chore(deps): update dependency talos to v1.13.2

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
TALOS	minor	v1.11.3 → v1.13.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

siderolabs/talos (TALOS)

v1.13.2

Compare Source

Talos 1.13.2 (2026-05-12)

Welcome to the v1.13.2 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Etcd: 3.6.11
Linux: 6.18.29

Talos is built with Go 1.26.3.

Contributors

• Noel Georgi

Changes

1 commit

• @​c5d7c65 release(v1.13.2): prepare release

Dependency Changes

• github.com/siderolabs/talos/pkg/machinery v1.13.1 -> v1.13.2

Previous release can be found at v1.13.1

Images

ghcr.io/siderolabs/flannel:v0.28.4
registry.k8s.io/coredns/coredns:v1.14.2
registry.k8s.io/etcd:v3.6.11
registry.k8s.io/pause:3.10.1
registry.k8s.io/kube-apiserver:v1.36.0
registry.k8s.io/kube-controller-manager:v1.36.0
registry.k8s.io/kube-scheduler:v1.36.0
registry.k8s.io/kube-proxy:v1.36.0
ghcr.io/siderolabs/kubelet:v1.36.0
registry.k8s.io/networking/kube-network-policies:v1.0.0
ghcr.io/siderolabs/installer:v1.13.2
ghcr.io/siderolabs/installer-base:v1.13.2
ghcr.io/siderolabs/imager:v1.13.2
ghcr.io/siderolabs/talos:v1.13.2
ghcr.io/siderolabs/talosctl-all:v1.13.2
ghcr.io/siderolabs/overlays:v1.13.2
ghcr.io/siderolabs/extensions:v1.13.2

v1.13.0

Compare Source

Welcome to the v1.14.0-alpha.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Default Installer Image

The default installer image has been updated to use the Image Factory.

Host DNS Configuration

HostDNS configuration was moved from the v1alpha1 config .machine.features.hostDNS field to the new hostDNS in the ResolverConfig document.

NTS for Time Synchronization

Talos now supports Network Time Security (NTS) for secure time synchronization.
This feature enhances the security of NTP by providing cryptographic authentication of time sources.

NTS is enabled by default (without any configuration sources) for the default time.cloudflare.com time server
NTS can be enabled for custom time servers via the new useNTS field in the TimeServerConfig document.

TLS 1.3 Minimum Version

Talos now runs etcd and kube-apiserver with a minimum TLS version of 1.3, improving security by leveraging the latest TLS features and cipher suites.
Custom settings for cipher suites have been removed, as they are ignored when TLS 1.3 is used, which simplifies configuration and ensures the use of modern, secure defaults.

Component Updates

Linux: 6.18.25
Kubernetes: 1.36.0

Talos is built with Go 1.26.2.

Contributors

• Andrey Smirnov
• Noel Georgi
• Mateusz Urbanek
• Utku Ozdemir
• Orzelius
• Oguz Kilcan
• buckaroo
• Ansgar Dahlen
• Benoît Knecht
• David Orman
• Dharsan Baskar
• Dmitrii Sharshakov
• Dmitriy Matrenichev
• Edward Sammut Alessi
• Erwan Leboucher
• Kevin Tijssen
• Nico Berlee
• Zadkiel AHARONIAN

Changes

103 commits

• 8a037a56e test: fix flaky tests
• 08c81d838 feat: bump kernel to 6.18.25
• fe40b6e58 fix(ci): fetch empty pr labels
• 837a9ed07 feat: move host DNS config into ResolverConfig
• 96a8ecd1e feat: default to factory installer image
• f19eef78b fix: revert add extraArgs from service-account-issuer
• 6821225b6 fix: revert use append instead of prepend in service-account-issuer
• b43c3a124 feat: add quirk for talosctl factory downloads
• df0b9a8da refactor: make all controller unit-test follow modern patterns
• c2948cef2 feat: support auth for Image Factory in cluster create
• 560bcf0ca feat: enforce TLS 1.3 minmum version for Kubernetes components
• 3db14309e fix(talosctl): ensure uncordon runs after reboot/upgrade errors
• ecf2fa855 feat: update Kubernetes to v1.36.0
• 71557eadd fix(ci): skip misc jobs not on pull request
• 026313b7c docs: rename security-insights.yml to lowercase for LFX detection
• dc4ffd490 fix(ci): fix jobs not interpolating matrix due to condition
• 25e2f37e2 chore: generate comments for fields in resource proto
• 149592fa5 fix: watch kubelet's kubeconfig and time out for cache sync
• 1f315e6e9 feat: update Linux to 6.18.23
• 0198eedc2 feat: add NTS (Network Time Security) support for NTP time sync
• 6830a8b97 fix(ci): matrix jobs cleanups
• 71aeb347f test: fix OOM test flake
• 9b9542cc5 test: fix a flake in the manifest sync test
• 863d882b6 test: add image verification for factory.talos.dev
• bba0b4aee chore(ci): nvidia update helm values
• 3399ff4de fix: propagate route table down to the resource
• c684ec60e chore: prepare for Talos 1.14 release
• ed9545d0d chore(ci): bump gpu operator version
• 4de3e4393 fix(ci): cron triggered workflows
• 212182e6f chore: bump container registry library
• c028db0b8 fix: do not flip machine stage to rebooting during shutdown
• 6ce62d9e8 fix(ci): workflow runs with workflow_run
• 509cd9733 fix: boot entry detection
• 5e3f30188 feat(ci): rework to schedule daily runs after a cron
• 7fa4d3919 fix: zfs extensions test
• 1ef8e630a test: allow more tests to run in FIPS strict mode
• bdcc9321b fix: reduce memory dashboard usage
• 2d177af82 chore: update Syft to v1.42.4+patches
• 0d8362119 fix: return failed precondition on upgrade when not installed
• be58eafab fix: wrong slot of encryption key was logged
• 015081c76 feat: update dependencies
• 9fbb7c95d fix: audit trustd code for security
• 986e97fc7 feat: update Flannel to 0.28.4
• f3817d1d1 chore: update sign images to support image name suffix
• e776721f3 feat: update Kubernetes 1.36.0-rc.1
• f6e7346fa fix: encode extra args fields in resources with new id
• 3c7bb80ba chore: bump tools
• 3ba35c9b9 chore(ci): nvidia try UKI boot
• e3e8f01ca chore: bump tools
• 181584a5f fix: handle boot failure
• c464c7e88 fix: upgrade API in maintenance mode (legacy)
• b7512d912 feat: update Kubernetes to 1.36.0-rc.0
• 4ba11156f refactor: allow overriding out image name suffix
• c81aa125c fix: panic in reading PCR values
• 6a3ab87c5 feat(ci): add nvidia arm64 matrix
• 21f459aab fix(talosctl): always use default GRPC dial options
• ca208e514 fix: validate hostDNS forwarding requires hostDNS to be enabled
• 9fcb9e05b feat: bump go to 1.26.2
• 0bfdf7f70 fix: create correct blackhole routes for IPv4
• 52b920032 feat: add client-side Kubernetes node drain to reboot and upgrade commands
• 968ec1e0c refactor: propagate NAME properly, allow to set on build
• acc69c346 fix: set the minimum TLS version to 1.3
• 0cfa6e302 chore: bump some tool dependencies
• 4229bb9d2 feat: add dis-vulncheck tool
• d697f5538 fix: don't set xattrs while decompressing extensions
• 34fb2cbe5 refactor: remove manual shell completion and replace with cobra completion
• 79fa2e300 feat: allow more nvidia and nvme files from extensions
• 414f78a29 feat: allow glibc ld files in etc
• 1bbba4301 feat: update Flannel to v0.28.2
• 55815e0fa fix: handle ISOs with zeroes in volume labels
• 7b6ab0c1c feat: add flag to force fallback to legacy upgrade
• 5e24d5265 feat: add resource view to talosctl dashboard
• 649ab7fe4 fix: add os:meta:writer role to the dashboard
• 10cdfa909 fix: drop talosctl install
• 087ced85f fix: unseal with "slow" TPM
• 11ab0a8c5 fix: drop unused type from ExternalVolume schema
• e2df0f6ce fix: always grow disks
• 919d8c365 chore: drop debug shell
• 783a35851 fix: add metal-agent mode to runtime capabilities
• 37b2221cc docs: add SECURITY-INSIGHTS.yml for OSPS Baseline QA-04.01
• bed2bd414 feat: add graceful power off support to QEMU VM launcher
• 3400059cc fix: incorrect route source for on-link routes
• b3dfbf743 feat: bump musl to 1.2.6
• 4227921b3 test: fix the PKI mismatch test flake
• f2bc2dcc6 feat: update NVIDIA production drivers to 595.58.03
• aa5946dd3 test: fix cron failures for provision-1 & provision-2
• 1dd701efa fix: allow blockdevice wipe in maintenance mode
• 786bf00ab feat: add --platform=all support to image cache-create
• e1f645e3c feat: validate luks headers for tampering
• ad72c7300 test: improve maintenance API provision tests
• 70cefab6a test: fix the flakes in tests with trusted roots
• aacff17f4 test: bump memory for Flannel netpolicy tests
• 9c3459114 feat: update Linux to 6.18.19, CNI to 1.9.1
• 038cb8735 feat: enforce PID check on connections to services over file sockets
• e2b2dd3ea chore: update go-kubernetes library
• 9597714f6 fix: add symlinks nvidia-ctk and nvidia-cdi-hook in /usr/bin
• 8ac47d677 fix: unset rlimits for extension services
• b1a02f368 feat: update Kubernetes to 1.36.0-beta.0
• 362fdc9ec feat: update etcd to 3.6.9
• 0a47f40b3 fix(machined): clear stale bond ARP/NS targets on decode
• 86344639f fix: update diff library to v1.0.1
• eff89d1ed fix: panics in diff algorithms
• 8e1c8a7a9 test: fix the apid test against AWS/GCP

Changes from siderolabs/go-kubeconfig

2 commits

• d0b8f82 chore: rekres and bump deps
• c356eeb fix: fix context conflict detection add New() constructor

Changes from siderolabs/grpc-proxy

3 commits

• d670c42 chore: bump dependencies
• 8614c71 chore: bump deps
• 80677e0 fix: propagate the headers before the message

Changes from siderolabs/pkgs

22 commits

• 6a53a93 feat: bump kernel to 6.18.25
• f567bce feat: disable more stuff in Kconfig
• ffd9790 feat: bump kernel to 6.18.24
• b7c709a feat: bump deps
• e5e5b3c feat: update Linux to 6.18.23
• 1a4cd20 fix: renovate config
• d0ed6ed feat: update dependencies
• 6ea49c7 fix: support disabling module signature verification
• 6520ec4 feat: update containerd to 2.2.3
• 37ce992 feat: enable CONFIG_UHID and CONFIG_INPUT_JOYDEV as modules
• cddd934 feat: update backportable dependencies
• 32e4077 feat: update OpenSSL
• 2d241e7 feat: update Go to 1.26.2 and small deps updates
• 7f540ce feat: disable dynamic SCS
• 3bef043 feat: update runc to 1.4.2
• c6e6f10 feat: update Linux to 6.18.21
• a9e8afa fix: libarchive install prefix
• e4d0113 feat: update for musl 1.2.6
• 9142603 feat: update NVIDIA production to 595.58.03
• 22fa669 feat: update Linux to 6.18.19
• 03680ae feat: update containerd patch verifier role
• bdc239e feat: enable CHECKPOINT_RESTORE option

Changes from siderolabs/proto-codec

1 commit

• 9b8a14e chore: bump dependencies

Changes from siderolabs/siderolink

1 commit

• 0a1933c chore: bump dependencies

Changes from siderolabs/tools

7 commits

• 44ad18c feat: bump deps
• f3d0dd9 fix: renovate configs
• 4ac4449 feat: update dependencies
• 027744f feat: bump OpenSSL to 3.6.2
• 7067f1f feat: update util-linux to 2.41.4
• 6cb3e56 feat: update Go to 1.26.2
• 9186c5f feat: update musl to 1.2.6

Dependency Changes

• github.com/aws/aws-sdk-go-v2/config v1.32.12 -> v1.32.14
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 -> v1.18.21
• github.com/aws/aws-sdk-go-v2/service/acm v1.37.22 -> v1.38.1
• github.com/aws/aws-sdk-go-v2/service/kms v1.50.3 -> v1.50.4
• github.com/aws/smithy-go v1.24.2 -> v1.25.0
• github.com/beevik/nts v0.3.0 new
• github.com/containerd/containerd/v2 v2.2.2 -> v2.2.3
• github.com/fatih/color v1.18.0 -> v1.19.0
• github.com/florianl/go-tc v0.4.7 -> v0.4.8
• github.com/hetznercloud/hcloud-go/v2 v2.36.0 -> v2.37.0
• github.com/insomniacslk/dhcp 5adc3eb -> 11b94ed
• github.com/mdlayher/genetlink v1.3.2 -> v1.4.0
• github.com/mdlayher/netlink v1.9.0 -> v1.11.0
• github.com/pelletier/go-toml/v2 v2.2.4 -> v2.3.0
• github.com/siderolabs/go-kubeconfig v0.1.1 -> v0.1.2
• github.com/siderolabs/grpc-proxy v0.5.1 -> v0.5.2
• github.com/siderolabs/pkgs v1.13.0 -> v1.14.0-alpha.0-20-g6a53a93
• github.com/siderolabs/proto-codec v0.1.3 -> v0.1.4
• github.com/siderolabs/siderolink v0.3.15 -> v0.3.16
• github.com/siderolabs/talos/pkg/machinery v1.13.0 -> v1.13.0-beta.0
• github.com/siderolabs/tools v1.13.0 -> v1.14.0-alpha.0-6-g44ad18c
• github.com/sigstore/cosign/v3 v3.0.5 -> v3.0.6
• go.etcd.io/etcd/api/v3 v3.6.9 -> v3.6.10
• go.etcd.io/etcd/client/pkg/v3 v3.6.9 -> v3.6.10
• go.etcd.io/etcd/client/v3 v3.6.9 -> v3.6.10
• go.etcd.io/etcd/etcdutl/v3 v3.6.9 -> v3.6.10
• google.golang.org/grpc v1.79.3 -> v1.80.0
• k8s.io/api v0.35.3 -> v0.35.4
• k8s.io/apiextensions-apiserver v0.35.3 -> v0.35.4
• k8s.io/apimachinery v0.35.3 -> v0.35.4
• k8s.io/apiserver v0.35.3 -> v0.35.4
• k8s.io/client-go v0.35.3 -> v0.35.4
• k8s.io/component-base v0.35.3 -> v0.35.4
• k8s.io/cri-api v0.35.3 -> v0.35.4
• k8s.io/kube-scheduler v0.35.3 -> v0.35.4
• k8s.io/kubectl v0.35.3 -> v0.35.4
• k8s.io/kubelet v0.35.3 -> v0.35.4
• k8s.io/pod-security-admission v0.35.3 -> v0.35.4
• kernel.org/pub/linux/libs/security/libcap/cap v1.2.77 -> v1.2.78

Previous release can be found at v1.13.0

v1.12.7

Compare Source

Talos 1.12.7 (2026-04-24)

Welcome to the v1.12.7 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.24
containerd: 2.1.7
etcd: 3.6.9
Kubernetes: v1.35.4

Talos is built with Go 1.25.9.

Contributors

• Noel Georgi
• Andrey Smirnov
• Mateusz Urbanek
• Orzelius
• Utku Ozdemir

Changes

19 commits

• @​91c6399 release(v1.12.7): prepare release
• @​3b228ca feat: bring in apparmor profile files
• @​1a05b4a feat: update kubernetes to v1.35.4
• @​b796be0 feat: bump pkgs, spdystream
• @​a75ce6f feat: bump pkgs, tools
• @​c1ea8db test: fix OOM test flake
• @​d5b691b fix: watch kubelet's kubeconfig and time out for cache sync
• @​27655c5 fix: propagate route table down to the resource
• @​fcda84b fix: boot entry detection
• @​330561c fix: do not flip machine stage to rebooting during shutdown
• @​8ef4488 fix: zfs extensions test
• @​8bc593d fix: wrong slot of encryption key was logged
• @​89f5615 fix: panic in reading PCR values
• @​317deed feat: add dis-vulncheck tool
• @​0654a7f fix: handle ISOs with zeroes in volume labels
• @​e16007b fix: unseal with "slow" TPM
• @​388a56b fix: incorrect route source for on-link routes
• @​7e42474 test: fix the flakes in tests with trusted roots
• @​d52ebe2 feat: update etcd to 3.6.9

Changes from siderolabs/pkgs

8 commits

• siderolabs/pkgs@86d6af1 fix: install apparmor parser require config files
• siderolabs/pkgs@d6b125f feat: bump systemd
• siderolabs/pkgs@191632c feat: bump kernel to 6.18.24
• siderolabs/pkgs@13cbc68 feat: bump tools, toolchain and containerd
• siderolabs/pkgs@709678d feat: update Linux to 6.18.23
• siderolabs/pkgs@34de6db fix: support disabling module signature verification
• siderolabs/pkgs@e30789a feat: update backportable dependencies
• siderolabs/pkgs@830d895 feat: update Linux to 6.18.21

Changes from siderolabs/tools

3 commits

• siderolabs/tools@bbd753d feat: bump toolchain
• siderolabs/tools@61955e9 feat: bump OpenSSL to 3.6.2
• siderolabs/tools@23de89f feat: update util-linux to 2.41.4

Dependency Changes

• github.com/siderolabs/go-blockdevice/v2 v2.0.26 -> v2.0.28
• github.com/siderolabs/pkgs v1.12.0-50-ga92bed5 -> v1.12.0-58-g86d6af1
• github.com/siderolabs/talos/pkg/machinery v1.12.6 -> v1.12.7
• github.com/siderolabs/tools v1.12.0-7-g57916cb -> v1.12.0-10-gbbd753d
• go.etcd.io/etcd/api/v3 v3.6.6 -> v3.6.9
• go.etcd.io/etcd/client/pkg/v3 v3.6.6 -> v3.6.9
• go.etcd.io/etcd/client/v3 v3.6.6 -> v3.6.9
• go.etcd.io/etcd/etcdutl/v3 v3.6.6 -> v3.6.9
• k8s.io/api v0.35.2 -> v0.35.4
• k8s.io/apiextensions-apiserver v0.35.2 -> v0.35.4
• k8s.io/apimachinery v0.35.2 -> v0.35.4
• k8s.io/apiserver v0.35.2 -> v0.35.4
• k8s.io/client-go v0.35.2 -> v0.35.4
• k8s.io/component-base v0.35.2 -> v0.35.4
• k8s.io/cri-api v0.35.2 -> v0.35.4
• k8s.io/kube-scheduler v0.35.2 -> v0.35.4
• k8s.io/kubectl v0.35.2 -> v0.35.4
• k8s.io/kubelet v0.35.2 -> v0.35.4
• k8s.io/pod-security-admission v0.35.2 -> v0.35.4

Previous release can be found at v1.12.6

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.9
registry.k8s.io/kube-apiserver:v1.35.4
registry.k8s.io/kube-controller-manager:v1.35.4
registry.k8s.io/kube-scheduler:v1.35.4
registry.k8s.io/kube-proxy:v1.35.4
ghcr.io/siderolabs/kubelet:v1.35.4
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.7
ghcr.io/siderolabs/installer-base:v1.12.7
ghcr.io/siderolabs/imager:v1.12.7
ghcr.io/siderolabs/talos:v1.12.7
ghcr.io/siderolabs/talosctl-all:v1.12.7
ghcr.io/siderolabs/overlays:v1.12.7
ghcr.io/siderolabs/extensions:v1.12.7

v1.12.6

Compare Source

Talos 1.12.6 (2026-03-19)

Welcome to the v1.12.6 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.18
runc: 1.3.5

Talos is built with Go 1.25.8.

Contributors

• Mickaël Canévet
• Andrey Smirnov
• Dominik Pitz
• Kai Zhang
• Noel Georgi
• Stanley Chan
• Zadkiel AHARONIAN

Changes

21 commits

• @​a1b8bd6 release(v1.12.6): prepare release
• @​72bd570 feat: update Linux to 6.18.18
• @​9d5638f fix: accept image cache volume encryption config
• @​0f018bf fix: panic in hardware.SystemInfoController
• @​c46b898 fix: validate missing apiVersion in config document decoder
• @​c47cad9 fix: pull in a fix for dmesg timestamps
• @​190336a fix: prevent stale discovered volumes reads
• @​217e9bb fix: bring in new version of go-cmd and go-blockdevice
• @​d7779a5 fix: stop pulling wrong platform for images
• @​eb6eb66 fix(machined): support USERDATA legacy fallback in OpenNebula driver
• @​ba20c7c feat(machined): add ONEGATE proxy route and deterministic interface iteration for OpenNebula
• @​739f664 feat(machined): inherit IP6_METHOD from METHOD in OpenNebula driver
• @​93878c0 fix(machined): align OpenNebula hostname precedence with reference
• @​9718d73 feat(machined): add IPv6 alias address support for OpenNebula (ETH_ALIAS_IP6)
• @​b649fb4 feat(machined): support ETH*_IP6_METHOD (static/dhcp/auto/disable) for OpenNebula
• @​c81df6f refactor(machined): extract per-interface IPv4 helper in OpenNebula driver
• @​501924e fix(machined): use ParseFQDN for hostname parsing in OpenNebula
• @​e9331b2 feat(machined): support per-interface route metric for OpenNebula (ETH*_METRIC)
• @​6e78afb feat(machined): add network alias support for OpenNebula (ETH_ALIAS)
• @​9f648b4 feat(machined): merge global and per-interface DNS for OpenNebula
• @​04fba03 feat(machined): add static routes support via ETH*_ROUTES for OpenNebula

Changes from siderolabs/go-cmd

2 commits

• siderolabs/go-cmd@5f31ba9 chore: rekres and update
• siderolabs/go-cmd@fff5698 feat: allow capturing full output to stdout, modernize API

Changes from siderolabs/go-kmsg

3 commits

• siderolabs/go-kmsg@b53b36d chore: rekres and update
• siderolabs/go-kmsg@6f7d20b feat: calculate boot time correctly if the time jumps
• siderolabs/go-kmsg@47655ee feat: support PRINTK_CALLER kmsg logs

Changes from siderolabs/pkgs

4 commits

• siderolabs/pkgs@a92bed5 feat: enable AMD GPU peer-to-peer DMA
• siderolabs/pkgs@09e87a9 feat: backportable deps update
• siderolabs/pkgs@eb965e2 feat(kernel): enable CONFIG_USB_UHCI_HCD on amd64
• siderolabs/pkgs@6804ebd feat: update Linux 6.18.16, NVIDIA, ZFS

Dependency Changes

• github.com/google/go-containerregistry v0.20.6 -> v0.20.7
• github.com/siderolabs/go-blockdevice/v2 v2.0.24 -> v2.0.26
• github.com/siderolabs/go-cmd v0.1.3 -> v0.2.0
• github.com/siderolabs/go-kmsg v0.1.4 -> v0.1.5
• github.com/siderolabs/pkgs v1.12.0-46-ge695c74 -> v1.12.0-50-ga92bed5
• github.com/siderolabs/talos/pkg/machinery v1.12.5 -> v1.12.6
• github.com/spf13/cobra v1.10.1 -> v1.10.2
• golang.org/x/sys v0.41.0 -> v0.42.0
• google.golang.org/grpc v1.78.0 -> v1.79.3

Previous release can be found at v1.12.5

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.8
registry.k8s.io/kube-apiserver:v1.35.2
registry.k8s.io/kube-controller-manager:v1.35.2
registry.k8s.io/kube-scheduler:v1.35.2
registry.k8s.io/kube-proxy:v1.35.2
ghcr.io/siderolabs/kubelet:v1.35.2
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.6
ghcr.io/siderolabs/installer-base:v1.12.6
ghcr.io/siderolabs/imager:v1.12.6
ghcr.io/siderolabs/talos:v1.12.6
ghcr.io/siderolabs/talosctl-all:v1.12.6
ghcr.io/siderolabs/overlays:v1.12.6
ghcr.io/siderolabs/extensions:v1.12.6

v1.12.5

Compare Source

Talos 1.12.5 (2026-03-09)

Welcome to the v1.12.5 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.15
Kubernetes: 1.35.2
etcd: 3.6.8

Talos is built with Go 1.25.8.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Dmitrii Sharshakov
• Fritz Schaal
• Jan Paul
• Max Makarov
• Mickaël Canévet
• Nico Berlee
• Orzelius
• Spencer Smith

Changes

19 commits

• @​da6c6e4 release(v1.12.5): prepare release
• @​4f978a7 fix: correctly calculate end ranges for nftables sets
• @​8d52e2d feat: add trusted roots generation to stdpatches
• @​6284877 fix: use correct dhcp option for unicast dhcp renewal
• @​dcf23be fix: ignore image digest when doing upgrade-k8s
• @​f8a2a9b fix(machined): opennebula: process ETH*_ vars regardless of NETWORK context flag
• @​db9ff23 fix: patch with delete for LinkConfigs
• @​e0c38e2 fix: update path handling on talosctl cgroups
• @​ca2d4c1 fix: stop Kubernetes client from dynamically reloading the certs
• @​70ae2f2 refactor: split locate and provision
• @​c3b0484 fix: hold user volumes root mountpoint
• @​d935420 fix: handle raw encryption keys with \n properly
• @​7fe1a47 fix: remove stale endpoints
• @​3ea0888 fix: allow static hosts in /etc/hosts without hostname
• @​5ebb00f fix: switch to better Myers algorithm implementation
• @​2b40379 feat: update etcd to v3.6.8
• @​1ce9328 fix: disks flag parsing and handling in create qemu command
• @​1f989df fix: read multi-doc machine config with newer talosctl
• @​40ba6e3 feat: update Linux 6.18.15, Go 1.25.8

Changes from siderolabs/go-debug

1 commit

• siderolabs/go-debug@47fce68 feat: support Go 1.26, rekres

Changes from siderolabs/pkgs

7 commits

• siderolabs/pkgs@e695c74 feat: update Linux to 6.18.15
• siderolabs/pkgs@7d4ef68 feat: update Linux to 6.18.14
• siderolabs/pkgs@300cd60 feat: update Linux firmware to 2026022
• siderolabs/pkgs@65f9fd3 feat: update Linux to 6.18.13
• siderolabs/pkgs@96fc8e3 feat: enable MLX5 Scalable Functions and TC offload in kernel
• siderolabs/pkgs@f31edf1 feat: add patch for Cilium BPF verifier rejection by the kernel
• siderolabs/pkgs@8b4b129 feat: update Go to 1.25.8

Changes from siderolabs/tools

1 commit

• siderolabs/tools@57916cb feat: update Go to 1.25.8

Dependency Changes

• github.com/docker/cli v29.0.0 -> v29.2.1
• github.com/siderolabs/go-blockdevice/v2 v2.0.23 -> v2.0.24
• github.com/siderolabs/go-debug v0.6.1 -> v0.6.2
• github.com/siderolabs/pkgs v1.12.0-39-gb1fc4c6 -> v1.12.0-46-ge695c74
• github.com/siderolabs/talos/pkg/machinery v1.12.3 -> v1.12.5
• github.com/siderolabs/tools v1.12.0-6-gdc37e09 -> v1.12.0-7-g57916cb
• golang.org/x/net v0.48.0 -> v0.51.0
• golang.org/x/sys v0.40.0 -> v0.41.0
• golang.org/x/term v0.38.0 -> v0.40.0
• golang.org/x/text v0.33.0 -> v0.34.0
• google.golang.org/grpc v1.76.0 -> v1.78.0
• google.golang.org/protobuf v1.36.10 -> v1.36.11
• k8s.io/api v0.35.0 -> v0.35.2
• k8s.io/apiextensions-apiserver v0.35.0 -> v0.35.2
• k8s.io/apiserver v0.35.0 -> v0.35.2
• k8s.io/client-go v0.35.0 -> v0.35.2
• k8s.io/component-base v0.35.0 -> v0.35.2
• k8s.io/kube-scheduler v0.35.0 -> v0.35.2
• k8s.io/kubectl v0.35.0 -> v0.35.2
• k8s.io/kubelet v0.35.0 -> v0.35.2
• k8s.io/pod-security-admission v0.35.0 -> v0.35.2

Previous release can be found at v1.12.4

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.8
registry.k8s.io/kube-apiserver:v1.35.2
registry.k8s.io/kube-controller-manager:v1.35.2
registry.k8s.io/kube-scheduler:v1.35.2
registry.k8s.io/kube-proxy:v1.35.2
ghcr.io/siderolabs/kubelet:v1.35.2
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.5
ghcr.io/siderolabs/installer-base:v1.12.5
ghcr.io/siderolabs/imager:v1.12.5
ghcr.io/siderolabs/talos:v1.12.5
ghcr.io/siderolabs/talosctl-all:v1.12.5
ghcr.io/siderolabs/overlays:v1.12.5
ghcr.io/siderolabs/extensions:v1.12.5

v1.12.4

Compare Source

Talos 1.12.4 (2026-02-13)

Welcome to the v1.12.4 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

KubeSpan Advertised Network Filters

KubeSpan now supports filtering of advertised networks using the excludeAdvertisedNetworks field in the KubeSpanConfig document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
and any pair of their addresses, the traffic should either go through KubeSpan or not, but not one way or the other.

Component Updates

Linux: 6.18.9

Talos is built with Go 1.25.7.

Contributors

• Andrey Smirnov
• Daniil Kivenko
• Florian Ströger
• Fritz Schaal
• Mateusz Urbanek

Changes

9 commits

• @​fc8e600 release(v1.12.4): prepare release
• @​14dde14 feat: add filter for KubeSpan advertised networks
• @​c277d01 fix: ignore volumes in wave calculation without provisioning
• @​f90af88 fix: use node podCIDRs for kubespan advertiseKubernetesNetworks
• @​a025ea4 feat: add IPv6 GRE support
• @​9241254 fix: typo with rpi_5 profile name
• @​64f4985 fix: swap volume configuration for min/max size
• @​19354ab feat: update Linux to 6.18.9
• @​639c1c9 fix: mismerge of nft with json support

Changes from siderolabs/discovery-api

2 commits

• siderolabs/discovery-api@9c06846 feat: change the way excluded addresses are specified
• siderolabs/discovery-api@f71a14a feat: add advertised filters to discovery data

Changes from siderolabs/pkgs

4 commits

• siderolabs/pkgs@b1fc4c6 feat: update NVIDIA LTS to 580.126.16
• siderolabs/pkgs@f7a8163 feat: update Linux to 6.18.9
• siderolabs/pkgs@32290ff feat: enable ip6_gre
• siderolabs/pkgs@da46073 feat: enable NFT_BRIDGE config

Dependency Changes

• github.com/siderolabs/discovery-api v0.1.6 -> v0.1.8
• github.com/siderolabs/pkgs v1.12.0-35-g15d5d78 -> v1.12.0-39-gb1fc4c6

Previous release can be found at v1.12.3

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:v1.35.0
registry.k8s.io/kube-controller-manager:v1.35.0
registry.k8s.io/kube-scheduler:v1.35.0
registry.k8s.io/kube-proxy:v1.35.0
ghcr.io/siderolabs/kubelet:v1.35.0
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.4
ghcr.io/siderolabs/installer-base:v1.12.4
ghcr.io/siderolabs/imager:v1.12.4
ghcr.io/siderolabs/talos:v1.12.4
ghcr.io/siderolabs/talosctl-all:v1.12.4
ghcr.io/siderolabs/overlays:v1.12.4
ghcr.io/siderolabs/extensions:v1.12.4

v1.12.3

Compare Source

Talos 1.12.3 (2026-02-07)

Welcome to the v1.12.3 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.8

Talos is built with Go 1.25.7.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Andrei Kvapil
• Gregor Gruener
• Matthew Sanabria

Changes

14 commits

• @​6d6471f release(v1.12.3): prepare release
• @​6578200 feat: update Linux kernel with dm-integrity
• @​b8f8245 fix: add hostname to endpoints
• @​624f9b5 chore: update deps
• @​3aa1539 fix: implement merger for PercentageSize
• @​f17d07c feat: add a helper module to generate standard patches
• @​4a3385d fix: undo CRLF on Windows (talosctl edit)
• @​a842775 feat: add RPi5 to the list of supported SBCs
• @​b8cdb61 fix(talosctl): pass --k8s-endpoint flag to rotate-ca kubernetes rotation
• @​27cbe29 fix: skip empty documents on config decoding
• @​8f49dd2 fix: open the filesystem as read-only
• @​b2a83d1 fix: always set advertised peer URLs
• @​249acdb fix: fallback to /proc/meminfo for memory modules
• @​bc56bdf fix: add warnings to 802.3ad bond

Changes from siderolabs/pkgs

3 commits

• siderolabs/pkgs@15d5d78 chore: update deps
• siderolabs/pkgs@4469bd7 chore: update kernel
• siderolabs/pkgs@51108e5 feat: enable dm-integrity

Changes from siderolabs/tools

2 commits

• siderolabs/tools@dc37e09 chore: update deps
• siderolabs/tools@36fb49a feat: update OpenSSL to 3.6.1

Dependency Changes

• github.com/siderolabs/pkgs v1.12.0-32-g4f8efaf -> v1.12.0-35-g15d5d78
• github.com/siderolabs/talos/pkg/machinery v1.12.2 -> v1.12.3
• github.com/siderolabs/tools v1.12.0-4-g31959f4 -> v1.12.0-6-gdc37e09

Previous release can be found at v1.12.2

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:

> ✂ **Note**
> 
> PR body was truncated to here.


</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/peak-scale/tool-suite).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNTkuNCIsInVwZGF0ZWRJblZlciI6IjQzLjE3OS4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->