Release notes

Calico Open Source v3.26.4

Release archive with Kubernetes manifests, Docker images and binaries.

16 November 2023

Bug fixes

  • ebpf: fixed host access to self and a service that redirects to self without CTLB. calico #8198 (@tomastigera)
  • Fix incorrect conversion to 16-bit offset in the BPF assembler. Fail if the value would wrap. calico #8178 (@fasaxc)

Component Version
calico/typha v3.26.4
calico/ctl v3.26.4
calico/node v3.26.4
calico/cni v3.26.4
calico/apiserver v3.26.4
calico/kube-controllers v3.26.4
calico/flannel-migration-controller v3.26.4
calico/windows v3.26.4
networking-calico v3.26.4
docker.io/flannelcni/flannel v0.16.3
calico/dikastes v3.26.4
calico/pod2daemon-flexvol v3.26.4
calico/csi v3.26.4
calico/node-driver-registrar v3.26.4

Calico Open Source v3.26.3

Release archive with Kubernetes manifests, Docker images and binaries.

11 October 2023

Bug fixes

  • Updated Typha deployment tolerations on Helm charts so Typha can be scheduled on any node. calico #8065 (@coutinhop)
  • Corrected policy for OpenStack security group with no remote_ip_prefix. calico #8034 (@nelljerram)
  • Moved Felix TLS handshake to per-connection goroutine. calico #7994 (@fasaxc)
  • Fixed panic when running ‘calicoctl get nodes’ when AS number was not present in the default BGP configuration. calico #7860 (@coutinhop)
  • When running Calico in policy-only mode, do not write the IP annotations to the node. (@skmatti) calico #7824 (@tobiasgiese)
  • Don’t write AS number to node if running with CALICO_NETWORKING_BACKEND=none. calico #7824 (@tobiasgiese)

Other changes

  • Kube controllers run as a non-root user in s390x builds by default. calico #7956 (@liudalibj)

Component Version
calico/typha v3.26.3
calico/ctl v3.26.3
calico/node v3.26.3
calico/cni v3.26.3
calico/apiserver v3.26.3
calico/kube-controllers v3.26.3
calico/flannel-migration-controller v3.26.3
calico/windows v3.26.3
networking-calico v3.26.3
docker.io/flannelcni/flannel v0.16.3
calico/dikastes v3.26.3
calico/pod2daemon-flexvol v3.26.3
calico/csi v3.26.3
calico/node-driver-registrar v3.26.3

Calico Open Source v3.26.1

Release archive with Kubernetes manifests, Docker images and binaries.

20 Jun 2023

Bug fixes

  • Fix an issue with OpenShift violations of the restricted pod security profile. calico #7768 (@MichalFupso)
  • Calico’s integration code for OpenStack has been updated for OpenStack Yoga. calico #7746 (@nelljerram)
  • eBPF: Fix applyOnforward=false in global policies. calico #7724 (@tomastigera)

Other changes

  • Build separate FIPS-compliant images to support TLS 1.3. calico #7749 (@sridhartigera)

Component Version
calico/typha v3.26.1
calico/ctl v3.26.1
calico/node v3.26.1
calico/cni v3.26.1
calico/apiserver v3.26.1
calico/kube-controllers v3.26.1
calico/flannel-migration-controller v3.26.1
calico/windows v3.26.1
networking-calico v3.26.1
docker.io/flannelcni/flannel v0.16.3
calico/dikastes v3.26.1
calico/pod2daemon-flexvol v3.26.1
calico/csi v3.26.1
calico/node-driver-registrar v3.26.1

Calico Open Source v3.26.0

Release archive with Kubernetes manifests, Docker images and binaries.

24 May 2023

Improved Security

Permissions for core Calico components have been separated and reduced to the minimum required for each component. This change allows us to tweak permissions on the CNI plugin itself regardless of the permissions required to manage the dataplane.

Pull Requests:

  • Separate calico-node and calico-cni-plugin service accounts. calico #7106 (@MichalFupso)

Performance Enhancements

Calico now utilizes kernel-side route filtering in order to reduce CPU usage in systems with many different pods.

Pull Requests:

  • Performance: use kernel-side route filtering when listing routes in the interface monitor. Dramatically reduces CPU usage (and garbage collection) on systems with many interfaces/routes. calico #7375 (@fasaxc)
  • Performance: use kernel-side route filtering when listing routes. Dramatically reduces CPU usage (and garbage collection) on systems with many interfaces/pods/routes. calico #7364 (@fasaxc)

Windows Server 2022 Support

Calico now supports Windows Server 2022.

OpenStack Yoga Support

Calico now supports OpenStack Yoga.

Pull Requests:

  • OpenStack: Support newer, more scalable version of etcd server. calico #7147 (@nelljerram)

Bug fixes

General
  • Fix ‘error while loading shared libraries: libresolv.so.2: cannot open shared object file’ on csi-node-driver-registrar. calico #7587 (@coutinhop)
  • Fix the auto iptables detection if ip_tables.ko preloaded on RHEL/CentOS 8. calico #7111 (@yankay)
  • Update pin to use fixed calico/bird image to fix node ST failures. calico #7562 (@coutinhop)
  • Prevents Node kube-controller’s internal pod cache from getting out of sync, thus leaking memory. calico #7433 (@dilyevsky)
  • Fix high CPU usage in syncL2RoutesForLink: ignore incomplete ARP entries when cleaning up the FDB table. Prevents us from telling the kernel to delete an FDB entry with no HwAddr, which fails, triggering a retry loop. calico #7421 (@detailyang)
  • Ensure that veths are created with the proper default values from the kernel. calico #7358 (@radixo)
  • Fix that the tunnel IP allocator did not respond to changes in the IP pool’s allowedUses field. calico #7357 (@fasaxc)
  • s390x: Fix image mislabel in CNI, Typha and kube-controllers. calico #7333 (@huoqifeng)
  • Remove usage of deprecated ‘--logtostderr’ command line flag. calico #7294 (@coutinhop)
  • Fix that Calico API server would reuse UUIDs from the underlying CRD objects that underpin the datamodel (thus confusing Kubernetes ownership tracking and ArgoCD). This will result in the apparent UUIDs of calico “v3” resources changing over upgrade. This was unavoidable in order to split them from the underlying CRD UUIDs. calico #7291 (@fasaxc)
  • Fix generation of operator-crds.yaml manifest. calico #7216 (@caseydavenport)
  • Fix that, if a Typha client loads the list of Typha instances just before they all get upgraded, it takes 30s+ to time out. Reload the list of Typha instances between each connection attempt. calico #7176 (@fasaxc)

eBPF
  • eBPF: prevents infinite restarts when we switch to ebpf after kube-proxy was in IPVS mode. calico #7174 (@StevenTigera)

Other changes

General
  • When running Calico in policy-only mode, do not write the IP annotations to the node. calico #7632 (@mgleung)
  • Introduce new BGPFilter resource. calico #7271 (@Josh-Tigera)
  • Enable s390x architecture support. calico #7249 (@huoqifeng)
  • ocp.tgz now hosted on GitHub. calico #7189 (@caseydavenport)
  • Replace misleading BUG: logs in the Typha client. calico #7172 (@fasaxc)
  • Add ability to set the deny action as REJECT instead of DROP. calico #5735 (@olljanat)

eBPF
  • ebpf: rules that mark established flows from before ebpf was turned on are installed asap to make transition smoother. calico #7526 (@tomastigera)
  • ebpf: BPFEnforceRPF is Loose by default to avoid issues in some environments. If the Strict option is required, it has to be set explicitly and the BPFDataIfacePattern may need to be changed accordingly to avoid attaching to “slave” devices. calico #7518 (@tomastigera)
  • ebpf: Jumpmap version incremented to prevent failures when upgrading from earlier calico versions. calico #7484 (@tomastigera)
  • ebpf: Topology Aware Hints supported when/where provided by k8s. calico #7241 (@StevenTigera)
  • ebpf: Setting BPFDSROptoutCIDRs to a list of CIDRs allows clients from these CIDRs to opt out from DSR when DSR is enabled. We recommend enabling DSR and setting BPFDSROptoutCIDRs to 168.63.129.16/32 in AKS. calico #7211 (@tomastigera)

Component Version
calico/typha v3.26.0
calico/ctl v3.26.0
calico/node v3.26.0
calico/cni v3.26.0
calico/apiserver v3.26.0
calico/kube-controllers v3.26.0
calico/flannel-migration-controller v3.26.0
calico/windows v3.26.0
networking-calico v3.26.0
docker.io/flannelcni/flannel v0.16.3
calico/dikastes v3.26.0
calico/pod2daemon-flexvol v3.26.0
calico/csi v3.26.0
calico/node-driver-registrar v3.26.0