Calico Enterprise 3.18 release notes

Learn about the new features, bug fixes, and other updates in this release of Calico Enterprise.

New features and enhancements

VXLAN support for cluster mesh and federation

We've expanded our support of cluster mesh to clusters using VXLAN for networking. Cluster mesh can be used to federate services and endpoints to authorize cross-cluster communication with Calico Enterprise network policies.

For more information, see Configure federated endpoint identity and services.

Helm-based install for multi-cluster management deployments

We've added the support for Helm for installing and setting up deployments that use the multi-cluster management feature. With Helm, DevOps teams can automate these complex deployments more easily.

For more information, see Helm for multi-cluster management.

HPC-based Windows install and upgrade

We've added support for operator-based install and upgrade for Windows nodes using HPC (HostProcess/Privileged containers). Calico Enterprise can now bootstrap Windows worker nodes just like Linux worker nodes. Platform engineers can scale Windows worker nodes with an auto-scaling node pool without bootstrapping each node manually, and upgrade Calico Enterprise deployments without manually upgrading nodes one at a time.

For more information, see the Calico Enterprise for Windows Operator guide.

Support for Azure CNI with overlay networking for AKS

We now officially support AKS clusters that are using overlay networking. This option is useful if you've exhausted your IP addresses. This option augments existing support for Azure CNI with no overlay (where a VNET IP address is assigned to every pod).

To review Azure CNI options, see Microsoft Azure Kubernetes Service (AKS).

Support for Kubernetes 1.28

We now support Kubernetes v1.28 for most platforms.

To review platform support, see Support and compatibility.

Performance improvements for Service Graph

We've added backend improvements to Service Graph that increases the performance when rendering a large number of graph nodes.

Improved Felix performance for extremely large clusters

We've improved how Felix processes active policy rules for clusters with extremely high numbers of endpoints and policy rules. Previously, calculating selector-based rules in these circumstances could take a long time or end in failure. Now Felix can perform these calculations quickly while reducing CPU usage by orders of magnitude.

For more information, see Selector performance in EntityRules.

Improved scalability for large number of policies when using the eBPF dataplane

We've made several improvements that allow you to enforce a larger number of Calico Enterprise network policies when using the eBPF dataplane.

New performance optimizations for egress gateways

Calico Enterprise includes new performance options for egress gateway policies that can be used to ensure that application client and gateway pods are on the same cluster node.

For more information, see Optimize egress networking for workloads with long-lived TCP connections.

Configurable XFF headers for Envoy

We've added support for XFF to propagate the original IP address when proxying application layer traffic with Envoy within a Kubernetes cluster.

For more information, see Installation reference.

Alert-only mode for Workload-based Web Application Firewall (WAF)

We've added a new default mode for WAF that is monitor/event only. This allows operators and security teams to verify the accuracy of configured rules before actively blocking traffic.

For more information, see Web application firewall.

Additional options for Helm-based installs

We've added new options for Helm installs including: set the number of replicas for specific deployments, node affinity rules, and configure Wireguard.

For more information, see Helm installation reference.

Deprecated and removed features

• The anomaly detection feature is removed in this release. If anomaly detection is enabled and you upgrade to Calico Enterprise 3.18, you will stop receiving anomaly detection alerts.
• The manual installation method for Windows is deprecated and will be removed in a future release. The recommended installation method is now operator-based.
• The FIPS mode feature is deprecated in this release. It will be removed in Calico Enterprise 3.19.
• The AWS security groups integration is deprecated in this release. It will be removed in Calico Enterprise 3.19.
• The ingress log collection feature is deprecated in this release. It will be removed in Calico Enterprise 3.19.

Technology Preview features

• Web application firewall

  Protect cloud-native applications from application layer attacks.

• Security events management

  Get alerts on security events that may indicate a threat is present in your Kubernetes cluster.

• DNS policy for Windows

  Use domain names in policies to identify services outside the cluster, which is often operationally simpler and more robust than using IP addresses.

Known issues

• Flow logs for the Windows workloads currently do not display entries with a Deny action.
• Before upgrading a Calico Enterprise cluster on MKE v3.6 to the latest Calico Enterprise version: 1) upgrade MKE from 3.6 to 3.7, then 2) upgrade Calico Enterprise.
• L7 logs with source name pvt is not visible in Service Graph.
• Multi-cluster management users only. If the manager-tls and internal-manager-tls secrets have overlapping DNS names, components such as es-calico-kube-controllers will log certificate errors. If you have previously installed a version older than v3.13.0 and never changed your manager-tls secret from the tigera-operator namespace, you must delete both of these secrets. This applies to you if the following command prints a certificate: $ kubectl get secret manager-tls -n tigera-operator -o "jsonpath={.data['cert']}".
• Upgrading to Calico Enterprise 3.18.0 on Rancher/RKE from Calico Enterprise 3.13.0 currently requires manually terminating the calico-node container for an upgrade to proceed.
• Calico panics if kube-proxy or other components are using native nftables rules instead of the iptables-nft compatibility shim. Until Calico supports native nftables mode, we recommend that you continue to use the iptables-nft compatibility layer for all components. (The compatibility layer was the only option before Kubernetes v1.29 added alpha-level nftables support.) Do not run Calico in "legacy" iptables mode on a system that is also using nftables. Although this combination does not panic or fail (at least on kernels that support both), the interaction between iptables "legacy" mode and nftables is confusing: both iptables and nftables rules can be executed on the same packet, leading to policy verdicts being "overturned".

Release details

Calico Enterprise 3.18.0 (early preview)

September 1, 2023

Calico Enterprise 3.18.0 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production.

Calico Enterprise 3.18.0-1.1 (early preview)

October 13, 2023

Calico Enterprise 3.18.0-1-1 is now available as an early preview release.

This release is for previewing and testing purposes only. It is not supported for use in production. This release includes improvements and bug fixes.

Calico Enterprise 3.18.0-2.0 (early preview)

December 1, 2023

Calico Enterprise 3.18.0-2-0 is now available as an early preview release.

This release is for previewing and testing purposes only. It is not supported for use in production. This release includes improvements and bug fixes.

Calico Enterprise 3.18.1 GA

January 17, 2024

Calico Enterprise 3.18.1 is now available as a GA release.

This release is supported for use in production.

Updating

To update an existing installation of Calico Enterprise 3.18, see Install a patch release.

Calico Enterprise 3.18.2 bug fix update

March 25, 2024

Calico Enterprise 3.18.2 is now available. This release includes bug fixes and improvements.

Improvements

• Reduced the validity of JSON Web Tokens issued by dex to 15 minutes (down from 24 hours).
• Added a configurable option for priorityClassName to the egress gateway CRD.
• Policy recommendation excludes OpenShift namespaces by default.

Bug fixes

• Drastically increased Voltron's Kubernetes client QPS and Burst to prevent it from rate limiting itself in MCM setups.0
• Fixed a bug that prevented Linseed from creating tokens for Intrusion Detection and DPI components in managed clusters if compliance is not enabled.
• Fixes an issue in the operator that caused it to accumulate more memory resources over time.
• If kube-controllers metric port is set to 0, no ingress rule will be created.
• Security updates.

Other

• FIPS mode is no longer supported.

Updating

To update an existing installation of Calico Enterprise 3.18, see Install a patch release.