The following table shows component versioning for Calico v3.26.
To select a different version, click Releases in the top navigation bar.
Release archive with Kubernetes manifests, Docker images and binaries.
24 May 2023
Permissions for core Calico components have been separated and reduced to the minimum required for each component. This change allows us to tweak permissions on the CNI plugin itself regardless of the permissions required to manage the dataplane.
- Separate calico-node and calico-cni-plugin service accounts calico #7106 (@MichalFupso)
Calico now utilizes kernel-side route filtering in order to reduce CPU usage in systems with many different pods.
- Performance: use kernel-side route filtering when listing routes in the interface monitor. Dramatically reduces CPU usage (and garbage collection) on systems with many interfaces/routes. calico #7375 (@fasaxc)
- Performance: use kernel-side route filtering when listing routes. Dramatically reduces CPU usage (and garbage collection) on systems with many interfaces/pods/routes. calico #7364 (@fasaxc)
Windows Server 2022 Support
Calico now supports Windows Server 2022.
OpenStack Yoga Support
Calico now supports OpenStack Yoga.
- OpenStack: Support newer, more scalable version of etcd server calico #7147 (@nelljerram)
- Fix 'error while loading shared libraries: libresolv.so.2: cannot open shared object file' on csi-node-driver-registrar. calico #7587 (@coutinhop)
- Fix the auto iptables detection if ip_tables.ko preloaded on RHEL/CentOS 8. calico #7111 (@yankay)
- Update pin to use fixed calico/bird image to fix node ST failures. calico #7562 (@coutinhop)
- Prevents Node kube-controller's internal pod cache from getting out-of-sync thus leaking memory. calico #7433 (@dilyevsky)
- Fix high CPU usage in syncL2RoutesForLink: ignore incomplete ARP entries when cleaning up the FDB table. Prevents us from telling the kernel to delete an FDB entry with no HwAddr, which fails triggering a retry loop. calico #7421 (@detailyang)
- Ensure that veths are created with the proper default values from the kernel. calico #7358 (@radixo)
- Fix that the tunnel IP allocator did not respond to changes in the IP pool's allowedUses field. calico #7357 (@fasaxc)
- s390x: Fix image mislabel in CNI, Typha and kube-controllers. calico #7333 (@huoqifeng)
- Remove usage of deprecated '--logtostderr' command line flag. calico #7294 (@coutinhop)
- Fix that Calico API server would reuse UUIDs from the underlying CRD objects that underpin the datamodel (thus confusing Kubernetes ownership tracking and ArgoCD). This will result in the apparent UUIDs of calico "v3" resources changing over upgrade. This was unavoidable in order to split them from the underlying CRD UUIDs. calico #7291 (@fasaxc)
- Fix generation of
operator-crds.yamlmanifest. calico #7216 (@caseydavenport)
- Fix that, if a Typha client loads the list of Typha instances just before they all get upgraded, it takes 30s+ to time out. Reload the list of Typha instances between each connection attempt. calico #7176 (@fasaxc)
- eBPF: prevents infinite restarts when we switch to ebpf after kube-proxy was in IPVS mode. calico #7174 (@StevenTigera)
- When running Calico in policy-only mode, do not write the IP annotations to the node. calico #7632 (@mgleung)
- Introduce new BGPFilter resource. calico #7271 (@Josh-Tigera)
- Enable s390x architecture support. calico #7249 (@huoqifeng)
- ocp.tgz now hosted on GitHub. calico #7189 (@caseydavenport)
- Replace misleading BUG: logs in the Typha client. calico #7172 (@fasaxc)
- Add ability to set the deny action as REJECT instead of DROP. calico #5735 (@olljanat)
- ebpf: rules that mark established flows from before ebpf was turned on are installed asap to make transition smoother calico #7526 (@tomastigera)
- ebpf: BPFEnforceRPF is Loose by default to avoid issues in some environments. If Strict option is required,it has to be set explicitly and the BPFDataIfacePattern may need to be changed accordingly to avoid attaching to "slave" devices. calico #7518 (@tomastigera)
- ebpf: Jumpmap version incremented to prevent failures when upgrading from earlier calico versions calico #7484 (@tomastigera)
- ebpf: Topology Aware Hints supported when/where provided by k8s. calico #7241 (@StevenTigera)
- ebpf: Setting BPFDSROptoutCIDRs to a list of CIDRs allows clients from these CIDRs to opt out from DSR when DSR is enabled. We recommend enabling DSR and setting BPFDSROptoutCIDRs to 184.108.40.206/32 in AKS. calico #7211 (@tomastigera)