What's New in Talos 1.7.0

List of new and shiny features in Talos Linux.

See also upgrade notes for important changes.

Important Changes

  • The default NTP server was updated to time.cloudflare.com instead of pool.ntp.org (only if not specified in the machine configuration).
  • Talos Linux now forces kubelet and kube-proxy to use iptables-nft instead of iptables-legacy.
  • SBC (Single Board Computers) images are no longer part of the Talos release assets, please read SBC before upgrading.
  • Talos clusters created with talosctl cluster create in Docker mode now use a random port for Kubernetes and Talos API.


CA Rotation

Talos Linux now supports rotating the root CA certificate and key for Talos API and Kubernetes API.


Device Selectors

Talos Linux now supports physical: true qualifier for device selectors, it selects non-virtual network interfaces (i.e. en0 is selected, while bond0 is not).

DNS Caching

Talos Linux now provides a caching DNS resolver for host workloads (including host networking pods). Host DNS resolver is enabled by default for clusters created with Talos 1.7.

Time Sync

Default NTP server was updated to be time.cloudflare.com instead of pool.ntp.org. Default server is only used if the user does not specify any NTP servers in the configuration.

Talos Linux can now sync to PTP devices (e.g. provided by the hypervisor) skipping the network time servers. In order to activate PTP sync, set machine.time.servers to the PTP device name (e.g. /dev/ptp0):

      - /dev/ptp0

SideroLink connections can now proxy Wireguard UDP packet over existing HTTP/2 SideroLink API connection (for networks where UDP protocol is filtered, but HTTP is allowed).


API Server Service Account Key

Talos Linux 1.7.0 when generating machine configuration uses RSA key for Kubernetes API Server Service Account instead of ECDSA key to provide better compatibility with external OpenID Connect implementations.


Talos Linux now forces kubelet and kube-proxy to use iptables-nft instead of iptables-legacy (xtables) which was the default before Talos 1.7.0.

Container images based on iptables-wrapper should work without changes, but if there was a direct call to legacy mode of iptables, make sure to update to use iptables-nft.


New Supported Platforms

Talos Linux now supports:

Containers (docker)

The talosctl cluster create command now can create multiple Talos clusters on the same machine. The Kubernetes and Talos APIs are mapped to a random port on the host machine.

Talos Linux now uses provided DNS resolver when running inside a container.


Talos Linux now supports running Talos inside Kubernetes as a pod: e.g. to run controlplane nodes inside existing Kubernetes cluster.


Talos has split the SBC’s (Single Board Computers) into separate repositories. There will not be any more SBC specific release assets as part of Talos release.

The default Talos installer image will stop working for SBC’s and will fail the upgrade, if used, starting from Talos v1.7.0.

The SBC’s images and installers can be generated on the fly using Image Factory or using imager for custom images. The list of official SBC’s images supported by Image Factory can be found in the overlays repository.

In order to upgrade an SBC running Talos 1.6 to Talos 1.7, generate an installer image with an SBC overlay and use it to upgrade the cluster.

System Extensions

Extension Services Configuration

Talos now supports supplying configuration files and environment variables for extension services. The extension service configuration is a separate config document. An example is shown below:

apiVersion: v1alpha1
kind: ExtensionServiceConfig
name: nut-client
  - content: MONITOR ${upsmonHost} 1 remote pass password
    mountPath: /usr/local/etc/nut/upsmon.conf
  - UPS_NAME=ups

For documentation, see Extension Services Config Files.

Note: The use of environmentFile in extension service spec is now deprecated and will be removed in a future release of Talos, use ExtensionServiceConfig instead.

New Extensions

Talos Linux in version v1.7 introduces new extensions:

  • kata-containers
  • spin
  • v4l-uvc-drivers
  • vmtoolsd-guest-agent
  • wasmedge
  • xen-guest-agent


Additional Tags

Talos Linux now supports setting extra tags when sending logs in JSON format:

      - endpoint: "udp://"
        format: "json_lines"
          server: s03-rack07


Talos Linux now starts a basic syslog receiver listening on /dev/log. The receiver can mostly parse both RFC3164 and RFC5424 messages and writes them as JSON formatted message. The logs can be viewed via talosctl logs syslogd.

This is mostly implemented for extension services that log to syslog.


Kubernetes Upgrade

The command talosctl upgrade-k8s now supports specifying custom image references for Kubernetes components via --*-image flags. The default behavior is unchanged, and the flags are optional.


Talos Linux disables by default a KubeSpan feature to harvest additional endpoints from KubeSpan members. This feature turned out to be less helpful than expected and caused unnecessary performance issues.

Previous behavior can be restored with:

        harvestExtraEndpoints: true

Secure Boot ISO

Talos Linux now provides a way to configure systemd-boot ISO ‘secure-boot-enroll’ option while generating a SecureBoot ISO image:

    kind: iso
        sdBootEnrollKeys: force # default is still if-safe
    outFormat: raw

Hardware Watchdog Timers

Talos Linux now supports hardware watchdog timers configuration. If enabled, and the machine becomes unresponsive, the hardware watchdog will reset the machine.

The watchdog can be enabled with the following configuration document:

apiVersion: v1alpha1
kind: WatchdogTimerConfig
device: /dev/watchdog0
timeout: 3m0s

Component Updates

  • Linux: 6.6.28
  • etcd: 3.5.11
  • Kubernetes: 1.30.0
  • containerd: 1.7.15
  • runc: 1.1.12
  • Flannel: 0.24.4

Talos is built with Go 1.22.2.