Calico Cloud release notes

April 1, 2025 (version 21.1.0)

Updated pricing structure

We've updated our pricing structure to make it easier to understand and manage. Now we calculate usage based on your vCPU hours, rather than node hours. And we stopped charging for log data ingestion.

When you upgrade, you'll notice a few changes:

• The previous metrics (node hours and ingested log data) are gone.
• The historical consumption data will continue to show your older metrics.

For more information, see Usage and billing.

Changes to version availability

Beginning with this release, users will not have access to versions of Calico Cloud that are older than the latest version at the time they joined. For example, if you start using Calico Cloud with version 21.1.0, you will not be able to install version 19.4.0 or version 20.0.0. As new versions are released, you will have access to all versions released after the version you joined with.

Deprecated and removed features

The Image Assurance and container threat detection features are deprecated and will be removed in a future release. Not all users will be able to use these deprecated features from this version onward:

• For users who start using Calico Cloud in April 2025 or later, these feature are not available.
• Legacy users, who started using Calico Cloud before April 2025, can continue to use these features until they are removed in a future release.

This split availability applies also to the compliance reports feature, which was deprecated in release 20.3.0.

Upgrade instructions for users of deprecated features

By default, new installations and upgrades to Calico Cloud 21.1.0 will disable Image Assurance, container threat detection, and compliance reporting.

Additional steps are required to enable these features for legacy users who started using Calico Cloud before April 2025.

For more information, see Install Calico Cloud and Upgrade Calico Cloud.

March 10, 2025 (version 21.0.0)

New features and enhancements

Custom dashboards (tech preview)

You can now build your own dashboard visualizations by creating new charts and queries in a custom dashboard. For simple changes, you can import one of the many standard charts and make edits to the query parameters as needed. Advanced users can create custom charts from scratch to display information from our flow, DNS, and L7 logs.

For more information, see Create a custom dashboard.

Introducing Calico Ingress Gateway (tech-preview)

Calico Cloud now includes the ability to deploy Calico Ingress Gateway which is an Enterprise hardened, 100% upstream distribution of Envoy Gateway. Envoy Gateway is an implementation of the Kubernetes Gateway API with several extensions that provide advanced security and traffic management features.

For more information, see Configure an ingress gateway.

IPAM for load balancers

Calico CLoud now extends its IPAM capabilities to support service LoadBalancer IP allocation, providing a centralized, automated approach to managing LoadBalancer IPs within Kubernetes clusters.

For more information, see LoadBalancer IP address management.

Version support

You can now install or upgrade to the following versions:

• Calico Cloud 21
• Calico Cloud 20
• Calico Cloud 19

Calico Cloud versions 18 and earlier are no longer supported.

For information about upgrading, see Upgrade Calico Cloud.

Deprecated and removed features

• The admission controller feature, which had been in tech preview, was removed.

Enhancements

• We improved how the web console performs in cases where there are a large number of policy tiers for managed clusters. To see these optimizations, make sure your managed clusters are running Calico Cloud 21.0.0 or later.

February 11, 2025 (version 20.4.0)

New features and enhancements

Exporting custom dashboard cards as CSV files

You can now export data from your custom dashboard cards as CSV files. This allows you to analyze the exported data using spreadsheet software or data analysis libraries.

Support for Kubernetes 1.31

This release adds support for Kubernetes 1.31.

Control-plane label customization for AKS

We added support for customizing the namespace labels on AKS clusters. By default we apply a control-plane label to namespaces so that they are exempt from Azure Policy. If you wish to apply Azure Policy to our namespaces, you can now override this label.

January 9, 2025 (web console update)

New features and enhancements

Secure web console access with IP allowlists

We've added support for restricting access to the web console by IP address. You can now define a list of allowed IP addresses or ranges. For example, you can allow users to access the web console only from your corporate network.

To configure an IP allowlist, open a support ticket.

December 19, 2024 (version 20.3.1)

Bug fixes

• Previously, updating Calico Cloud introduced breaking changes for some users who had defined network policy tiers with orders higher than the default value. This was caused by a change to the default tier order to 1,000,000. Now, during upgrades, the installation script checks to see whether the change in default tier order will cause problems. If necessary, the script blocks the new installation and prompts the user to adjust their tier order.
• Fixed an issue so that guardian picks up refreshed Service Account tokens which caused an issue on some AKS configurations due to a token expiration change.

December 17, 2024 (web console update)

New features and enhancements

Dashboards (tech preview)

We added a set of dashboards to help you understand the activity in your cluster. Each dashboard is made up of graphs, charts, and diagrams that visually represent the data in your logs.

You can also create your own arrangement by creating a custom dashboard. With a custom dashboard, you can combine and arrange cards from any of the other dashboards.

For more information, see Dashboards.

December 3, 2024 (version 20.3.0)

upgrade notice

Because of a breaking change, this version is no longer available. Upgrade instead to Calico Cloud 20.3.1 or later.

New features and enhancements

Image Assurance scan result management

In this release, you can more easily manage your Image Assurance scan results by deleting results you don't need. On the All Scan Results page, select the checkbox next to result item, and then click Actions > Delete. You can also select multiple results and delete them as a bulk action.

Support for Windows nodes on EKS

We've expanded our support for Windows nodes to include hybrid clusters on Amazon Elastic Kubernetes Service.

Search by policy name or namespace

Calico Cloud now includes search-to-filter capabilities on the policy board and listing pages, which helps you find a specific policy or a subset of policies more quickly.

Envoy deployment as a sidecar

Calico Cloud now provides the ability to deploy Envoy as a sidecar so application layer policy and logging are compatible with other features such as egress gateways, Wireguard for data-in-transit encryption, and Calico’s eBPF data plane.

For more information, see Application layer policy and L7 logs.

Configurable rules for deep packet inspection

Calico Cloud now provides the ability for administrators to configure and customize the Snort rules that are used in deep packet inspection. This gives customers greater control over the types of rules that are evaluated. It also ensures that they can effectively tune and selectively enable rules to phase their deep packet inspection and network-based threat detection.

For more information, see Deep packet inspection.

Calico early networking (for dual ToR) preserves post-boot default routes

Calico Cloud includes improvements so that early network configuration will be superseded by any BGPPeer or BGPConfiguration resources after successful startup

For more information see Deploy a dual ToR cluster.

Enhancements

• Guardian will respect HTTP proxy environment variables when set on the deployment by mutating webhook configurations.
• Enhanced filtering options in the endpoints page of the web console.
• Performance improvements to Image Assurance processes.

Deprecated and removed features

• All compliance reporting features are deprecated and will be removed in a future release. We're building a new compliance reporting system that will eventually replace the current one.

Updating

• Breaking change: Previously, the default tier had no order and was always evaluated last. Starting with Calico Cloud 20.3.0, the default tier now has an order of 1,000,000. When upgrading, you must ensure that existing tiers have a lower order or else policy decisions may be affected. For more information, see Get started with policy tiers.

November 6, 2024 (version 20.2.0)

New features and enhancements

Image Assurance scan result management

In this release, you can more easily manage your Image Assurance scan results by deleting results you don't need. On the All Scan Results page, select the checkbox next to result item, and then click Actions > Delete. You can also select multiple results and delete them as a bulk action.

Enhancements

• Various detector improvements, including better handling of historical data and a detector export function.
• Improved webhooks with ability to send global alerts.
• Reduced memory usage for clusters with many ConfigMap resources.

Bug fixes

• Fixed an issue with the Image Assurance CLI scanner to ensure it takes CVE exceptions into account when scanning multiple images from the command line at the same time.

October 1, 2024 (version 20.1.0)

New features and enhancements

View and manage detectors for Container Threat Detection

We've provided better access to the detectors we use as part of our Container Threat Detection system. You can now view the complete list of detectors and turn them on or off as you see fit. Detectors can also be configured as part of a new RuntimeSecurity custom resource.

For more information, see Update detector settings.

Create Security Event exceptions for known processes

We added a way to create Security Event exceptions for processes in your cluster that you know to be safe. This can be a helpful way to eliminate noise and false positives in your alerts.

For more information, see Exclude a process from Security Events alerts.

Added EPSS data to Image Assurance results

Image Assurance scans results now include information using the Exploit Prediction Scoring System (EPSS). EPSS scores help you determine the likelihood that a given vulnerability will be exploited in the near future. Being able to view this information and filter scan results by EPSS score can help you judge the risk of vulnerabilities and prioritize your remediation efforts.

Enhancements

• Functional and performance improvements to Image Assurance scan results filtering.

September 20, 2024 (version 20.0.1)

Bug fixes

• Fixed an issue so that guardian picks up refreshed Service Account tokens which caused an issue on some AKS configurations due to a token expiration change.

September 10, 2024 (version 20.0.0)

New features and enhancements

Helm customizations

We've added new options for customizing Helm installations:

• You can now enable or disable the Compliance and Packet Capture features at installation.
• For many Calico Cloud components, you can specify node selectors, tolerations, and resource requests and limits.

For more information, see Connect a cluster to Calico Cloud and Install Calico Cloud as part of an automated workflow

Automatic Calico Cloud access for connected IdP groups

We made it easier for administrators to control access to Calico Cloud by managing users in their existing identity provider groups. When you add an identity provider, users who have memberships of one or more IdP Groups that have been enabled on Calico Cloud can log in without needing to be invited individually.

To enable automatic access for your IdP group members, open a support ticket.

Support for ARM64

This release adds support for clusters running on ARM64 architectures.

Support for Kubernetes 1.30

This release adds support for Kubernetes 1.30.

Deprecated and removed features

• The honeypods feature has been removed from this release.

Version support

You can now install or upgrade to the following versions:

• Calico Cloud 20
• Calico Cloud 19
• Calico Cloud 18

Calico Cloud versions 17 and earlier are no longer supported.

For information about upgrading, see Upgrade Calico Cloud.

July 23, 2024 (version 19.4.1)

Bug fixes

• For AKS clusters with managed Calico, AKS changed the resources deployed which causes the installer to fail or for existing clusters the operator will stop managing resources. We made changes to the Calico Cloud installation to deploy additional resources needed to allow normal operation to continue and installs to proceed.

July 9, 2024 (version 19.4.0)

New features and enhancements

Bulk vulnerability exceptions for Image Assurance

We added a way to efficiently add large numbers of vulnerability exceptions to your Image Assurance scan results. Instead of creating exceptions one by one, you can add them all at once by uploading a CSV file with the vulnerability definitions.

For more information, see Exclude vulnerabilities from scan results.

Bug fixes

• Previously, defining new values for the crawdad daemon by using the ImageAssurance custom resource had no effect, and the default values remained in place. This problem is now fixed.
• We fixed a bug that caused problems during Helm upgrades from Calico Cloud versions earlier than 19.1.0.

June 11, 2024 (version 19.3.0)

New features and enhancements

Jira integration for Image Assurance scan results

We added a way to create and assign Jira issues directly from your Image Assurance scan results page. You can filter and prioritize vulnerabilities, and then assign the remediation work to members of your team. Calico Cloud populates the information you need, including a CSV file with detailed information about the vulnerabilities in your packages.

For more information, see Creating Jira issues for scan results

Security events dashboard

A new dashboard summarizes security events and helps practitioners easily understand how events map across namespaces, MITRE techniques, event types, and attack phases. This allows first responders to quickly make sense of potential threats, engage the right stakeholders, and start the incident response and investigation process.

For more information, see Security event management.

Exceptions for security events

Calico Cloud now allows users to create exceptions for Security Events with varying levels of scope, from excluding an entire namespace to a specific deployment or workload. This gives operators a way to tune the runtime threat detection they have deployed and focus their investigations and response on critical applications and infrastructure.

For more information, see Security event management.

New flow logs panel for Endpoints and View Policy pages

Calico Cloud has added new entry points to view flow logs directly from the Endpoints listing and View Policy pages in the UI. Users can easily see which endpoints are involved in denied traffic, filter on those workloads, and click a link to open a panel that shows associated flows. A similar link has been added for View Policy pages, which allows users to quickly see the flows that have been recently evaluated by that policy to make sense of denied traffic or updates to rules.

Security Events in Service Graph

Calico Cloud now includes a new tab for Security Events which has taken the Alerts. Most runtime threat detection features now generate Security Events, and their inclusion Service Graph enables users to automatically filter events based on where they are occurring in a cluster.

Security Events IP addresses enriched with ASN and geolocation

For security events that contain external IP addresses, Calico Cloud now automatically performs a geolocation lookup. Understanding the country of origin for an IP address can often be the quickest and easiest way to distinguish legitimate traffic from malicious traffic.

Extend Workload-based WAF to Ingress Gateways

This latest release enables operators to plug-in a modifiedsimplified version of WAF to their own instances of Envoy. This allows users to deploy this version of WAF at the edge of their cluster integrated with an Ingress Gateway (if based on Envoy), with fully customizable rules based on OWASP CoreRuleSet 4.0 and powered by the Coraza engine.

For more information, see Deploying WAF with an ingress gateway .

Specifying resource requests and limits in Calico Cloud components

Calico Cloud now provides the ability to set resource requests and limits for the components that run as part of Calico Cloud. Please see documentation for specific guidance on setting these limits.

Known issues

• It is no longer supported to uninstall Calico Cloud on a cluster that before connecting to Calico Cloud it had Calico managed with AddonManager. This includes AKS clusters that had Calico installed and managed by AKS.

Bug fixes

• Fixed an issue where occasionally the status of a cluster would not be updated when the cluster connected resulting in auth tokens and license not being updated in the cluster.

April 30, 2024 (version 19.2.0)

New features and enhancements

Automated installation with client credentials

You can now generate and manage client credentials that you can use to automate the Calico Cloud installation process. With persistent API keys, you can build repeatable installation commands that connect your clusters as part of an automated workflow.

For more information, see Install Calico Cloud as part of an automated workflow.

Feature options for Helm installations

For Helm installations, you can now configure some feature options during installation. You can enable or disable Image Assurance, Container Threat Detection, and the Security Posture Dashboard by adding optional parameters to your Helm command.

For more information, see Connect a cluster to Calico Cloud.

Namespace exclusions for image scanning and runtime view

We added the ability to exclude namespaces from image scanning and runtime view. By excluding certain namespaces, you can reduce noise in your scan results and focus attention on higher priority workloads.

For more information, see Configure exclusions for image scanning.

April 2, 2024 (version 19.1.0)

Bug fixes

• We fixed a problem that caused the Image Assurance operator to stop working when it reached its memory limit.

February 28, 2024 (version 19.0.0)

New features and enhancements

Improved flow log filtering for destination domains

We’ve updated the Felix parameter (dest_domains) for DNS policy to make it easy to find only domain names that the deployment connected to (not all the domain names that got translated to the same IP address). For more information, see Flow log data types.

New flow logs panel on Endpoints page

We've updated the Endpoints page in the web console with a new flow logs panel so you can view and filter Endpoints associated with denied traffic. Flow log metadata includes the source, destination, ports, protocols, and other key forms. We've also updated the Policy Board to highlight policies with denied traffic.

Improvements to security events dashboard

We've added the following improvements to the Security events dashboard:

• Jira and Slack webhook integration for security event alerts

  By configuring security event alerts, you can push security event alerts to Slack, Jira, or an external HTTP endpoint of your choice. This lets incident response and security teams to use native tools to respond to security event alerts.

• Added threat feed alerts

  If you have implemented global threat feeds for suspicious activity (domains or suspicious IPs), alerts are now visible in the Security Overview dashboard. For more information on threat feeds, see Trace and block suspicious IPs.

Deprecated and removed features

• The AWS security groups integration is removed in this release.
• The ingress log collection feature is removed in this release.

January 31, 2024 (version 18.3.0)

New features and enhancements

Assign custom roles to users automatically with Entra ID (formerly Azure AD) groups

We've added the ability to link custom roles in Calico Cloud to your organization's Entra ID groups. You can define and modify group membership in Entra ID, and Calico Cloud will automatically grant role-based access to users based on that group membership.

For more information, see Create a custom role for an Entra ID group.

Export custom roles

In this release you can export custom roles from a managed cluster and apply them to another managed cluster. Previously, if you wanted to duplicate roles in multiple clusters, you needed to create them manually for each cluster. Now there is a process to apply those roles quickly and accurately in all clusters.

For more information, see Creating and assigning custom roles.

Windows node support for Azure Kubernetes Service

We've added support for Windows nodes in AKS clusters.

VXLAN support for cluster mesh and federation

We've expanded our support of cluster mesh to clusters using VXLAN for networking. Cluster mesh can be used to federate services and endpoints to authorize cross-cluster communication with Calico Cloud network policies.

For more information, see Configure federated endpoint identity and services.

Support for Azure CNI with overlay networking for AKS

We now officially support AKS clusters that are using overlay networking. This option is useful if you've exhausted your IP addresses. This option augments existing support for Azure CNI with no overlay (where a VNET IP address is assigned to every pod).

Support for Kubernetes 1.28

This release adds support for Kubernetes 1.28.

Deprecated and removed features

• The anomaly detection feature is removed in this release. If you enabled this feature, you will now stop receiving anomaly detection alerts.
• The AWS security groups integration is deprecated in this release. It will be removed in a future release.
• The ingress log collection feature is deprecated in this release. It will be removed in future release.

Bug fixes

• We fixed a problem that stopped diagnostics from being collected after a failed installation.

December 21, 2023 (version 18.2.0)

New features and enhancements

Security Posture Overview dashboard

We've added a new Security Posture Overview dashboard that helps you assess the security posture of your cluster. Using a list of prioritized recommended actions, you can start to take steps to reduce your risk over time. Because the dashboard is based on existing Calico Cloud data, no configuration is required. You can start improving the security posture of your Kubernetes cluster immediately.

Support for RKE2

This release comes with support for connecting RKE2 clusters to Calico Cloud.

Known issues

• You can't connect RKE2 clusters to Calico Cloud if you enabled the Image Assurance runtime view feature on any of your managed clusters. As a workaround, disable runtime view before connecting your RKE2 cluster.

Bug fixes

• Code changes to the Kubernetes controller-runtime led to intermittent errors in how the Container Threat Detection status was displayed in the web console. We modified the Runtime Security operator to account for these changes.

November 29, 2023 (version 18.1.0)

New features and enhancements

• We limited the permissions that are assigned to the Calico Cloud installer. Previously, the installer had cluster administrator privileges. Now the installer gets access only to what is required to install Calico Cloud.
• Image Assurance. We added a filter that lets you sort your list of running images by severity rating.

Known issues

• If you update your cluster to a previous version of Calico Cloud (18.0.0 or earlier), you may see an erroneous message about a failed installation that took place before the successful installation. This failed installation message can be disregarded.

Bug fixes

• Fixed an issue that caused security events generated by AKS managed clusters to be missing pod and namespace information.
• Fixed an issue that caused some pods on managed clusters to crash-loop after upgrading clusters that also have Dynatrace running.

October 23, 2023 (version 18.0.0)

New features and enhancements

Image Assurance registry scanner

The Image Assurance feature adds the ability to scan images in container registries at any time, on any infrastructure, including Kubernetes. This is ideal protection for images that don’t go through a pipeline (for example, third-party images), but are published to a registry. If CVEs are missed in your build pipeline, you can catch them before they are deployed.

For more information, see Scan images in container registries.

Security event management

We've added a new Security event management dashboard for threat detection. Security events provides context for suspicious activity detected in your cluster. Combined with the Kubernetes context, you can see what workloads are affected.

For more information, see Security event management.

New performance optimizations for egress gateways

Calico Cloud includes new performance options for egress gateway policies that can be used to ensure that application client and gateway pods are on the same cluster node.

For more information, see Optimize egress networking for workloads with long-lived TCP connections.

Configurable XFF headers for Envoy

We've added support for XFF to propagate the original IP address when proxying application layer traffic with Envoy within a Kubernetes cluster.

For more information, see Installation reference.

Alert-only mode for workload-based Web Application Firewall (WAF)

We've added a new default mode for WAF that is monitor/event only. This allows operators and security teams to verify the accuracy of configured rules before actively blocking traffic.

For more information, see Web application firewall.

Enhancements

• You can now remove disconnected clusters from the list of managed clusters. See Cluster management.

Known issues

• The policy recommendation tool is not displaying policy recommendations. There is currently no workaround, but the issue will be fixed in an upcoming release.

• Using a bookmarked link to log in to the Calico Cloud UI in this release causes the following problems:

• Image Assurance configuration page fails to load
• the web console shows the enterprise license countdown at the top of the screen even for paid customers

If you are experiencing any login issues, go to https://calicocloud.io and log back in.

• Calico panics if kube-proxy or other components are using native nftables rules instead of the iptables-nft compatibility shim. Until Calico supports native nftables mode, we recommend that you continue to use the iptables-nft compatibility layer for all components. (The compatibility layer was the only option before Kubernetes v1.29 added alpha-level nftables support.) Do not run Calico in "legacy" iptables mode on a system that is also using nftables. Although this combination does not panic or fail (at least on kernels that support both), the interaction between iptables "legacy" mode and nftables is confusing: both iptables and nftables rules can be executed on the same packet, leading to policy verdicts being "overturned". Note that this issue applies to all previous versions of Calico Cloud.

Bug fixes

• We fixed an issue that caused a bad error message to appear when you changed a Calico Cloud user's role.

September 11, 2023 (version 17.1.1)

New features and enhancements

• We redesigned a section of the Image Assurance UI to make it easier to see how vulnerable an image is.
• We made improvements to the way Container Threat Detection processes large volumes of alerts.

Bug fixes

• We fixed a problem that caused the user interface to crash when a user attempted to edit a policy.
• We fixed a problem that prevented certain images from being scanned.

September 5, 2023 (version 17.1.0)

New features and enhancements

Improvements to software versioning for Calico Cloud installations on managed clusters

We've made it easier to see what version of Calico Cloud you're running or installing on a managed cluster. Now you can:

• view the Calico Cloud version number for each connected cluster from the Managed Clusters page
• see when an update is available for a managed cluster
• select a specific Calico Cloud version to install when you connect a cluster

Security Events UI page

Alerts corresponding to detections generated by container threat detection will now be published to the Security Events UI page, found within the Threat Defense left navigation menu item.

On this page, for every security event detected, users can view:

• security event name
• security event type
• severity level
• a description of what suspicious activity has been detected
• impacted assets (pod and namespace)
• attack vector type
• Mitre tactic and techniques associated with the detection
• mitigation recommendation
• additional metadata and context associated with the detection.

Alerts will continue to also appear on the Alerts UI page.

For more information, see Security event management.

Bug fixes

• Runtime Security alerts now correctly show the generated_time as the time the alert was generated. Previously they incorrectly showed the time when the underlying event which caused the alert was generated.
• Runtime Security alerts now correctly show the associated Mitre information.

Known issues

• Enabling WAF and Container Threat Detection through the UI is not possible for clusters running Kubernetes v1.27+. Both features can be enabled using kubectl.
• If you connected your cluster to Calico Cloud using Helm before the release of version 17.1.0, reinstalling or upgrading to any version of Calico Cloud may result in an error: "Error: rendered manifests contain a resource that already exists." Previously, the installers.operator.calicocloud.io custom resource definition (CRD) installed by Helm required manual upgrades. After the release of Calico Cloud 17.1.0, this CRD is updated automatically, but this change causes errors the first time you attempt to reinstall or upgrade Calico Cloud on a cluster that was connected using Helm before the release of Calico Cloud 17.1.0.

As a workaround, label the CRD so that it is managed by Helm by running the following command:

kubectl patch crd installers.operator.calicocloud.io -p '{"metadata": {"annotations": {"meta.helm.sh/release-name":"calico-cloud-crds","meta.helm.sh/release-namespace":"calico-cloud"},"labels":{"app.kubernetes.io/managed-by":"Helm"}}}'

This allows you to successfully reinstall or upgrade to Calico Cloud by following the procedure in Upgrade Calico Cloud.

Security updates

• Runtime security upgraded to golang 1.20.7, which includes security updates.
• We rebuilt cc-operator and cc-cni-config-scanner, which has reduced the number of CVEs.

August 21, 2023 (version 17.0.0)

New features and enhancements

New policy recommendations engine for namespace isolation

Calico Cloud has added a new policy recommendations engine that automatically generates staged policies for namespace isolation within your cluster. Policy recommendations.

Destination-based routing for egress gateways

Calico Cloud introduces a new mode for egress gateways that can leverage destination-based routing. Destination-based routing for egress gateways allows operators associated with a destination that is external to a Kubernetes cluster (for example, IP address or CIDR), to a specific egress gateway deployment. Egress gateways.

Support for DNS rules in clusters using NodeLocal DNSCache

Calico Cloud has added support for DNS rules in clusters using NodeLocal DNSCache. Also related, there is new documentation on using Calico policy to secure DNS traffic within the cluster with NodeLocal DNSCache enabled. Use NodeLocal DNSCache in your cluster.

Improved UI for configuring Workload-based Web Application Firewall (WAF)

Calico Cloud includes updates to the UI that allows you to select which services are enabled for the Workload-based Web Application Firewall. Web application firewall.

Wireguard support for AKS and EKS with Calico CNI

Calico Cloud now offers official support for Wireguard when using Microsoft AKS or Amazon EKS with Calico CNI. This mode of deployment offers performance benefits and a more efficient routing table compared to using cloud provider CNIs. Encrypt data in transit.

Additional custom roles for Calico Cloud

You can now create custom role-based access controls for two new roles: "Usage Metrics" and "Image Assurance Admin".

Image Assurance improvements

• A containerized version of Image Assurance scanner is now available to integrate into your CI/CD platform. See Image Assurance containerized scanner to pull the latest image.
• Substantial UI improvements including a new package-centric view of images

Known issues

• The canvas on Service Graph may zoom and pan unexpectedly when modifying Views or Layers
• Dragging tiers to modify their order is currently not working in the UI, though you can still change its order when editing a tier
• Policy recommendations may generate rules with ports and protocols for intra-namespace traffic. This will be modified in the next patch release to exclude ports and protocols and provide an option to Allow or Pass this traffic.

June 6, 2023

New features and enhancements

In-cluster scanning with Image Assurance

Calico Cloud now includes the ability to scan and monitor the images running in your Kubernetes clusters for new vulnerabilities. In-cluster scanning will scan any new images not previously scanned, and continuously monitor the BOM (Bill of Materials) for running images that have prior scan results.

New detectors for container threat detection

We've added several new detectors for container threat detection. These detectors help identify unsanctioned use of network tools, task scheduling, container admin and Docker commands, and much more. Calico Cloud now includes over 40 different detectors across each category of the MITRE ATT&CK Matrix.

May 2, 2023

This release includes a number of performance improvements and bug fixes.

April 24, 2023

Depreciated support for RKE, RKE2

Calico Cloud no longer supports installation on RKE or RKE2.

April 11, 2023

New features and enhancements

Updates to Managed Clusters

The Managed Clusters page has been redesigned to make it easier and more intuitive to search and filter your clusters.

Egress gateways for AKS and Azure

Calico Cloud adds egress gateway support for Microsoft Azure and AKS. Egress gateways allow you to identify the namespaces associated with egress traffic outside of your cluster. Egress gateways for AKS and Azure.

UI for workload-based Web Application Firewall (WAF)

Calico Cloud includes a new UI to enable and configure a workload-based Web Application Firewall. For more information, see Workload-based web application firewall.

Application layer policy with Envoy

Calico Cloud now includes support for application layer policy with Envoy, enabling platform operators to define authorization rules in Calico Cloud policies for protocols such as HTTP and gRPC. For more information, see Application layer policies.

Service Graph performance optimizations

Calico Cloud added several optimizations to improve the performance of Service Graph for clusters with larger numbers of namespaces.

Improvements to Envoy to accommodate advanced ingress controllers

Calico Cloud improves its Envoy deployment so you can use this feature in clusters with ingress controllers that perform advanced load balancing. For more information, see Workload-based web application firewall.

Improved Calico Cloud component security

Calico Cloud components were updated with more restrictive access for pods and containers using the Kubernetes security context:

• Non-root context whenever possible
• Root context and privilege escalation are used only when necessary
• Added drop ALL capabilities for pod security
• Enabled RuntimeDefault as the default seccomp profile for all workloads

February 28, 2023

New features and enhancements

• Adds Bottlerocket support for Container Threat Detection.
• Adds support for scanning multiple images with Image Assurance

Bug fixes

• Fixes "Kibana" menu item rename to "Logs".
• Bug fixes for Container Threat Detection alerts.

February 7, 2023

New features and enhancements

New and improved Dashboards

Calico Cloud includes new and improved Dashboards that enable operators to define cluster* and namespace-scoped dashboards with new modules for policy usage, application layer and DNS metrics, and much more.

Configure Threat Feeds in the Calico Cloud UI

Calico Cloud includes a new UI that can be used to manage and configure global threat feeds

For more information, see Trace and block suspicious IPs.

Namespace-based policy recommendations

Calico Cloud has improved its policy recommendation engine to add namespace-based recommendations. This enables operators to easily implement microsegmentation for namespaces.

For more information, see Create policy recommendation.

Create custom roles for Calico Cloud users

Calico Cloud administrators can now define granular roles and permissions for users using custom role-based access controls.

For more information, see Create and assign custom roles.

Egress gateway improvements

Calico Cloud has improved the probes to check readiness and outbound connectivity of egress gateways. Calico Cloud has also rearchitected egress gateway pods to improve security and make use of a temporary init container to set up packet forwarding.

Image Assurance updates

• CLI Version v1.3.4
• Calico Cloud supports the Image Assurance CLI scanner versions 1.3.0 and later.
• Bug fix: Previously, the scanner returned an error if it reached a size limit while uploading vulnerabilities. This size limit has been removed.

December 13, 2022

New features and enhancements

Search by CVE in Image Assurance

Image Assurance reporting features now includes a search and filtering capability that allows you to find list items based on a single CVE ID within any Image Assurance reports.

Enable and disable Container Threat Detection in the Calico Cloud UI

You can now enable or disable Container Threat Detection within the UI. After enabling the feature, you can review the status of which nodes are being monitored by the feature and which nodes of your cluster are unsupported.

New Feature: Calico Cloud Service Status Page

All users can view the status and health of the Calico Cloud service on our new status page: https://status.calicocloud.io.

November 1, 2022

Image Assurance

CLI Version v1.1.2.

New CLI will now check that it is compatible with the latest Image Assurance API.

Container Threat Detection

Release of Container Threat Detection

With Container Threat Detection, you can monitor container activity using eBPF. Enable this feature to receive alerts based on file and process activity for known malicious and suspicious behavior. Alert events can be viewed on the Alerts page in the web console.

To get started, see Container Threat Detection

September 26, 2022

New feature: Helm

Calico Cloud now supports installation using Helm.

New feature: Private Registry

Calico Cloud now supports installation from private registries. Note that this is only supported when installing with Helm.

Expanded platform support: RKEv2

Installation works on clusters with Calico deployed by RKEv2.

September 12, 2022

Image Assurance is GA

Image Assurance is now released for general availability.

With Image Assurance, DevOps and platform teams can scan images in public and private registries, including images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on known vulnerabilities. It also offers admission controller policies to block resources in Kubernetes from creating containers with vulnerable images from entering your cluster.

Changes from the tech preview version

New Image Assurance CLI scanner Image scanning is now configured and performed by the tigera-scanner CLI. You can integrate tigera-scanner into your CI/CD pipelines to ensure builds are checked by Image Assurance before deployment. You can also use the CLI scanner offline and on-demand for ad hoc scanning and emergency patching.

Export options for vulnerability scan results and runtime views

We've made it easier for platform operators to share Image Assurance scan results and runtime views with these export options:

• Export one row per image or one row per image and CVE.
• Export CSV or JSON files.

To get started, see Image Assurance.

Malware detection is GA

Malware detection is now released for general availability.

Calico Cloud's malware detection identifies malicious files in your cluster and generates alerts. Calico Cloud uses eBPF-based monitoring to log file hashes of programs running in your cluster. If there's a match to known malware from our threat intelligence library, you receive an alert. You can view your alerts on the Alerts page on the web console.

To get started, see Malware Detection)

July 27, 2022

Improvement: Export logs to a SIEM

To help meet your compliance requirements, we've added documentation to export logs to a SIEM (syslog, Splunk, or Amazon S3). See Export logs to a SIEM.

July 7, 2022

New feature: Distributed Web Application Firewall (WAF) with Envoy

Calico Cloud now includes the option to enable Web Application Firewall (WAF) rule sets when using Envoy as a daemonset. This enables operators to implement an additional layer of security and threat detection for application layer traffic. See Workload-based Web Application Firewall (WAF).

New Feature: Configuration option to use DNS rules with StagedNetworkPolicies

Calico Cloud has added a new configuration option in Felix (DNSPolicyMode) that lets you audit DNS rules with StagedNetworkPolicies. There is a small performance trade off if you enable this option, so we recommended to disabling it when it’s not required. See Felix configuration.

Improvement: Additional predefined RBAC options

Calico Cloud now supports 3 more pre-defined RBAC controls (devops, security and compliance persona) for role assignment.

Improvement: Anomaly detection deployment

Calico Cloud has made the configuration and deployment of anomaly detection jobs for threat detection and performance hotspots more granular, allowing you to selectively enable jobs depending on your use case.

Improvement: the web console now displays cluster installation progress and streaming logs

Calico Cloud now displays information about managed cluster install progress right in the UI.

After you run the install command (Connect Cluster wizard in Managed Clusters), installation progress is automatically displayed along with logs for the managed cluster.

May 10, 2022

New feature: Visibility into usage metrics

Calico Cloud now displays information about cloud usage metrics. This will provide visibility into the node hours and data ingested for consumption-based invoices.

Account owners can click the new "Usage Metrics" button at the bottom of the left navbar to navigate to the new page.

Expanded platform support: AKS with managed Calico

Installation works on clusters with Calico deployed by AKS.

April 26, 2022

New feature: Malware detection

Calico Cloud introduces malware detection in tech preview, which uses eBPF-based monitoring to log observed file hashes of programs running in your Calico Cloud Kubernetes clusters. Malware detection identifies malicious files by comparing observed file hashes with our threat intelligence library of known malware, and generates alerts when malware is detected in your cluster. Alerts can be viewed on the Alerts page of the web console.

If you started using Calico Cloud before January 24, 2022, you must upgrade your existing cluster to get malware detection:

1. Navigate to the Managed Clusters page.
2. Select the cluster from the list, and click Reinstall.
3. Copy the updated install script command and run it against your cluster.

April 20, 2022

Improved installation

We’ve updated the Calico Cloud installation process to improve security, reduce dependencies on utilities (such as bash), and allow you to customize the name of your connected clusters.

The Calico Cloud installation process will now require running a kubectl apply command instead of a bash script. Additionally, the installation script has been moved behind an authenticated endpoint. The updated install script is now available on the Managed Clusters page of the Calico Cloud UI.

If you started using Calico Cloud before January 24, 2022, you must upgrade your existing cluster to get these changes:

1. Navigate to the Managed Clusters page.
2. Select the cluster from the list, and click Reinstall.
3. Copy the updated install script command and run it against your cluster.

April 19, 2022

New feature: Image Assurance

Calico Cloud introduces Image Assurance in tech preview, enabling DevOps and platform teams to scan images in public and private registries, and images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on discovered vulnerabilities. It also offers admission controller policies to enforce how vulnerable images are used to create resources within Kubernetes.

To get started, see Image Assurance.