Calico Enterprise 3.20 (latest) documentation

Calico Enterprise 3.20 release notes

Learn about the new features, bug fixes, and other updates in this release of Calico Enterprise.

New features and enhancements

Tech preview: network security for hosts and VMs

Calico can now be used on hosts and VMs running outside of Kubernetes. This tech preview provides RPM packages for RHEL 8 and 9 that allow users to install Calico for network policy and flow logs.

For more information, see Install Calico Enterprise on non-cluster hosts and VMs.

Search by policy name or namespace

Calico Enterprise now includes search-to-filter capabilities on the policy board and listing pages, which helps you find a specific policy or a subset of policies more quickly.

Envoy deployment as a sidecar

Calico Enterprise now provides the ability to deploy Envoy as a sidecar so application layer policy and logging are compatible with other features such as egress gateways, WireGuard for data-in-transit encryption, and Calico’s eBPF data plane.

For more information, see Application layer policy and L7 logs.

Configurable rules for deep packet inspection

Calico Enterprise now provides the ability for administrators to configure and customize the Snort rules that are used in deep packet inspection. This gives customers greater control over the types of rules that are evaluated. It also ensures that they can effectively tune and selectively enable rules to phase their deep packet inspection and network-based threat detection.

For more information, see Deep packet inspection.

Calico early networking (for dual ToR) preserves post-boot default routes

Calico Enterprise includes improvements so that early network configuration will be superseded by any BGPPeer or BGPConfiguration resources after successful startup.

For more information, see Deploy a dual ToR cluster.

Other features

  • Guardian will respect HTTP proxy environment variables when set on the deployment by mutating webhook configurations.
  • Enhanced filtering options in the endpoints page of the web console.

Support for OpenShift hosted control planes

You can now install Calico Enterprise on OpenShift clusters that use hosted control planes.

For more information, see Installing Calico Enterprise on an OpenShift HCP cluster.

Packet capture and compliance reports are disabled by default

We've changed the default behavior for packet capturing and compliance reporting. These features are now disabled by default.

Update note

Updating to Calico Enterprise 3.20 will disable the packet capture and compliance reporting features. To continue using these features, you must re-enable them during or after the update.

  • Multi-cluster management: You must enable compliance reports first in the management cluster, followed by the managed clusters.
  • PacketCapture CR: To maintain packet capture during an upgrade, you must create a PacketCaptureAPI custom resource.
  • Helm: Include the packetcaptureAPI and compliance flags in your values.yaml file to keep these features enabled during an update.

For more information, see Packet capture, Enable compliance reports, and Upgrade Calico Enterprise installed with Helm.

Deprecated and removed features

  • All compliance reporting features are deprecated and will be removed in a future release. We're building a new compliance reporting system that will eventually replace the current one.
  • The honeypods feature has been removed from this release.

Bug fixes

  • WAF events now include source information, such as the IP and namespace from which the event originated.
  • Fixes an issue where Felix would panic when trying to resync a temporary IP set. Temporary IP sets are created in certain scenarios after previous failures.
  • Add tolerations for arm64 workloads for compatibility with GKE.
  • Fixes an issue where the byte rates in the Dashboards page were inflated.
  • Security updates.

Known issues

  • Flow logs for the Windows workloads currently do not display entries with a Deny action.
  • Before upgrading a Calico Enterprise cluster on MKE v3.6 to the latest Calico Enterprise version: 1) upgrade MKE from 3.6 to 3.7, then 2) upgrade Calico Enterprise.
  • L7 logs with source name pvt are not visible in Service Graph.
  • Multi-cluster management users only. If the manager-tls and internal-manager-tls secrets have overlapping DNS names, components such as es-calico-kube-controllers will log certificate errors. If you have previously installed a version older than v3.13.0 and never changed your manager-tls secret from the tigera-operator namespace, you must delete both of these secrets. This applies to you if the following command prints a certificate: $ kubectl get secret manager-tls -n tigera-operator -o "jsonpath={.data['cert']}".
  • Upgrading to Calico Enterprise 3.18.0 on Rancher/RKE from Calico Enterprise 3.13.0 currently requires manually terminating the calico-node container for an upgrade to proceed.
  • Calico panics if kube-proxy or other components are using native nftables rules instead of the iptables-nft compatibility shim. Until Calico supports native nftables mode, we recommend that you continue to use the iptables-nft compatibility layer for all components. (The compatibility layer was the only option before Kubernetes v1.29 added alpha-level nftables support.) Do not run Calico in "legacy" iptables mode on a system that is also using nftables. Although this combination does not panic or fail (at least on kernels that support both), the interaction between iptables "legacy" mode and nftables is confusing: both iptables and nftables rules can be executed on the same packet, leading to policy verdicts being "overturned".
  • Some application layer features are not working as expected for Calico Enterprise installations with the following deployment types:

    • AKS clusters with Azure CNI for networking and Calico Enterprise for network policy
    • RKE2 clusters installed with Rancher UI

    During installation, for these deployment types, kubeletVolumePluginPath is set to None in the Installation CR, causing all application layer features to stop working. The affected features include web application firewalls, application layer policies, and L7 logging. As a workaround, you can restore the default value by running the following command on an affected cluster:

    kubectl patch installation.tigera.io default --type=merge  -p '{"spec":{"kubeletVolumePluginPath":"/var/lib/kubelet"}}'
  • When using eBPF mode with kernels older than 5.17, you may need to set bpfDNSPolicyMode to NoDelay in the FelixConfiguration to avoid a possible crash loop. Some distributions using kernel version < 5.17 may work depending on which backports are present in that kernel. For instance, Ubuntu kernels 5.15+ and RH kernels 5.14+ have the necessary capabilities.

Updating

Important

Calico Enterprise 3.20 contains breaking changes for installations that use the Calico API server.

  • Breaking change: Upgrading from Calico Enterprise 3.18 or earlier will alter the UID of all projectcalico.org/v3 resources. If you're using the Calico API server, you must restart any controllers, including kube-controller-manager, that manage these resources after the upgrade. This change addresses an issue where duplicate UIDs on different API resources could disrupt Kubernetes garbage collection.

  • Breaking change: Previously, the default tier had no order and was always evaluated last. Starting with Calico Enterprise 3.20.0-2.0, the default tier now has an order of 1,000,000. When upgrading, you must ensure that existing tiers have a lower order or else policy decisions may be affected.
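
A pre-upgrade check for the default tier change, added here as an example and not taken from the Calico Enterprise documentation. It assumes the tier list was exported as JSON (for example with `kubectl get tiers -o json`) and that a tier's order is at `spec.order`; the sample tiers are constructed.

```python
import json
import sys

DEFAULT_TIER_ORDER = 1_000_000  # order of the default tier, per the release note

# Constructed sample shaped like a Tier list; tier names are hypothetical.
SAMPLE_TIER_LIST = json.dumps({"items": [
    {"metadata": {"name": "default"}, "spec": {"order": 1000000}},
    {"metadata": {"name": "security"}, "spec": {"order": 200}},
    {"metadata": {"name": "platform"}, "spec": {"order": 2000000}},
    {"metadata": {"name": "legacy"}, "spec": {}},
]})


def tiers_not_before_default(tier_list_json, default_order=DEFAULT_TIER_ORDER):
    """Return (name, order, reason) for each tier that would not be
    evaluated before the default tier once it has an explicit order."""
    findings = []
    for item in json.loads(tier_list_json).get("items", []):
        name = item.get("metadata", {}).get("name", "<unnamed>")
        if name == "default":
            continue
        order = (item.get("spec") or {}).get("order")
        if order is None:
            # Assumption: a tier without an order sorts last, as the
            # default tier did before this release.
            findings.append((name, None, "no order set"))
        elif order >= default_order:
            findings.append((name, order, "order is not lower than default"))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    # Usage: python check_tiers.py tiers.json   (file name is hypothetical)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = fh.read()
    else:
        data = SAMPLE_TIER_LIST
    findings = tiers_not_before_default(data)
    for name, order, reason in findings:
        print(f"REVIEW tier {name!r}: order={order} ({reason})")
    sys.exit(1 if findings else 0)
```

Any tier it reports should be given an order below 1,000,000 before the upgrade if its policies are meant to be evaluated ahead of the default tier.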

Release details

Calico Enterprise 3.20.0-1.0 (early preview)

August 2, 2024

Calico Enterprise 3.20.0-1.0 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production.

Calico Enterprise 3.20.0-2.0 (early preview)

November 6, 2024

Calico Enterprise 3.20.0-2.0 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production.

This release of Calico Enterprise is based on Calico Open Source 3.29. For more information, see Calico Open Source 3.29 release notes.

To update an existing installation of Calico Enterprise 3.20, see Install a patch release.

Calico Enterprise 3.20-2.2 bug fix release (early preview)

November 27, 2024

Calico Enterprise 3.20.0-2.2 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production. This release includes bug fixes and improvements.

Bug fixes

  • Fixes a bug where pods with flexvol/nodeagent volumes would get stuck in the Terminating phase if their node rebooted during termination.
  • Fixes an issue where requests made to the queryserver, for example when opening the Endpoints page, cannot be authenticated when OIDC is enabled.
  • The eBPF data plane will fall back to non-CO-RE if CO-RE does not load. This will affect older kernel versions, including AKS and EKS.
  • Security updates.

To update an existing installation of Calico Enterprise 3.20, see Install a patch release.

Calico Enterprise 3.20.1 general availability release

January 31, 2025

Calico Enterprise 3.20.1 is now available as a general availability release.

This release is supported for use in production.

Known issues

  • Because of an error in the release process, one image was built with an internal version number (3.20.0-2.3) instead of the official release number (3.20.1). The image itself is the correct image, even if the version number does not match. You can continue to use Calico Enterprise normally. This incorrect version number will be corrected in a future patch release.

Enhancements

  • Add X-Frame-Options Deny to Kibana's security headers.

Bug fixes

  • Fixes an issue where kube-controller constantly restarts.
  • Fixes an issue where policies are missing from the right hand panel in the Service Graph.
  • Fixes an issue where the web console reports "Invalid value" when editing and saving staged policies.
  • Security updates.

To update an existing installation of Calico Enterprise 3.20, see Install a patch release.