Calico Open Source 3.32 release notes
Learn about the new features, bug fixes, and other updates in this release of Calico.
New features and enhancements
Native v3 CRDs (tech preview)
Calico now supports installation with native projectcalico.org/v3 CRDs as an alternative to the aggregated API server.
The Tigera Operator registers projectcalico.org/v3 resources directly as native Kubernetes CRDs — no host-network pods, no ordering dependencies between CRDs and the API server, and kubectl manages v3 resources without an extra install step.
This removes a long-standing source of installation friction on managed Kubernetes platforms like EKS and AKS.
For existing clusters, a new DatastoreMigration controller copies resources from the aggregated API server to native CRDs in place; the datastore is briefly locked but workload connectivity is preserved through the migration window.
Native v3 CRDs require the Kubernetes MutatingAdmissionPolicy feature gate, which is beta and not enabled by default.
This is the first phase of phasing out the aggregated API server: in a future release, native v3 CRDs will become the default install mode, and in a later release the aggregated API server will be removed entirely.
For more information, see Enable native v3 CRDs and Migrate from API server to native CRDs.
Kubernetes ClusterNetworkPolicy
Calico now implements the upstream Kubernetes SIG-Network ClusterNetworkPolicy resource (policy.networking.k8s.io/v1alpha2), giving cluster admins cluster-scoped Accept/Deny/Pass rules in two well-known tiers — Admin and Baseline — that namespace owners cannot override.
This is how you enforce baseline guardrails and tenant isolation that namespace-scoped NetworkPolicy cannot express.
ClusterNetworkPolicy composes with Calico's existing tiered policy: each upstream tier maps to a new auto-created Calico tier (kube-admin and kube-baseline), and priority maps to order, so you can mix ClusterNetworkPolicy, NetworkPolicy, and GlobalNetworkPolicy resources in either tier.
For more information, see Get started with policy tiers.
Istio ambient mode (tech preview)
Calico now bundles Istio in ambient mode, a sidecarless service-mesh architecture that delivers mTLS encryption and mesh security at much lower resource cost than sidecar mesh. Existing Calico and Kubernetes network policies continue to work unchanged: Calico includes a modified zTunnel proxy that preserves the original destination port instead of rewriting it to the HBONE tunnel port (15008). The exception is Istio's Waypoint proxy: if you deploy Waypoint, traffic to it follows upstream Istio behavior and your policies must allow port 15008.
For more information, see Istio Ambient Mode.
Live migration of KubeVirt VMs over BGP
Calico now provides first-class networking for KubeVirt virtual machines in bridge mode, including live migration of running VMs between nodes without breaking established TCP connections. A migrating VM keeps its IP and has network policy programmed on the destination node before it goes live there. Felix re-advertises the VM's route from the new host through BGP as soon as the VM activates, so existing connections survive node maintenance and load rebalancing without reconnect storms. Live migration requires bridge binding mode and BGP networking (no overlay), and is not supported with WireGuard.
For more information, see KubeVirt networking and BGP routing for KubeVirt live migration.
OpenStack live migration improvements
Calico for OpenStack now coordinates live migration with the BGP routing layer so existing TCP connections to a migrating VM survive maintenance, load-rebalancing, and planned-reboot migrations.
On the target compute node, Felix programs the migrating VM's route with elevated priority so the target route wins while both source and target advertise the VM.
Example BIRD configurations for iBGP (using LOCAL_PREF) and eBGP (using BGP communities) show how to propagate that priority correctly between nodes.
Calico also recommends live_migration_wait_for_vif_plug = True in Nova so compute transfer waits until interface, ipset, and iptables programming is in place on the destination.
A new state machine emits INFO-level logs in the Neutron driver and Felix so you can track each phase of a migration.
For more information, see Live migration for OpenStack VMs.
Maglev consistent-hash service load balancing
The eBPF data plane now supports Maglev consistent-hash load balancing for external traffic to a Service.
When a backend is added or removed, Maglev only remaps a small fraction of flows — long-lived connections survive backend churn, and Calico nodes can act as stable ECMP nexthops for advertised service IPs.
Opt in per-Service with the lb.projectcalico.org/external-traffic-strategy: "maglev" annotation; the feature requires the eBPF data plane in direct server return mode and does not apply to pod-to-Service, NodePort, or Services that set Kubernetes External Traffic Policy.
For more information, see Add Maglev load balancing to a service.
Whisker policy filtering and UI improvements (tech preview)
The Whisker web console gains additional filtering on the live flow-log stream — including by policy, namespace, pod, and verdict — so you can isolate the traffic you're investigating without leaving the console. This builds on the flow-logs API (Goldmane) and Whisker components introduced in earlier 3.x releases.
For more information, see View flow logs in the Calico Whisker web console. If you upgraded from 3.29 or earlier, see Enable the flow logs API and Calico Whisker to turn the components on.
eBPF: TCP RST on backend pod failure
When a backend pod for a Service goes away, the eBPF data plane now sends a TCP RST to clients with established connections to the failed backend. Applications fail immediately and reconnect to a healthy backend instead of hanging on a dead flow.
Kubernetes 1.36 support
This release adds support for Kubernetes 1.36.
Deprecations
- The aggregated API server (calico-apiserver) is deprecated and will be removed in a future release. See Native v3 CRDs for the recommended replacement.
Bug fixes
- Fixes an issue where calico-apiserver generated malformed OpenAPI schema definitions after the Kubernetes 1.35 dependency bump, which could cause ArgoCD and similar tools to fail schema validation. calico 12637 (@MichalFupso)
- Typha now rejects oversized inbound client gob frames before reading them, preventing a potential denial-of-service caused by excessive memory allocation. calico 12590 (@Behnam-Shobiri)
- Removed sensitive material (auth tokens, kubeconfig contents, etcd credentials, and inline certificates/keys) from log output. Logs that previously included full client-config or environment-variable dumps now log structured non-secret fields instead. calico 12588 (@Behnam-Shobiri)
- Fix LoadBalancer IPAM race on kube-controllers startup that could assign multiple addresses to a Service. calico 12568 (@MichalFupso)
- calicoctl no longer logs raw client config on startup, which previously included K8sAPIToken, inline kubeconfig, EtcdPassword, and inline etcd key/cert material. The replacement log entry reports only non-sensitive fields and boolean "set" indicators for each credential. calico 12536 (@Behnam-Shobiri)
- app-policy (Dikastes): normalize the HTTP request-target before evaluating Application Layer Policy path rules, and reject shapes whose resolved form depends on upstream-specific decoding. Request paths are now RFC 3986 / RFC 7230 normalized (decode percent-escapes once, resolve dot-segments and repeated slashes, fold backslashes, strip matrix parameters per segment) and prefix matches are anchored to path-segment boundaries. Paths whose decoded form still contains percent-encoded path separators (%2e / %2f / %5c), or contains a null byte, are rejected. calico 12532 (@electricjesus)
- Sanitize CNI plugin log output. calico 12526 (@Behnam-Shobiri)
- Fixed a Felix eBPF cleanup race condition that could cause a nil-pointer panic when an interface disappeared during TC qdisc cleanup. calico 12480 (@Behnam-Shobiri)
- Use cryptographically secure random number generator for X.509 certificate serial numbers. calico 12468 (@Behnam-Shobiri)
- ebpf: Fix conntrack counter accounting for NAT-outgoing flows where bytes_in and packets_in were always zero. calico 12323 (@lucastigera)
- Fix a data race in Felix's BPF endpoint manager when comparing HostEndpoint protobuf messages, which could cause flaky race-detector failures or subtle logic errors under concurrent access. calico 12174 (@fasaxc)
- Fix goroutine leak after nflog reader restart. calico 12159 (@fasaxc)
- Fix a goroutine leak in Felix's interface monitor that could occur on netlink reconnect. calico 12139 (@fasaxc)
- Fix memory leak in routing table logic. The "interfaces to ARP" set was not properly cleaned out when an interface was removed, resulting in leaving old interface names in the set. calico 12138 (@fasaxc)
- Fix dikastes L7 application layer policy enforcement being broken since v3.30.0 due to missing ALPCheckProvider registration. calico 11986 (@electricjesus)
- ebpf: Fix kernel crash on UDP GSO FRAGLIST packets after partial bpf_skb_pull_data by fully linearizing the packet. Auto-detected via kernel version (fixed in 6.16+), overridable via FeatureDetectOverride. calico 11920 (@tomastigera)
- Fix advertisement of /32 LB IP addresses when not present in the Service Spec calico 11917 (@caseydavenport)
- LoadBalancer controller: prevent nil pointer dereference in handleBlockUpdate. calico 11913 (@MichalFupso)
- Fix calico-kube-controllers IPAM GC controller getting stuck when cleaning up nodes during rapid scale-down. calico 11906 (@caseydavenport)
- Fix failure to enable ingress bandwidth QoS controls when a non-default qdisc previously existed on the workload interface (handle != 0). calico 11899 (@coutinhop)
- Fix CNI delete timeout to start after IPAM lock acquisition, preventing "context deadline exceeded" failures during high pod churn calico 11824 (@sudheernv)
- Fix API server startup failure when configuring TLS 1.3-only cipher suites. The API server now supports the TLS_MIN_VERSION environment variable (values: "1.2" or "1.3") to control the minimum TLS version. Set TLS_MIN_VERSION=1.3 when using TLS 1.3-only cipher suites to avoid HTTP/2 cipher validation errors. calico 11812 (@KameHameHa21110)
- Fix BGP syncing on Windows calico 11748 (@rbrtbnfgl)
- Bugfix: fix rendering of NatPortRange option when using nftables. calico 11736 (@nelljerram)
- Fix that some components would add square brackets to IPv4 addresses when forming host:port addresses (treating them like IPv6 addresses). calico 11721 (@fasaxc)
- Fix that the CNI plugin installer generated a malformed URL for IPv4 addresses. This bug was exposed by a fix to the golang URL parser. calico 11713 (@fasaxc)
- ebpf: fix a regression where, after switching to the flow-based VXLAN device, the VNI was always 0 regardless of the configured setting. calico 11692 (@tomastigera)
- ebpf: fixed performance for UDP (QUIC/HTTP3) nodeports calico 11653 (@tomastigera)
- eBPF: fix that local workloads with borrowed IPs lose connectivity. calico 11640 (@fasaxc)
- ebpf - Fixed routing of fragmented packets from a pod with multiple host interfaces. calico 11616 (@sridhartigera)
- Don't uninstall CNI and kube-proxy service when using non-Calico CNI on Windows with operator install. calico 11614 (@coutinhop)
- Fix possible segmentation fault in IP address parsing code calico 11602 (@majiayu000)
- Restrict Calico ML2 leader election participation to the parent Neutron server process, preventing API and worker processes from becoming leader and reducing contention under high API load. calico 11580 (@chaowang987)
- ebpf: fix bug where ingress and egress policy program indexes were confused, resulting in cleaning up the wrong policy program. calico 11565 (@fasaxc)
- bpf: Fix IP fragment reassembly between 8,000 and 16,000 bytes. Offsets were miscalculated due to incorrect order of operations. calico 11557 (@fasaxc)
- Fix potential HEP / WEP chain name conflicts in IPVS mode. calico 11541 (@terror96)
- Fix race in EndpointSlice logic for BGP service advertisement calico 11503 (@sergeimonakhov)
- eBPF - Fixed map operations for older kernels. calico 11482 (@sridhartigera)
- Fix kube-controllers watch handling to avoid leaking watchers when the configuration watch is recreated. calico 11433 (@fusidic)
- eBPF - Fixed loading connecttime load balancer program in 6.12 kernel calico 11399 (@sridhartigera)
- Fix: IPPool CIDR Validation Fails on Semantically-Identical IPv6 CIDRs calico 11385 (@skoryk-oleksandr)
- OpenStack: don't force the MTU to 1500 in IPv6 router advertisements calico 11380 (@kristiangronas)
- Fix startup failure when using etcdv3 storage without any Kubernetes API server. calico 11361 (@Nativu5)
- Felix now explicitly sets priority 1024 for IPv6 routes instead of relying on kernel default, ensuring routes round-trip correctly when read from the kernel. calico 11356 (@Copilot)
- Re-create and swap out Calico ipsets that are not possible to list due to different failures like user-space/kernel incompatibility. calico 11340 (@mazdakn)
- Fix AllowSpoofedSourcePrefixes for dual stack clusters. calico 11338 (@sknat)
- OpenStack bugfix: request etcd compaction periodically regardless of how long resync takes, or if periodic resync is disabled. calico 11306 (@nelljerram)
- Fixes pending policy evaluation race post endpoint deletion calico 11281 (@dimitri-nicolo)
- ebpf: kube-proxy binds service health probes to node IPs instead of "any" calico 11280 (@tomastigera)
- Fixed a race in flow log generation that could mis-report service traffic as denied when a backing pod was deleted while the packet was being processed. calico 11276 (@dimitri-nicolo)
- fix (release-tool): include image tarballs in release archive file calico 11253 (@radTuti)
- ebpf: Do not adjust gso_size after nodeport tunnel vxlan decap. There is no guarantee that there would be enough data after removing tunnel headers. The packet is shrunk by 50 bytes while the gso_size would grow. Kernel would drop the packet if the original gso packet is too small. calico 11252 (@juliantaylor)
- Fix BGP advertisement of externalIP addresses on Services with type=ClusterIP. calico 11204 (@caseydavenport)
- CNI plugin: double-check the IPv6 LL address on the host side of the veth and refresh it if it seems wrong. Sometimes the kernel uses a stale MAC to calculate it. calico 11182 (@fasaxc)
- Fix IPAM block leak of older blocks when deleting IP pools. calico 11179 (@caseydavenport)
- ebpf: do not blindly redirect back to the same host iface - fixed regression from 3.29 to 3.30 calico 11117 (@tomastigera)
- Fix that empty source/destination EntityRules would serialize as '' instead of being omitted. Due to change of JSON library, this makes the errors reported for unexpected fields slightly less clear. calico 11116 (@fasaxc)
- Fix potential nil pointer dereference in load balancer IP allocation controller calico 11092 (@caseydavenport)
- Bugfix: reinstate support for VMs that are configured not to respond to ARP requests. calico 11052 (@nelljerram)
- Add missing staged policy permissions to apiserver.yaml calico 11022 (@caseydavenport)
- Various fixes for 32bit architectures. calico 11009 (@twz123)
- Fix slow IPAM release performance when releasing IPs from disabled or deleted pools (especially for bulk deletions like those done by IPAM GC). Consider disabled pools as potential IP owners and cache any loaded blocks for fast access. calico 10973 (@fasaxc)
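The Dikastes path-normalization fix above (calico 12532) is easiest to follow in code. The Go program below is an added illustration written for these notes, not Dikastes' own implementation; the names NormalizePath, PrefixMatch and Matches are chosen here. It applies the listed steps to constructed request targets and shows why a prefix rule for /api no longer matches traversal, backslash, matrix-parameter or double-encoded variants.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrRejectedPath is returned for request targets whose resolved form would
// depend on how an upstream decodes them (double-encoded separators, NUL bytes).
var ErrRejectedPath = errors.New("request path rejected: ambiguous or unsafe encoding")

// NormalizePath applies the normalisation described in the 3.32 notes for ALP
// path rules: decode percent-escapes once, reject decoded forms that still carry
// an encoded separator (%2e, %2f, %5c) or a NUL byte, fold backslashes to slashes,
// strip per-segment matrix parameters (";k=v"), and resolve "." / ".." segments
// and repeated slashes. Query and fragment are dropped before evaluation.
func NormalizePath(raw string) (string, error) {
	if i := strings.IndexAny(raw, "?#"); i >= 0 {
		raw = raw[:i]
	}
	decoded, err := url.PathUnescape(raw) // exactly one round of %XX decoding
	if err != nil {
		return "", ErrRejectedPath // malformed escape such as "%zz"
	}
	lower := strings.ToLower(decoded)
	if strings.ContainsRune(decoded, 0) ||
		strings.Contains(lower, "%2e") ||
		strings.Contains(lower, "%2f") ||
		strings.Contains(lower, "%5c") {
		return "", ErrRejectedPath // would need a second decode to resolve
	}
	decoded = strings.ReplaceAll(decoded, `\`, "/")
	var out []string
	for _, seg := range strings.Split(decoded, "/") {
		if j := strings.IndexByte(seg, ';'); j >= 0 {
			seg = seg[:j] // drop matrix parameters: "users;id=7" -> "users"
		}
		switch seg {
		case "", ".": // empty (repeated slash) and current-dir segments vanish
		case "..": // parent-dir segment pops the previous one, never above root
			if len(out) > 0 {
				out = out[:len(out)-1]
			}
		default:
			out = append(out, seg)
		}
	}
	return "/" + strings.Join(out, "/"), nil
}

// PrefixMatch anchors a rule prefix to a path-segment boundary: "/admin"
// matches "/admin" and "/admin/users" but not "/administrator".
func PrefixMatch(rulePrefix, normalizedPath string) bool {
	p := strings.TrimSuffix(rulePrefix, "/")
	if p == "" {
		return true // a "/" rule covers every path
	}
	return normalizedPath == p || strings.HasPrefix(normalizedPath, p+"/")
}

// Matches normalises a raw request target and evaluates it against a rule prefix.
// Rejected targets never match, so a deny-by-default policy drops them.
func Matches(rulePrefix, rawTarget string) (bool, error) {
	norm, err := NormalizePath(rawTarget)
	if err != nil {
		return false, err
	}
	return PrefixMatch(rulePrefix, norm), nil
}

func main() {
	// Constructed request targets for illustration, not captured traffic.
	for _, tgt := range []string{
		"/api/v1/../admin//users",
		"/api/%2e%2e/admin",
		"/api/%252e%252e/admin",
		`/api\..\admin`,
		"/api;v=2/users;id=7?x=1",
		"/api/users%00.json",
	} {
		ok, err := Matches("/api", tgt)
		fmt.Printf("%-26q -> match=%v err=%v\n", tgt, ok, err)
	}
}
```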
Other changes
- Update bundled Istio version to 1.29.2, including CVE fixes for moby/spdystream, prometheus/prometheus, and opentelemetry-go/otel/sdk. calico 12581 (@radixo)
- [Tech Preview] FelixConfiguration resources now support an optional nodeSelector field that restricts configuration to nodes matching a label selector, enabling per-node-group Felix configuration without requiring individual per-node resources. At most one selector-scoped FelixConfiguration should match any given node; if multiple match, the oldest by creation time wins to avoid disrupting existing working configuration. Overlapping selectors are treated as a misconfiguration and this behavior may change in future releases. calico 12497 (@tomastigera)
- ebpf: Add JSON output support to calico-bpf dump commands (counters, conntrack, NAT, routes, arp, ifstate, maps). calico 12312 (@tomastigera)
- Add support for named ports in ClusterNetworkPolicy. calico 12227 (@mazdakn)
- Calico's BIRD configuration (generated by the confd subcomponent of calico-node) has been enhanced to propagate route priorities within a contiguous AS (autonomous system). This is one of a set of changes needed for seamless live migration of VMs. calico 12089 (@nelljerram)
- Make live migration more seamless in Calico for OpenStack: there should now be much less latency between the VM becoming active on the target node and network traffic being successfully sent to and from that VM. calico 12064 (@nelljerram)
- Added manifest-mode support for deploying Calico with native v3 CRDs (projectcalico.org/v3) without the operator, including a standalone webhooks manifest and v1-to-v3 CRD migration support. calico 12062 (@caseydavenport)
- calico-bpf policy dump: Improved output readability with hierarchical indentation, human-readable rule actions, and resolved IP set members instead of opaque hex IDs. calico 12050 (@sridhartigera)
- Calico now builds and publishes its own customized Istio images (pilot, proxyv2, install-cni, and ztunnel) with Calico-specific patches applied (DSCP magic-mark for transparent networking, plus CVE-fix dependency bumps). These were previously available only in Calico Enterprise. calico 12039 (@radixo)
- Support live migration for KubeVirt VMs. calico 12038 (@nelljerram)
- ebpf: Allow disabling BPF kube-proxy health check by setting port to 0 calico 12033 (@tomastigera)
- calico-bpf nat dump now accepts optional <ip> <port> <proto> arguments to scope output to a single service (including all sibling frontends sharing the same service ID), and a new --group-by-service flag groups frontends with their shared backend list printed once per service. calico 12021 (@Copilot)
- BGPFilter: Add new match criteria (PeerType, Communities, ASPathPrefix, Priority) and route operations (AddCommunity, PrependASPath, SetPriority) to BGPFilter rules, enabling advanced BGP policy use cases such as route priority propagation for KubeVirt live migration. calico 12002 (@song-jiang)
- [Tech Preview] FelixConfiguration resources now support an optional nodeSelector field that restricts configuration to nodes matching a label selector, enabling per-node-group Felix configuration without requiring individual per-node resources. At most one selector-scoped FelixConfiguration should match any given node; if multiple match, the oldest by creation time wins to avoid disrupting existing working configuration. Overlapping selectors are treated as a misconfiguration and this behavior may change in future releases. calico 11977 (@tomastigera)
- calicoctl ipam configure now accepts --kubevirt-ip-persistence=<Enabled|Disabled> to toggle whether KubeVirt VMs retain a persistent IP across reboots, live migrations, and pod evictions. Pairs with the IPAM-side support added in #11865. calico 11971 (@skoryk-oleksandr)
- Introduces istioAmbientMode and istioDSCPMark to felix for integration with Calico Istio compilation. calico 11880 (@radixo)
- Calico IPAM now supports persistent IP addresses for KubeVirt VMs, allowing VMs to retain their IPs across reboots, live migrations, and pod evictions. calico 11865 (@song-jiang)
- Applied code modernization with "go fix"; this had a small impact on the Calico v1 APIs due to removing some invalid "omitempty" annotations on JSON fields. calico 11864 (@fasaxc)
- calico-node: base image bumped from UBI 8 to UBI 9 calico 11860 (@lucastigera)
- Felix now keeps a cache of recently computed interned label maps. This reduces memory usage, particularly with large deployments or large numbers of namespaces. calico 11854 (@fasaxc)
- Skip unnecessary calls to nft when running in iptables mode. calico 11848 (@haojiwu)
- Felix now defers calculation of selector label restrictions until they are needed, saving RAM when many selectors are active. calico 11846 (@fasaxc)
- Introduce ProgramClusterRoutes option in BGPConfiguration to control how a cluster node gets a route to a workload on another node, when that workload's IP comes from an IP Pool with vxlanMode: Never. When ProgramClusterRoutes is Enabled, confd and BIRD program that route. When ProgramClusterRoutes is Disabled, it is expected that Felix will program that route. Felix always programs such routes for IP Pools with vxlanMode: Always or vxlanMode: CrossSubnet. [Default: Enabled] calico 11845 (@mazdakn)
- The Tier allow-tigera has been renamed to calico-system. If your Calico installation does not use the Tigera Operator, or if you have created custom Network Policies within this Tier, you must manually update your resources to reference the new Tier name. Please review and adjust any affected policies to ensure continued correct behavior. calico 11842 (@radixo)
- Use indexer for EndpointSlice lookups to avoid O(n) scans in confd calico 11838 (@haojiwu)
- Improve resource consumption when IP_AUTODETECTION_METHOD is set to cidr on Linux instances with many addresses. calico 11834 (@imbstack)
- Update Envoy Gateway from v1.5.6 to v1.5.7. calico 11820 (@electricjesus)
- calicoctl cluster diags now collects Multus network-attachment-definitions. calico 11816 (@Copilot)
- Adds a validating admission webhook that enforces tier-based RBAC on (Global)NetworkPolicy and staged-policy CRUD operations. This makes tier permissions enforceable in manifest-mode (no-API-server) installs by checking that the requesting user has rights on the policy's tier before allowing the write. calico 11803 (@caseydavenport)
- ebpf: Reset the TCP connection when the backend is deleted. calico 11762 (@sridhartigera)
- ebpf: Added support for Kubernetes Service Traffic Distribution and for the service.kubernetes.io/topology-mode annotation, replacing the deprecated service.kubernetes.io/topology-aware-hints behavior. calico 11751 (@lucastigera)
- We continue testing Calico against OpenStack Caracal, but have stopped testing Calico against OpenStack Yoga. This is because Yoga has now been "unmaintained" for over a year, and is not compatible with current CI platforms based on Ubuntu 22.04. calico 11742 (@nelljerram)
- The tigera-operator Installation CRD now accepts node, felix, and confd as Windows container names (in addition to the legacy calico-node-windows), and adds NodeWindows, FelixWindows, and ConfdWindows as componentResources keys, allowing per-container resource overrides on Windows nodes. calico 11735 (@tmjd)
- BREAKING: The tigera-operator Helm chart no longer includes custom resource definitions for Calico. A new crd.projectcalico.org.v1 companion Helm chart has been introduced which includes the CRDs instead. calico 11727 (@caseydavenport)
- Support custom qps and burst for Kubernetes client in calico and calico-ipam CNI plugins. calico 11674 (@renyunkang)
- ebpf: update BPFExtToServiceConnmark to work with fib lookup with kernel 6.10+ The mark allows steering response packet via different route than ingress traffic. calico 11665 (@tomastigera)
- [BPF] Adds new Prometheus metric felix_bpf_conntrack_maglev_entries_total for the Maglev connection count. calico 11660 (@aaaaaaaalex)
- Support auto-detection of nftables or iptables based on kube-proxy configuration. calico 11629 (@caseydavenport)
- feat: push helm charts to OCI registry (quay.io/calico/charts); fix: use accurate created date for chart entry in helm index. calico 11626 (@radTuti)
- eBPF: implement allowedSourcePrefixes functionality. calico 11615 (@turkmenkaan)
- Update flow log policy hit syntax used by Felix so that it explicitly includes the policy kind. calico 11603 (@caseydavenport)
- Add support for configurable dnsPolicy in tigera-operator deployment to fix DNS circular dependency issues on AWS EKS. Users can now override the default ClusterFirstWithHostNet behavior by setting dnsPolicy: Default in values.yaml. This change maintains backward compatibility with existing deployments. calico 11595 (@kalavt)
- Adds configurable field resync_max_interval_secs that defines the max time allowed between successful periodic resyncs. Logs an error message if the interval exceeds the threshold. calico 11577 (@LeoBJenkins)
- Restrict LogPrefix in FelixConfiguration to alphanumeric, :, %, /, _, - and space characters. calico 11566 (@mazdakn)
- Whisker: Added new filtering capabilities including "Reporter" filter, "pending/staged actions" filter calico 11556 (@skoryk-oleksandr)
- Bump bundled Envoy Gateway to v1.5.6 calico 11527 (@nelljerram)
- Introduce logActionRateLimit and logActionRateLimitBurst in FelixConfiguration to rate limit the log messages generated when a rule with a LOG action is hit. calico 11514 (@mazdakn)
- Define specifiers that let users include policy details in the system log messages generated by rules with a LOG action: %t is the name of the tier the policy is placed in; %k is the policy or profile kind, using short names (for example, gnp for GlobalNetworkPolicy); %n is the policy name; %p is the namespaced policy name, namespace/name for namespaced kinds or just name for non-namespaced ones. calico 11496 (@mazdakn)
- Add controller to migrate underlying policy storage to use v3 API names. calico 11493 (@caseydavenport)
- Rotated log files are now compressed to reduce host disk usage. calico 11467 (@hjiawei)
- Adjust JSON parsing logic to give unique stack trace per resource type. Makes memory profiles a lot more descriptive. calico 11342 (@fasaxc)
- Calico Windows container images have been updated to use Nano Server LTSC 2019 instead of 1809. calico 11330 (@hjiawei)
- Remove deprecated iptablesLockTimeout parameter and associated function. Modern versions of iptables-restore always take the lock on their own so using it would cause immediate deadlock. calico 11326 (@fasaxc)
- Rev etcd client to v3.6.5. Rev server used in tests to v3.5.24. calico 11288 (@fasaxc)
- Deprecated the "L2Only" value for BPFRedirectToPeer. BPFRedirectToPeer="Enabled" now explicitly allows direct redirection to the peer side from both L2 and L3 host devices (e.g. IPIP/WireGuard). calico 11279 (@sridhartigera)
- Updated tigera-operator RBAC to allow creating and updating mutatingwebhooks; update is restricted to the specific resourceName envoy-gateway-topology-injector.tigera-gateway. calico 11257 (@electricjesus)
- Default KubeControllersConfiguration.LoadBalancer when not set to AllServices calico 11251 (@MichalFupso)
- Naming restrictions for NetworkPolicy, GlobalNetworkPolicy, and all staged policy variants have been relaxed to no longer require the policy tier prefix for policies in non-default tiers. Calico will perform an automatic upgrade of existing policies to be compatible with this change on upgrade. calico 11232 (@caseydavenport)
- Enabled FIB for IPIP so that we can redirect packets in eBPF. calico 11230 (@sridhartigera)
- ebpf: start only a single kube-proxy health-server in dual stack mode calico 11223 (@tomastigera)
- kube-controllers: improve logs around load balancer IPAM. calico 11184 (@fasaxc)
- BPF: Adds support for Maglev-style service loadbalancer, which enables service traffic failover to another loadbalancer in case of a failure. calico 11159 (@aaaaaaaalex)
- IPAM: when a pool is full, try to reclaim empty blocks from other nodes before giving up. Helps the most with special-purpose block-size-/32 pools; prevents blocks from getting stranded on nodes that can't use them. calico 11149 (@fasaxc)
- Removing AdminNetworkPolicy and BaselineAdminNetworkPolicy API support in favor of ClusterNetworkPolicy. These resources must be removed or replaced by ClusterNetworkPolicy before upgrade, since Calico v3.32 and newer won't enforce them. Static tiers named adminnetworkpolicy and baselineadminnetworkpolicy are removed. calico 11144 (@mazdakn)
- OpenStack: Stop compressing DWARF debugging information with dwz, because Go 1.25 has moved to DWARF 5, which dwz does not support. calico 11074 (@matthewdupre)
- ebpf: calico-node -bpf policy dump prints the End of (Rule | Policy | Tier) in the default concise output calico 11071 (@tomastigera)
- ebpf: Felix now disables BPF JIT hardening for its own privileged BPF programs by default, because hardening can slow large-policy programming by 10–20x on systems where it is forced on (e.g. Bottlerocket). The new BPFJITHardening Felix config option overrides this: set it to Strict to honour the system-wide setting instead. calico 11024 (@Copilot)
- Make Calico's backing CRDs optional. Calico will no longer fail to start if a CRD is missing. calico 11023 (@caseydavenport)
- ebpf: BPFKubeProxyHealtzPort allows changing the kube-proxy healthz server port. calico 11011 (@Copilot)
- Add keepalive time to BGPPeer API calico 10998 (@lgYanami)
- Calico is now built with Kubernetes v1.33.5. calico 10994 (@dependabot[bot])
- Envoy Gateway version updated to v1.5.4 calico 10984 (@electricjesus)
- OpenStack: support IPv6 subnets using SLAAC calico 10876 (@kristiangronas)
- Add support for the standard and experimental (networks peers and named ports) functionality of the new k8s ClusterNetworkPolicy API. Two new static tiers named kube-admin (order 1,000) and kube-baseline (order 10,000,000) are created at startup; ClusterNetworkPolicy resources in the Admin tier are enforced in kube-admin and those in the Baseline tier in kube-baseline. calico 10810 (@mazdakn)
- Support for TLS on Felix Prometheus metrics endpoint. calico 10495 (@peppi-lotta)
- Tech-preview support for using the projectcalico.org/v3 API directly as CRDs, without the need for an extension API server. calico 10447 (@caseydavenport)
- The tigera-operator helm chart no longer includes crd.projectcalico.org CRDs. They must be created / updated prior to running the chart. calico 10447 (@caseydavenport)
Release details
Calico Open Source 3.32.0 general availability release
April 30, 2026
Calico Open Source release 3.32.0 is now generally available.
Updating
To update a previous version of Calico, see our upgrade guides.