
Release notes

February 28, 2023

Updates

  • Adds Bottlerocket support for Container Threat Detection.
  • Adds support for scanning multiple images with Image Assurance.

Bug fixes

  • Fixes "Kibana" menu item rename to "Logs".
  • Bug fixes for Container Threat Detection alerts.

February 7, 2023

New and improved Dashboards

Calico Cloud includes new and improved Dashboards that enable operators to define cluster- and namespace-scoped dashboards with new modules for policy usage, application layer and DNS metrics, and much more.

Configure Threat Feeds in the Calico Cloud UI

Calico Cloud includes a new UI that can be used to manage and configure global threat feeds.

For more information, see Detect and alert on anomalies and Trace and block suspicious IPs.

Namespace-based policy recommendations

Calico Cloud has improved its policy recommendation engine to add namespace-based recommendations. This enables operators to easily implement microsegmentation for namespaces.

For more information, see Create policy recommendation.

Create custom roles for Calico Cloud users

Calico Cloud administrators can now define granular roles and permissions for users using custom role-based access controls.

For more information, see Create and assign custom roles.

Egress gateway improvements

Calico Cloud has improved the probes to check readiness and outbound connectivity of egress gateways. Calico Cloud has also rearchitected egress gateway pods to improve security and make use of a temporary init container to set up packet forwarding.

Image Assurance updates

  • CLI Version v1.3.4
  • Calico Cloud supports the Image Assurance CLI scanner versions 1.3.0 and later.
  • Bug fix: Previously, the scanner returned an error if it reached a size limit while uploading vulnerabilities. This size limit has been removed.

December 13, 2022

Search by CVE in Image Assurance

Image Assurance reporting features now include a search and filtering capability that allows you to find list items based on a single CVE ID within any Image Assurance report.

Enable and Disable Container Threat Detection in the Calico Cloud UI

You can now enable or disable Container Threat Detection within the UI. After enabling the feature, you can review the status of which nodes are being monitored by the feature and which nodes of your cluster are unsupported.

New Feature: Calico Cloud Service Status Page

All users can view the status and health of the Calico Cloud service on our new status page: https://status.calicocloud.io.

November 1, 2022

Image Assurance

CLI Version v1.1.2.

The new CLI now checks that it is compatible with the latest Image Assurance API.

Container Threat Detection

tech-preview

Release of Container Threat Detection

With Container Threat Detection, you can monitor container activity using eBPF. Enable this feature to receive alerts based on file and process activity for known malicious and suspicious behavior. Alert events can be viewed on the Alerts page in Manager UI.

To get started, see Container Threat Detection.

September 26, 2022

New feature: Helm

Calico Cloud now supports installation using Helm.

New feature: Private Registry

Calico Cloud now supports installation from private registries. Note that this is only supported when installing with Helm.

Expanded platform support: RKEv2

Installation works on clusters with Calico deployed by RKEv2.

September 12, 2022

Image Assurance is GA

Image Assurance is now released for general availability.

With Image Assurance, DevOps and platform teams can scan images in public and private registries, including images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on known vulnerabilities. It also offers admission controller policies to block Kubernetes resources from creating containers with vulnerable images in your cluster.

Changes from the tech preview version

New Image Assurance CLI scanner

Image scanning is now configured and performed by the tigera-scanner CLI. You can integrate tigera-scanner into your CI/CD pipelines to ensure builds are checked by Image Assurance before deployment. You can also use the CLI scanner offline and on-demand for ad hoc scanning and emergency patching.

Export options for vulnerability scan results and runtime views

We've made it easier for platform operators to share Image Assurance scan results and runtime views with these export options:

  • Export one row per image or one row per image and CVE.
  • Export CSV or JSON files.

To get started, see Image Assurance.

Malware detection is GA

Malware detection is now released for general availability.

Calico Cloud's malware detection identifies malicious files in your cluster and generates alerts. Calico Cloud uses eBPF-based monitoring to log file hashes of programs running in your cluster. If there's a match to known malware from our threat intelligence library, you receive an alert. You can view your alerts on the Alerts page on Manager UI.

To get started, see Malware Detection.

July 27, 2022

Improvement: Export logs to a SIEM

To help meet your compliance requirements, we've added documentation to export logs to a SIEM (syslog, Splunk, or Amazon S3). See Export logs to a SIEM.

July 7, 2022

New feature: Distributed Web Application Firewall (WAF) with Envoy

tech-preview

Calico Cloud now includes the option to enable Web Application Firewall (WAF) rulesets when using Envoy as a daemonset. This enables operators to implement an additional layer of security and threat detection for application layer traffic. See Workload-based Web Application Firewall (WAF).

New Feature: Configuration option to use DNS rules with StagedNetworkPolicies

Calico Cloud has added a new configuration option in Felix (DNSPolicyMode) that lets you audit DNS rules with StagedNetworkPolicies. There is a small performance trade-off if you enable this option, so we recommend disabling it when it’s not required. See Felix configuration.

Improvement: Additional predefined RBAC options

Calico Cloud now supports 3 more pre-defined RBAC controls (devops, security and compliance persona) for role assignment.

Improvement: Anomaly detection deployment

tech-preview

Calico Cloud has made the configuration and deployment of anomaly detection jobs for threat detection and performance hotspots more granular, allowing you to selectively enable jobs depending on your use case. See Detect and alert on anomalies.

Improvement: Manager UI now displays cluster installation progress and streaming logs

Calico Cloud now displays information about managed cluster install progress right in the UI.

After you run the install command (Connect Cluster wizard in Managed Clusters), installation progress is automatically displayed along with logs for the managed cluster.

May 10, 2022

New feature: Visibility into usage metrics

Calico Cloud now displays information about cloud usage metrics. This will provide visibility into the node hours and data ingested for consumption-based invoices.

Account owners can click the new "Usage Metrics" button at the bottom of the left navbar to navigate to the new page.

Expanded platform support: AKS with managed Calico

Installation works on clusters with Calico deployed by AKS.

April 26, 2022

New feature: Malware detection

tech-preview

Calico Cloud introduces malware detection in tech preview, which uses eBPF-based monitoring to log observed file hashes of programs running in your Calico Cloud Kubernetes clusters. Malware detection identifies malicious files by comparing observed file hashes with our threat intelligence library of known malware, and generates alerts when malware is detected in your cluster. Alerts can be viewed on the Alerts page of Manager UI.

If you started using Calico Cloud before January 24, 2022, you must upgrade your existing cluster to get malware detection:

  1. Navigate to the Managed Clusters page.
  2. Select the cluster from the list, and click Reinstall.
  3. Copy the updated install script command and run it against your cluster.

April 20, 2022

Improved installation

We’ve updated the Calico Cloud installation process to improve security, reduce dependencies on utilities (such as bash), and allow you to customize the name of your connected clusters.

The Calico Cloud installation process will now require running a kubectl apply command instead of a bash script. Additionally, the installation script has been moved behind an authenticated endpoint. The updated install script is now available on the Managed Clusters page of the Calico Cloud UI.

If you started using Calico Cloud before January 24, 2022, you must upgrade your existing cluster to get these changes:

  1. Navigate to the Managed Clusters page.
  2. Select the cluster from the list, and click Reinstall.
  3. Copy the updated install script command and run it against your cluster.

April 19, 2022

New feature: Image Assurance

tech-preview

Calico Cloud introduces Image Assurance in tech preview, enabling DevOps and platform teams to scan images in public and private registries, and images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on discovered vulnerabilities. It also offers admission controller policies to enforce how vulnerable images are used to create resources within Kubernetes.

To get started, see Image Assurance.