dataplane to enhance your Kubernetes networking performance. Click Release notes
The following table shows component versioning for Calico Enterprise v3.16.
To select a different version, click Releases in the top navigation bar.
Calico Enterprise v3.16.1
Release archive with Kubernetes manifests. Based on Calico v3.25.
5 April 2023
What's new
Application layer policy with Envoy
Calico Enterprise now includes support for application layer policy with Envoy, enabling platform operators to define authorization rules in Calico Enterprise policies for protocols such as HTTP and gRPC. For more information, see Application layer policies.
Policies for SELinux
Calico Enterprise adds support for clusters that use SELinux as an additional layer of security for node operating systems. RPM packages are available to install on each node with policies that authorize the access required by Calico Enterprise components. For more information, see System requirements.
Known issues
- The ClusterInformations resource is showing the wrong versions for
calicoVersionandcnxVersion. This will be addressed the next patch. - BPF dataplane on EKS with Kubernetes 1.24, and AKS with Kubenetes 1.25 is not supported at this time. This will be addressed in the next patch.
- Upgrading to Calico Enterprise 3.16.0 on Rancher/RKE from Calico Enterprise 3.13.0 currently requires manually terminating the calico-node container for an upgrade to proceed.
Component Versions
This release comprises the following components, and can be installed using quay.io/tigera/operator:v1.29.4
| Component | Version |
|---|---|
| cnx-manager | v3.16.1 |
| voltron | v3.16.1 |
| guardian | v3.16.1 |
| cnx-apiserver | v3.16.1 |
| cnx-queryserver | v3.16.1 |
| cnx-kube-controllers | v3.16.1 |
| calicoq | v3.16.1 |
| typha | v3.16.1 |
| calicoctl | v3.16.1 |
| cnx-node | v3.16.1 |
| dikastes | v3.16.1 |
| dex | v3.16.1 |
| fluentd | v3.16.1 |
| fluentd-windows | v3.16.1 |
| es-proxy | v3.16.1 |
| eck-kibana | 7.17.9 |
| kibana | v3.16.1 |
| eck-elasticsearch | 7.17.9 |
| elasticsearch | v3.16.1 |
| cloud-controllers | v3.16.1 |
| elastic-tsee-installer | v3.16.1 |
| es-curator | v3.16.1 |
| intrusion-detection-controller | v3.16.1 |
| compliance-controller | v3.16.1 |
| compliance-reporter | v3.16.1 |
| compliance-snapshotter | v3.16.1 |
| compliance-server | v3.16.1 |
| compliance-benchmarker | v3.16.1 |
| ingress-collector | v3.16.1 |
| l7-collector | v3.16.1 |
| license-agent | v3.16.1 |
| tigera-cni | v3.16.1 |
| firewall-integration | v3.16.1 |
| egress-gateway | v3.16.1 |
| honeypod | v3.16.1 |
| honeypod-exp-service | v3.16.1 |
| honeypod-controller | v3.16.1 |
| key-cert-provisioner | v1.1.7 |
| anomaly_detection_jobs | v3.16.1 |
| anomaly-detection-api | v3.16.1 |
| elasticsearch-metrics | v3.16.1 |
| packetcapture | v3.16.1 |
| prometheus | v3.16.1 |
| coreos-prometheus | v2.32.0 |
| prometheus-operator | v3.16.1 |
| prometheus-config-reloader | v3.16.1 |
| tigera-prometheus-service | v3.16.1 |
| es-gateway | v3.16.1 |
| deep-packet-inspection | v3.16.1 |
| eck-elasticsearch-operator | 2.6.1 |
| elasticsearch-operator | v3.16.1 |
| coreos-alertmanager | v0.23.0 |
| alertmanager | v3.16.1 |
| envoy | v3.16.1 |
| envoy-init | v3.16.1 |
| windows | v3.16.1 |
| windows-upgrade | v3.16.1 |
| flexvol | v3.16.1 |
| csi-driver | v3.16.1 |
| csi-node-driver-registrar | v3.16.1 |
Calico Enterprise v3.16.0
Release archive with Kubernetes manifests. Based on Calico v3.25.
15 February 2023
What's new
Egress gateways for AKS and Azure
Calico Enterprise has added egress gateway support for Microsoft Azure and AKS. egress gateways allow you to identify the namespaces associated with egress traffic outside your cluster.
For more information, see Configure egress gateways, Azure.
Operator-managed deployments of egress gateways
Calico Enterprise now includes Operator-managed deployments of egress gateways. This reduces operational overhead and eliminates additional steps required during upgrades.
For more information, see Egress gateways.
UI for workload-based web application firewalls
Calico Enterprise includes a new UI that can be used to enable and configure a workload-based web application firewall.
For more information, see Workload-based web application firewall.
Service Graph performance optimizations
This release of Calico Enterprise includes several optimizations to improve the performance of Service Graph for clusters with larger numbers of namespaces.
Revised installation steps for Rancher RKE2
Calico Enterprise has revised the installation steps for Rancher RKE2 to accommodate options available in the most recent versions of that platform.
For more information, see Rancher Manager.
Improvements to Envoy to accommodate advanced ingress controllers
Calico Enterprise includes improvements to its Envoy deployment to enable customers to use this feature in clusters with ingress controllers that perform advanced load balancing.
For more information, see Workload-based web application firewall.
Support for multiple external networks
Calico Enterprise includes networking options that allows pods from different namespaces to egress onto different external networks (Virtual Routing Functions or VRFs) that may have overlapping IPs with each other. This also enables administrators to configure which service IPs are advertised for a network by the service IP advertisement feature.
For more information, see Configure egress traffic to multiple external networks.
Improved product security with more restrictive SecurityContext
Calico Enterprise has updated its components to apply a more restrictive SecurityContext where applicable.
This includes the following:
- Non-root context whenever possible and added drop ALL
Capabilities - Root context and privilege escalation are used only when necessary
SeccompProfileis set toRuntimeDefault
Known issues
- L7 log collection fails to deploy on CIS hardened clusters. As a result, some cards in the manager UI dashboard will not display any metrics.
- Upgrading to Calico Enterprise 3.16.0 on Rancher/RKE from Calico Enterprise 3.13.0 currently requires manually terminating the calico-node container for upgrade to proceed.
Component Versions
This release comprises the following components, and can be installed using quay.io/tigera/operator:v1.29.1
| Component | Version |
|---|---|
| cnx-manager | v3.16.0 |
| voltron | v3.16.0 |
| guardian | v3.16.0 |
| cnx-apiserver | v3.16.0 |
| cnx-queryserver | v3.16.0 |
| cnx-kube-controllers | v3.16.0 |
| calicoq | v3.16.0 |
| typha | v3.16.0 |
| calicoctl | v3.16.0 |
| cnx-node | v3.16.0 |
| dikastes | v3.16.0 |
| dex | v3.16.0 |
| fluentd | v3.16.0 |
| fluentd-windows | v3.16.0 |
| es-proxy | v3.16.0 |
| eck-kibana | 7.17.7 |
| kibana | v3.16.0 |
| eck-elasticsearch | 7.17.7 |
| elasticsearch | v3.16.0 |
| cloud-controllers | v3.16.0 |
| elastic-tsee-installer | v3.16.0 |
| es-curator | v3.16.0 |
| intrusion-detection-controller | v3.16.0 |
| compliance-controller | v3.16.0 |
| compliance-reporter | v3.16.0 |
| compliance-snapshotter | v3.16.0 |
| compliance-server | v3.16.0 |
| compliance-benchmarker | v3.16.0 |
| ingress-collector | v3.16.0 |
| l7-collector | v3.16.0 |
| license-agent | v3.16.0 |
| tigera-cni | v3.16.0 |
| firewall-integration | v3.16.0 |
| egress-gateway | v3.16.0 |
| honeypod | v3.16.0 |
| honeypod-exp-service | v3.16.0 |
| honeypod-controller | v3.16.0 |
| key-cert-provisioner | v1.1.6 |
| anomaly_detection_jobs | v3.16.0 |
| anomaly-detection-api | v3.16.0 |
| elasticsearch-metrics | v3.16.0 |
| packetcapture | v3.16.0 |
| prometheus | v3.16.0 |
| coreos-prometheus | v2.32.0 |
| prometheus-operator | v3.16.0 |
| prometheus-config-reloader | v3.16.0 |
| tigera-prometheus-service | v3.16.0 |
| es-gateway | v3.16.0 |
| deep-packet-inspection | v3.16.0 |
| eck-elasticsearch-operator | 2.6.1 |
| elasticsearch-operator | v3.16.0 |
| coreos-alertmanager | v0.23.0 |
| alertmanager | v3.16.0 |
| envoy | v3.16.0 |
| envoy-init | v3.16.0 |
| windows | v3.16.0 |
| windows-upgrade | v3.16.0 |
| flexvol | v3.16.0 |
| csi-driver | v3.16.0 |
| csi-node-driver-registrar | v3.16.0 |