Calico Enterprise 3.21 release notes
Calico Enterprise 3.21 can be used for previewing and testing purposes only. It is not supported for use in production.
Learn about the new features, bug fixes, and other updates in this release of Calico Enterprise.
This version of Calico Enterprise is based on Calico Open Source 3.30.
New features and enhancements
Introducing Calico Ingress Gateway (tech-preview)
Calico Enterprise now includes the ability to deploy Calico Ingress Gateway which is an Enterprise hardened, 100% upstream distribution of Envoy Gateway. Envoy Gateway is an implementation of the Kubernetes Gateway API with several extensions that provide advanced security and traffic management features.
For more information, see Configure an ingress gateway.
IPAM for load balancers
Calico Enterprise now extends its IPAM capabilities to support service LoadBalancer IP allocation, providing a centralized, automated approach to managing LoadBalancer IPs within Kubernetes clusters.
For more information, see LoadBalancer IP address management
Support for WireGuard encryption between clusters
We added support for WireGuard encryption between federated services and endpoints in different clusters.
For more information, see Creating the cluster mesh.
Improvements to flow log reporting for staged network policies
This release introduces changes to improve how staged network policies are reported in flow logs. Previously, a flow log reported the action of staged network policy rules at the time a connection was initiated. For long-lived connections, changing a staged policy did not affect the reported action. Now, flow logs report the action that represents the current policy rules. Flow logs report an action that reflects how a new connection would interact with the current staged policies.
As part of this, we've also added more granular information about policies in the flow logs. For more information, see Flow log data types.
Security event webhooks for Alertmanager
We added support for using webhooks to post security alerts directly to Alertmanager.
For more information, see Webhooks for security event alerts.
View rule details for Web Application Firewall
You can now use the web console to view details of the default rule set used by Web Application Firewall. From the Web Application Firewall page, click the Rulesets tab to open a list of default rules.
Enhancements
- Control-plane label customization for AKS:
We added support for customizing the namespace labels on AKS clusters.
By default we apply a
control-planelabel to namespaces so that they are exempt from Azure Policy. If you wish to apply Azure Policy to our namespaces, you can now override this label. - Log levels for api-server component: You can now tune the log level for the API server to better support production deployments and troubleshooting scenarios.
- Clusterrolebindings have reduced privileges:
Clusterrolebindings for the
tigera-operator,calico-kube-controller, andcalico-prometheus-operatorcomponents have been changed to improve Calico Enterprise's least-privileged security model. - Improved performance for non-cluster hosts.
- Added web console support for
AdminNetworkPolicyandBaseAdminNetworkPolicytiers (view-only).
Release details
Calico Enterprise 3.21.0-1.0 (early preview)
February 11, 2025
Calico Enterprise 3.21.0-1.0 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production.
Calico Enterprise 3.21.0-2.0 (early preview)
June 3, 2025
Calico Enterprise 3.21.0-2.0 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production.
To update an existing installation of Calico Enterprise 3.21, see Install a patch release.