Calico Cloud release notes

April 2, 2024 (version 19.1.0)

Bug fixes

• We fixed a problem that caused the Image Assurance operator to stop working when it reached its memory limit.

February 28, 2024 (version 19.0.0)

New features and enhancements

Improved flow log filtering for destination domains

We’ve updated the Felix parameter (dest_domains) for DNS policy to make it easy to find only domain names that the deployment connected to (not all the domain names that got translated to the same IP address). For more information, see Flow log data types.

New flow logs panel on Endpoints page

We've updated the Endpoints page in Manager UI with a new flow logs panel so you can view and filter Endpoints associated with denied traffic. Flow log metadata includes the source, destination, ports, protocols, and other key forms. We've also updated the Policy Board to highlight policies with denied traffic.

Improvements to security events dashboard

We've added the following improvements to the Security events dashboard:

• Jira and Slack webhook integration for security event alerts

  By configuring security event alerts, you can push security event alerts to Slack, Jira, or an external HTTP endpoint of your choice. This lets incident response and security teams to use native tools to respond to security event alerts.

• Added threat feed alerts

  If you have implemented global threat feeds for suspicious activity (domains or suspicious IPs), alerts are now visible in the Security Overview dashboard. For more information on threat feeds, see Trace and block suspicious IPs.

Deprecated and removed features

• The AWS security groups integration is removed in this release.
• The ingress log collection feature is removed in this release.

January 31, 2024 (version 18.3.0)

New features and enhancements

Assign custom roles to users automatically with Entra ID (formerly Azure AD) groups

We've added the ability to link custom roles in Calico Cloud to your organization's Entra ID groups. You can define and modify group membership in Entra ID, and Calico Cloud will automatically grant role-based access to users based on that group membership.

For more information, see Create a custom role for an Entra ID group.

Export custom roles

In this release you can export custom roles from a managed cluster and apply them to another managed cluster. Previously, if you wanted to duplicate roles in multiple clusters, you needed to create them manually for each cluster. Now there is a process to apply those roles quickly and accurately in all clusters.

For more information, see Creating and assigning custom roles.

Windows node support for Azure Kubernetes Service

We've added support for Windows nodes in AKS clusters.

For more information, see AKS requirements.

VXLAN support for cluster mesh and federation

We've expanded our support of cluster mesh to clusters using VXLAN for networking. Cluster mesh can be used to federate services and endpoints to authorize cross-cluster communication with Calico Cloud network policies.

For more information, see Configure federated endpoint identity and services.

Support for Azure CNI with overlay networking for AKS

We now officially support AKS clusters that are using overlay networking. This option is useful if you've exhausted your IP addresses. This option augments existing support for Azure CNI with no overlay (where a VNET IP address is assigned to every pod).

Support for Kubernetes 1.28

This release adds support for Kubernetes 1.28.

Deprecated and removed features

• The anomaly detection feature is removed in this release. If you enabled this feature, you will now stop receiving anomaly detection alerts.
• The AWS security groups integration is deprecated in this release. It will be removed in a future release.
• The ingress log collection feature is deprecated in this release. It will be removed in future release.

Bug fixes

• We fixed a problem that stopped diagnostics from being collected after a failed installation.

December 21, 2023 (version 18.2.0)

New features and enhancements

Security Posture Overview dashboard

We've added a new Security Posture Overview dashboard that helps you assess the security posture of your cluster. Using a list of prioritized recommended actions, you can start to take steps to reduce your risk over time. Because the dashboard is based on existing Calico Cloud data, no configuration is required. You can start improving the security posture of your Kubernetes cluster immediately.

For more information, see Security Posture Overview dashboard

Support for RKE2

This release comes with support for connecting RKE2 clusters to Calico Cloud.

For more information, see the requirements for RKE2

Known issues

• You can't connect RKE2 clusters to Calico Cloud if you enabled the Image Assurance runtime view feature on any of your managed clusters. As a workaround, disable runtime view before connecting your RKE2 cluster.

Bug fixes

• Code changes to the Kubernetes controller-runtime led to intermittent errors in how the Container Threat Detection status was displayed in Manager UI. We modified the Runtime Security operator to account for these changes.

November 29, 2023 (version 18.1.0)

New features and enhancements

• We limited the permissions that are assigned to the Calico Cloud installer. Previously, the installer had cluster administrator privileges. Now the installer gets access only to what is required to install Calico Cloud.
• Image Assurance. We added a filter that lets you sort your list of running images by severity rating.

Known issues

• If you update your cluster to a previous version of Calico Cloud (18.0.0 or earlier), you may see an erroneous message about a failed installation that took place before the successful installation. This failed installation message can be disregarded.

Bug fixes

• Fixed an issue that caused security events generated by AKS managed clusters to be missing pod and namespace information.
• Fixed an issue that caused some pods on managed clusters to crash-loop after upgrading clusters that also have Dynatrace running.

October 23, 2023 (version 18.0.0)

New features and enhancements

Image Assurance registry scanner

The Image Assurance feature adds the ability to scan images in container registries at any time, on any infrastructure, including Kubernetes. This is ideal protection for images that don’t go through a pipeline (for example, third-party images), but are published to a registry. If CVEs are missed in your build pipeline, you can catch them before they are deployed.

For more information, see Scan images in container registries.

Security event management

We've added a new Security event management dashboard for threat detection. Security events provides context for suspicious activity detected in your cluster. Combined with the Kubernetes context, you can see what workloads are affected.

For more information, see Security event management.

New performance optimizations for egress gateways

Calico Cloud includes new performance options for egress gateway policies that can be used to ensure that application client and gateway pods are on the same cluster node.

For more information, see Optimize egress networking for workloads with long-lived TCP connections.

Configurable XFF headers for Envoy

We've added support for XFF to propagate the original IP address when proxying application layer traffic with Envoy within a Kubernetes cluster.

For more information, see Installation reference.

Alert-only mode for workload-based Web Application Firewall (WAF)

We've added a new default mode for WAF that is monitor/event only. This allows operators and security teams to verify the accuracy of configured rules before actively blocking traffic.

For more information, see Web application firewall.

Enhancements

• You can now remove disconnected clusters from the list of managed clusters. See Cluster management.

Known issues

• The policy recommendation tool is not displaying policy recommendations. There is currently no workaround, but the issue will be fixed in an upcoming release.

• Using a bookmarked link to log in to the Calico Cloud UI in this release causes the following problems:

• Image Assurance configuration page fails to load
• The Manager UI shows the enterprise license countdown at the top of the screen even for paid customers

If you are experiencing any login issues, go to https://calicocloud.io and log back in.

• Calico panics if kube-proxy or other components are using native nftables rules instead of the iptables-nft compatibility shim. Until Calico supports native nftables mode, we recommend that you continue to use the iptables-nft compatibility layer for all components. (The compatibility layer was the only option before Kubernetes v1.29 added alpha-level nftables support.) Do not run Calico in "legacy" iptables mode on a system that is also using nftables. Although this combination does not panic or fail (at least on kernels that support both), the interaction between iptables "legacy" mode and nftables is confusing: both iptables and nftables rules can be executed on the same packet, leading to policy verdicts being "overturned". Note that this issue applies to all previous versions of Calico Cloud.

Bug fixes

• We fixed an issue that caused a bad error message to appear when you changed a Calico Cloud user's role.

September 11, 2023 (version 17.1.1)

New features and enhancements

• We redesigned a section of the Image Assurance UI to make it easier to see how vulnerable an image is.
• We made improvements to the way Container Threat Detection processes large volumes of alerts.

Bug fixes

• We fixed a problem that caused the user interface to crash when a user attempted to edit a policy.
• We fixed a problem that prevented certain images from being scanned.

September 5, 2023 (version 17.1.0)

New features and enhancements

Improvements to software versioning for Calico Cloud installations on managed clusters

We've made it easier to see what version of Calico Cloud you're running or installing on a managed cluster. Now you can:

• view the Calico Cloud version number for each connected cluster from the Managed Clusters page
• see when an update is available for a managed cluster
• select a specific Calico Cloud version to install when you connect a cluster

Security Events UI page

Alerts corresponding to detections generated by container threat detection will now be published to the Security Events UI page, found within the Threat Defense left navigation menu item.

On this page, for every security event detected, users can view:

• security event name
• security event type
• severity level
• a description of what suspicious activity has been detected
• impacted assets (pod and namespace)
• attack vector type
• Mitre tactic and techniques associated with the detection
• mitigation recommendation
• additional metadata and context associated with the detection.

Alerts will continue to also appear on the Alerts UI page.

For more information, see Security event management.

Bug fixes

• Runtime Security alerts now correctly show the generated_time as the time the alert was generated. Previously they incorrectly showed the time when the underlying event which caused the alert was generated.
• Runtime Security alerts now correctly show the associated Mitre information.

Known issues

• Enabling WAF and Container Threat Detection through the UI is not possible for clusters running Kubernetes v1.27+. Both features can be enabled using kubectl.
• If you connected your cluster to Calico Cloud using Helm before the release of version 17.1.0, reinstalling or upgrading to any version of Calico Cloud may result in an error: "Error: rendered manifests contain a resource that already exists." Previously, the installers.operator.calicocloud.io custom resource definition (CRD) installed by Helm required manual upgrades. After the release of Calico Cloud 17.1.0, this CRD is updated automatically, but this change causes errors the first time you attempt to reinstall or upgrade Calico Cloud on a cluster that was connected using Helm before the release of Calico Cloud 17.1.0.

As a workaround, label the CRD so that it is managed by Helm by running the following command:

kubectl patch crd installers.operator.calicocloud.io -p '{"metadata": {"annotations": {"meta.helm.sh/release-name":"calico-cloud-crds","meta.helm.sh/release-namespace":"calico-cloud"},"labels":{"app.kubernetes.io/managed-by":"Helm"}}}'

This allows you to successfully reinstall or upgrade to Calico Cloud by following the procedure in Upgrade Calico Cloud.

Security updates

• Runtime security upgraded to golang 1.20.7, which includes security updates.
• We rebuilt cc-operator and cc-cni-config-scanner, which has reduced the number of CVEs.

August 21, 2023 (version 17.0.0)

New features and enhancements

New policy recommendations engine for namespace isolation

Calico Cloud has added a new policy recommendations engine that automatically generates staged policies for namespace isolation within your cluster. Policy recommendations.

Destination-based routing for egress gateways

Calico Cloud introduces a new mode for egress gateways that can leverage destination-based routing. Destination-based routing for egress gateways allows operators associated with a destination that is external to a Kubernetes cluster (for example, IP address or CIDR), to a specific egress gateway deployment. Egress gateways.

Support for DNS rules in clusters using NodeLocal DNSCache

Calico Cloud has added support for DNS rules in clusters using NodeLocal DNSCache. Also related, there is new documentation on using Calico policy to secure DNS traffic within the cluster with NodeLocal DNSCache enabled. Use NodeLocal DNSCache in your cluster.

Improved UI for configuring Workload-based Web Application Firewall (WAF)

Calico Cloud includes updates to the UI that allows you to select which services are enabled for the Workload-based Web Application Firewall. Web application firewall.

Wireguard support for AKS and EKS with Calico CNI

Calico Cloud now offers official support for Wireguard when using Microsoft AKS or Amazon EKS with Calico CNI. This mode of deployment offers performance benefits and a more efficient routing table compared to using cloud provider CNIs. Encrypt data in transit.

Additional custom roles for Calico Cloud

You can now create custom role-based access controls for two new roles: "Usage Metrics" and "Image Assurance Admin".

Image Assurance improvements

• A containerized version of Image Assurance scanner is now available to integrate into your CI/CD platform. See Image Assurance containerized scanner to pull the latest image.
• Substantial UI improvements including a new package-centric view of images

Known issues

• The canvas on Service Graph may zoom and pan unexpectedly when modifying Views or Layers
• Dragging tiers to modify their order is currently not working in the UI, though you can still change its order when editing a tier
• Policy recommendations may generate rules with ports and protocols for intra-namespace traffic. This will be modified in the next patch release to exclude ports and protocols and provide an option to Allow or Pass this traffic.

June 6, 2023

New features and enhancements

In-cluster scanning with Image Assurance

Calico Cloud now includes the ability to scan and monitor the images running in your Kubernetes clusters for new vulnerabilities. In-cluster scanning will scan any new images not previously scanned, and continuously monitor the BOM (Bill of Materials) for running images that have prior scan results.

New detectors for container threat detection

We've added several new detectors for container threat detection. These detectors help identify unsanctioned use of network tools, task scheduling, container admin and Docker commands, and much more. Calico Cloud now includes over 40 different detectors across each category of the MITRE ATT&CK Matrix.

May 2, 2023

This release includes a number of performance improvements and bug fixes.

April 24, 2023

Depreciated support for RKE, RKE2

Calico Cloud no longer supports installation on RKE or RKE2.

April 11, 2023

New features and enhancements

Updates to Managed Clusters

The Managed Clusters page has been redesigned to make it easier and more intuitive to search and filter your clusters.

Egress gateways for AKS and Azure

Calico Cloud adds egress gateway support for Microsoft Azure and AKS. Egress gateways allow you to identify the namespaces associated with egress traffic outside of your cluster. Egress gateways for AKS and Azure.

UI for workload-based Web Application Firewall (WAF)

Calico Cloud includes a new UI to enable and configure a workload-based Web Application Firewall. For more information, see Workload-based web application firewall.

Application layer policy with Envoy

Calico Cloud now includes support for application layer policy with Envoy, enabling platform operators to define authorization rules in Calico Cloud policies for protocols such as HTTP and gRPC. For more information, see Application layer policies.

Service Graph performance optimizations

Calico Cloud added several optimizations to improve the performance of Service Graph for clusters with larger numbers of namespaces.

Improvements to Envoy to accommodate advanced ingress controllers

Calico Cloud improves its Envoy deployment so you can use this feature in clusters with ingress controllers that perform advanced load balancing. For more information, see Workload-based web application firewall.

Improved Calico Cloud component security

Calico Cloud components were updated with more restrictive access for pods and containers using the Kubernetes security context:

• Non-root context whenever possible
• Root context and privilege escalation are used only when necessary
• Added drop ALL capabilities for pod security
• Enabled RuntimeDefault as the default seccomp profile for all workloads

February 28, 2023

New features and enhancements

• Adds Bottlerocket support for Container Threat Detection.
• Adds support for scanning multiple images with Image Assurance

Bug fixes

• Fixes "Kibana" menu item rename to "Logs".
• Bug fixes for Container Threat Detection alerts.

February 7, 2023

New features and enhancements

New and improved Dashboards

Calico Cloud includes new and improved Dashboards that enable operators to define cluster* and namespace-scoped dashboards with new modules for policy usage, application layer and DNS metrics, and much more.

Configure Threat Feeds in the Calico Cloud UI

Calico Cloud includes a new UI that can be used to manage and configure global threat feeds

For more information, see Trace and block suspicious IPs.

Namespace-based policy recommendations

Calico Cloud has improved its policy recommendation engine to add namespace-based recommendations. This enables operators to easily implement microsegmentation for namespaces.

For more information, see Create policy recommendation.

Create custom roles for Calico Cloud users

Calico Cloud administrators can now define granular roles and permissions for users using custom role-based access controls.

For more information, see Create and assign custom roles.

Egress gateway improvements

Calico Cloud has improved the probes to check readiness and outbound connectivity of egress gateways. Calico Cloud has also rearchitected egress gateway pods to improve security and make use of a temporary init container to set up packet forwarding.

Image Assurance updates

• CLI Version v1.3.4
• Calico Cloud supports the Image Assurance CLI scanner versions 1.3.0 and later.
• Bug fix: Previously, the scanner returned an error if it reached a size limit while uploading vulnerabilities. This size limit has been removed.

December 13, 2022

New features and enhancements

Search by CVE in Image Assurance

Image Assurance reporting features now includes a search and filtering capability that allows you to find list items based on a single CVE ID within any Image Assurance reports.

Enable and disable Container Threat Detection in the Calico Cloud UI

You can now enable or disable Container Threat Detection within the UI. After enabling the feature, you can review the status of which nodes are being monitored by the feature and which nodes of your cluster are unsupported.

New Feature: Calico Cloud Service Status Page

All users can view the status and health of the Calico Cloud service on our new status page: https://status.calicocloud.io.

November 1, 2022

Image Assurance

CLI Version v1.1.2.

New CLI will now check that it is compatible with the latest Image Assurance API.

Container Threat Detection

Release of Container Threat Detection

With Container Threat Detection, you can monitor container activity using eBPF. Enable this feature to receive alerts based on file and process activity for known malicious and suspicious behavior. Alert events can be viewed on the Alerts page in Manager UI.

To get started see, Container Threat Detection

September 26, 2022

New feature: Helm

Calico Cloud now supports installation using Helm.

New feature: Private Registry

Calico Cloud now supports installation from private registries. Note that this is only supported when installing with Helm.

Expanded platform support: RKEv2

Installation works on clusters with Calico deployed by RKEv2.

September 12, 2022

Image Assurance is GA

Image Assurance is now released for general availability.

With Image Assurance, DevOps and platform teams can scan images in public and private registries, including images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on known vulnerabilities. It also offers admission controller policies to block resources in Kubernetes from creating containers with vulnerable images from entering your cluster.

Changes from the tech preview version

New Image Assurance CLI scanner Image scanning is now configured and performed by the tigera-scanner CLI. You can integrate tigera-scanner into your CI/CD pipelines to ensure builds are checked by Image Assurance before deployment. You can also use the CLI scanner offline and on-demand for ad hoc scanning and emergency patching.

Export options for vulnerability scan results and runtime views

We've made it easier for platform operators to share Image Assurance scan results and runtime views with these export options:

• Export one row per image or one row per image and CVE.
• Export CSV or JSON files.

To get started see, Image Assurance.

Malware detection is GA

Malware detection is now released for general availability.

Calico Cloud's malware detection identifies malicious files in your cluster and generates alerts. Calico Cloud uses eBPF-based monitoring to log file hashes of programs running in your cluster. If there's a match to known malware from our threat intelligence library, you receive an alert. You can view your alerts on the Alerts page on Manager UI.

To get started see, Malware Detection)

July 27, 2022

Improvement: Export logs to a SIEM

To help meet your compliance requirements, we've added documentation to export logs to a SIEM (syslog, Splunk, or Amazon S3). See Export logs to a SIEM.

July 7, 2022

New feature: Distributed Web Application Firewall (WAF) with Envoy

Calico Cloud now includes the option to enable Web Application Firewall (WAF) rule sets when using Envoy as a daemonset. This enables operators to implement an additional layer of security and threat detection for application layer traffic. See Workload-based Web Application Firewall (WAF).

New Feature: Configuration option to use DNS rules with StagedNetworkPolicies

Calico Cloud has added a new configuration option in Felix (DNSPolicyMode) that lets you audit DNS rules with StagedNetworkPolicies. There is a small performance trade off if you enable this option, so we recommended to disabling it when it’s not required. See Felix configuration.

Improvement: Additional predefined RBAC options

Calico Cloud now supports 3 more pre-defined RBAC controls (devops, security and compliance persona) for role assignment.

Improvement: Anomaly detection deployment

Calico Cloud has made the configuration and deployment of anomaly detection jobs for threat detection and performance hotspots more granular, allowing you to selectively enable jobs depending on your use case.

Improvement: Manager UI now displays cluster installation progress and streaming logs

Calico Cloud now displays information about managed cluster install progress right in the UI.

After you run the install command (Connect Cluster wizard in Managed Clusters), installation progress is automatically displayed along with logs for the managed cluster.

May 10, 2022

New feature: Visibility into usage metrics

Calico Cloud now displays information about cloud usage metrics. This will provide visibility into the node hours and data ingested for consumption-based invoices.

Account owners can click the new "Usage Metrics" button at the bottom of the left navbar to navigate to the new page.

Expanded platform support: AKS with managed Calico

Installation works on clusters with Calico deployed by AKS.

April 26, 2022

New feature: Malware detection

Calico Cloud introduces malware detection in tech preview, which uses eBPF-based monitoring to log observed file hashes of programs running in your Calico Cloud Kubernetes clusters. Malware detection identifies malicious files by comparing observed file hashes with our threat intelligence library of known malware, and generates alerts when malware is detected in your cluster. Alerts can be viewed on the Alerts page of Manager UI.

If you started using Calico Cloud before January 24, 2022, you must upgrade your existing cluster to get malware detection:

1. Navigate to the Managed Clusters page.
2. Select the cluster from the list, and click Reinstall.
3. Copy the updated install script command and run it against your cluster.

April 20, 2022

Improved installation

We’ve updated the Calico Cloud installation process to improve security, reduce dependencies on utilities (such as bash), and allow you to customize the name of your connected clusters.

The Calico Cloud installation process will now require running a kubectl apply command instead of a bash script. Additionally, the installation script has been moved behind an authenticated endpoint. The updated install script is now available on the Managed Clusters page of the Calico Cloud UI.

If you started using Calico Cloud before January 24, 2022, you must upgrade your existing cluster to get these changes:

1. Navigate to the Managed Clusters page.
2. Select the cluster from the list, and click Reinstall.
3. Copy the updated install script command and run it against your cluster.

April 19, 2022

New feature: Image Assurance

Calico Cloud introduces Image Assurance in tech preview, enabling DevOps and platform teams to scan images in public and private registries, and images that are automatically discovered in connected clusters. Image Assurance provides a runtime view into risk, based on discovered vulnerabilities. It also offers admission controller policies to enforce how vulnerable images are used to create resources within Kubernetes.

To get started see, Image Assurance.