Releases: projectcalico/calico
Calico v2.5.1
Release notes for Calico v2.5.1
Attention Kubernetes datastore users upgrading to v2.5.x:
Users upgrading from Calico v2.4.x or older to v2.5.x or higher with Kubernetes datastore backend must follow the one-time configuration migration task to upgrade the cluster: https://github.com/projectcalico/calico/blob/master/upgrade/v2.5/README.md (@gunjan5)
Changes to Felix
- #1538: Add read/write timeouts to Typha connection; fixes that Felix wouldn't spot if TCP connection was dropped without being cleanly shut down.
Calico v2.5.0
Release notes for Calico v2.5.0
Attention Kubernetes datastore users upgrading to v2.5.x:
Users upgrading from Calico v2.4.x or older to v2.5.x or higher with Kubernetes datastore backend must follow the one-time configuration migration task to upgrade the cluster: https://github.com/projectcalico/calico/blob/master/upgrade/v2.5/README.md (@gunjan5)
Changes to libcalico-go
- #491: Migrate from TPR to CRD for the Kubernetes backend.
v2.5.0-rc2: Release Candidate for testing
This is a release candidate for Calico v2.5.0. Below are the current work-in-progress release notes for Calico v2.5.0. Release candidate 2 has an updated confd which is built on an updated libcalico-go.
Candidate Release notes
Changes to libcalico-go
v2.5.0-rc1: Release Candidate for testing
This is a release candidate for Calico v2.5.0. Below are the current work-in-progress release notes for Calico v2.5.0.
Candidate Release notes
Changes to libcalico-go
Calico v2.4.1
Release notes for Calico v2.4.1
Changes to libcalico-go
Calico v2.4.0
Release notes for Calico v2.4.0
Changes to typha
- #27: Implement health endpoints for Typha (@neiljerram)
Changes to calicoctl
- #1687: The calicoctl version command now includes the CalicoVersion and ClusterType as retrieved from the datastore. (@tmjd)
- #1680: Added functionality for calicoctl commands to read in multiple yaml documents specified in the same file/input and separated by
---
. (@mgleung) - #1673: The calico/ctl container's default working directory has changed to
/root
(@caseydavenport)
Changes to felix
- #1500: Improve performance of dataplane driver by reducing number of conntrack deletions. (@fasaxc)
- #1498: Improve performance when the conntrack table contains many entries by doing conntrack deletions in the background. (@fasaxc)
Changes to cni-plugin
- #341: The calico/cni container now supports setting
SKIP_CNI_BINARIES
to skip installation of certain binaries. (@abhinavdahiya)
Changes to calico
- #964: Felix now supports a health check endpoint, and the Kubernetes self-hosted installation manifests now enable liveness and readiness probes which report Felix health. (@gunjan5)
- #952: [beta feature] Add global and per-node BGP peer configuration and global BGP configuration support when using Kubernetes API as the Calico datastore. (@robbrockbank)
- #924: The version of etcd included in the Calico kubeadm manifests has been revved to v3.1.10. (@caseydavenport)
- #935: Felix now (optionally) acquires the iptables lock while manipulating iptables. This prevents
conflicts with other applications, such as kube-proxy (as long as they also honor the lock).- Note: to be effective if Felix is running in a container, this feature requires the
directory containing the iptables lock file, "/run/", to be mounted into the container. (@fasaxc)
- Note: to be effective if Felix is running in a container, this feature requires the
- #915: calico/node will now only check for conflicting Node IPs when initially getting an IP or when a change in IP is detected. This should reduce the load on the cluster when a large number of nodes are restarting. (@heschlie)
- #910: Pre-DNAT Policy - a new flavor of Calico Policy that is enforced before any DNAT that a cluster node may do (for example kube-proxy). Pre-DNAT Policy is useful for securing the perimeter of a cluster against incoming traffic, except for pinholes that are expressed in terms of particular IP addresses and/or ports that external clients are allowed to connect in to. For more information please see http://docs.projectcalico.org/v2.4/getting-started/bare-metal/bare-metal#pre-dnat-policy. (@neiljerram)
- #898: Calico releases now produce a release archive including Kubernetes manifests, docker images, and binaries. (@tomdee)
- #885: Added new option that takes interface regexes to skip interfaces during ip auto detection. (@mgleung)
- #885: Added support for specifying multiple interface regexes to attempt to match on during ip auto detection. (@mgleung)
- #861: Ability to enable / disable outgoing NAT on the default IP Pool using an environment variable. (@VincentS)
Changes to k8s-policy
- #105: Calico now implements the networking.k8s.io/NetworkPolicy API semantics as defined by Kubernetes when using the etcd datastore
- Note: This represents a change in how existing Kubernetes NetworkPolicies are enforced by Calico. To maintain existing behavior when upgrading, follow these steps:
- In Namespaces that previously did not have the “DefaultDeny” annotation, you should delete any existing NetworkPolicy objects.
- In Namespaces that previously did have the “DefaultDeny” annotation, you can create the equivalent semantics by creating a NetworkPolicy that selects all pods but does not allow any traffic. (@caseydavenport)
- Note: This represents a change in how existing Kubernetes NetworkPolicies are enforced by Calico. To maintain existing behavior when upgrading, follow these steps:
Changes to libcalico-go
- #471: Policy objects now support arbitrary key/value annotations. (@caseydavenport)
- #470: Add new Source.Nets and Destination.Nets fields (and their negated couterparts)
to rules, allowing multiple CIDRs to be matched in a single rule. The Source.Net
and Destination.Net fields are now deprecated; when reading back data that
contains a Net field, it will be converted to a single-entry Nets field. Felix (and
Typha, if in use) should be upgraded before using the new Nets fields in a rule. (@fasaxc)
v2.4.0-rc2: Release candidate for testing
This is a release candidate for Calico v2.4.0. Below are the current work-in-progress release notes for Calico v2.4.0.
Candidate release notes
Changes to typha
- #27: Implement health endpoints for Typha (@neiljerram)
Changes to calicoctl
- #1687: The calicoctl version command now includes the CalicoVersion and ClusterType as retrieved from the datastore. (@tmjd)
- #1680: Added functionality for calicoctl commands to read in multiple yaml documents specified in the same file/input and separated by
---
. (@mgleung) - #1673: The calico/ctl container's default working directory has changed to
/root
(@caseydavenport)
Changes to felix
- #1500: Improve performance of dataplane driver by reducing number of conntrack deletions. (@fasaxc)
- #1498: Improve performance when the conntrack table contains many entries by doing conntrack deletions in the background. (@fasaxc)
Changes to cni-plugin
- #341: The calico/cni container now supports setting
SKIP_CNI_BINARIES
to skip installation of certain binaries. (@abhinavdahiya)
Changes to calico
- #924: The version of etcd included in the Calico kubeadm manifests has been revved to v3.1.10. (@caseydavenport)
- #915: calico/node will now only check for conflicting Node IPs when initially getting an IP or when a change in IP is detected. This should reduce the load on the cluster when a large number of nodes are restarting. (@heschlie)
- #910: Pre-DNAT Policy - a new flavor of Calico Policy that is enforced before any DNAT that a cluster node may do (for example kube-proxy). Pre-DNAT Policy is useful for securing the perimeter of a cluster against incoming traffic, except for pinholes that are expressed in terms of particular IP addresses and/or ports that external clients are allowed to connect in to. For more information please see http://docs.projectcalico.org/v2.4/getting-started/bare-metal/bare-metal#pre-dnat-policy. (@neiljerram)
- #898: Calico releases now produce a release archive including Kubernetes manifests, docker images, and binaries. (@tomdee)
- #885: Added new option that takes interface regexes to skip interfaces during ip auto detection. (@mgleung)
- #885: Added support for specifying multiple interface regexes to attempt to match on during ip auto detection. (@mgleung)
- #861: Ability to enable / disable outgoing NAT on the default IP Pool using an environment variable. (@VincentS)
Changes to k8s-policy
- #105: Calico now implements the networking.k8s.io/NetworkPolicy API semantics as defined by Kubernetes when using the etcd datastore
- Note: This represents a change in how existing Kubernetes NetworkPolicies are enforced by Calico. To maintain existing behavior when upgrading, follow these steps:
- In Namespaces that previously did not have the “DefaultDeny” annotation, you should delete any existing NetworkPolicy objects.
- In Namespaces that previously did have the “DefaultDeny” annotation, you can create the equivalent semantics by creating a NetworkPolicy that selects all pods but does not allow any traffic. (@caseydavenport)
- Note: This represents a change in how existing Kubernetes NetworkPolicies are enforced by Calico. To maintain existing behavior when upgrading, follow these steps:
Changes to libcalico-go
- #471: Policy objects now support arbitrary key/value annotations. (@caseydavenport)
- #470: Add new Source.Nets and Destination.Nets fields (and their negated couterparts)
to rules, allowing multiple CIDRs to be matched in a single rule. The Source.Net
and Destination.Net fields are now deprecated; when reading back data that
contains a Net field, it will be converted to a single-entry Nets field. Felix (and
Typha, if in use) should be upgraded before using the new Nets fields in a rule. (@fasaxc)
v2.4.0-rc1: Release Candidate for testing
This is a release candidate for Calico v2.4.0. Below are the current work-in-progress release notes for Calico v2.4.0.
Candidate Release notes
Changes to calico
- #924: The version of etcd included in the Calico kubeadm manifests has been revved to v3.1.10. (@caseydavenport)
- #915: calico/node will now only check for conflicting Node IPs when initially getting an IP or when a change in IP is detected. This should reduce the load on the cluster when a large number of nodes are restarting. (@heschlie)
- #902: Felix now (optionally) acquires the iptables lock while manipulating iptables. This prevents
conflicts with other applications, such as kube-proxy (as long as they also honor the lock).- Upgrade note: to be effective if Felix is running in a container, this feature requires the
directory containing the iptables lock file,/run
, to be mounted into the container. (@fasaxc)
- Upgrade note: to be effective if Felix is running in a container, this feature requires the
- #898: Calico releases now produce a release archive including Kubernetes manifests, docker images, and binaries. (@tomdee)
- #885: Added new option that takes interface regexes to skip interfaces during ip auto detection. (@mgleung)
- #885: Added support for specifying multiple interface regexes to attempt to match on during ip auto detection. (@mgleung)
- #861: Ability to enable / disable outgoing NAT on the default IP Pool using an environment variable. (@VincentS)
Changes to calicoctl
- #1687: The calicoctl version command now includes the CalicoVersion and ClusterType as retrieved from the datastore. (@tmjd)
- #1680: Added functionality for calicoctl commands to read in multiple yaml documents specified in the same file/input and separated by
---
. (@mgleung) - #1673: The calico/ctl container's default working directory has changed to
/root
(@caseydavenport)
Changes to typha
- #27: Implement health endpoints for Typha (@neiljerram)
Changes to cni-plugin
- #341: The calico/cni container now supports setting
SKIP_CNI_BINARIES
to skip installation of certain binaries. (@abhinavdahiya)
Changes to libcalico-go
- #471: Policy objects now support arbitrary key/value annotations. (@caseydavenport)
- #470: Add new Source.Nets and Destination.Nets fields (and their negated couterparts)
to rules, allowing multiple CIDRs to be matched in a single rule. The Source.Net
and Destination.Net fields are now deprecated; when reading back data that
contains a Net field, it will be converted to a single-entry Nets field. Felix (and
Typha, if in use) should be upgraded before using the new Nets fields in a rule. (@fasaxc) - #464 #468: Add BGP peer and global/node BGP peer configuration to KDD datastore driver. (@robbrockbank)
Changes to k8s-policy
- #105: Calico now implements the networking.k8s.io/NetworkPolicy API semantics as defined by Kubernetes when using the etcd datastore
- Note: This represents a change in how existing Kubernetes NetworkPolicies are enforced by Calico. To maintain existing behavior when upgrading, follow these steps:
- In Namespaces that previously did not have the “DefaultDeny” annotation, you should delete any existing NetworkPolicy objects.
- In Namespaces that previously did have the “DefaultDeny” annotation, you can create the equivalent semantics by creating a NetworkPolicy that selects all pods but does not allow any traffic. (@caseydavenport)
- Note: This represents a change in how existing Kubernetes NetworkPolicies are enforced by Calico. To maintain existing behavior when upgrading, follow these steps:
Changes to felix
- #1500: Improve performance of dataplane driver by reducing number of conntrack deletions. (@fasaxc)
- #1498: Improve performance when the conntrack table contains many entries by doing conntrack deletions in the background. (@fasaxc)
- #1491: Felix now acquires the iptables lock while manipulating iptables. This prevents conflicts
with other applications, such as kube-proxy (as long as they also honor the lock).- Upgrade note: to be effective if Felix is running in a container, this feature requires the
directory containing the iptables lock file,/run
, to be mounted into the container. (@fasaxc)
- Upgrade note: to be effective if Felix is running in a container, this feature requires the