Skip to main content
Version: 3.16 (latest)

Release notes

The following table shows component versioning for Calico Enterprise v3.16.

To select a different version, click Releases in the top navigation bar.

Calico Enterprise v3.16.1

Release archive with Kubernetes manifests. Based on Calico v3.25.

5 April 2023

What's new

Application layer policy with Envoy

Calico Enterprise now includes support for application layer policy with Envoy, enabling platform operators to define authorization rules in Calico Enterprise policies for protocols such as HTTP and gRPC. For more information, see Application layer policies.

Policies for SELinux

Calico Enterprise adds support for clusters that use SELinux as an additional layer of security for node operating systems. RPM packages are available to install on each node with policies that authorize the access required by Calico Enterprise components. For more information, see System requirements.

Known issues

  • The ClusterInformations resource is showing the wrong versions for calicoVersion and cnxVersion. This will be addressed the next patch.
  • BPF dataplane on EKS with Kubernetes 1.24, and AKS with Kubenetes 1.25 is not supported at this time. This will be addressed in the next patch.
  • Upgrading to Calico Enterprise 3.16.0 on Rancher/RKE from Calico Enterprise 3.13.0 currently requires manually terminating the calico-node container for an upgrade to proceed.

Component Versions

This release comprises the following components, and can be installed using quay.io/tigera/operator:v1.29.4

ComponentVersion
cnx-managerv3.16.1
voltronv3.16.1
guardianv3.16.1
cnx-apiserverv3.16.1
cnx-queryserverv3.16.1
cnx-kube-controllersv3.16.1
calicoqv3.16.1
typhav3.16.1
calicoctlv3.16.1
cnx-nodev3.16.1
dikastesv3.16.1
dexv3.16.1
fluentdv3.16.1
fluentd-windowsv3.16.1
es-proxyv3.16.1
eck-kibana7.17.9
kibanav3.16.1
eck-elasticsearch7.17.9
elasticsearchv3.16.1
cloud-controllersv3.16.1
elastic-tsee-installerv3.16.1
es-curatorv3.16.1
intrusion-detection-controllerv3.16.1
compliance-controllerv3.16.1
compliance-reporterv3.16.1
compliance-snapshotterv3.16.1
compliance-serverv3.16.1
compliance-benchmarkerv3.16.1
ingress-collectorv3.16.1
l7-collectorv3.16.1
license-agentv3.16.1
tigera-cniv3.16.1
firewall-integrationv3.16.1
egress-gatewayv3.16.1
honeypodv3.16.1
honeypod-exp-servicev3.16.1
honeypod-controllerv3.16.1
key-cert-provisionerv1.1.7
anomaly_detection_jobsv3.16.1
anomaly-detection-apiv3.16.1
elasticsearch-metricsv3.16.1
packetcapturev3.16.1
prometheusv3.16.1
coreos-prometheusv2.32.0
prometheus-operatorv3.16.1
prometheus-config-reloaderv3.16.1
tigera-prometheus-servicev3.16.1
es-gatewayv3.16.1
deep-packet-inspectionv3.16.1
eck-elasticsearch-operator2.6.1
elasticsearch-operatorv3.16.1
coreos-alertmanagerv0.23.0
alertmanagerv3.16.1
envoyv3.16.1
envoy-initv3.16.1
windowsv3.16.1
windows-upgradev3.16.1
flexvolv3.16.1
csi-driverv3.16.1
csi-node-driver-registrarv3.16.1

Calico Enterprise v3.16.0

Release archive with Kubernetes manifests. Based on Calico v3.25.

15 February 2023

What's new

Egress gateways for AKS and Azure

Calico Enterprise has added egress gateway support for Microsoft Azure and AKS. egress gateways allow you to identify the namespaces associated with egress traffic outside your cluster.

For more information, see Configure egress gateways, Azure.

Operator-managed deployments of egress gateways

Calico Enterprise now includes Operator-managed deployments of egress gateways. This reduces operational overhead and eliminates additional steps required during upgrades.

For more information, see Egress gateways.

UI for workload-based web application firewalls

Calico Enterprise includes a new UI that can be used to enable and configure a workload-based web application firewall.

For more information, see Workload-based web application firewall.

Service Graph performance optimizations

This release of Calico Enterprise includes several optimizations to improve the performance of Service Graph for clusters with larger numbers of namespaces.

Revised installation steps for Rancher RKE2

Calico Enterprise has revised the installation steps for Rancher RKE2 to accommodate options available in the most recent versions of that platform.

For more information, see Rancher Manager.

Improvements to Envoy to accommodate advanced ingress controllers

Calico Enterprise includes improvements to its Envoy deployment to enable customers to use this feature in clusters with ingress controllers that perform advanced load balancing.

For more information, see Workload-based web application firewall.

Support for multiple external networks

Calico Enterprise includes networking options that allows pods from different namespaces to egress onto different external networks (Virtual Routing Functions or VRFs) that may have overlapping IPs with each other. This also enables administrators to configure which service IPs are advertised for a network by the service IP advertisement feature.

For more information, see Configure egress traffic to multiple external networks.

Improved product security with more restrictive SecurityContext

Calico Enterprise has updated its components to apply a more restrictive SecurityContext where applicable. This includes the following:

  • Non-root context whenever possible and added drop ALL Capabilities
  • Root context and privilege escalation are used only when necessary
  • SeccompProfile is set to RuntimeDefault

Known issues

  • L7 log collection fails to deploy on CIS hardened clusters. As a result, some cards in the manager UI dashboard will not display any metrics.
  • Upgrading to Calico Enterprise 3.16.0 on Rancher/RKE from Calico Enterprise 3.13.0 currently requires manually terminating the calico-node container for upgrade to proceed.

Component Versions

This release comprises the following components, and can be installed using quay.io/tigera/operator:v1.29.1

ComponentVersion
cnx-managerv3.16.0
voltronv3.16.0
guardianv3.16.0
cnx-apiserverv3.16.0
cnx-queryserverv3.16.0
cnx-kube-controllersv3.16.0
calicoqv3.16.0
typhav3.16.0
calicoctlv3.16.0
cnx-nodev3.16.0
dikastesv3.16.0
dexv3.16.0
fluentdv3.16.0
fluentd-windowsv3.16.0
es-proxyv3.16.0
eck-kibana7.17.7
kibanav3.16.0
eck-elasticsearch7.17.7
elasticsearchv3.16.0
cloud-controllersv3.16.0
elastic-tsee-installerv3.16.0
es-curatorv3.16.0
intrusion-detection-controllerv3.16.0
compliance-controllerv3.16.0
compliance-reporterv3.16.0
compliance-snapshotterv3.16.0
compliance-serverv3.16.0
compliance-benchmarkerv3.16.0
ingress-collectorv3.16.0
l7-collectorv3.16.0
license-agentv3.16.0
tigera-cniv3.16.0
firewall-integrationv3.16.0
egress-gatewayv3.16.0
honeypodv3.16.0
honeypod-exp-servicev3.16.0
honeypod-controllerv3.16.0
key-cert-provisionerv1.1.6
anomaly_detection_jobsv3.16.0
anomaly-detection-apiv3.16.0
elasticsearch-metricsv3.16.0
packetcapturev3.16.0
prometheusv3.16.0
coreos-prometheusv2.32.0
prometheus-operatorv3.16.0
prometheus-config-reloaderv3.16.0
tigera-prometheus-servicev3.16.0
es-gatewayv3.16.0
deep-packet-inspectionv3.16.0
eck-elasticsearch-operator2.6.1
elasticsearch-operatorv3.16.0
coreos-alertmanagerv0.23.0
alertmanagerv3.16.0
envoyv3.16.0
envoy-initv3.16.0
windowsv3.16.0
windows-upgradev3.16.0
flexvolv3.16.0
csi-driverv3.16.0
csi-node-driver-registrarv3.16.0