Releases
The following table shows component versioning for Calico v3.2.
Use the version selector at the top-right of this page to view a different release.
v3.2.1
Release archive with Kubernetes manifests, Docker images and binaries.
23 August 2018
Bug fixes
- Fix missing iptables after a HostEndpoint-protected interface is deleted and re-added. felix #1885 (@neiljerram)
- Fix a bug where etcd compaction may not have occurred due to transient connection issues. kube-controllers #288 (@caseydavenport)
| Component | Version |
|---|---|
| calico/node | v3.2.1 |
| calicoctl | v3.2.1 |
| calico/cni | v3.2.1 |
| calico/kube-controllers | v3.2.1 |
| networking-calico | 3.2.0 |
| typha | v3.2.1 |
| flannel | v0.9.1 |
| calico/routereflector | v0.6.3 |
| calico/dikastes | v3.2.1 |
| flexvol | v3.2.1 |
v3.2.0
Release archive with Kubernetes manifests, Docker images and binaries.
14 August 2018
We are very excited to announce v3.2.0 of Calico. Some of the highlights of this release are:
GA for Application Layer Policy
With Calico v3.2 we are moving support for application layer policy from “tech preview” to GA. With today’s evolving threat landscape, enterprises are deploying a zero trust network security model to protect their crown jewels. Application layer policy from Tigera Calico, combined with the open source Istio project simplifies authenticating and authorizing network flows using multiple attributes.
IPVS kube-proxy
Calico v3.2 updates support for IPVS proxy from beta to GA. IPVS support is activated automatically if Calico detects when kube-proxy is running IPVS mode. IPVS kube-proxy promises greater scale and performance.
Labels for OpenStack EndPoints
If using Calico with OpenStack endpoints, each OpenStack VM identified as Calico workload endpoint will now have labels for project name and security groups the virtual machine belongs to.
Updated dependencies
All components are built using Go v1.10.3 and all images are based on the latest build of Alpine v3.8
Multiple Architectures
Thanks to concerted efforts from the community, images are now available for all components for the arm64 and ppc64le architectures.
Other changes
- Removed the kubeadm installation manfiest in favor of the etcd / kdd manifests. calico #1933 (@caseydavenport)
- calico/node is now supported in IPv6 only environments. calico #1917 (@tmjd)
- ipAddrsNoIpam is now disabled by default and can be enabled using the new “feature_control” flag in the CNI config. calico #1901 (@ozdanborne)
- The address used by Felix for health information now defaults to localhost instead of 0.0.0.0. A new config parameter was added for control over this behavior: HealthHost calico #1900 (@ozdanborne)
- calico/node supports an exec based readiness probe for monitoring felix and BIRD readiness calico #1841 (@ozdanborne)
- kubernetes manifests now enable BIRD BGP readiness checks by default. calico #1841 (@ozdanborne)
- veth MTU is now configurable via the configmap in the Kubernetes self-hosted manifests calico #1770 (@ketkulka)
- Substantially reduced the calico/node image size by consolidating shared code in a single binary. node #26 (@caseydavenport)
- Calico’s CNI plugin now supports the host-local IPAM plugin’s ranges configuration section when substituting “usePodCidr”. cni-plugin #571 (@fasaxc)
- Fix a bug in the CNI plugin where IP allocations were not properly updated on container restart cni-plugin #529 (@caseydavenport)
- When ran as a pod CNI will be configured with K8s CA for tls verification. cni-plugin #527 (@tmjd)
- Fix etcd cert file existence check in calico/cni cni-plugin #526 (@bjhaid)
- Add the tuning plugin to the calico/cni image cni-plugin #519 (@eranreshef)
- Add support for configuring container IP forwarding via the CNI configuration file. cni-plugin #501 (@caseydavenport)
- Support configuring MTU via install-cni.sh environment variable cni-plugin #491 (@ketkulka)
- The iptables rules for forwarded traffic passing through a HostEndpoint have been improved so that that traffic is allowed by default (when there is no relevant ApplyOnForward policy) even if the host has
iptables -P FORWARD DROP. (For the full intended semantics for forwarded traffic through HostEndpoints, which have not changed, see https://docs.projectcalico.org/master/getting-started/bare-metal/policy/forwarded.) felix #1841 (@neiljerram) - Workaround an etcd client issue that caused high CPU when the etcd server was down. felix #1808 (@fasaxc)
- Felix now handles no-op policy updates more efficiently, this can significantly reduce CPU usage where policy is frequently rewritten with no changes. felix #1806 (@fasaxc)
- HealthCheck default behavior changed from listening on all interfaces to just listening on localhost. This behavior can be controlled by the new HealthHost parameter. felix #1782 (@ozdanborne)
- Felix now uses unique temporary IP set names; this works around transient deletion failures and failures caused by other apps incorrectly referencing Calico IP sets. felix #1779 (@fasaxc)
- Since Typha no longer exposes its readiness check on 0.0.0.0 (in order to improve security), our manifests have been updated to use a new command-line readiness check. typha #179 (@fasaxc)
- Typha now supports configuring both port and host to bind to for health checks. The default is now localhost. typha #140 (@renan)
- IPAM doesn’t use old IP blocks after upgrade to Calico 3.1 libcalico-go #868 (@gunjan5)
- For updated Kubernetes clusters that allow it, you may include both a pod and namespace selector on a NetworkPolicyPeer. libcalico-go #867 (@spikecurtis)
- Can now set the bind address for Felix health endpoints in the FelixConfiguration object libcalico-go #849 (@renan)
- When converting do not copy egress type when preDNAT is set on a policy. libcalico-go #848 (@tmjd)
- Remove feature flag check for service accounts. libcalico-go #836 (@saumoh)
Limitations
-
Offers only Kubernetes, OpenShift, OpenStack, and host endpoint integrations: the Mesos, DC/OS, and libnetwork orchestrators have not been tested. The latest supported release for these orchestrators is v2.6.
-
GoBGP not supported: Setting the
CALICO_NETWORKING_BACKENDenvironment variable togobgpis not supported. See Configuring calico/node for more information. We plan to resume support for GoBGP in a future release. -
Route reflectors cannot be clustered: We plan to resume support for this in a future release.
| Component | Version |
|---|---|
| calico/node | v3.2.0 |
| calicoctl | v3.2.0 |
| calico/cni | v3.2.0 |
| calico/kube-controllers | v3.2.0 |
| networking-calico | 3.2.0 |
| typha | v3.2.0 |
| flannel | v0.9.1 |
| calico/routereflector | v0.6.3 |
| calico/dikastes | v3.2.0 |
| flexvol | v3.2.0 |