Also clean up some imports in go.mod, reduce replaced modules. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit 9c34591144f1e2fc759fdc6d56694541eb9f241a)
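# commit to be tagged for new release
commit = "HEAD"

project_name = "Talos"
github_repo = "siderolabs/talos"
# Regex selecting the dependency module paths to consider; ignore_deps lists
# module paths to skip even when they match the pattern.
match_deps = "^github.com/((talos-systems|siderolabs)/[a-zA-Z0-9-]+)$"
ignore_deps = ["github.com/coredns/coredns"]

# previous release
previous = "v1.12.0"

pre_release = true

preface = """
"""

# Release note sections. Every section lives under [notes.<id>] and carries a
# title plus a markdown-formatted description; a header spelled differently
# (e.g. [notest.<id>]) silently lands outside [notes] and is not picked up.
[notes]
[notes.updates]
title = "Component Updates"
description = """\
Linux: 6.18.19
containerd: 2.2.2
etcd: 3.6.9
CoreDNS: 1.14.2
Kubernetes: 1.36.0-beta.0
CNI: 1.9.1
Flannel CNI plugin: v1.9.0-flannel1
Flannel: 0.28.1
LVM2: 2_03_38
runc: 1.4.1
systemd: 259.5
cryptsetup: 2.8.3
Tenstorrent: 2.7.0
iptables: 1.8.12

Talos is built with Go 1.26.1.
"""

[notes.external_volumes]
title = "External Volumes"
description = """\
Talos now supports virtiofs-based external volumes via the new
[ExternalVolumeConfig](https://www.talos.dev/v1.13/reference/configuration/block/externalvolumeconfig/)
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.
"""

[notes.procpidmem]
title = "/proc/PID/mem Access Hardening"
description = """\
A new kernel parameter `proc_mem.force_override=never` has been introduced by default to enhance system security
by preventing unwanted writes to protected process memory via `/proc/PID/mem`.
If the kernel parameter is removed, default behavior is restored, allowing access only if the process is traced.
"""

[notes.pigz]
title = "Container Image Decompression"
description = """\
Talos now ships with `igzip` (amd64) and `pigz` (arm64) to speed up container image decompression.
"""

[notes.imager]
title = "Talos Imager Enhancements"
description = """\
Talos imager now supports running rootless. `--privileged` and `-v /dev:/dev` are no longer required.
"""

[notes.reproducible_images]
title = "Reproducible Disk Images"
description = """\
Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.
"""

[notes.vm]
title = "VM Hot-Add Support"
description = """\
Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.
"""

# Was [notest.interactive-installer]: the misspelled parent table kept this
# section out of the release notes.
[notes.interactive-installer]
title = "Interactive Installer Removal"
description = """\
The interactive installer mode has been removed from `talosctl apply-config` (`--mode=interactive`).
It has been deprecated since Talos v1.12.0, and now fully removed.
The related `GenerateConfiguration` API method has also been removed.
Users are encouraged to use other installation methods, such as using pre-generated configuration files, or using Omni.
"""

[notes.k8s_ssa]
title = "Kubernetes server-side apply"
description = """\
Talos now uses inventory backed server-side apply when applying bootstrap manifests (including `extraManifests` and `inlineManifests`).
Purging of unneeded manifests is automatically performed.
The switch and inventory backfill is automatic and no action is needed from the user.
"""

[notes.talosctl_images_talos_bundle]
title = "`talosctl images talos-bundle` can ignore reaching to the registry"
description = """\
The `talosctl images talos-bundle` command now accepts optional `--overlays` and `--extensions` flags.
If those are set to `false`, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.
"""

[notes.images_k8s_bundle]
title = "Talosctl images k8s-bundle subcommand accepts version parameter"
description = """\
The `talosctl images k8s-bundle` command now accepts optional version override arguments.
"""

[notes.environment_config]
title = "Environment Configuration Document"
description = """\
A new `EnvironmentConfig` document has been introduced to allow users to specify environment variables for Talos components.
It replaces and deprecates the previous method of setting environment variables via the `.machine.env` field.

Multiple values for the same environment variable will replace previous values, with the last one taking precedence.

To remove an environment variable, remove it from the `EnvironmentConfig` document and restart the node.
"""

[notes.kubespan]
title = "KubeSpan Configuration"
description = """\
A new `KubeSpanConfig` document has been introduced to configure KubeSpan settings.
It replaces and deprecates the previous method of configuring KubeSpan via the `.machine.network.kubespan` field.

The old configuration field will continue to work for backward compatibility.
"""

[notes.link_alias_config]
title = "LinkAliasConfig Pattern-Based Multi-Alias"
description = """\
`LinkAliasConfig` now supports pattern-based alias names using `%d` format verb (e.g. `net%d`).

When the alias name contains a `%d` format verb, the selector is allowed to match multiple links.
Each matched link receives a sequential alias (e.g. `net0`, `net1`, ...) based on hardware address order
of the links. Links already aliased by a previous config are automatically skipped.

This enables creating stable aliases from any N links using a single config document,
useful for `BondConfig` and `BridgeConfig` member interfaces on varying hardware.
"""

[notes.extraArgs]
title = "Extra Arguments accept slices in addition to strings"
description = """\
Several Talos configuration fields that previously accepted single string values for extra arguments have been updated to accept slices of strings as well.
This includes fields such as `.cluster.apiServer.extraArgs`.

BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, ControllerManagerConfigs, SchedulerConfigs or APIServerConfigs, the protobuf format has changed from `map<string,string>` to `map<string,message>`.
"""

[notes.serviceAccountIssuer]
title = "Service Account Issuer configuration"
description = """\
In API Server, passing extra args with `service-account-issuer` will append them after default value.
This allows easy migration, e.g. by changing `.cluster.controlPlane.endpoint` to new value, and keeping the old value in
`.cluster.apiServer.extraArgs["service-account-issuer"]`.
"""

[notes.negativeMaxVolumeSize]
title = "Negative Max Volume Size"
description = """\
Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example:
* a max size of "-10GiB" means the volume can grow to the available space minus 10GiB.
* a max size of "-25%" means the volume can grow to the available space minus 25%.
"""

[notes.resolver_config]
title = "ResolverConfig"
description = """\
The nameservers configuration in machine configuration now overwrites any previous layers (defaults, platform, etc.) when specified.
Previously a smart merge was performed to keep IPv4/IPv6 nameservers from lower layers if the machine configuration specified only one type.
"""

[notes.kernel_preempt]
title = "Dynamic Linux Kernel Preemption Model"
description = """\
Talos Linux now defaults to dynamic Linux kernel preemption model, the default value `none` matches
previous version, but now with kernel argument `preempt=` the preemption model can be changed.

See [Linux kernel documentation](https://docs.kernel.org/admin-guide/kernel-parameters.html) for more
information on supported values.

This change only applies to amd64 (x86_64) architecture.
"""

[notes.probe_config]
title = "ProbeConfig"
description = """\
The TCPProbeConfig configuration document allows to configure TCP probes for network reachability checks.
This allows to define a custom connectivity condition.
"""

[notes.images]
title = "Image APIs Updated"
description = """\
Talos Linux provides new APIs to manage container images on the node: listing, pulling, importing and removing images.
The new pull APIs provide pull progress notifications.

The CLI commands `talosctl image pull`, `talosctl image list` and `talosctl image remove` have been updated to interact with the new APIs.
"""

[notes.debug]
title = "talosctl debug"
description = """\
Talos Linux now provides a way to run and attach to the privileged debug container with a user-provided container image.
The debug container might be used for troubleshooting and debugging purposes.
"""

[notes.network-policy]
title = "Flannel CNI with Network Policy Support"
description = """\
Talos Linux now supports optionally deploying Flannel CNI with [network policy support](https://kubernetes.io/docs/concepts/services-networking/network-policies/) enabled.
The network policy implementation is [kube-network-policies](https://github.com/kubernetes-sigs/kube-network-policies/).

To enable Flannel CNI with network policy support, use the following machine configuration patch:

```yaml
cluster:
  network:
    cni:
      name: flannel
      flannel:
        kubeNetworkPoliciesEnabled: true
```

(If the cluster is already running, sync the bootstrap manifests after applying the patch to deploy the new CNI configuration.)
"""

[notes.kubespan-filters]
title = "KubeSpan Advertised Network Filters"
description = """\
KubeSpan now supports filtering of advertised networks using the `excludeAdvertisedNetworks` field in the `KubeSpanConfig` document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
and any pair of their addresses, the traffic should either go through KubeSpan or not, but not one way or the other.
"""

[notes.clang-thinlto]
title = "Clang built kernel and ThinLTO"
description = """\
Talos now uses a kernel built using Clang compiler, and optimized using ThinLTO. This should bring a small performance improvement,
alongside some hardening features, such as BTI on supported ARM systems.
"""

[notes.vrf]
title = "VRF Support"
description = """\
Talos now supports VRF (Virtual Routing and Forwarding) via the new `VRFConfig` machine config document.
"""

[notes.image_signatures]
title = "Container Image Signature Verification"
description = """\
Talos now supports machine-wide container image signature verification via the new `ImageVerificationConfig` machine config document.

Any image which gets pulled on the node will be verified against the configured rules, and if no rule matches, it will be pulled without verification.
"""

# Was [notest.blackhole_routes]: the misspelled parent table kept this
# section out of the release notes.
[notes.blackhole_routes]
title = "Blackhole Route Support"
description = """\
Talos now supports blackhole routes via the new `BlackholeRouteConfig` machine config document.
"""

[notes.install_upgrade_api]
title = "Install and Upgrade API"
description = """\
Talos now exposes install and upgrade operations via the `LifecycleService` API, enabling programmatic installs and upgrades through a single, consistent interface.
The legacy upgrade API is deprecated; new integrations should migrate to `LifecycleService` for future compatibility.
"""

[notes.talosctl_upgrade_lifecycle]
title = "Lifecycle Upgrade in talosctl"
description = """\
`talosctl` upgrades now route through `LifecycleService`, aligning CLI behavior with the new install/upgrade API and unifying the upgrade path.
This change is transparent to users but standardizes the backend used for upgrades.
"""

[notes.container_device_interface]
title = "Container Device Interface"
description = """\
Talos now enables [CDI](https://github.com/cncf-tags/container-device-interface) by default and extension/extension services can bring in dynamic
CDI spec files under `/run/cdi`.
"""

[notes.nvidia]
title = "NVIDIA GPU Support"
description = """\
Talos switched to using CDI and now supports configuring NVIDIA GPU via the gpu-operator helm chart.
See the documentation on [upgrade notes](https://docs.siderolabs.com/talos/v1.13/configure-your-talos-cluster/lifecycle-management/upgrading-talos#after-upgrade-to)
for more details on how to configure NVIDIA GPU support in Talos.
"""

[notes.routing_rules]
title = "Routing Rules Support"
description = """\
Talos now supports routing rules via the new `RoutingRuleConfig` machine config document.
"""

# Build dependencies: each entry names the repository and the make variable
# through which it is referenced.
[make_deps]

[make_deps.tools]
variable = "TOOLS"
repository = "github.com/siderolabs/tools"

[make_deps.pkgs]
variable = "PKGS"
repository = "github.com/siderolabs/pkgs"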