Toggle nav

Release notes

The following table shows component versioning for Calico v3.16.

To select a different version, click Releases in the top navigation bar.

v3.16.10

Release archive with Kubernetes manifests, Docker images and binaries.

22 Apr 2021

Bug fixes

• Fix that calico/node would fail to set NetworkUnavailable to false for etcd clusters with mismatched nodenames node #948 (@caseydavenport)
• Fixes a bug where IPv6 networks were not handled properly by the failsafe rules felix #2772 (@mgleung)
• Fix that, after a netlink read failure, Felix would tight loop reading from a closed channel. Restart the event poll in that case. felix #2712 (@fasaxc)

Other changes

• FailsafeInboundHostPorts & FailsafeOutboundHostPorts now support restricting to specific cidrs. New format :: [felix #2720](https://github.com/projectcalico/felix/pull/2720) (@mgleung)

v3.16.9

Release archive with Kubernetes manifests, Docker images and binaries.

05 Mar 2021

Bug fixes

• When interpreting Kubernetes NetworkPolicy ports, Calico now interprets an empty port struct as “all TCP” as per the NetworkPolicy spec. Previously, empty structs were ignored. libcalico-go #1371 (@mgleung)

• Includes changes for typha #484 (@fasaxc) targeted for Calico v3.16.8 that were excluded due to build issues.

v3.16.8

Release archive with Kubernetes manifests, Docker images and binaries.

17 Feb 2021

Changes

• For improved security, then using TLS, the Felix-Typha API now requires a minimum TLS version of v1.2. typha #484 (@fasaxc)

Note: Due to build issues, the fix for typha #484 was not actually included in this release. Please use v3.16.9 instead.

v3.16.7

Release archive with Kubernetes manifests, Docker images and binaries.

03 Feb 2021

Bug fixes

• Fixes bug where namespaced resources were not being migrated across datastores. calicoctl #2250 (@mgleung)

v3.16.6

Release archive with Kubernetes manifests, Docker images and binaries.

06 Jan 2021

Changes

• All components that use Typha now use the same logic to discover Typha’s address. They lookup the endpoints of the service directly and connect to one at random. This avoids a dependency on kube-proxy. typha #465 (@fasaxc)
• Rebuild with updated base images to pull in security fixes.

v3.16.5

Release archive with Kubernetes manifests, Docker images and binaries.

06 Nov 2020

Bug fixes

• Fix a bug that causes IPAM assignment to throw a nil pointer exception in cases where tunnel address IP assignment failed. cni-plugin #970 (@mgleung)
• Fix that installing CNI plugin would fail if binaries were in use cni-plugin #969 (@caseydavenport)
• Fix crash if updating EC2 src/dest check fails. felix #2553 (@fasaxc)
• Fix issue where when using etcdv3 backend, some watchers may fail to resynchronize data after an etcd compaction. This is fixed across various components. libcalico-go #1338 (@robbrockbank)

v3.16.4

Release archive with Kubernetes manifests, Docker images and binaries.

21 Oct 2020

Bug fixes

• Add handling for migrating per-node BGP configurations and Calico v1 API Felix configuration fields. calicoctl #2207 (@mgleung)

v3.16.3

Release archive with Kubernetes manifests, Docker images and binaries.

09 Oct 2020

Bug fixes

• Fix that calico/node would assert an IP was present even when not required node #586 (@realgaurav)

Other changes

• It’s now possible to specify a password on a BGPPeer resource, and the password will be used to authenticate the peer on BGP sessions generated by that resource. calico #4052 (@neiljerram)

v3.16.2

Release archive with Kubernetes manifests, Docker images and binaries.

06 Oct 2020

Bug fixes

• Fix a bug with mismatched node names when migrating IPAM data from etcd to Kubernetes datastores. calicoctl #2196 (@mgleung)
• Fix that broadcast routes weren’t filtered out of felix’s list of local IPs. In BPF mode, this caused dataplane route flaps. felix #2496 (@fasaxc)

v3.16.1

Release archive with Kubernetes manifests, Docker images and binaries.

08 Sep 2020

Bug fixes

• Fix population of etcd certificates in CNI config cni-plugin #949 (@caseydavenport)
• Resolves an issue on nodes whose Kubernetes node name does not exactly match the system hostname cni-plugin #943 (@neiljerram)
• Fix flannel migration issues when running on Rancher kube-controllers #506 (@songjiang)
• Fix kubectl exec format for migration controller kube-controllers #504 (@songjiang)
• Fix flannel migration for clusters with multiple control-plane nodes. kube-controllers #503 (@caseydavenport)
• Fix datastore migration of KubeControllerConfiguration calico #3976 (@mgleung)

Other changes

• Add knobs to explicitly disable adding drop rules for encapsulated packets originating from workloads. felix #2486 (@doublek)
• Add FelixConfiguration parameters to explicitly allow encapsulated packets from workloads. libcalico-go #1301 (@doublek)
• In BPF mode, Felix no longer needs configuration to avoid detecting EKS workloads as host interfaces. felix #2471 (@fasaxc)

v3.16.0

Release archive with Kubernetes manifests, Docker images and binaries.

27 Aug 2020

eBPF is generally available

We introduced tech-preview support for the eBPF dataplane in Calico v3.13. The eBPF dataplane has several advantages over the Linux networking dataplane including: higher throughput, lower CPU usage, and native Kubernetes services support. With Calico v3.16, eBPF support is now GA! Check out the guide to try it out.

Windows support

Calico for Windows is open-source! Calico for Windows supports Kubernetes networking using VXLAN and enforces network policy for Windows workloads. Try out our quickstart guide to get a Calico for Windows cluster up and running!

BGP Community Advertisement

Calico now supports BGP communities! Check out the BGP configuration resource reference for more details. We’ve also added custom BGP port configuration.

Bug fixes

• Adding support for monitoring node IP addresses/subnets changes. node #554 (@realgaurav)
• Don’t fail if not authorized to access configmaps node #541 (@caseydavenport)
• Always auto-detect node IP address & subnet. node #531 (@realgaurav)
• Fix that calico/node required IP auto detection to be enabled node #513 (@krisiasty)
• In BPF mode, fix that packets could be dropped if the UDP/TCP header didn’t fit in the SKB’s head buffer. felix #2462 (@fasaxc)
• In BPF mode, ensure that the host is always reachable, even if the conntrack table gets full. felix #2456 (@tomastigera)
• In BPF mode, fix file descriptor leaks. felix #2455 (@fasaxc)
• Fix that the async_calc_graph health watchdog could time out while the calc graph was blocked sending its output downstream. felix #2451 (@fasaxc)
• Fix route_table.go slow retries (and reduce log spam) when a route is moved from one interface to another. felix #2448 (@fasaxc)
• Reduce log spam when an interface is removed from the dataplane. felix #2447 (@fasaxc)
• In BPF mode, Felix now correctly handles the case where a workload endpoint interface is recreated with the same name. felix #2431 (@fasaxc)
• Felix no longer logs “Wireguard disabled” in its dataplane resolution loop. felix #2420 (@fasaxc)
• Fix that libcalico-go could emit a nil Node resource resulting in a memory leak in Typha and errors in Felix. libcalico-go #1291 (@fasaxc)

Other changes

• Add support for BGP communities and configurable BGP ports libcalico-go #1262 (@Suraiya-Hameed)
• Calico IPAM support for Windows nodes libcalico-go #1276 (@song-jiang)
• Reintroduce Windows operating system support felix #2443 (@song-jiang)
• calico/node’s security has been improved by removing as many unneeded packages, binaries and libraries from the base image as possible. node #525 (@fasaxc)
• A new IP/interface detection method cidr is added. The syntax (for example for the environment variable IP_AUTODETECTION_METHOD is cidr=<cidr>(,<cidr>)*. node #518 (@mandelsoft)
• Upgrade to golang 1.14 typha #385 (@Brian-McM)
• Upgrade to Golang 1.14 felix #2437 (@Brian-McM)
• Fix incorrect parsing of pod CIDR when using host-local IPAM libcalico-go #1278 (@caseydavenport)
• Previously, Felix had a fixed 10s timer on which it resynced its list of local interfaces with the dataplane. To reduce CPU usage, the timer has been increased to 90s by default and a config parameter (InterfaceRefreshInterval) added to control it. felix #2433 (@fasaxc)
• Connections to services without endpoints are now properly rejected in iptables dataplane mode. The fix required moving the iptables ACCEPT rule to the end of the filter FORWARD chain; if you have your own rules in that chain then please check that they do not drop or reject pod traffic before it reaches the ACCEPT rule. felix #2424 (@caseydavenport)
• In BPF mode, traffic to unknown workload interfaces is now blocked (as long as Felix was running long enough to insert its policing rules). felix #2423 (@fasaxc)
• In BPF mode, Felix now attaches programs in parallel for improved performance. felix #2410 (@fasaxc)
• In BPF mode, Felix now collects the BPF verifier log only on retry for increased performance and prevention of log buffer size issues. felix #2429 (@fasaxc)
• In BPF mode, Felix now rate-limits stale BPF map cleanup in order to save CPU. felix #2428 (@fasaxc)
• In BPF mode, Felix now detects BPF support on Red Hat kernels with backports as well as generic kernels. felix #2409 (@sridhartigera)
• In BPF mode, Felix now uses a more efficient algorithm to resync the Kubernetes sevices with the dataplane. This speeds up the initial sync (especially with large numbers of services). felix #2401 (@tomastigera)
• eBPF dataplane support for encryption via Wireguard felix #2389 (@neiljerram)
• Reject connections to services with no backends felix #2380 (@sridhartigera)
• Implementation to handle setting source-destination-check for AWS EC2 instances. felix #2381 (@realgaurav)
• In BPF mode, Felix now applies policy updates without reapplying the BPF programs; this gives a performance boost and closes a window where traffic was not policed. felix #2363 (@fasaxc)
• In Kubernetes API Datastore mode, record when a pod is deleted from the network; this prevents pods that are stuck in Terminating state from being treated as active pods, resulting in duplicate IP errors and incorrect IP set calculation. libcalico-go #1284 (@fasaxc)
• Upgrade to golang 1.14 libcalico-go #1271 (@Brian-McM)
• Maintaining original next hop on specific bgppeer libcalico-go #1266 (@gunboe)
• New Felix configuration parameter “FeatureDetectOverride” allows for overriding iptables feature detection. libcalico-go #1264 (@uablrek)
• Speed up allocation of new IPAM blocks when most blocks are already in-use. libcalico-go #1248 (@caseydavenport)
• Handle backend watch, if upstream closes channel[ClosedByRemote] libcalico-go #1247 (@krishgobinath)
• Upgrade to Golang 1.14 pod2daemon #43 (@Brian-McM)
• Remove unnecessary packages from docker image pod2daemon #42 (@gianlucam76)
• Add support for BGP communities and configurable BGP ports confd #341 (@Suraiya-Hameed)
• Add configurable file logging. cni-plugin #927 (@mgleung)
• Upgrade to golang 1.14 cni-plugin #921 (@Brian-McM)
• Handle panics in the CNI plugin more gracefully cni-plugin #913 (@caseydavenport)
• install-cni will now check if the cni.conf file is a valid json document cni-plugin #904 (@johscheuer)
• The Calico CNI plugin now disables duplicate address detection on IPv6 interfaces. This avoids the associated delay. cni-plugin #895 (@fasaxc)
• Support projectcalico.org/namespace label for Mesos to enable namespaced workload endpoints cni-plugin #886 (@vixns)
• Enable CNI plugin logging to disk by default calico #3881 (@mgleung)
• Update version of flannel included in documentation to v0.12.0 calico #3873 (@caseydavenport)

Known issues

• Calico CNI binaries panic unless they use the canonical binary name cni-plugin #941