Releases: projectcalico/calico

v2.6.3

28 Nov 22:52
d6d1ea0

Calico v2.6.3 resolves several issues:

  • Addresses several outstanding Common Vulnerabilities and Exposures (CVEs).
  • A new node controller for Kubernetes deployments clears data associated with deleted nodes from the Calico datastore, preventing conflicts that can lead to crash loops.
  • Reduces default confd log level from debug to info.
  • #418: If the CNI-plugin fails to re-network an existing endpoint, it no longer releases IP allocations that are still attached to the endpoint back to the pool. (@fasaxc)
  • #408: The CNI-plugin no longer throws a "file exists" error while programming a route. (@gunjan5)

v3.0.0-beta1

18 Nov 22:25
Pre-release

This is a pre-release of v3.0.0. This release is intended for testing purposes only and is NOT to be used on production systems.

What's new

  • Support for the etcd version 3 datastore.

  • Two new calicoctl resources: BGP Configuration and Felix Configuration.

  • Those using the Kubernetes API datastore can now use calicoctl to create, read, update, and delete Calico policies.

  • The calicoctl policy resource has been split into new network policy and global network policy resources.

  • Network policy resources can include a namespace value, allowing you to create policies that only apply to workload endpoint resources in the same namespace.

  • You can now create namespaceSelector expressions in network policy and global network policy resources to apply a policy to an entire namespace.

  • The get, apply, create, delete, and replace commands of calicoctl now include an optional --namespace=<NS> flag. Refer to the calicoctl Command reference section for more details.

  • The get command of calicoctl now includes optional --all-namespaces and --export flags. Refer to the calicoctl get section for more information.

  • calicoctl no longer accepts the following flags in get commands: --node=<NODE>, --orchestrator=<ORCH>, --workload=<WORKLOAD>, and --scope=<SCOPE>. These options are now a part of the individual resources.

  • calicoctl no longer includes a config command. To achieve the equivalent functionality, refer to Modifying low-level component configurations.

  • You can now name host and workload endpoint ports and reference them by name in your policy rules.

  • The new ApplyOnForward flag allows you to specify if a host endpoint policy should apply to forwarded traffic or not. Forwarded traffic includes traffic forwarded between host endpoints and traffic forwarded between a host endpoint and a workload endpoint on the same host. Refer to Using Calico to secure host interfaces for more details.

  • Calico now works with Kubernetes network services proxy with IPVS/LVS. Calico enforces network policies with kube-proxy running in IPVS mode for Kubernetes clusters. Currently only workload ingress policy is supported.

  • After a period of deprecation, this release removes support for the ETCD_AUTHORITY and ETCD_SCHEME environment variables. Calico no longer reads these values. If you have not transitioned to ETCD_ENDPOINTS, you must do so as of v3.0. Refer to Configuring calicoctl - etcdv3 datastore for more information.

  • A new node controller for Kubernetes deployments clears data associated with deleted nodes from the Calico datastore, preventing conflicts that can lead to crash loops. Refer to Configuring the Calico Kubernetes controllers for more information.

  • calicoctl now allows a 0 value for ICMP entries in policy resources, enabling ping responses. In addition, it now rejects 255 values in the type field due to lack of kernel support. Refer to the reference documentation of the network policy and global network policy resources for more information.

Limitations

  • No upgrades: this version of Calico ends support for etcd version 2. Existing customers must migrate their data to etcd version 3. The alpha and beta releases do not provide migration capabilities, nor do they support upgrades. We plan to add migration and upgrade support in the GA release.

  • Integrates only with Kubernetes, OpenShift, and host endpoints: the OpenStack, Mesos, DC/OS, rkt, and Docker orchestrators have not been tested and are not supported. (Calico still supports Docker and rkt containers.) We plan to resume support for the OpenStack, Mesos, DC/OS, and Docker orchestrators in a future release.

  • BGP route reflector not supported: large deployments that require the BGP route reflector are not supported. We plan to resume support for the BGP route reflector in a future release.

  • GoBGP not supported: Setting the CALICO_NETWORKING_BACKEND environment variable to gobgp is not supported. See Configuring calico/node for more information. We plan to resume support for GoBGP in a future release.

v3.0.0-alpha1

30 Oct 15:39
Pre-release

This is a pre-release of v3.0.0. This release is intended for testing purposes only and is NOT to be used on production systems.

What's new

  • Support for the etcd version 3 datastore.

  • Two new calicoctl resources: BGP Configuration and Felix Configuration.

  • Those using the Kubernetes API datastore can now use calicoctl to create, update, and delete Calico policies.

  • The calicoctl Policy resource has been split into Network Policy and Global Network Policy.

  • The get, apply, create, delete, and replace commands of calicoctl now include an optional --namespace=<NS> flag. Refer to the calicoctl Command reference section for more details.

  • The get command of calicoctl now includes an optional --all-namespaces flag. Refer to the calicoctl get section for more information.

  • calicoctl no longer accepts the following flags in get commands: --node=<NODE>, --orchestrator=<ORCH>, --workload=<WORKLOAD>, and --scope=<SCOPE>. These options are now a part of the individual resources.

  • calicoctl no longer includes a config command. To achieve the equivalent functionality, refer to Modifying low-level component configurations.

  • You can now name host and workload endpoint ports and reference them by name in your policy rules.

  • The new ApplyOnForward flag allows you to specify if a host endpoint policy should apply to forwarded traffic or not. Forwarded traffic includes traffic forwarded between host endpoints and traffic forwarded between a host endpoint and a workload endpoint on the same host. Refer to Using Calico to secure host interfaces for more details.

  • Calico now works with Kubernetes network services proxy with IPVS/LVS. Calico enforces network policies with kube-proxy running in ipvs mode for Kubernetes clusters. Currently only workload ingress policy is supported.

  • After a period of deprecation, this release removes support for the ETCD_AUTHORITY and ETCD_SCHEME environment variables. Calico no longer reads these values. If you have not transitioned to ETCD_ENDPOINTS, you must do so as of v3.0. Refer to Configuring calicoctl - etcdv3 datastore for more information.

Limitations

  • No upgrades: Calico v3.0.0 ends support for etcd version 2. Existing customers must migrate their data to etcd version 3. The alpha release does not provide migration capabilities, nor does it support upgrades. We plan to add migration and upgrade support in the GA release.

  • Integrates only with Kubernetes and host endpoints: the OpenStack, OpenShift, Mesos, DC/OS, rkt, and Docker orchestrators have not been tested and are not supported. (Calico v3.0.0 still supports Docker and rkt containers.) We plan to resume support for the OpenStack, OpenShift, Mesos, DC/OS, and Docker orchestrators in a future release.

  • Lack of calicoctl data validation: calicoctl does not perform as much validation on data, increasing the potential for bad data. Use caution when entering data via calicoctl.

  • BGP route reflector not supported: large deployments that require the BGP route reflector are not supported. We plan to resume support for the BGP route reflector in a future release.

  • GoBGP not supported: Setting the CALICO_NETWORKING_BACKEND environment variable to gobgp is not supported. See Configuring calico/node for more information. We plan to resume support for GoBGP in a future release.

v3.0.0-alpha1-rc1

25 Oct 03:17
Pre-release

This is a pre-release of v3.0.0-alpha1. This release is intended for testing purposes only and is NOT to be used on production systems.

v2.6.2

16 Oct 21:07

Calico v2.6.2 adds fixes and enhancements for Calico/OpenStack deployments. For Kubernetes and other integrations there is no change from v2.6.1.

  • The dnsmasq packages that we provide have been upgraded to address various security issues.
  • networking-calico 1.4.3 has been released to provide support for OpenStack Ocata and later.

v2.6.1

30 Sep 03:59

Release notes for Calico v2.6.1

  • Fixes a bug in which the wrong version of Felix was shipped in calico/node.

v2.6.0

28 Sep 18:26

Warning: incorrect release artifacts, do not use. Please upgrade to Calico v2.6.1 instead.

Release notes for Calico v2.6.0

Changes to calicoctl

Changes to libcalico-go

  • #521: Calico now enforces egress rules and ipBlock selectors in Kubernetes network policies (beta features of Kubernetes 1.8). See the 1.8 and later Kubernetes documentation for more information. (@bcreane)
  • #502: When converting Kubernetes network policies to Calico policies, Calico now sets the converted policies as ingress only instead of appending an egress rule that allows all traffic. This allows subsequent Kubernetes network policies to match an explicit egress rule. (@bcreane)

Changes to calico

  • #1133: Calico no longer inserts a default egress allow for all pods selected by a Kubernetes NetworkPolicy. If you have created policies with calicoctl that select pods and you would like to maintain the same behavior, you must ensure that all desired egress traffic is allowed by an explicit rule before upgrading to Calico v2.6.0. (@tmjd)

    • Action may be required: Because Calico no longer programs a default egress allow rule, policies that you created with calicoctl and that have egress rules may no longer allow the full set of desired traffic. In this scenario, you should create an egress allow policy for any pods which were previously selected by a Kubernetes NetworkPolicy and also selected by an egress policy created with calicoctl.
  • #1133: Calico no longer configures deprecated tags in the profiles created for Kubernetes Namespaces. (@tmjd)

    • Action may be required: Any rules created via calicoctl which reference these tags will no longer work. If you’ve created a policy or profile rule which references the per-namespace profile tags, you will need to modify the rule to use a label instead.
  • #1099: The policy controller options CONFIGURE_ETC_HOSTS and K8S_API are no longer supported. If needed, use KUBECONFIG instead. (@caseydavenport)

  • #1063: A new types field in Calico policies allows you to specify explicitly whether that policy should apply to selected endpoints for ingress traffic, or egress traffic, or both. This makes it easy to apply ingress policy to certain endpoints without accidentally changing the default egress treatment for those endpoints, and vice versa. For more information please see https://docs.projectcalico.org/master/reference/calicoctl/resources/policy. (@bcreane)
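
An added example, not taken from the Calico release notes or documentation: two policies in the calicoctl v1 resource format that illustrate the types field from #1063 and the explicit egress allow that #1133 may require. The policy names, the app labels, the port, and the order values are assumptions made for illustration.

```yaml
# Constructed example: names, labels, port and order values are assumptions.

# Ingress-only policy. Listing only "ingress" under types keeps this
# policy from changing the egress treatment of the selected endpoints.
- apiVersion: v1
  kind: policy
  metadata:
    name: web-ingress-only
  spec:
    order: 100
    selector: app == 'web'
    types:
    - ingress
    ingress:
    - action: allow
      protocol: tcp
      source:
        selector: app == 'frontend'
      destination:
        ports:
        - 8080

# Explicit egress allow for the same pods. As of v2.6.0 Calico no longer
# inserts a default egress allow for pods selected by a Kubernetes
# NetworkPolicy, so egress that should be permitted needs an explicit rule.
# Narrow this rule to the destinations the pods actually need where possible.
- apiVersion: v1
  kind: policy
  metadata:
    name: web-egress-allow
  spec:
    order: 200
    selector: app == 'web'
    types:
    - egress
    egress:
    - action: allow
```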

Changes to cni-plugin

  • #383: Calico no longer occasionally deletes the workload endpoints of running Kubernetes pods. (@caseydavenport)
  • #380: The Calico CNI plugin now correctly launches Kubernetes pods with IPv6 addresses. (@gunjan5)
  • #379: CNI panic no longer causes container deletion failures. (@gunjan5)
  • #375: Calico now respects the nodename in the CNI configuration, if set. Previously, affinity blocks got assigned to the hostname of the node, even if a nodename was specified. (@heschlie)
    • Action may be required: If you previously included the nodename parameter in your CNI config when using etcd mode, you should remove it before upgrading to v2.6.0 as it was not properly respected in earlier versions of Calico and will be respected upon upgrade.
  • #367: The install-cni container now supports a LOG_LEVEL environment variable set to info or debug. By default, the LOG_LEVEL is set to warn. (@zopanix)
  • #358: Network set up of containers and pods no longer fails if the route already exists on the host. (@gunjan5)
  • #356: Upgrade note: The install-cni.sh script now overwrites existing binaries by default, making upgrades easier. To modify this behavior, set the UPDATE_CNI_BINARIES environment variable to false. (@alvelcom)

Changes to kube-controllers

  • #162: The calico/kube-policy-controller image has been renamed to calico/kube-controllers. While functionally the same, the name change better represents that the container includes multiple distinct Kubernetes controllers including a policy controller. (@caseydavenport)
    • Upgrade note: When upgrading to Calico v2.6 using a self-hosted manifest, the existing calico-policy-controller deployment will be configured to 0 replicas, and a new deployment called calico-kube-controllers will be installed. After upgrade, it is safe to delete the old calico-policy-controller deployment.
  • #133: calico/kube-controllers (formerly named calico/kube-policy-controller) has been ported to golang. (@caseydavenport)

v2.6.0-rc2

25 Sep 05:30
Pre-release

Release candidate for Calico v2.6.0 testing. This release is not suitable for production use.

v2.6.0-rc1

23 Sep 00:54
Pre-release

Release candidate for Calico v2.6.0 testing. This release is not suitable for production use.

Calico v2.5.1

30 Aug 15:49

Release notes for Calico v2.5.1

Attention Kubernetes datastore users upgrading to v2.5.x:
Users upgrading from Calico v2.4.x or older to v2.5.x or higher with Kubernetes datastore backend must follow the one-time configuration migration task to upgrade the cluster: https://github.com/projectcalico/calico/blob/master/upgrade/v2.5/README.md (@gunjan5)

Changes to Felix

  • #1538: Add read/write timeouts to the Typha connection; fixes an issue where Felix wouldn't notice if the TCP connection was dropped without being cleanly shut down.