• siderolabs/pkgs@5a21d99 feat: bump dependencies
• siderolabs/pkgs@cb3f406 feat: update containerd to 2.3.0
• siderolabs/pkgs@e192574 feat: update Linux to 6.18.26
• siderolabs/pkgs@e5e6cb8 feat: update DRBD to 9.3.2
• siderolabs/pkgs@77538b1 feat: update NVIDIA drivers
• siderolabs/pkgs@adeaafc feat: preserve System.map on kernel builds
• siderolabs/pkgs@c77f985 fix: disable legacy framebuffer drivers
• siderolabs/pkgs@8f3ef77 fix: enable safesetid LSM
• siderolabs/pkgs@f82d3af fix: disable CONFIG_DEVPORT
• siderolabs/pkgs@b189a96 fix: disable crypto user API
• siderolabs/pkgs@9a718f6 docs: list net macb silent TX stall fixes in kernel/build/patches/README.md
• siderolabs/pkgs@ca3599f fix: macb silent TX stall on BCM2712/RP1 (RFC patches from netdev)
• siderolabs/pkgs@6a53a93 feat: bump kernel to 6.18.25
• siderolabs/pkgs@f567bce feat: disable more stuff in Kconfig
• siderolabs/pkgs@ffd9790 feat: bump kernel to 6.18.24
• siderolabs/pkgs@b7c709a feat: bump deps
• siderolabs/pkgs@e5e5b3c feat: update Linux to 6.18.23
• siderolabs/pkgs@1a4cd20 fix: renovate config
• siderolabs/pkgs@d0ed6ed feat: update dependencies
• siderolabs/pkgs@6ea49c7 fix: support disabling module signature verification
• siderolabs/pkgs@6520ec4 feat: update containerd to 2.2.3
• siderolabs/pkgs@37ce992 feat: enable CONFIG_UHID and CONFIG_INPUT_JOYDEV as modules
• siderolabs/pkgs@cddd934 feat: update backportable dependencies
• siderolabs/pkgs@32e4077 feat: update OpenSSL
• siderolabs/pkgs@2d241e7 feat: update Go to 1.26.2 and small deps updates
• siderolabs/pkgs@7f540ce feat: disable dynamic SCS
• siderolabs/pkgs@3bef043 feat: update runc to 1.4.2
• siderolabs/pkgs@c6e6f10 feat: update Linux to 6.18.21
• siderolabs/pkgs@a9e8afa fix: libarchive install prefix
• siderolabs/pkgs@e4d0113 feat: update for musl 1.2.6
• siderolabs/pkgs@9142603 feat: update NVIDIA production to 595.58.03
• siderolabs/pkgs@22fa669 feat: update Linux to 6.18.19
• siderolabs/pkgs@03680ae feat: update containerd patch verifier role
• siderolabs/pkgs@bdc239e feat: enable CHECKPOINT_RESTORE option

Changes from siderolabs/proto-codec

1 commit

• siderolabs/proto-codec@9b8a14e chore: bump dependencies

Changes from siderolabs/siderolink

1 commit

• siderolabs/siderolink@0a1933c chore: bump dependencies

Changes from siderolabs/tools

13 commits

• siderolabs/tools@f9f37df fix: add proper name for zlib-ng sbom
• siderolabs/tools@aa45c41 fix: add SBOM for zstd library
• siderolabs/tools@808f34f feat: update Go to 1.26.3
• siderolabs/tools@5dfe83d feat: drop fakeroot and policycoreutils
• siderolabs/tools@618fd20 feat: add Python wheel package
• siderolabs/tools@df3c1b7 feat: bump dependencies
• siderolabs/tools@44ad18c feat: bump deps
• siderolabs/tools@f3d0dd9 fix: renovate configs
• siderolabs/tools@4ac4449 feat: update dependencies
• siderolabs/tools@027744f feat: bump OpenSSL to 3.6.2
• siderolabs/tools@7067f1f feat: update util-linux to 2.41.4
• siderolabs/tools@6cb3e56 feat: update Go to 1.26.2
• siderolabs/tools@9186c5f feat: update musl to 1.2.6

Dependency Changes

• codeberg.org/miekg/dns v0.6.75 new
• github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 -> v1.21.1
• github.com/aws/aws-sdk-go-v2 v1.41.7 new
• github.com/aws/aws-sdk-go-v2/config v1.32.12 -> v1.32.17
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 -> v1.18.23
• github.com/aws/aws-sdk-go-v2/service/acm v1.37.22 -> v1.38.3
• github.com/aws/aws-sdk-go-v2/service/kms v1.50.3 -> v1.51.1
• github.com/aws/smithy-go v1.24.2 -> v1.25.1
• github.com/beevik/nts v0.3.0 new
• github.com/containerd/containerd/api v1.10.0 -> v1.11.1
• github.com/containerd/containerd/v2 v2.2.2 -> v2.3.1
• github.com/containerd/platforms v1.0.0-rc.2 -> v1.0.0-rc.4
• github.com/cosi-project/runtime v1.14.1 -> v1.16.1
• github.com/docker/cli v29.4.0 -> v29.4.3
• github.com/fatih/color v1.18.0 -> v1.19.0
• github.com/florianl/go-tc v0.4.7 -> v0.4.8
• github.com/fsnotify/fsnotify v1.9.0 -> v1.10.1
• github.com/gdamore/tcell/v2 v2.13.8 -> v2.13.9
• github.com/hetznercloud/hcloud-go/v2 v2.36.0 -> v2.37.0
• github.com/insomniacslk/dhcp 5adc3eb26f91 -> 11b94ed970f2
• github.com/klauspost/compress v1.18.5 -> v1.18.6
• github.com/mattn/go-isatty v0.0.20 -> v0.0.22
• github.com/mdlayher/ethtool v0.5.1 -> v0.6.0
• github.com/mdlayher/genetlink v1.3.2 -> v1.4.0
• github.com/mdlayher/netlink v1.9.0 -> v1.11.1
• github.com/moby/moby/api v1.54.1 -> v1.54.2
• github.com/moby/moby/client v0.4.0 -> v0.4.1
• github.com/pelletier/go-toml/v2 v2.2.4 -> v2.3.1
• github.com/siderolabs/go-adv v1.0.0 new
• github.com/siderolabs/go-blockdevice/v2 v2.0.28 -> v2.0.29
• github.com/siderolabs/go-kmsg v0.1.5 -> v0.1.6
• github.com/siderolabs/go-kubeconfig v0.1.1 -> v0.1.2
• github.com/siderolabs/go-kubernetes v0.2.36 -> v0.2.37
• github.com/siderolabs/go-smbios v0.3.3 -> v0.3.4
• github.com/siderolabs/grpc-proxy v0.5.1 -> v0.5.2
• github.com/siderolabs/pkgs v1.13.0 -> v1.14.0-alpha.0-69-gf9134e5
• github.com/siderolabs/proto-codec v0.1.3 -> v0.1.4
• github.com/siderolabs/siderolink v0.3.15 -> v0.3.16
• github.com/siderolabs/talos/pkg/machinery v1.13.0 -> v1.14.0-alpha.1
• github.com/siderolabs/tools v1.13.0 -> v1.14.0-alpha.0-12-gf9f37df
• github.com/sigstore/cosign/v3 v3.0.5 -> v3.0.6
• go.etcd.io/etcd/api/v3 v3.6.9 -> v3.6.11
• go.etcd.io/etcd/client/pkg/v3 v3.6.9 -> v3.6.11
• go.etcd.io/etcd/client/v3 v3.6.9 -> v3.6.11
• go.etcd.io/etcd/etcdutl/v3 v3.6.9 -> v3.6.11
• go.uber.org/zap v1.27.1 -> v1.28.0
• golang.org/x/net v0.53.0 -> v0.55.0
• golang.org/x/sys v0.43.0 -> v0.45.0
• golang.org/x/term v0.42.0 -> v0.43.0
• golang.org/x/text v0.36.0 -> v0.37.0
• google.golang.org/grpc v1.79.3 -> v1.81.0
• k8s.io/api v0.35.3 -> v0.36.1
• k8s.io/apiextensions-apiserver v0.35.3 -> v0.36.1
• k8s.io/apimachinery v0.35.3 -> v0.36.1
• k8s.io/apiserver v0.35.3 -> v0.36.1
• k8s.io/client-go v0.35.3 -> v0.36.1
• k8s.io/component-base v0.35.3 -> v0.36.1
• k8s.io/cri-api v0.35.3 -> v0.36.1
• k8s.io/kube-scheduler v0.35.3 -> v0.36.1
• k8s.io/kubectl v0.35.3 -> v0.36.1
• k8s.io/kubelet v0.35.3 -> v0.36.1
• k8s.io/pod-security-admission v0.35.3 -> v0.36.1
• kernel.org/pub/linux/libs/security/libcap/cap v1.2.77 -> v1.2.78

Previous release can be found at v1.13.0

Images

ghcr.io/siderolabs/flannel:v0.28.4
registry.k8s.io/coredns/coredns:v1.14.2
registry.k8s.io/etcd:v3.6.11
registry.k8s.io/pause:3.10.2
registry.k8s.io/kube-apiserver:v1.36.1
registry.k8s.io/kube-controller-manager:v1.36.1
registry.k8s.io/kube-scheduler:v1.36.1
registry.k8s.io/kube-proxy:v1.36.1
ghcr.io/siderolabs/kubelet:v1.36.1
registry.k8s.io/networking/kube-network-policies:v1.0.0
ghcr.io/siderolabs/installer:v1.14.0-alpha.1
ghcr.io/siderolabs/installer-base:v1.14.0-alpha.1
ghcr.io/siderolabs/imager:v1.14.0-alpha.1
ghcr.io/siderolabs/talos:v1.14.0-alpha.1
ghcr.io/siderolabs/talosctl-all:v1.14.0-alpha.1
ghcr.io/siderolabs/overlays:v1.14.0-alpha.1
ghcr.io/siderolabs/extensions:v1.14.0-alpha.1

---

This discussion was created from the release v1.14.0-alpha.1.