Calico Enterprise 3.19 release notes

Learn about the new features, bug fixes, and other updates in this release of Calico Enterprise.

New features and enhancements

Improved flow log filtering for destination domains

We’ve updated the Felix parameter (dest_domains) for DNS policy to make it easy to find only domain names that the deployment connected to (not all the domain names that got translated to the same IP address). For more information, see Flow log data types.

New flow logs panel on Endpoints page

We've updated the Endpoints page in Manager UI with a new flow logs panel so you can view and filter Endpoints associated with denied traffic. Flow log metadata includes the source, destination, ports, protocols, and other key forms. We've also updated the Policy Board to highlight policies with denied traffic.

Improvements to security events

We've added the following improvements to the Security events list:

• Jira and Slack webhook integration for security event alerts

  By configuring security event alerts, you can push security event alerts to Slack, Jira, or an external HTTP endpoint of your choice. This lets incident response and security teams to use native tools to respond to security event alerts.

• Added threat feed alerts

  If you have implemented global threat feeds for suspicious activity (domains or suspicious IPs), alerts are now visible in the Security Overview dashboard. For more information on threat feeds, see Trace and block suspicious IPs.

Security events dashboard

A new dashboard summarizes security events and helps practitioners easily understand how events map across namespaces, MITRE techniques, event types, and attack phases. This allows first responders to quickly make sense of potential threats, engage the right stakeholders, and start the incident response and investigation process.

For more information, see Security event management.

Exceptions for security events

Calico Enterprise now allows users to create exceptions for Security Events with varying levels of scope, from excluding an entire namespace to a specific deployment or workload. This gives operators a way to tune the runtime threat detection they have deployed and focus their investigations and response on critical applications and infrastructure.

For more information, see Security event management.

New flow logs panel for Endpoints and View Policy pages

Calico Enterprise has added new entry points to view flow logs directly from the Endpoints listing and View Policy pages in the UI. Users can easily see which endpoints are involved in denied traffic, filter on those workloads, and click a link to open a panel that shows associated flows. A similar link has been added for View Policy pages, which allows users to quickly see the flows that have been recently evaluated by that policy to make sense of denied traffic or updates to rules.

Security Events in Service Graph

Calico Enterprise now includes a new tab for Security Events which has taken the Alerts. Most runtime threat detection features now generate Security Events, and their inclusion Service Graph enables users to automatically filter events based on where they are occurring in a cluster.

Security Events IP addresses enriched with ASN and geolocation

For security events that contain external IP addresses, Calico Enterprise now automatically performs a geolocation lookup. Understanding the country of origin for an IP address can often be the quickest and easiest way to distinguish legitimate traffic from malicious traffic.

Extend Workload-based WAF to Ingress Gateways

This latest release enables operators to plug-in a modifiedsimplified version of WAF to their own instances of Envoy. This allows users to deploy this version of WAF at the edge of their cluster integrated with an Ingress Gateway (if based on Envoy), with fully customizable rules based on OWASP CoreRuleSet 4.0 and powered by the Coraza engine.

For more information, see Deploying WAF with an ingress gateway .

ARM64 support

This release expands our support to clusters with nodes running ARM64-based architectures.

Specifying resource requests and limits in Calico Enterprise components

Calico Enterprise now provides the ability to set resource requests and limits for the components that run as part of Calico Enterprise. Please see documentation for specific guidance on setting these limits.

Deprecated and removed features

• The FIPS mode feature is removed in this release.
• The AWS security groups integration is removed in this release. It will be removed in Calico Enterprise 3.19.
• The ingress log collection feature is removed in this release.
• The manual installation method for Windows is deprecated and will be removed in a future release. The recommended installation method is now operator-based.

Technology Preview features

• Web application firewall

  Protect cloud-native applications from application layer attacks.

• DNS policy for Windows

  Use domain names in policies to identify services outside the cluster, which is often operationally simpler and more robust than using IP addresses.

Bug fixes

• Updates have been made to the Calico API server to ensure that Calico network policies can be sync with GitOps tools such as ArgoCD.

Known issues

• Flow logs for the Windows workloads currently do not display entries with a Deny action.
• Before upgrading a Calico Enterprise cluster on MKE v3.6 to the latest Calico Enterprise version: 1) upgrade MKE from 3.6 to 3.7, then 2) upgrade Calico Enterprise.
• L7 logs with source name pvt is not visible in Service Graph.
• Multi-cluster management users only. If the manager-tls and internal-manager-tls secrets have overlapping DNS names, components such as es-calico-kube-controllers will log certificate errors. If you have previously installed a version older than v3.13.0 and never changed your manager-tls secret from the tigera-operator namespace, you must delete both of these secrets. This applies to you if the following command prints a certificate: $ kubectl get secret manager-tls -n tigera-operator -o "jsonpath={.data['cert']}".
• Upgrading to Calico Enterprise 3.18.0 on Rancher/RKE from Calico Enterprise 3.13.0 currently requires manually terminating the calico-node container for an upgrade to proceed.
• Calico panics if kube-proxy or other components are using native nftables rules instead of the iptables-nft compatibility shim. Until Calico supports native nftables mode, we recommend that you continue to use the iptables-nft compatibility layer for all components. (The compatibility layer was the only option before Kubernetes v1.29 added alpha-level nftables support.) Do not run Calico in "legacy" iptables mode on a system that is also using nftables. Although this combination does not panic or fail (at least on kernels that support both), the interaction between iptables "legacy" mode and nftables is confusing: both iptables and nftables rules can be executed on the same packet, leading to policy verdicts being "overturned".
• When a tier order is set to the maximum float value (1.7976931348623157e+308), this can cause policy re-ordering in the UI not to work properly. Since the namespace-isolation tier has this value by default, policy recommendation users are affected. To workaround this issue edit any tier that has this value for the order. For example: use kubectl edit tier namespace-isolation and set the order to 10000.
• Linseed deployment needs to be manually restarted after an upgrade. Without a restart, Linseed can't ingest data because it can't authenticate with Elastic.

• Some application layer features are not working as expected for Calico Enterprise installations with the following deployment types:

  • AKS clusters with Azure CNI for networking and Calico Enterprise for network policy
  • RKE2 clusters installed with Rancher UI

  During installation, for these deployment types, kubeletVolumePluginPath is set to None in the Installation CR, causing all application layer features to stop working. The affected features include web application firewalls, application layer policies, and L7 logging. As a workaround, you can restore the default value by running the following command on an affected cluster:

  kubectl patch installation.tigera.io default --type=merge  -p '{"spec":{"kubeletVolumePluginPath":"/var/lib/kubelet"}}'

Updating

important

Calico Enterprise 3.19 contains breaking changes for installations that use the Calico API server.

• Breaking change: Upgrading from Calico Enterprise 3.18 or earlier Calico Enterprise will alter the UID of all projectcalico.org/v3 resources. If you're using the Calico API server, you must restart any controllers, including kube-controller-manager, that manage these resources after the upgrade. This change addresses an issue where duplicate UIDs on different API resources could disrupt Kubernetes garbage collection.

Release details

Calico Enterprise 3.19.0-1.0 (early preview)

February 2, 2024

Calico Enterprise 3.19.0-1.0 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production.

Calico Enterprise 3.19.0-2.0 (early preview)

May 9, 2024

Calico Enterprise 3.19.0-2.0 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production.

Calico Enterprise 3.19.1 GA

June 20, 2024

Calico Enterprise 3.19.1 is now available as a GA release.

This release is supported for use in production.

Updates

• License usage data is now collected and stored locally in the cluster

Bug fixes

• Fixes Security Event Exceptions not applying properly when using Multi-Cluster Management
• Fixes an issue where Egress Gateways don't properly handle changes in a pod's IP address
• Fixes Managed Cluster connection status not always being correctly reported
• Verify CNI plugin installed correctly
• Security updates

To update an existing installation of Calico Enterprise 3.19, see Install a patch release.

Calico Enterprise 3.19.1 operator-only bug fix release

July 24, 2024

Calico Enterprise 3.19.1 is now available with an update to the Tigera Operator. The Tigera Operator version has been updated to version 1.34.2. No other components have been changed.

Bug fixes

• Previously, for AKS clusters running Kubernetes 1.29 or higher, migrating from Calico Open Source to Calico Enterprise resulted in failure. AKS began applying an image set to clusters with Kubernetes 1.29, and this change conflicted with operations performed by the Tigera Operator during migration. We fixed the issue by modifying how the Tigera Operator checks for image sets during migrations to Calico Enterprise.
• Removed a mutual dependency between logstorage and other components that could result in a degraded TigeraStatus if certificates are missing required key usages.

Calico Enterprise 3.19.2 bug fix release

September 4, 2024

Calico Enterprise 3.19.2 is now available. This release includes bug fixes and improvements.

Bug fixes

• Fix that Felix would panic when trying to resync a temporary IP set. Temporary IP sets are created in certain scenarios after previous failures.
• Reduce lock contention between the process info cache and the flow logs collector. Avoids slowing down the collector when the info cache is under update load.
• Fix excessive CPU usage in the process name lookup cache if a PID was unknown.
• Updates the default behaviour of list request without tier field selector or label selector on globalnetworkpolicy, stagedglobalnetworkpolicy, networkpolicy and staged network policy to return all policies available to user, instead of returning only the policies in the default tier. This change allows to manage policies with GitOps tools like ArgoCD.
• Fix Felix panic when using non-default BPF map sizes. Size was not updated in all places resulting in failure to attach programs.
• Fix dual ToR startup when using bgp-layout ConfigMap to assign AS numbers.
• Added support for eBPF on MKE.
• Security updates.

To update an existing installation of Calico Enterprise 3.19, see Install a patch release.

Calico Enterprise 3.19.3 bug fix release

October 22, 2024

Calico Enterprise 3.19.3 is now available. This release includes bug fixes and improvements.

Bug fixes

• Added a new Felix Configuration option IPForwarding, which allows for preventing Felix from enabling IP forwarding on systems that are only using Calico for host protection (and hence don't need to forward traffic to workloads).
• Fixed a routing issue where CrossSubnet routes were not updated when the main IP moved interfaces.
• Fixed marking of return traffic from external network to egress gateways.
• Fixed a permission issue preventing the operator from updating the TigeraStatus for Egress Gateways.
• Fixed switching from iptables to eBPF mode with tcp stats turned on.
• Fixed tcp stats in eBPF mode.
• Adding X-Frames-Options DENY header to Kibana.
• Security updates.

To update an existing installation of Calico Enterprise 3.19, see Install a patch release.

Calico Enterprise 3.19.4 bug fix release

November 7, 2024

Calico Enterprise 3.19.4 is now available. This release includes bug fixes and improvements.

Bug fixes

• Fixed an issue where excessive API calls were made by the operator when users are running a large number of egress gateways.
• Security updates.

To update an existing installation of Calico Enterprise 3.19, see Install a patch release.