
Release notes

Calico Enterprise v3.17.1

Release archive with Kubernetes manifests. Based on Calico v3.25.

08 August 2023

What's new

New policy recommendations engine for namespace isolation

Calico Enterprise has added a new policy recommendations engine that automatically generates staged policies for namespace isolation within your cluster. See Policy recommendations.

Destination-based routing for egress gateways

Calico Enterprise introduces a new mode for egress gateways that can leverage destination-based routing. Destination-based routing for egress gateways allows operators to associate a destination that is external to a Kubernetes cluster (for example, an IP address or CIDR) with a specific egress gateway deployment. See Egress gateways.

Support for DNS rules in clusters using NodeLocal DNSCache

Calico Enterprise has added support for DNS rules in clusters using NodeLocal DNSCache. Relatedly, there is new documentation on using Calico policy to secure DNS traffic within the cluster when NodeLocal DNSCache is enabled. See Use NodeLocal DNSCache in your cluster.

Improved UI for configuring Workload-based Web Application Firewall (WAF)

Calico Enterprise includes updates to the UI that allow you to select which services are enabled for the Workload-based Web Application Firewall. See Web application firewall.

WireGuard support for AKS and EKS with Calico CNI

Calico Enterprise now offers official support for WireGuard when using Microsoft AKS or Amazon EKS with Calico CNI. This mode of deployment offers performance benefits and a more efficient routing table compared to using cloud provider CNIs. See Encrypt data in transit.

Helm support for BYO Prometheus Operator

Calico Enterprise now supports an existing Prometheus Operator when installing with Helm. You can set the following flags to false during install. For example:

  helm install calico-enterprise tigera-operator-vx.y.z-0.tgz ... \
    --set tags.tigera-prometheus-operator=false \
    --set tigera-prometheus-operator.enabled=false

Or customize the Helm chart using existing installation steps.

Known issues

  • The canvas on Service Graph may zoom and pan unexpectedly when modifying Views or Layers.
  • Dragging tiers to modify their order is currently not working in the UI, though you can still change a tier's order when editing it.
  • Policy recommendations may generate rules with ports and protocols for intra-namespace traffic. This will be modified in the next patch release to exclude ports and protocols and provide an option to Allow or Pass this traffic.
  • Installing Calico Enterprise on OpenShift Container Platform (OCP) 4.13 with the eBPF dataplane is currently not working.
  • Upgrading to Calico Enterprise 3.17.1 on Rancher/RKE from Calico Enterprise 3.13.0 currently requires manually terminating the calico-node container for an upgrade to proceed.
  • Multi-cluster management of managed clusters with version < v3.17.0 is currently not working.

Component Versions

This release comprises the following components, and can be installed using quay.io/tigera/operator:v1.30.5

Component                       Version
cnx-manager                     v3.17.1
voltron                         v3.17.1
guardian                        v3.17.1
cnx-apiserver                   v3.17.1
cnx-queryserver                 v3.17.1
cnx-kube-controllers            v3.17.1
calicoq                         v3.17.1
typha                           v3.17.1
calicoctl                       v3.17.1
cnx-node                        v3.17.1
dikastes                        v3.17.1
dex                             v3.17.1
fluentd                         v3.17.1
fluentd-windows                 v3.17.1
es-proxy                        v3.17.1
eck-kibana                      7.17.11
kibana                          v3.17.1
eck-elasticsearch               7.17.11
elasticsearch                   v3.17.1
cloud-controllers               v3.17.1
elastic-tsee-installer          v3.17.1
es-curator                      v3.17.1
intrusion-detection-controller  v3.17.1
compliance-controller           v3.17.1
compliance-reporter             v3.17.1
compliance-snapshotter          v3.17.1
compliance-server               v3.17.1
compliance-benchmarker          v3.17.1
ingress-collector               v3.17.1
l7-collector                    v3.17.1
license-agent                   v3.17.1
linseed                         v3.17.1
tigera-cni                      v3.17.1
firewall-integration            v3.17.1
egress-gateway                  v3.17.1
honeypod                        v3.17.1
honeypod-exp-service            v3.17.1
honeypod-controller             v3.17.1
key-cert-provisioner            v1.1.10
anomaly_detection_jobs          v3.17.1
anomaly-detection-api           v3.17.1
elasticsearch-metrics           v3.17.1
packetcapture                   v3.17.1
prometheus                      v3.17.1
coreos-prometheus               v2.43.1
coreos-prometheus-operator      v0.62.0
coreos-config-reloader          v0.62.0
prometheus-operator             v3.17.1
prometheus-config-reloader      v3.17.1
tigera-prometheus-service       v3.17.1
es-gateway                      v3.17.1
deep-packet-inspection          v3.17.1
eck-elasticsearch-operator      2.6.1
elasticsearch-operator          v3.17.1
coreos-alertmanager             v0.25.0
alertmanager                    v3.17.1
envoy                           v3.17.1
envoy-init                      v3.17.1
windows                         v3.17.1
windows-upgrade                 v3.17.1
policy-recommendation           v3.17.1
flexvol                         v3.17.1
csi-driver                      v3.17.1
csi-node-driver-registrar       v3.17.1

Calico Enterprise v3.17.0

Release archive with Kubernetes manifests. Based on Calico v3.25.

16 June 2023

What's new

New policy recommendations engine for namespace isolation

Calico Enterprise has added a new policy recommendations engine that automatically generates staged policies for namespace isolation within your cluster. See Policy recommendations.

Destination-based routing for egress gateways

Calico Enterprise introduces a new mode for egress gateways that can leverage destination-based routing. Destination-based routing for egress gateways allows operators to associate a destination that is external to a Kubernetes cluster (for example, an IP address or CIDR) with a specific egress gateway deployment. See Egress gateways.

Support for DNS rules in clusters using NodeLocal DNSCache

Calico Enterprise has added support for DNS rules in clusters using NodeLocal DNSCache. Relatedly, there is new documentation on using Calico policy to secure DNS traffic within the cluster when NodeLocal DNSCache is enabled. See Use NodeLocal DNSCache in your cluster.

Improved UI for configuring Workload-based Web Application Firewall (WAF)

Calico Enterprise includes updates to the UI that allow you to select which services are enabled for the Workload-based Web Application Firewall. See Web application firewall.

WireGuard support for AKS and EKS with Calico CNI

Calico Enterprise now offers official support for WireGuard when using Microsoft AKS or Amazon EKS with Calico CNI. This mode of deployment offers performance benefits and a more efficient routing table compared to using cloud provider CNIs. See Encrypt data in transit.

Helm support for BYO Prometheus Operator

Calico Enterprise now supports an existing Prometheus Operator when installing with Helm. You can set the following flags to false during install. For example:

  helm install calico-enterprise tigera-operator-vx.y.z-0.tgz ... \
    --set tags.tigera-prometheus-operator=false \
    --set tigera-prometheus-operator.enabled=false

Or customize the Helm chart using existing installation steps.

Known issues

  • Upgrading to Calico Enterprise 3.17.0 on Rancher/RKE from Calico Enterprise 3.13.0 currently requires manually terminating the calico-node container for an upgrade to proceed.
  • Multi-cluster management of managed clusters with version < v3.17.0 is currently not working.

Component Versions

This release comprises the following components, and can be installed using quay.io/tigera/operator:v1.30.3

Component                       Version
cnx-manager                     v3.17.0
voltron                         v3.17.0
guardian                        v3.17.0
cnx-apiserver                   v3.17.0
cnx-queryserver                 v3.17.0
cnx-kube-controllers            v3.17.0
calicoq                         v3.17.0
typha                           v3.17.0
calicoctl                       v3.17.0
cnx-node                        v3.17.0
dikastes                        v3.17.0
dex                             v3.17.0
fluentd                         v3.17.0
fluentd-windows                 v3.17.0
es-proxy                        v3.17.0
eck-kibana                      7.17.9
kibana                          v3.17.0
eck-elasticsearch               7.17.9
elasticsearch                   v3.17.0
cloud-controllers               v3.17.0
elastic-tsee-installer          v3.17.0
es-curator                      v3.17.0
intrusion-detection-controller  v3.17.0
compliance-controller           v3.17.0
compliance-reporter             v3.17.0
compliance-snapshotter          v3.17.0
compliance-server               v3.17.0
compliance-benchmarker          v3.17.0
ingress-collector               v3.17.0
l7-collector                    v3.17.0
license-agent                   v3.17.0
linseed                         v3.17.0
tigera-cni                      v3.17.0
firewall-integration            v3.17.0
egress-gateway                  v3.17.0
honeypod                        v3.17.0
honeypod-exp-service            v3.17.0
honeypod-controller             v3.17.0
key-cert-provisioner            v1.1.9
anomaly_detection_jobs          v3.17.0
anomaly-detection-api           v3.17.0
elasticsearch-metrics           v3.17.0
packetcapture                   v3.17.0
prometheus                      v3.17.0
coreos-prometheus               v2.43.1
prometheus-operator             v3.17.0
prometheus-config-reloader      v3.17.0
tigera-prometheus-service       v3.17.0
es-gateway                      v3.17.0
deep-packet-inspection          v3.17.0
eck-elasticsearch-operator      2.6.1
elasticsearch-operator          v3.17.0
coreos-alertmanager             v0.25.0
alertmanager                    v3.17.0
envoy                           v3.17.0
envoy-init                      v3.17.0
windows                         v3.17.0
windows-upgrade                 v3.17.0
policy-recommendation           v3.17.0
flexvol                         v3.17.0
csi-driver                      v3.17.0
csi-node-driver-registrar       v3.17.0