Calico Enterprise 3.21 release notes
Learn about the new features, bug fixes, and other updates in this release of Calico Enterprise.
This version of Calico Enterprise is based on Calico Open Source 3.30.
New features and enhancements
Introducing Calico Ingress Gateway (tech-preview)
Calico Enterprise now includes the ability to deploy Calico Ingress Gateway, an enterprise-hardened, 100% upstream distribution of Envoy Gateway. Envoy Gateway is an implementation of the Kubernetes Gateway API with several extensions that provide advanced security and traffic management features.
For more information, see Configure an ingress gateway.
IPAM for load balancers
Calico Enterprise now extends its IPAM capabilities to support service LoadBalancer IP allocation, providing a centralized, automated approach to managing LoadBalancer IPs within Kubernetes clusters.
For more information, see LoadBalancer IP address management.
Support for WireGuard encryption between clusters
We added support for WireGuard encryption between federated services and endpoints in different clusters.
For more information, see Creating the cluster mesh.
Improvements to flow log reporting for staged network policies
This release introduces changes to improve how staged network policies are reported in flow logs. Previously, a flow log reported the action of staged network policy rules at the time a connection was initiated, so for long-lived connections, changing a staged policy did not affect the reported action. Now, flow logs report the action of the current staged policy rules, that is, the action a new connection would receive under the staged policies as they exist now.
As part of this, we've also added more granular information about policies in the flow logs. For more information, see Flow log data types.
Security event webhooks for Alertmanager
We added support for using webhooks to post security alerts directly to Alertmanager.
For more information, see Webhooks for security event alerts.
View rule details for Web Application Firewall
You can now use the web console to view details of the default rule set used by Web Application Firewall. From the Web Application Firewall page, click the Rulesets tab to open a list of default rules.
Enhancements
- Control-plane label customization for AKS: We added support for customizing the namespace labels on AKS clusters. By default we apply a `control-plane` label to namespaces so that they are exempt from Azure Policy. If you wish to apply Azure Policy to our namespaces, you can now override this label.
- Log levels for api-server component: You can now tune the log level for the API server to better support production deployments and troubleshooting scenarios.
- Clusterrolebindings have reduced privileges: Clusterrolebindings for the `tigera-operator`, `calico-kube-controller`, and `calico-prometheus-operator` components have been changed to improve Calico Enterprise's least-privileged security model.
- Improved scaling for non-cluster hosts by having them connect to Typha, rather than the Kubernetes apiserver directly.
- Added web console support for `AdminNetworkPolicy` and `BaseAdminNetworkPolicy` tiers (view-only).
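As an added example (not Calico Enterprise's own code, and not its actual RBAC manifests), the following Python script shows the kind of check a cluster operator can run to confirm that a set of ClusterRole rules follows the least-privilege direction described in the clusterrolebindings enhancement above: it flags wildcard grants and a few high-impact verb/resource pairs, and diffs the permissions granted by two versions of a role so that a reduction in privilege is visible as a concrete list of removed (group, resource, verb) triples. The manifests and role names are constructed for the demonstration.

```python
"""Least-privilege audit for Kubernetes ClusterRole rules (added example)."""

WILDCARD = "*"

# Verb/resource pairs worth a second look in any role (demonstration list, not exhaustive).
SENSITIVE_PAIRS = {
    ("secrets", "get"): "can read Secret contents",
    ("secrets", "list"): "list on secrets returns full objects, not just names",
    ("pods/exec", "create"): "can run commands inside pods",
    ("clusterrolebindings", "create"): "can grant cluster-wide roles",
    ("clusterroles", "bind"): "can bind roles the subject does not itself hold",
    ("clusterroles", "escalate"): "can widen role permissions",
}

# Constructed sample manifests (Python dicts, equivalent to the YAML a cluster would hold).
WILDCARD_ROLE = {
    "metadata": {"name": "demo-wildcard"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
BEFORE = {  # hypothetical "v1" of an operator role
    "metadata": {"name": "demo-operator-v1"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
         "verbs": ["get", "list", "watch", "delete"]},
    ],
}
AFTER = {  # hypothetical "v2" with narrowed verbs on configmaps and secrets
    "metadata": {"name": "demo-operator-v2"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
        {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
         "verbs": ["get", "list", "watch", "delete"]},
    ],
}


def audit_rule(rule: dict) -> list[str]:
    """Return human-readable findings for one PolicyRule."""
    findings = []
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    if WILDCARD in groups:
        findings.append("wildcard apiGroups")
    if WILDCARD in resources:
        findings.append("wildcard resources")
    if WILDCARD in verbs:
        findings.append("wildcard verbs")
    for res in resources:
        for verb in verbs:
            if (res, verb) in SENSITIVE_PAIRS:
                findings.append(f"{verb} on {res}: {SENSITIVE_PAIRS[(res, verb)]}")
    return findings


def audit_role(role: dict) -> list[str]:
    """Audit every rule of a role; findings are prefixed with role name and rule index."""
    name = role["metadata"]["name"]
    return [f"{name} rule[{i}]: {f}"
            for i, rule in enumerate(role.get("rules", []))
            for f in audit_rule(rule)]


def expand(role: dict) -> set[tuple[str, str, str]]:
    """Flatten a role into the set of (apiGroup, resource, verb) triples it grants."""
    granted = set()
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    granted.add((group, res, verb))
    return granted


def permissions_removed(old: dict, new: dict) -> set[tuple[str, str, str]]:
    """Triples granted by old but not by new: the privilege actually given up."""
    return expand(old) - expand(new)


def permissions_added(old: dict, new: dict) -> set[tuple[str, str, str]]:
    """Triples granted by new but not by old: anything here needs justification."""
    return expand(new) - expand(old)


if __name__ == "__main__":
    for role in (WILDCARD_ROLE, BEFORE, AFTER):
        for finding in audit_role(role):
            print(finding)
    for triple in sorted(permissions_removed(BEFORE, AFTER)):
        print("removed:", triple)
    for triple in sorted(permissions_added(BEFORE, AFTER)):
        print("added:", triple)
```

The set-based diff is the useful part when reviewing a release that claims reduced privileges: exporting the old and new ClusterRole objects and feeding them through `permissions_removed` and `permissions_added` turns the claim into an explicit list, and an unexpected non-empty `permissions_added` set is what to ask about.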
Release details
Calico Enterprise 3.21.0-1.0 (early preview)
February 11, 2025
Calico Enterprise 3.21.0-1.0 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production.
Calico Enterprise 3.21.0-2.0 (early preview)
June 3, 2025
Calico Enterprise 3.21.0-2.0 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production.
To update an existing installation of Calico Enterprise 3.21, see Install a patch release.
Calico Enterprise 3.21.1 general availability release
July 16, 2025
Calico Enterprise 3.21.1 is now available as a general availability release.
This release is supported for use in production.
Enhancements
- Added observability for forwarding decisions made by hosts. Previously, apply-on-forward or pre-DNAT policy decisions made by hosts when forwarding traffic did not result in flow logs. For more information, see host forwarded traffic.
- Added support for peak rate (and optionally min burst) configuration to bandwidth QoS controls.
- Added support for packet burst configuration to packet rate QoS controls.
- Added the NextHopMode field to BGPPeer API. NextHopMode defines the method of calculating the next hop attribute for received routes. This replaces and expands the deprecated KeepOriginalNextHop field.
- Added support for Red Hat OpenShift Service on AWS (ROSA).
Bug fixes
- Fixed an issue that prevented the Tigera Operator from detecting HTTP proxies set on the guardian container.
- Fixed security contexts for init containers when certificate management is enabled, so the certificates have the right file permissions.
- Fixed upper and lower boundaries of packet rate and number of connections QoS controls to be in line with kernel limits.
- Skip mounting cgroup in bpffs init container when in iptables mode.
- Permissions on files in `/var/log/calico` have been lowered from `755` to `644`.
- Added delete permission to Tigera Operator for AdminNetworkPolicy and BaseAdminNetworkPolicy custom resource definitions. This is required for setting an owner reference on OpenShift.
- Fixed an issue where application layer policy would only match `TCP`, `UDP`, or `ICMP`; it now matches all protocols.
- Fixed Calico early networking to retry netlink list APIs when they return EINTR and eventually use whatever data it received.
Known issues
- Flow logs generated for forwarding decisions may have their byte and packet counts erroneously reported as 0 for allowed traffic. This will be addressed in the next patch release.
To update an existing installation of Calico Enterprise 3.20, see Install a patch release.