Release notes
To select a different version, click Releases in the top navigation bar.
with Kubernetes manifests, Docker images and binaries.
07 Nov 2022
- ebpf: fix cleaning ifstate when iface goes down (@tomastigera)
- Fixed issue when Calico Windows hostprocess installation would fail to clean up a previous manual install of Calico Windows. calico #6957 (@coutinhop)
v3.24.4
Release archive with Kubernetes manifests, Docker images and binaries.
01 Nov 2022
Bug fixes
- Fix that Calico would try to use the IPV6 VXLAN or Wireguard tunnel devices for its BGP connections. calico #6930 (@coutinhop)
- Fix to Windows install script to ensure that nssm binary is in the correct path (@song-jiang)
- Fix that Calico would try to use the VXLAN tunnel device for its BGP connections. calico #6903 (@caseydavenport)
Component | Version |
---|---|
calico/typha | |
calico/ctl | v3.24.4 |
calico/node | |
calico/cni | v3.24.4 |
calico/apiserver | |
calico/kube-controllers | v3.24.4 |
calico/flannel-migration-controller | |
calico/windows | v3.24.4 |
networking-calico | |
docker.io/flannelcni/flannel | v0.15.1 |
calico/dikastes | |
calico/pod2daemon-flexvol | v3.24.4 |
calico/csi |
with Kubernetes manifests, Docker images and binaries.
21 Oct 2022
Bug fixes
- Fix an issue that caused annotations and labels to be overwritten during a calicoctl patch command (@mgleung)
Other changes
- Retain OpenSSL FIPS dependent files in calico-node image. (@hjiawei)
- Match full interface names in IP auto-detection default exclude list. calico #6878 (@neoaggelos)
- Update Windows NSSM version (@song-jiang)
v3.24.2
17 Oct 2022
Bug fixes
- Updated documentation list of images to pull for deploying from private registry (now includes node-driver-registrar) calico #6817 (@Josh-Tigera)
- Fix issues with OCP installs using the wrong operator manifest. (@mgleung)
- Fix calicoctl IPAM handle release in KDD mode calico #6652 (@fasaxc)
- Update golang to 1.18.7 calico #6825 (@Behnam-Shobiri)
- Allow Calico to set MTU in OpenStack (@neiljerram)
- Update multiple golang dependencies. calico #6720 (@Behnam-Shobiri)
- Update the go version used to build the binaries from 1.18.5 to 1.18.6 (@Behnam-Shobiri)
- The vxlanEnabled attribute from FelixConfiguration is now ignored for IPv6 VXLAN pools, allowing VXLAN to have IPv4 enabled independently from IPv6. calico #6700 (@coutinhop)
- Use exponential backoff for kube-controllers health check timeout, retry sooner if failed. (@caseydavenport)
Component | Version |
---|---|
calico/typha | v3.24.2 |
calico/ctl | |
calico/node | v3.24.2 |
calico/cni | |
calico/apiserver | v3.24.2 |
calico/kube-controllers | |
calico/flannel-migration-controller | v3.24.2 |
calico/windows | |
networking-calico | v3.24.2 |
docker.io/flannelcni/flannel | |
calico/dikastes | v3.24.2 |
calico/pod2daemon-flexvol | |
calico/csi | v3.24.2 |
Release archive with Kubernetes manifests, Docker images and binaries.
29 Aug 2022
Bug fixes
- Fixes missing permissions for the CSI driver in the OCP operator manifests. calico #6616 (@mgleung)
- Ensure that the flexvolume binary is statically linked (@rene-dekker)
- Update Installation CRD to include new CSI changes introduced by recent operator API changes. calico #6602 (@Josh-Tigera)
Other changes
- Bump K8S_VERSION and KUBECTL_VERSION to v1.24.3 in metadata.mk calico #6607 (@coutinhop)
- Retry kube-controllers initialization on failure (@tmjd)
v3.24.0
with Kubernetes manifests, Docker images and binaries.
18 Aug 2022
IPv6 wireguard support
Calico now supports wireguard encryption for IPv6 networks.
Pull Requests:
- Add IPv6 support to wireguard. (@coutinhop)
- Skip ipv6 vxlan route update with wireguard manager calico #6073 (@song-jiang)
IPAM API enhancements
Pull Requests:
- Add the API for accessing block affinities with read-only permissions. calico #6420 (@mgleung)
- Add IPAMConfiguration to projectcalico.org/v3 API (@song-jiang)
We have added more fields to the operator API in order to allow for more fine-grained tweaks to an operator-installed Calico deployment. Some of the newly exposed configuration fields include:
- Annotations and labels
- Node affinity and node selectors
- Tolerations
- minReadySeconds
- Container resource limits and requests Details and discussion can be found on the .
Pull Requests:
- Support configuring IP pool DisableBGPExport with env variables calico #6391 (@lmm)
- Ability to configure labels / annotations for the tigera-operator pod via helm (@agaffney)
- Add tolerations and node selectors to the operator helm chart calico #6158 (@redref)
Ability to split IP pools
We have added commands to the utility to allow for safely splitting IP pools into smaller pools. IP pools can only be split by powers of 2 in order to ensure equal splits of IP addresses. Child IP pools must also be large enough to contain the IPAM blocks of the parent IP pool.
Pull Requests:
- Add calicoctl command to split IP pools. calico #6308 (@mgleung)
Transition from pod security policies to pod security standards
Calico no longer installs pod security policies (deprecated in Kubernetes 1.21) and now deploys pod security standards. Operator installations of Calico should automatically transition any deployments on Kubernetes 1.25+.
Pull Requests:
- Remove tigera-operator PodSecurityPolicy, as policy/v1beta1 is removed in Kubernetes v1.25+ (@caseydavenport)
- Remove apiserver PodSecurityPolicy, as policy/v1beta1 is removed in Kubernetes v1.25+ calico #6270 (@caseydavenport)
Bug fixes
General
- Set IPIPMode and VXLANMode to the default “Never” if they are empty strings in IPPools. (@coutinhop)
- Fix nil error logged from kube-controllers health reporter calico #6514 (@caseydavenport)
- Fix that kube-controllers health checks didn’t include a timeout on HTTP calls (@caseydavenport)
- Fix issue in L3RouteResolver CIDRTrie which could result in crashes when the IPv6 trie had a node with a /63 prefix. calico #6511 (@coutinhop)
- Fix occasional incorrect withdrawal of Service IPs over BGP when changing BGPConfiguration. (@caseydavenport)
- Remove API-level defaulting for FloatingIPs field - use code default instead calico #6415 (@caseydavenport)
- Fix missing serviceaccount token creation RBAC for etcd-mode clusters, and canal clusters. (@caseydavenport)
- Increase timeout when deleting workloads veth device in order to avoid false positives under heavy load. calico #6356 (@fasaxc)
- Fix parsing of apiserver CLI flags (@cyclinder)
- Fix lookups of locally defined hostnames from within Calico containers due to missing nsswitch.conf calico #6326 (@caseydavenport)
- Fix serviceaccount token generation for canal (introduced in v3.23.2) (@caseydavenport)
- Fix L3RouteResolver incorrectly outputting “Some nodes share IP address, route calculation may choose wrong node.” log messages. calico #6298 (@coutinhop)
- Fix calico/node and typha version skew bug between Calico v3.22 and v3.22+ (@caseydavenport)
- Update the netlink library to fix a panic bug caused by unsafe pointer usage. calico #6295 (@fasaxc)
- Fix WorkloadSourceSpoofing validation in FelixConfiguration (@AloysAugustin)
- calico will only distribute routes to a Pod if its IP address falls within a IP pool, But this won’t work for VXLAN mode (only BGP mode). calico #6245 (@cyclinder)
- Set preserveUnknownFields to false in Calico CRDs in order to allow updating from old versions. (@freecaykes)
- Fix IP address truncation when using autodetection method “k8s-internal-ip” calico #6228 (@Josh-Tigera)
- Fix possible context leaks (@hjiawei)
- Fix that a combination of node deletions and workload IP relocation previously could result in multiple nodes having the same CIDR. calico #6185 (@robbrockbank)
- Fix that some components failed to seed the simple (math/rand) random number generator before use. One side effect of this was that several components would always choose the same Typha to connect to. (@fasaxc)
- Remove some unused libraries from produced container images calico #6125 (@ScheererJ)
- Fix that BGPPeer resources that identified a Calico node by IP address were handled asymmetrically in IPv4+IPv6 clusters. In the forward direction, a peering for the IP was generated but in the reverse direction a peering for both IPv6 and IPv4 addresses was generated. (@fasaxc)
- Fix helm upgrade instructions calico #6117 (@caseydavenport)
- Ignore v prefix when comparing cluster and client version in calicoctl (@lou-lan)
- Ignore blocks that are not confirmed to a host calico #6003 (@caseydavenport)
eBPF
- ebpf: explicitly ACCEPT approved traffic in INPUT to avoid drops in default-DROP environments. calico #6327 (@tomastigera)
- ebpf: WG traffic is allowed by the HEP programs in case of a conflicting policy. (@tomastigera)
- eBPF: Retry setting RPF when device isn’t ready calico #6304 (@tomastigera)
- ebpf: we drop packets that are about to be redirected to a workload endpoint that does not have a tc attached program yet, hence is unprotected. (@tomastigera)
Windows
- Fix issues with the windows node names in GCE (@lmm)
Wireguard
- Limit rate of logging ‘Wireguard is not supported’ to fix log spam issues. (@coutinhop)
- Handle errors correctly in wireguard tunnel IP setting on the node calico #6185 (@robbrockbank)
- When there is no allocated Wireguard interface IP and host encryption is enabled the host IP is used as the device IP. This ensures source IP selection will choose the correct host IP when routing over Wireguard (@robbrockbank)
- Don’t allocate wireguard device IPs for managed cloud non-calico CNI calico #6185 (@robbrockbank)
Other changes
General
- Update the base images to alpine 3.16 for the flexvolume and CSI driver (@mgleung)
- Update pacakges from UBI repo for CVE fixes calico #6380 (@caseydavenport)
- Add new node-role.kubernetes.io/control-plane taints (@frezbo)
- Update UBI base image to 8.6 calico #6347 (@caseydavenport)
- Build ppc64le image for calico/apiserver. (@yussufsh)
- Add HTTP /terminate endpoint for graceful termination of Dikastes sidecar container to facilitate Kubernetes Job completion calico #6268 (@Josh-Tigera)
- Update the ipset package from 7.1 to 7.11 for ARM builds (@ScOut3R)
- Documentation updated to use static per-patch raw.githubuercontent.com manifest links. calico #6261 (@caseydavenport)
- Add new Pod annotation for assigning specified MAC address to container veth (@Josh-Tigera)
- Update flannel daemonset default value for migration controller calico #6229 (@caseydavenport)
- Explicitly copy necessary libs from UBI instead of whole /lib and /lib64 dirs for the typha, dikastes, flexvol, kube-controllers, flannel-migration controller images (@coutinhop)
- Reduce the number of libraries included within the calico/cni image. calico #6217 (@freecaykes)
- Reduce the number of libraries included within the calico/apiserver image (@freecaykes)
- calicoctl ipam check/release now look for and clean up unused IPAM handles. calico #6155 (@fasaxc)
- Updating a couple of dependencies for Calico (including, spf13/viper, spf13/cobra and etcd related dependencies). Updating the dependencies would also help us with our CVE scan process. (@Behnam-Shobiri)
- compiled using go-1.18 calico #6131 (@tomastigera)
- Update Kubernetes dependency to v1.24 (@caseydavenport)
- Add IPv6 support for flannel migration. calico #6088 (@coutinhop)
- Operator monitors BGP configuration resource to trigger rolling updates as needed (@caseydavenport)
- go version update to 1.17.9 calico #6000 (@doublek)
- AKS BYO instructions now install the Calico API server by default. (@song-jiang)
- Attach SHA256SUMS as part of release, including checksums for all release artifacts. calico #5960 (@caseydavenport)
- Manifests can now be accessed via immutable github links. (@caseydavenport)
- Calico now uses the TokenRequest API to generate and refresh a token for the CNI plugin. This ensures that the token remains valid even when the calico-node daemonset is restarted. calico #5910 (@ScheererJ)
- Added dummy routetable for network policy only mode (@juanfresia)
eBPF
- Add support to dump bpf policies attached to an interface (@sridhartigera)
- ebpf: Conntrack table gets upgraded to version 3 calico #6223 (@sridhartigera)
- eBPF: Add counters to eBPF programs, and add support to calico-bpf to work with those counters. (@mazdakn)
- cni dumps stack when and where ADD or DEL panics calico #6195 (@tomastigera)
- eBPF: Move mount of BPFfs and cgroupv2 to a dedicated init container with elevated privileges; enter the root cgroup namespace to mount cgroupv2 in order to allow the CTLB to be installed system-wide. Reduce the mount privileges of the main calico-node container. (@mazdakn)
- Remove special case eBPF on EKS documentation; current versions of EKS use a new enough kernel for eBPF. calico #6008 (@fasaxc)
- ebpf: RPF checks enforced in BPF (@sridhartigera)
- ebpf: host does not require CTLB to access cluster IPs calico #5879 (@tomastigera)
Windows
- Windows quickstart install script creates calico service account token secret if missing calico #6467 (@lmm)
- Update platform detection in windows installation for EC2 to use IMDSv2 (@backjo)
- Windows install script now auto-detects networking backend via ippools calico #6010 (@lmm)
Wireguard
Component | Version |
---|---|
calico/typha | v3.24.0 |
calico/ctl | |
calico/node | v3.24.0 |
calico/cni | |
calico/apiserver | v3.24.0 |
calico/kube-controllers | |
calico/flannel-migration-controller | v3.24.0 |
calico/windows | |
networking-calico | v3.24.0 |
docker.io/flannelcni/flannel | |
calico/dikastes | v3.24.0 |
calico/pod2daemon-flexvol | |
calico/csi | v3.24.0 |
calico/node-driver-registrar |