What's New in Talos 1.1
Pod Security Admission
Pod Security Admission controller is enabled by default with the following policy:
    apiVersion: apiserver.config.k8s.io/v1
    kind: AdmissionConfiguration
    plugins:
    - configuration:
        apiVersion: pod-security.admission.config.k8s.io/v1alpha1
        defaults:
          audit: restricted
          audit-version: latest
          enforce: baseline
          enforce-version: latest
          warn: restricted
          warn-version: latest
        exemptions:
          namespaces:
          - kube-system
          runtimeClasses:
          usernames:
        kind: PodSecurityConfiguration
      name: PodSecurity
      path: ""

The policy is part of the Talos machine configuration, and it can be modified to suit your needs.
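What the default policy above means for a workload, shown as an added example (not Talos or Kubernetes code): a simplified Python model of the admission decision that implements only a subset of the Pod Security Standards checks. The function names and sample pod specs are constructed for illustration; the `pod-security.kubernetes.io/<mode>` namespace labels are the standard Kubernetes per-namespace overrides.

```python
# Added example: simplified model of the default policy; the real profiles contain more checks.
DEFAULTS = {"enforce": "baseline", "warn": "restricted", "audit": "restricted"}
EXEMPT_NAMESPACES = {"kube-system"}
NS_LABEL = "pod-security.kubernetes.io/"  # prefix of per-namespace override labels

def _containers(spec):
    return spec.get("containers", []) + spec.get("initContainers", [])

def baseline_violations(spec):
    """Subset of 'baseline': host namespaces, privileged containers, hostPath volumes."""
    found = [f for f in ("hostNetwork", "hostPID", "hostIPC") if spec.get(f)]
    for c in _containers(spec):
        if c.get("securityContext", {}).get("privileged"):
            found.append(f"{c.get('name')}: privileged")
    found += [f"{v.get('name')}: hostPath volume" for v in spec.get("volumes", []) if "hostPath" in v]
    return found

def restricted_violations(spec):
    """Subset of 'restricted': baseline plus non-root, no escalation, drop ALL capabilities."""
    found = baseline_violations(spec)
    pod_sc = spec.get("securityContext", {})
    for c in _containers(spec):
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{c.get('name')}: allowPrivilegeEscalation != false")
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            found.append(f"{c.get('name')}: runAsNonRoot != true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            found.append(f"{c.get('name')}: capabilities.drop lacks ALL")
    return found

CHECKS = {"privileged": lambda spec: [], "baseline": baseline_violations,
          "restricted": restricted_violations}

def admit(namespace, spec, ns_labels=None):
    """Return (allowed, warnings, audit_findings) for a pod created in `namespace`."""
    if namespace in EXEMPT_NAMESPACES:  # exemptions skip enforce, warn and audit
        return True, [], []
    labels = ns_labels or {}
    level = {mode: labels.get(NS_LABEL + mode, default) for mode, default in DEFAULTS.items()}
    allowed = not CHECKS[level["enforce"]](spec)
    return allowed, CHECKS[level["warn"]](spec), CHECKS[level["audit"]](spec)

# Constructed sample pod specs (only the fields the checks read).
HOST_NET_POD = {"hostNetwork": True, "containers": [{"name": "agent"}]}
PLAIN_POD = {"containers": [{"name": "web"}]}
HARDENED_POD = {"securityContext": {"runAsNonRoot": True}, "containers": [{"name": "web",
    "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}

if __name__ == "__main__":
    for ns, pod in [("default", HOST_NET_POD), ("kube-system", HOST_NET_POD), ("default", PLAIN_POD)]:
        print(ns, admit(ns, pod))
```

A pod with no security context is admitted under `enforce: baseline` but still produces `restricted` warnings and audit findings, and the same host-network pod that is rejected in `default` passes untouched in the exempted `kube-system` namespace.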
Kubernetes API Server Anonymous Auth
Anonymous authentication is now disabled by default for the kube-apiserver (CIS compliance).
To enable anonymous authentication, update the machine config with:
    cluster:
      apiServer:
        extraArgs:
          anonymous-auth: true
talosctl patch mc and
talosctl edit mc now support
If enabled it just prints out the selected config application mode and the configuration diff.
talosctl patch mc and
talosctl edit mc now support the new mode called
In this mode the config change is applied for a period of time and then reverted to the state it was in before the change.
The --timeout parameter can be used to customize the config rollback timeout.
This new mode can be used only with the parts of the config that can be changed without a reboot, and it can help to check that the new configuration doesn't break the node.
It is especially useful for checking network interface changes that may lead to the loss of connectivity to the node.
Network Device Selector
Talos machine configuration supports specifying network interfaces by selectors instead of interface name. See documentation for more details.
RockPi 4 variants A and B
Talos now supports RockPi variants A and B in addition to RockPi 4C.
Raspberry Pi PoE Hat Fan
Talos now enables the Raspberry Pi PoE fan control by pulling in the poe overlay that works with the upstream kernel.
IPv6 in Docker-based Talos Clusters
talosctl cluster create now enables IPv6 by default for the Docker containers created for Talos nodes.
This allows IPv6 addresses to be used in Kubernetes networking.
If talosctl cluster create fails to work on Linux due to the lack of IPv6 support, please use the flag --disable-docker-ipv6 to revert the change.
eudev Default Rules
Talos drops some default eudev rules that don't make sense in the context of Talos OS, especially the ones around sound devices, CD-ROMs and renaming the network interfaces to be predictable.