Calico Cloud release notes

September 11, 2023 (version 17.1.1)

New features and enhancements

• We redesigned a section of the Image Assurance UI to make it easier to see how vulnerable an image is.
• We made improvements to the way Container Threat Detection processes large volumes of alerts.

Bug fixes

• We fixed a problem that caused the user interface to crash when a user attempted to edit a policy.
• We fixed a problem that prevented certain images from being scanned.

September 5, 2023 (version 17.1.0)

New features and enhancements

Improvements to software versioning for Calico Cloud installations on managed clusters

We've made it easier to see what version of Calico Cloud you're running or installing on a managed cluster. Now you can:

• view the Calico Cloud version number for each connected cluster from the Managed Clusters page
• see when an update is available for a managed cluster
• select a specific Calico Cloud version to install when you connect a cluster

Security Events UI page

Alerts corresponding to detections generated by container threat detection will now be published to the Security Events UI page, found within the Threat Defense left navigation menu item.

On this page, for every security event detected, users can view:

• security event name
• security event type
• severity level
• a description of what suspicious activity has been detected
• impacted assets (pod and namespace)
• attack vector type
• Mitre tactic and techniques associated with the detection
• mitigation recommendation
• additional metadata and context associated with the detection.

Alerts will continue to also appear on the Alerts UI page.

For more information, see Security event management.

Bug fixes

• Runtime Security alerts now correctly show the generated_time as the time the alert was generated. Previously they incorrectly showed the time when the underlying event which caused the alert was generated.
• Runtime Security alerts now correctly show the associated Mitre information.

Known issues

• Enabling WAF and Container Threat Detection through the UI is not possible for clusters running Kubernetes v1.27+. Both features can be enabled using kubectl.

• If you connected your cluster to Calico Cloud using Helm before the release of version 17.1.0, reinstalling or upgrading to any version of Calico Cloud may result in an error: "Error: rendered manifests contain a resource that already exists." Previously, the installers.operator.calicocloud.io custom resource definition (CRD) installed by Helm required manual upgrades. After the release of Calico Cloud 17.1.0, this CRD is updated automatically, but this change causes errors the first time you attempt to reinstall or upgrade Calico Cloud on a cluster that was connected using Helm before the release of Calico Cloud 17.1.0.

  As a workaround, label the CRD so that it is managed by Helm by running the following command:

  kubectl patch crd installers.operator.calicocloud.io -p '{"metadata": {"annotations": {"meta.helm.sh/release-name":"calico-cloud-crds","meta.helm.sh/release-namespace":"calico-cloud"},"labels":{"app.kubernetes.io/managed-by":"Helm"}}}'

  This allows you to successfully reinstall or upgrade to Calico Cloud by following the procedure in Upgrade Calico Cloud.

Security updates

• Runtime security upgraded to golang 1.20.7, which includes security updates.
• We rebuilt cc-operator and cc-cni-config-scanner, which has reduced the number of CVEs.

August 21, 2023 (version 17.0.0)

New features and enhancements

New policy recommendations engine for namespace isolation

Calico Cloud has added a new policy recommendations engine that automatically generates staged policies for namespace isolation within your cluster. Policy recommendations.

Destination-based routing for egress gateways

Calico Cloud introduces a new mode for egress gateways that can leverage destination-based routing. Destination-based routing for egress gateways allows operators associated with a destination that is external to a Kubernetes cluster (for example, IP address or CIDR), to a specific egress gateway deployment. Egress gateways.

Support for DNS rules in clusters using NodeLocal DNSCache

Calico Cloud has added support for DNS rules in clusters using NodeLocal DNSCache. Also related, there is new documentation on using Calico policy to secure DNS traffic within the cluster with NodeLocal DNSCache enabled. Use NodeLocal DNSCache in your cluster.

Improved UI for configuring Workload-based Web Application Firewall (WAF)

Calico Cloud includes updates to the UI that allows you to select which services are enabled for the Workload-based Web Application Firewall. Web application firewall.

Wireguard support for AKS and EKS with Calico CNI

Calico Cloud now offers official support for Wireguard when using Microsoft AKS or Amazon EKS with Calico CNI. This mode of deployment offers performance benefits and a more efficient routing table compared to using cloud provider CNIs. Encrypt data in transit.

Additional custom roles for Calico Cloud

You can now create custom role-based access controls for two new roles: "Usage Metrics" and "Image Assurance Admin".

Image Assurance improvements

• A containerized version of Image Assurance scanner is now available to integrate into your CI/CD platform. See Image Assurance containerized scanner to pull the latest image.
• Substantial UI improvements including a new package-centric view of images

Known issues

• The canvas on Service Graph may zoom and pan unexpectedly when modifying Views or Layers
• Dragging tiers to modify their order is currently not working in the UI, though you can still change its order when editing a tier
• Policy recommendations may generate rules with ports and protocols for intra-namespace traffic. This will be modified in the next patch release to exclude ports and protocols and provide an option to Allow or Pass this traffic.

June 6, 2023

New features and enhancements

In-cluster scanning with Image Assurance

Calico Cloud now includes the ability to scan and monitor the images running in your Kubernetes clusters for new vulnerabilities. In-cluster scanning will scan any new images not previously scanned, and continuously monitor the BOM (Bill of Materials) for running images that have prior scan results.

New detectors for container threat detection

We've added several new detectors for container threat detection. These detectors help identify unsanctioned use of network tools, task scheduling, container admin and Docker commands, and much more. Calico Cloud now includes over 40 different detectors across each category of the MITRE ATT&CK Matrix.

May 2, 2023

This release includes a number of performance improvements and bug fixes.

April 24, 2023

Depreciated support for RKE, RKE2

Calico Cloud no longer supports installation on RKE or RKE2.

April 11, 2023

New features and enhancements

Updates to Managed Clusters

The Managed Clusters page has been redesigned to make it easier and more intuitive to search and filter your clusters.

Egress gateways for AKS and Azure

Calico Cloud adds egress gateway support for Microsoft Azure and AKS. Egress gateways allow you to identify the namespaces associated with egress traffic outside of your cluster. Egress gateways for AKS and Azure.

UI for workload-based Web Application Firewall (WAF)

Calico Cloud includes a new UI to enable and configure a workload-based Web Application Firewall. For more information, see Workload-based web application firewall.

Application layer policy with Envoy

Calico Cloud now includes support for application layer policy with Envoy, enabling platform operators to define authorization rules in Calico Cloud policies for protocols such as HTTP and gRPC. For more information, see Application layer policies.

Service Graph performance optimizations

Calico Cloud added several optimizations to improve the performance of Service Graph for clusters with larger numbers of namespaces.

Improvements to Envoy to accommodate advanced ingress controllers

Calico Cloud improves its Envoy deployment so you can use this feature in clusters with ingress controllers that perform advanced load balancing. For more information, see Workload-based web application firewall.

Improved Calico Cloud component security

Calico Cloud components were updated with more restrictive access for pods and containers using the Kubernetes security context:

• Non-root context whenever possible
• Root context and privilege escalation are used only when necessary
• Added drop ALL capabilities for pod security
• Enabled RuntimeDefault as the default seccomp profile for all workloads

February 28, 2023

New features and enhancements

• Adds Bottlerocket support for Container Threat Detection.
• Adds support for scanning multiple images with Image Assurance

Bug fixes

• Fixes "Kibana" menu item rename to "Logs".
• Bug fixes for Container Threat Detection alerts.

February 7, 2023

New features and enhancements

New and improved Dashboards

Calico Cloud includes new and improved Dashboards that enable operators to define cluster* and namespace-scoped dashboards with new modules for policy usage, application layer and DNS metrics, and much more.

Configure Threat Feeds in the Calico Cloud UI

Calico Cloud includes a new UI that can be used to manage and configure global threat feeds

For more information, see Detect and alert on anomalies and Trace and block suspicious IPs.

Namespace-based policy recommendations

Calico Cloud has improved its policy recommendation engine to add namespace-based recommendations. This enables operators to easily implement microsegmentation for namespaces.

For more information, see Create policy recommendation.

Create custom roles for Calico Cloud users

Calico Cloud adminstrators can now define granular roles and permissions for users using custom role-based access controls.

For more information, see Create and assign custom roles.

Egress gateway improvements

Calico Cloud has improved the probes to check readiness and outbound connectivity of egress gateways. Calico Cloud has also rearchitected egress gateway pods to improve security and make use of a temporary init container to set up packet forwarding.

Image Assurance updates

• CLI Version v1.3.4
• Calico Cloud supports the Image Assurance CLI scanner versions 1.3.0 and later.
• Bug fix: Previously, the scanner returned an error if it reached a size limit while uploading vulnerabilities. This size limit has been removed.

December 13, 2022

New features and enhancements

Search by CVE in Image Assurance

Image Assurance reporting features now includes a search and filtering capability that allows you to find list items based on a single CVE ID within any Image Assurance reports.

Enable and disable Container Threat Detection in the Calico Cloud UI

You can now enable or disable Container Threat Detection within the UI. After enabling the feature, you can review the status of which nodes are being monitored by the feature and which nodes of your cluster are unsupported.

New Feature: Calico Cloud Service Status Page

All users can view the status and health of the Calico Cloud service on our new status page: https://status.calicocloud.io.

November 1, 2022

Image Assurance

CLI Version v1.1.2.

New CLI will now check that it is compatible with the latest Image Assurance API.

Container Threat Detection

Release of Container Threat Detection

With Container Threat Detection, you can monitor container activity using eBPF. Enable this feature to receive alerts based on file and process activity for known malicious and suspicious behavior. Alert events can be viewed on the Alerts page in Manager UI.

To get started see, Container Threat Detection

September 26, 2022

New feature: Helm

Calico Cloud now supports installation using Helm.

New feature: Private Registry

Calico Cloud now supports installation from private registries. Note that this is only supported when installing with Helm.

Expanded platform support: RKEv2

Installation works on clusters with Calico deployed by RKEv2.

September 12, 2022

Image Assurance is GA

Image Assurance is now released for general availability.

With Image Assurance, DevOps and platform teams can scan images in public and private registries, including images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on known vulnerabilities. It also offers admission controller policies to block resources in Kubernetes from creating containers with vulnerable images from entering your cluster.

Changes from the tech preview version

New Image Assurance CLI scanner Image scanning is now configured and performed by the tigera-scanner CLI. You can integrate tigera-scanner into your CI/CD pipelines to ensure builds are checked by Image Assurance before deployment. You can also use the CLI scanner offline and on-demand for ad hoc scanning and emergency patching.

Export options for vulnerability scan results and runtime views

We've made it easier for platform operators to share Image Assurance scan results and runtime views with these export options:

• Export one row per image or one row per image and CVE.
• Export CSV or JSON files.

To get started see, Image Assurance.

Malware detection is GA

Malware detection is now released for general availability.

Calico Cloud's malware detection identifies malicious files in your cluster and generates alerts. Calico Cloud uses eBPF-based monitoring to log file hashes of programs running in your cluster. If there's a match to known malware from our threat intelligence library, you receive an alert. You can view your alerts on the Alerts page on Manager UI.

To get started see, Malware Detection)

July 27, 2022

Improvement: Export logs to a SIEM

To help meet your compliance requirements, we've added documentation to export logs to a SIEM (syslog, Splunk, or Amazon S3). See Export logs to a SIEM.

July 7, 2022

New feature: Distributed Web Application Firewall (WAF) with Envoy

Calico Cloud now includes the option to enable Web Application Firewall (WAF) rulesets when using Envoy as a daemonset. This enables operators to implement an additional layer of security and threat detection for application layer traffic. See Workload-based Web Application Firewall (WAF).

New Feature: Configuration option to use DNS rules with StagedNetworkPolicies

Calico Cloud has added a new configuration option in Felix (DNSPolicyMode) that lets you audit DNS rules with StagedNetworkPolicies. There is a small performance trade off if you enable this option, so we recommended to disabling it when it’s not required. See Felix configuration.

Improvement: Additional predefined RBAC options

Calico Cloud now supports 3 more pre-defined RBAC controls (devops, security and compliance persona) for role assignment.

Improvement: Anomaly detection deployment

Calico Cloud has made the configuration and deployment of anomaly detection jobs for threat detection and performance hotpots more granular, allowing you to selectively enable jobs depending on your use case. See Detect and alert on anomalies.

Improvement: Manager UI now displays cluster installation progress and streaming logs

Calico Cloud now displays information about managed cluster install progress right in the UI.

After you run the install command (Connect Cluster wizard in Managed Clusters), installation progress is automatically displayed along with logs for the managed cluster.

May 10, 2022

New feature: Visibility into usage metrics

Calico Cloud now displays information about cloud usage metrics. This will provide visibility into the node hours and data ingested for consumption-based invoices.

Account owners can click the new "Usage Metrics" button at the bottom of the left navbar to navigate to the new page.

Expanded platform support: AKS with managed Calico

Installation works on clusters with Calico deployed by AKS.

April 26, 2022

New feature: Malware detection

Calico Cloud introduces malware detection in tech preview, which uses eBPF-based monitoring to log observed file hashes of programs running in your Calico Cloud Kubernetes clusters. Malware detection identifies malicious files by comparing observed file hashes with our threat intelligence library of known malware, and generates alerts when malware is detected in your cluster. Alerts can be viewed on the Alerts page of Manager UI.

If you started using Calico Cloud before January 24, 2022, you must upgrade your existing cluster to get malware detection:

1. Navigate to the Managed Clusters page.
2. Select the cluster from the list, and click Reinstall.
3. Copy the updated install script command and run it against your cluster.

April 20, 2022

Improved installation

We’ve updated the Calico Cloud installation process to improve security, reduce dependencies on utilities (such as bash), and allow you to customize the name of your connected clusters.

The Calico Cloud installation process will now require running a kubectl apply command instead of a bash script. Additionally, the installation script has been moved behind an authenticated endpoint. The updated install script is now available on the Managed Clusters page of the Calico Cloud UI.

If you started using Calico Cloud before January 24, 2022, you must upgrade your existing cluster to get these changes:

1. Navigate to the Managed Clusters page.
2. Select the cluster from the list, and click Reinstall.
3. Copy the updated install script command and run it against your cluster.

April 19, 2022

New feature: Image Assurance

Calico Cloud introduces Image Assurance in tech preview, enabling DevOps and platform teams to scan images in public and private registries, and images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on discovered vulnerabilities. It also offers admission controller policies to enforce how vulnerable images are used to create resources within Kubernetes.

To get started see, Image Assurance.