Calico Cloud release notes
December 3, 2024 (version 20.3.0)
New features and enhancements
Image Assurance scan result management
In this release, you can more easily manage your Image Assurance scan results by deleting results you don't need. On the All Scan Results page, select the checkbox next to result item, and then click Actions > Delete. You can also select multiple results and delete them as a bulk action.
Support for Windows nodes on EKS
We've expanded our support for Windows nodes to include hybrid clusters on Amazon Elastic Kubernetes Service.
Search by policy name or namespace
Calico Cloud now includes search-to-filter capabilities on the policy board and listing pages, which helps you find a specific policy or a subset of policies more quickly.
Envoy deployment as a sidecar
Calico Cloud now provides the ability to deploy Envoy as a sidecar so application layer policy and logging are compatible with other features such as egress gateways, Wireguard for data-in-transit encryption, and Calico’s eBPF dataplane.
For more information, see Application layer policy and L7 logs.
Configurable rules for deep packet inspection
Calico Cloud now provides the ability for administrators to configure and customize the Snort rules that are used in deep packet inspection. This gives customers greater control over the types of rules that are evaluated. It also ensures that they can effectively tune and selectively enable rules to phase their deep packet inspection and network-based threat detection.
For more information, see Deep packet inspection.
Calico early networking (for dual ToR) preserves post-boot default routes
Calico Cloud includes improvements so that early network configuration will be superseded by any BGPPeer or BGPConfiguration resources after successful startup
For more information see Deploy a dual ToR cluster.
Enhancements
- Guardian will respect HTTP proxy environment variables when set on the deployment by mutating webhook configurations.
- Enhanced filtering options in the endpoints page of the Manager UI.
- Performance improvements to Image Assurance processes.
Deprecated and removed features
- All compliance reporting features are deprecated and will be removed in a future release. We're building a new compliance reporting system that will eventually replace the current one.
November 6, 2024 (version 20.2.0)
New features and enhancements
Image Assurance scan result management
In this release, you can more easily manage your Image Assurance scan results by deleting results you don't need. On the All Scan Results page, select the checkbox next to result item, and then click Actions > Delete. You can also select multiple results and delete them as a bulk action.
Enhancements
- Various detector improvements, including better handling of historical data and a detector export function.
- Improved webhooks with ability to send global alerts.
- Reduced memory usage for clusters with many
ConfigMap
resources.
Bug fixes
- Fixed an issue with the Image Assurance CLI scanner to ensure it takes CVE exceptions into account when scanning multiple images from the command line at the same time.
October 1, 2024 (version 20.1.0)
New features and enhancements
View and manage detectors for Container Threat Detection
We've provided better access to the detectors we use as part of our Container Threat Detection system. You can now view the complete list of detectors and turn them on or off as you see fit. Detectors can also be configured as part of a new RuntimeSecurity custom resource.
For more information, see Update detector settings.
Create Security Event exceptions for known processes
We added a way to create Security Event exceptions for processes in your cluster that you know to be safe. This can be a helpful way to eliminate noise and false positives in your alerts.
For more information, see Exclude a process from Security Events alerts.
Added EPSS data to Image Assurance results
Image Assurance scans results now include information using the Exploit Prediction Scoring System (EPSS). EPSS scores help you determine the likelihood that a given vulnerability will be exploited in the near future. Being able to view this information and filter scan results by EPSS score can help you judge the risk of vulnerabilities and prioritize your remediation efforts.
Enhancements
- Functional and performance improvements to Image Assurance scan results filtering.
September 20, 2024 (version 20.0.1)
Bug fixes
- Fixed an issue so that guardian picks up refreshed Service Account tokens which caused an issue on some AKS configurations due to a token expiration change.
September 10, 2024 (version 20.0.0)
New features and enhancements
Helm customizations
We've added new options for customizing Helm installations:
- You can now enable or disable the Compliance and Packet Capture features at installation.
- For many Calico Cloud components, you can specify node selectors, tolerations, and resource requests and limits.
For more information, see Connect a cluster to Calico Cloud and Install Calico Cloud as part of an automated workflow
Automatic Calico Cloud access for connected IdP groups
We made it easier for administrators to control access to Calico Cloud by managing users in their existing identity provider groups. When you add an identity provider, users who have memberships of one or more IdP Groups that have been enabled on Calico Cloud can log in without needing to be invited individually.
To enable automatic access for your IdP group members, open a support ticket.
Support for ARM64
This release adds support for clusters running on ARM64 architectures.
Support for Kubernetes 1.30
This release adds support for Kubernetes 1.30.
Deprecated and removed features
- The honeypods feature has been removed from this release.
Version support
You can now install or upgrade to the following versions:
- Calico Cloud 20
- Calico Cloud 19
- Calico Cloud 18
Calico Cloud versions 17 and earlier are no longer supported.
For information about upgrading, see Upgrade Calico Cloud.
July 23, 2024 (version 19.4.1)
Bug fixes
- For AKS clusters with managed Calico, AKS changed the resources deployed which causes the installer to fail or for existing clusters the operator will stop managing resources. We made changes to the Calico Cloud installation to deploy additional resources needed to allow normal operation to continue and installs to proceed.
July 9, 2024 (version 19.4.0)
New features and enhancements
Bulk vulnerability exceptions for Image Assurance
We added a way to efficiently add large numbers of vulnerability exceptions to your Image Assurance scan results. Instead of creating exceptions one by one, you can add them all at once by uploading a CSV file with the vulnerability definitions.
For more information, see Exclude vulnerabilities from scan results.
Bug fixes
- Previously, defining new values for the crawdad daemon by using the ImageAssurance custom resource had no effect, and the default values remained in place. This problem is now fixed.
- We fixed a bug that caused problems during Helm upgrades from Calico Cloud versions earlier than 19.1.0.
June 11, 2024 (version 19.3.0)
New features and enhancements
Jira integration for Image Assurance scan results
We added a way to create and assign Jira issues directly from your Image Assurance scan results page. You can filter and prioritize vulnerabilities, and then assign the remediation work to members of your team. Calico Cloud populates the information you need, including a CSV file with detailed information about the vulnerabilities in your packages.
For more information, see Creating Jira issues for scan results
Security events dashboard
A new dashboard summarizes security events and helps practitioners easily understand how events map across namespaces, MITRE techniques, event types, and attack phases. This allows first responders to quickly make sense of potential threats, engage the right stakeholders, and start the incident response and investigation process.
For more information, see Security event management.
Exceptions for security events
Calico Cloud now allows users to create exceptions for Security Events with varying levels of scope, from excluding an entire namespace to a specific deployment or workload. This gives operators a way to tune the runtime threat detection they have deployed and focus their investigations and response on critical applications and infrastructure.
For more information, see Security event management.
New flow logs panel for Endpoints and View Policy pages
Calico Cloud has added new entry points to view flow logs directly from the Endpoints listing and View Policy pages in the UI. Users can easily see which endpoints are involved in denied traffic, filter on those workloads, and click a link to open a panel that shows associated flows. A similar link has been added for View Policy pages, which allows users to quickly see the flows that have been recently evaluated by that policy to make sense of denied traffic or updates to rules.
Security Events in Service Graph
Calico Cloud now includes a new tab for Security Events which has taken the Alerts. Most runtime threat detection features now generate Security Events, and their inclusion Service Graph enables users to automatically filter events based on where they are occurring in a cluster.
Security Events IP addresses enriched with ASN and geolocation
For security events that contain external IP addresses, Calico Cloud now automatically performs a geolocation lookup. Understanding the country of origin for an IP address can often be the quickest and easiest way to distinguish legitimate traffic from malicious traffic.
Extend Workload-based WAF to Ingress Gateways
This latest release enables operators to plug-in a modifiedsimplified version of WAF to their own instances of Envoy. This allows users to deploy this version of WAF at the edge of their cluster integrated with an Ingress Gateway (if based on Envoy), with fully customizable rules based on OWASP CoreRuleSet 4.0 and powered by the Coraza engine.
For more information, see Deploying WAF with an ingress gateway .
Specifying resource requests and limits in Calico Cloud components
Calico Cloud now provides the ability to set resource requests and limits for the components that run as part of Calico Cloud. Please see documentation for specific guidance on setting these limits.
Known issues
- It is no longer supported to uninstall Calico Cloud on a cluster that before connecting to Calico Cloud it had Calico managed with AddonManager. This includes AKS clusters that had Calico installed and managed by AKS.
Bug fixes
- Fixed an issue where occasionally the status of a cluster would not be updated when the cluster connected resulting in auth tokens and license not being updated in the cluster.
April 30, 2024 (version 19.2.0)
New features and enhancements
Automated installation with client credentials
You can now generate and manage client credentials that you can use to automate the Calico Cloud installation process. With persistent API keys, you can build repeatable installation commands that connect your clusters as part of an automated workflow.
For more information, see Install Calico Cloud as part of an automated workflow.
Feature options for Helm installations
For Helm installations, you can now configure some feature options during installation. You can enable or disable Image Assurance, Container Threat Detection, and the Security Posture Dashboard by adding optional parameters to your Helm command.
For more information, see Connect a cluster to Calico Cloud.
Namespace exclusions for image scanning and runtime view
We added the ability to exclude namespaces from image scanning and runtime view. By excluding certain namespaces, you can reduce noise in your scan results and focus attention on higher priority workloads.
For more information, see Configure exclusions for image scanning.
April 2, 2024 (version 19.1.0)
Bug fixes
- We fixed a problem that caused the Image Assurance operator to stop working when it reached its memory limit.
February 28, 2024 (version 19.0.0)
New features and enhancements
Improved flow log filtering for destination domains
We’ve updated the Felix parameter (dest_domains
) for DNS policy to make it easy to find only domain names that the deployment connected to (not all the domain names that got translated to the same IP address).
For more information, see Flow log data types.
New flow logs panel on Endpoints page
We've updated the Endpoints page in Manager UI with a new flow logs panel so you can view and filter Endpoints associated with denied traffic. Flow log metadata includes the source, destination, ports, protocols, and other key forms. We've also updated the Policy Board to highlight policies with denied traffic.
Improvements to security events dashboard
We've added the following improvements to the Security events dashboard:
-
Jira and Slack webhook integration for security event alerts
By configuring security event alerts, you can push security event alerts to Slack, Jira, or an external HTTP endpoint of your choice. This lets incident response and security teams to use native tools to respond to security event alerts.
-
Added threat feed alerts
If you have implemented global threat feeds for suspicious activity (domains or suspicious IPs), alerts are now visible in the Security Overview dashboard. For more information on threat feeds, see Trace and block suspicious IPs.
Deprecated and removed features
- The AWS security groups integration is removed in this release.
- The ingress log collection feature is removed in this release.
January 31, 2024 (version 18.3.0)
New features and enhancements
Assign custom roles to users automatically with Entra ID (formerly Azure AD) groups
We've added the ability to link custom roles in Calico Cloud to your organization's Entra ID groups. You can define and modify group membership in Entra ID, and Calico Cloud will automatically grant role-based access to users based on that group membership.
For more information, see Create a custom role for an Entra ID group.
Export custom roles
In this release you can export custom roles from a managed cluster and apply them to another managed cluster. Previously, if you wanted to duplicate roles in multiple clusters, you needed to create them manually for each cluster. Now there is a process to apply those roles quickly and accurately in all clusters.
For more information, see Creating and assigning custom roles.
Windows node support for Azure Kubernetes Service
We've added support for Windows nodes in AKS clusters.
VXLAN support for cluster mesh and federation
We've expanded our support of cluster mesh to clusters using VXLAN for networking. Cluster mesh can be used to federate services and endpoints to authorize cross-cluster communication with Calico Cloud network policies.
For more information, see Configure federated endpoint identity and services.
Support for Azure CNI with overlay networking for AKS
We now officially support AKS clusters that are using overlay networking. This option is useful if you've exhausted your IP addresses. This option augments existing support for Azure CNI with no overlay (where a VNET IP address is assigned to every pod).
Support for Kubernetes 1.28
This release adds support for Kubernetes 1.28.
Deprecated and removed features
- The anomaly detection feature is removed in this release. If you enabled this feature, you will now stop receiving anomaly detection alerts.
- The AWS security groups integration is deprecated in this release. It will be removed in a future release.
- The ingress log collection feature is deprecated in this release. It will be removed in future release.
Bug fixes
- We fixed a problem that stopped diagnostics from being collected after a failed installation.
December 21, 2023 (version 18.2.0)
New features and enhancements
Security Posture Overview dashboard
We've added a new Security Posture Overview dashboard that helps you assess the security posture of your cluster. Using a list of prioritized recommended actions, you can start to take steps to reduce your risk over time. Because the dashboard is based on existing Calico Cloud data, no configuration is required. You can start improving the security posture of your Kubernetes cluster immediately.
For more information, see Security Posture Overview dashboard
Support for RKE2
This release comes with support for connecting RKE2 clusters to Calico Cloud.
Known issues
- You can't connect RKE2 clusters to Calico Cloud if you enabled the Image Assurance runtime view feature on any of your managed clusters. As a workaround, disable runtime view before connecting your RKE2 cluster.
Bug fixes
- Code changes to the Kubernetes controller-runtime led to intermittent errors in how the Container Threat Detection status was displayed in Manager UI. We modified the Runtime Security operator to account for these changes.
November 29, 2023 (version 18.1.0)
New features and enhancements
- We limited the permissions that are assigned to the Calico Cloud installer. Previously, the installer had cluster administrator privileges. Now the installer gets access only to what is required to install Calico Cloud.
- Image Assurance. We added a filter that lets you sort your list of running images by severity rating.
Known issues
- If you update your cluster to a previous version of Calico Cloud (18.0.0 or earlier), you may see an erroneous message about a failed installation that took place before the successful installation. This failed installation message can be disregarded.
Bug fixes
- Fixed an issue that caused security events generated by AKS managed clusters to be missing pod and namespace information.
- Fixed an issue that caused some pods on managed clusters to crash-loop after upgrading clusters that also have Dynatrace running.
October 23, 2023 (version 18.0.0)
New features and enhancements
Image Assurance registry scanner
The Image Assurance feature adds the ability to scan images in container registries at any time, on any infrastructure, including Kubernetes. This is ideal protection for images that don’t go through a pipeline (for example, third-party images), but are published to a registry. If CVEs are missed in your build pipeline, you can catch them before they are deployed.
For more information, see Scan images in container registries.
Security event management
We've added a new Security event management dashboard for threat detection. Security events provides context for suspicious activity detected in your cluster. Combined with the Kubernetes context, you can see what workloads are affected.
For more information, see Security event management.
New performance optimizations for egress gateways
Calico Cloud includes new performance options for egress gateway policies that can be used to ensure that application client and gateway pods are on the same cluster node.
For more information, see Optimize egress networking for workloads with long-lived TCP connections.
Configurable XFF headers for Envoy
We've added support for XFF to propagate the original IP address when proxying application layer traffic with Envoy within a Kubernetes cluster.
For more information, see Installation reference.
Alert-only mode for workload-based Web Application Firewall (WAF)
We've added a new default mode for WAF that is monitor/event only. This allows operators and security teams to verify the accuracy of configured rules before actively blocking traffic.
For more information, see Web application firewall.
Enhancements
- You can now remove disconnected clusters from the list of managed clusters. See Cluster management.
Known issues
-
The policy recommendation tool is not displaying policy recommendations. There is currently no workaround, but the issue will be fixed in an upcoming release.
-
Using a bookmarked link to log in to the Calico Cloud UI in this release causes the following problems:
- Image Assurance configuration page fails to load
- The Manager UI shows the enterprise license countdown at the top of the screen even for paid customers
If you are experiencing any login issues, go to https://calicocloud.io and log back in.
- Calico panics if kube-proxy or other components are using native
nftables
rules instead of theiptables-nft
compatibility shim. Until Calico supports native nftables mode, we recommend that you continue to use the iptables-nft compatibility layer for all components. (The compatibility layer was the only option before Kubernetes v1.29 added alpha-levelnftables
support.) Do not run Calico in "legacy" iptables mode on a system that is also usingnftables
. Although this combination does not panic or fail (at least on kernels that support both), the interaction betweeniptables
"legacy" mode andnftables
is confusing: bothiptables
andnftables
rules can be executed on the same packet, leading to policy verdicts being "overturned". Note that this issue applies to all previous versions of Calico Cloud.
Bug fixes
- We fixed an issue that caused a bad error message to appear when you changed a Calico Cloud user's role.
September 11, 2023 (version 17.1.1)
New features and enhancements
- We redesigned a section of the Image Assurance UI to make it easier to see how vulnerable an image is.
- We made improvements to the way Container Threat Detection processes large volumes of alerts.
Bug fixes
- We fixed a problem that caused the user interface to crash when a user attempted to edit a policy.
- We fixed a problem that prevented certain images from being scanned.
September 5, 2023 (version 17.1.0)
New features and enhancements
Improvements to software versioning for Calico Cloud installations on managed clusters
We've made it easier to see what version of Calico Cloud you're running or installing on a managed cluster. Now you can:
- view the Calico Cloud version number for each connected cluster from the Managed Clusters page
- see when an update is available for a managed cluster
- select a specific Calico Cloud version to install when you connect a cluster
Security Events UI page
Alerts corresponding to detections generated by container threat detection will now be published to the Security Events UI page, found within the Threat Defense left navigation menu item.
On this page, for every security event detected, users can view:
- security event name
- security event type
- severity level
- a description of what suspicious activity has been detected
- impacted assets (pod and namespace)
- attack vector type
- Mitre tactic and techniques associated with the detection
- mitigation recommendation
- additional metadata and context associated with the detection.
Alerts will continue to also appear on the Alerts UI page.
For more information, see Security event management.
Bug fixes
- Runtime Security alerts now correctly show the generated_time as the time the alert was generated. Previously they incorrectly showed the time when the underlying event which caused the alert was generated.
- Runtime Security alerts now correctly show the associated Mitre information.
Known issues
- Enabling WAF and Container Threat Detection through the UI is not possible for clusters running Kubernetes v1.27+. Both features can be enabled using kubectl.
- If you connected your cluster to Calico Cloud using Helm before the release of version 17.1.0, reinstalling or upgrading to any version of Calico Cloud may result in an error: "Error: rendered manifests contain a resource that already exists."
Previously, the
installers.operator.calicocloud.io
custom resource definition (CRD) installed by Helm required manual upgrades. After the release of Calico Cloud 17.1.0, this CRD is updated automatically, but this change causes errors the first time you attempt to reinstall or upgrade Calico Cloud on a cluster that was connected using Helm before the release of Calico Cloud 17.1.0.
As a workaround, label the CRD so that it is managed by Helm by running the following command:
kubectl patch crd installers.operator.calicocloud.io -p '{"metadata": {"annotations": {"meta.helm.sh/release-name":"calico-cloud-crds","meta.helm.sh/release-namespace":"calico-cloud"},"labels":{"app.kubernetes.io/managed-by":"Helm"}}}'
This allows you to successfully reinstall or upgrade to Calico Cloud by following the procedure in Upgrade Calico Cloud.
Security updates
- Runtime security upgraded to golang 1.20.7, which includes security updates.
- We rebuilt
cc-operator
andcc-cni-config-scanner
, which has reduced the number of CVEs.
August 21, 2023 (version 17.0.0)
New features and enhancements
New policy recommendations engine for namespace isolation
Calico Cloud has added a new policy recommendations engine that automatically generates staged policies for namespace isolation within your cluster. Policy recommendations.
Destination-based routing for egress gateways
Calico Cloud introduces a new mode for egress gateways that can leverage destination-based routing. Destination-based routing for egress gateways allows operators associated with a destination that is external to a Kubernetes cluster (for example, IP address or CIDR), to a specific egress gateway deployment. Egress gateways.
Support for DNS rules in clusters using NodeLocal DNSCache
Calico Cloud has added support for DNS rules in clusters using NodeLocal DNSCache. Also related, there is new documentation on using Calico policy to secure DNS traffic within the cluster with NodeLocal DNSCache enabled. Use NodeLocal DNSCache in your cluster.
Improved UI for configuring Workload-based Web Application Firewall (WAF)
Calico Cloud includes updates to the UI that allows you to select which services are enabled for the Workload-based Web Application Firewall. Web application firewall.
Wireguard support for AKS and EKS with Calico CNI
Calico Cloud now offers official support for Wireguard when using Microsoft AKS or Amazon EKS with Calico CNI. This mode of deployment offers performance benefits and a more efficient routing table compared to using cloud provider CNIs. Encrypt data in transit.
Additional custom roles for Calico Cloud
You can now create custom role-based access controls for two new roles: "Usage Metrics" and "Image Assurance Admin".
Image Assurance improvements
- A containerized version of Image Assurance scanner is now available to integrate into your CI/CD platform. See Image Assurance containerized scanner to pull the latest image.
- Substantial UI improvements including a new package-centric view of images
Known issues
- The canvas on Service Graph may zoom and pan unexpectedly when modifying Views or Layers
- Dragging tiers to modify their order is currently not working in the UI, though you can still change its order when editing a tier
- Policy recommendations may generate rules with ports and protocols for intra-namespace traffic. This will be modified in the next patch release to exclude ports and protocols and provide an option to Allow or Pass this traffic.
June 6, 2023
New features and enhancements
In-cluster scanning with Image Assurance
Calico Cloud now includes the ability to scan and monitor the images running in your Kubernetes clusters for new vulnerabilities. In-cluster scanning will scan any new images not previously scanned, and continuously monitor the BOM (Bill of Materials) for running images that have prior scan results.
New detectors for container threat detection
We've added several new detectors for container threat detection. These detectors help identify unsanctioned use of network tools, task scheduling, container admin and Docker commands, and much more. Calico Cloud now includes over 40 different detectors across each category of the MITRE ATT&CK Matrix.
May 2, 2023
This release includes a number of performance improvements and bug fixes.
April 24, 2023
Depreciated support for RKE, RKE2
Calico Cloud no longer supports installation on RKE or RKE2.
April 11, 2023
New features and enhancements
Updates to Managed Clusters
The Managed Clusters page has been redesigned to make it easier and more intuitive to search and filter your clusters.
Egress gateways for AKS and Azure
Calico Cloud adds egress gateway support for Microsoft Azure and AKS. Egress gateways allow you to identify the namespaces associated with egress traffic outside of your cluster. Egress gateways for AKS and Azure.
UI for workload-based Web Application Firewall (WAF)
Calico Cloud includes a new UI to enable and configure a workload-based Web Application Firewall. For more information, see Workload-based web application firewall.
Application layer policy with Envoy
Calico Cloud now includes support for application layer policy with Envoy, enabling platform operators to define authorization rules in Calico Cloud policies for protocols such as HTTP and gRPC. For more information, see Application layer policies.
Service Graph performance optimizations
Calico Cloud added several optimizations to improve the performance of Service Graph for clusters with larger numbers of namespaces.
Improvements to Envoy to accommodate advanced ingress controllers
Calico Cloud improves its Envoy deployment so you can use this feature in clusters with ingress controllers that perform advanced load balancing. For more information, see Workload-based web application firewall.
Improved Calico Cloud component security
Calico Cloud components were updated with more restrictive access for pods and containers using the Kubernetes security context:
- Non-root context whenever possible
- Root context and privilege escalation are used only when necessary
- Added
drop ALL capabilities
for pod security - Enabled
RuntimeDefault
as the default seccomp profile for all workloads
February 28, 2023
New features and enhancements
- Adds Bottlerocket support for Container Threat Detection.
- Adds support for scanning multiple images with Image Assurance
Bug fixes
- Fixes "Kibana" menu item rename to "Logs".
- Bug fixes for Container Threat Detection alerts.
February 7, 2023
New features and enhancements
New and improved Dashboards
Calico Cloud includes new and improved Dashboards that enable operators to define cluster* and namespace-scoped dashboards with new modules for policy usage, application layer and DNS metrics, and much more.
Configure Threat Feeds in the Calico Cloud UI
Calico Cloud includes a new UI that can be used to manage and configure global threat feeds
For more information, see Trace and block suspicious IPs.
Namespace-based policy recommendations
Calico Cloud has improved its policy recommendation engine to add namespace-based recommendations. This enables operators to easily implement microsegmentation for namespaces.
For more information, see Create policy recommendation.
Create custom roles for Calico Cloud users
Calico Cloud administrators can now define granular roles and permissions for users using custom role-based access controls.
For more information, see Create and assign custom roles.
Egress gateway improvements
Calico Cloud has improved the probes to check readiness and outbound connectivity of egress gateways. Calico Cloud has also rearchitected egress gateway pods to improve security and make use of a temporary init container to set up packet forwarding.
Image Assurance updates
- CLI Version v1.3.4
- Calico Cloud supports the Image Assurance CLI scanner versions 1.3.0 and later.
- Bug fix: Previously, the scanner returned an error if it reached a size limit while uploading vulnerabilities. This size limit has been removed.
December 13, 2022
New features and enhancements
Search by CVE in Image Assurance
Image Assurance reporting features now includes a search and filtering capability that allows you to find list items based on a single CVE ID within any Image Assurance reports.
Enable and disable Container Threat Detection in the Calico Cloud UI
You can now enable or disable Container Threat Detection within the UI. After enabling the feature, you can review the status of which nodes are being monitored by the feature and which nodes of your cluster are unsupported.
New Feature: Calico Cloud Service Status Page
All users can view the status and health of the Calico Cloud service on our new status page: https://status.calicocloud.io.
November 1, 2022
Image Assurance
CLI Version v1.1.2.
New CLI will now check that it is compatible with the latest Image Assurance API.
Container Threat Detection
Release of Container Threat Detection
With Container Threat Detection, you can monitor container activity using eBPF. Enable this feature to receive alerts based on file and process activity for known malicious and suspicious behavior. Alert events can be viewed on the Alerts page in Manager UI.
To get started, see Container Threat Detection
September 26, 2022
New feature: Helm
Calico Cloud now supports installation using Helm.
New feature: Private Registry
Calico Cloud now supports installation from private registries. Note that this is only supported when installing with Helm.
Expanded platform support: RKEv2
Installation works on clusters with Calico deployed by RKEv2.
September 12, 2022
Image Assurance is GA
Image Assurance is now released for general availability.
With Image Assurance, DevOps and platform teams can scan images in public and private registries, including images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on known vulnerabilities. It also offers admission controller policies to block resources in Kubernetes from creating containers with vulnerable images from entering your cluster.
Changes from the tech preview version
New Image Assurance CLI scanner
Image scanning is now configured and performed by the tigera-scanner
CLI.
You can integrate tigera-scanner
into your CI/CD pipelines to ensure builds are checked by Image Assurance before deployment.
You can also use the CLI scanner offline and on-demand for ad hoc scanning and emergency patching.
Export options for vulnerability scan results and runtime views
We've made it easier for platform operators to share Image Assurance scan results and runtime views with these export options:
- Export one row per image or one row per image and CVE.
- Export CSV or JSON files.
To get started, see Image Assurance.
Malware detection is GA
Malware detection is now released for general availability.
Calico Cloud's malware detection identifies malicious files in your cluster and generates alerts. Calico Cloud uses eBPF-based monitoring to log file hashes of programs running in your cluster. If there's a match to known malware from our threat intelligence library, you receive an alert. You can view your alerts on the Alerts page on Manager UI.
To get started, see Malware Detection)
July 27, 2022
Improvement: Export logs to a SIEM
To help meet your compliance requirements, we've added documentation to export logs to a SIEM (syslog, Splunk, or Amazon S3). See Export logs to a SIEM.
July 7, 2022
New feature: Distributed Web Application Firewall (WAF) with Envoy
Calico Cloud now includes the option to enable Web Application Firewall (WAF) rule sets when using Envoy as a daemonset. This enables operators to implement an additional layer of security and threat detection for application layer traffic. See Workload-based Web Application Firewall (WAF).
New Feature: Configuration option to use DNS rules with StagedNetworkPolicies
Calico Cloud has added a new configuration option in Felix (DNSPolicyMode
) that lets you audit DNS rules with StagedNetworkPolicies. There is a small performance trade off if you enable this option, so we recommended to disabling it when it’s not required. See Felix configuration.
Improvement: Additional predefined RBAC options
Calico Cloud now supports 3 more pre-defined RBAC controls (devops, security and compliance persona) for role assignment.
Improvement: Anomaly detection deployment
Calico Cloud has made the configuration and deployment of anomaly detection jobs for threat detection and performance hotspots more granular, allowing you to selectively enable jobs depending on your use case.
Improvement: Manager UI now displays cluster installation progress and streaming logs
Calico Cloud now displays information about managed cluster install progress right in the UI.
After you run the install command (Connect Cluster wizard in Managed Clusters), installation progress is automatically displayed along with logs for the managed cluster.
May 10, 2022
New feature: Visibility into usage metrics
Calico Cloud now displays information about cloud usage metrics. This will provide visibility into the node hours and data ingested for consumption-based invoices.
Account owners can click the new "Usage Metrics" button at the bottom of the left navbar to navigate to the new page.
Expanded platform support: AKS with managed Calico
Installation works on clusters with Calico deployed by AKS.
April 26, 2022
New feature: Malware detection
Calico Cloud introduces malware detection in tech preview, which uses eBPF-based monitoring to log observed file hashes of programs running in your Calico Cloud Kubernetes clusters. Malware detection identifies malicious files by comparing observed file hashes with our threat intelligence library of known malware, and generates alerts when malware is detected in your cluster. Alerts can be viewed on the Alerts page of Manager UI.
If you started using Calico Cloud before January 24, 2022, you must upgrade your existing cluster to get malware detection:
- Navigate to the Managed Clusters page.
- Select the cluster from the list, and click Reinstall.
- Copy the updated install script command and run it against your cluster.
April 20, 2022
Improved installation
We’ve updated the Calico Cloud installation process to improve security, reduce dependencies on utilities (such as bash), and allow you to customize the name of your connected clusters.
The Calico Cloud installation process will now require running a kubectl apply
command instead of a bash script. Additionally, the installation script has been moved behind an authenticated endpoint. The updated install script is now available on the Managed Clusters page of the Calico Cloud UI.
If you started using Calico Cloud before January 24, 2022, you must upgrade your existing cluster to get these changes:
- Navigate to the Managed Clusters page.
- Select the cluster from the list, and click Reinstall.
- Copy the updated install script command and run it against your cluster.
April 19, 2022
New feature: Image Assurance
Calico Cloud introduces Image Assurance in tech preview, enabling DevOps and platform teams to scan images in public and private registries, and images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on discovered vulnerabilities. It also offers admission controller policies to enforce how vulnerable images are used to create resources within Kubernetes.
To get started, see Image Assurance.