Skip to content

Releases: projectcalico/calico

Calico v2.5.1

30 Aug 15:49
Compare
Choose a tag to compare

Release notes for Calico v2.5.1

Attention Kubernetes datastore users upgrading to v2.5.x:
Users upgrading from Calico v2.4.x or older to v2.5.x or higher with Kubernetes datastore backend must follow the one-time configuration migration task to upgrade the cluster: https://github.com/projectcalico/calico/blob/master/upgrade/v2.5/README.md (@gunjan5)

Changes to Felix

  • #1538: Add read/write timeouts to Typha connection; fixes that Felix wouldn't spot if TCP connection was dropped without being cleanly shut down.

Calico v2.5.0

23 Aug 00:13
Compare
Choose a tag to compare

Release notes for Calico v2.5.0

Attention Kubernetes datastore users upgrading to v2.5.x:
Users upgrading from Calico v2.4.x or older to v2.5.x or higher with Kubernetes datastore backend must follow the one-time configuration migration task to upgrade the cluster: https://github.com/projectcalico/calico/blob/master/upgrade/v2.5/README.md (@gunjan5)

Changes to libcalico-go

  • #491: Migrate from TPR to CRD for the Kubernetes backend.

v2.5.0-rc2: Release Candidate for testing

18 Aug 06:08
Compare
Choose a tag to compare

This is a release candidate for Calico v2.5.0. Below are the current work-in-progress release notes for Calico v2.5.0. Release candidate 2 has an updated confd which is built on an updated libcalico-go.

Candidate Release notes

Changes to libcalico-go

  • #491: Migrate from TPR to CRD for the Kubernetes backend. (@gunjan5)

v2.5.0-rc1: Release Candidate for testing

16 Aug 17:37
Compare
Choose a tag to compare

This is a release candidate for Calico v2.5.0. Below are the current work-in-progress release notes for Calico v2.5.0.

Candidate Release notes

Changes to libcalico-go

  • #491: Migrate from TPR to CRD for the Kubernetes backend. (@gunjan5)

Calico v2.4.1

08 Aug 00:15
Compare
Choose a tag to compare

Release notes for Calico v2.4.1

Changes to libcalico-go

  • #488: bugfix: fix handling of empty namespaceSelector when using Kubernetes datastore driver (@gunjan5)
  • #486: bugfix: properly resync node IPs during Felix restart in Kubernetes datastore driver (@bcreane)

Calico v2.4.0

31 Jul 23:34
Compare
Choose a tag to compare

Release notes for Calico v2.4.0

Changes to typha

  • #27: Implement health endpoints for Typha (@neiljerram)

Changes to calicoctl

  • #1687: The calicoctl version command now includes the CalicoVersion and ClusterType as retrieved from the datastore. (@tmjd)
  • #1680: Added functionality for calicoctl commands to read in multiple yaml documents specified in the same file/input and separated by ---. (@mgleung)
  • #1673: The calico/ctl container's default working directory has changed to /root (@caseydavenport)

Changes to felix

  • #1500: Improve performance of dataplane driver by reducing number of conntrack deletions. (@fasaxc)
  • #1498: Improve performance when the conntrack table contains many entries by doing conntrack deletions in the background. (@fasaxc)

Changes to cni-plugin

  • #341: The calico/cni container now supports setting SKIP_CNI_BINARIES to skip installation of certain binaries. (@abhinavdahiya)

Changes to calico

  • #964: Felix now supports a health check endpoint, and the Kubernetes self-hosted installation manifests now enable liveness and readiness probes which report Felix health. (@gunjan5)
  • #952: [beta feature] Add global and per-node BGP peer configuration and global BGP configuration support when using Kubernetes API as the Calico datastore. (@robbrockbank)
  • #924: The version of etcd included in the Calico kubeadm manifests has been revved to v3.1.10. (@caseydavenport)
  • #935: Felix now (optionally) acquires the iptables lock while manipulating iptables. This prevents
    conflicts with other applications, such as kube-proxy (as long as they also honor the lock).
    • Note: to be effective if Felix is running in a container, this feature requires the
      directory containing the iptables lock file, "/run/", to be mounted into the container. (@fasaxc)
  • #915: calico/node will now only check for conflicting Node IPs when initially getting an IP or when a change in IP is detected. This should reduce the load on the cluster when a large number of nodes are restarting. (@heschlie)
  • #910: Pre-DNAT Policy - a new flavor of Calico Policy that is enforced before any DNAT that a cluster node may do (for example kube-proxy). Pre-DNAT Policy is useful for securing the perimeter of a cluster against incoming traffic, except for pinholes that are expressed in terms of particular IP addresses and/or ports that external clients are allowed to connect in to. For more information please see http://docs.projectcalico.org/v2.4/getting-started/bare-metal/bare-metal#pre-dnat-policy. (@neiljerram)
  • #898: Calico releases now produce a release archive including Kubernetes manifests, docker images, and binaries. (@tomdee)
  • #885: Added new option that takes interface regexes to skip interfaces during ip auto detection. (@mgleung)
  • #885: Added support for specifying multiple interface regexes to attempt to match on during ip auto detection. (@mgleung)
  • #861: Ability to enable / disable outgoing NAT on the default IP Pool using an environment variable. (@VincentS)

Changes to k8s-policy

  • #105: Calico now implements the networking.k8s.io/NetworkPolicy API semantics as defined by Kubernetes when using the etcd datastore
    • Note: This represents a change in how existing Kubernetes NetworkPolicies are enforced by Calico. To maintain existing behavior when upgrading, follow these steps:
      • In Namespaces that previously did not have the “DefaultDeny” annotation, you should delete any existing NetworkPolicy objects.
      • In Namespaces that previously did have the “DefaultDeny” annotation, you can create the equivalent semantics by creating a NetworkPolicy that selects all pods but does not allow any traffic. (@caseydavenport)

Changes to libcalico-go

  • #471: Policy objects now support arbitrary key/value annotations. (@caseydavenport)
  • #470: Add new Source.Nets and Destination.Nets fields (and their negated couterparts)
    to rules, allowing multiple CIDRs to be matched in a single rule. The Source.Net
    and Destination.Net fields are now deprecated; when reading back data that
    contains a Net field, it will be converted to a single-entry Nets field. Felix (and
    Typha, if in use) should be upgraded before using the new Nets fields in a rule. (@fasaxc)

v2.4.0-rc2: Release candidate for testing

28 Jul 01:05
Compare
Choose a tag to compare

This is a release candidate for Calico v2.4.0. Below are the current work-in-progress release notes for Calico v2.4.0.

Candidate release notes

Changes to typha

  • #27: Implement health endpoints for Typha (@neiljerram)

Changes to calicoctl

  • #1687: The calicoctl version command now includes the CalicoVersion and ClusterType as retrieved from the datastore. (@tmjd)
  • #1680: Added functionality for calicoctl commands to read in multiple yaml documents specified in the same file/input and separated by ---. (@mgleung)
  • #1673: The calico/ctl container's default working directory has changed to /root (@caseydavenport)

Changes to felix

  • #1500: Improve performance of dataplane driver by reducing number of conntrack deletions. (@fasaxc)
  • #1498: Improve performance when the conntrack table contains many entries by doing conntrack deletions in the background. (@fasaxc)

Changes to cni-plugin

  • #341: The calico/cni container now supports setting SKIP_CNI_BINARIES to skip installation of certain binaries. (@abhinavdahiya)

Changes to calico

  • #924: The version of etcd included in the Calico kubeadm manifests has been revved to v3.1.10. (@caseydavenport)
  • #915: calico/node will now only check for conflicting Node IPs when initially getting an IP or when a change in IP is detected. This should reduce the load on the cluster when a large number of nodes are restarting. (@heschlie)
  • #910: Pre-DNAT Policy - a new flavor of Calico Policy that is enforced before any DNAT that a cluster node may do (for example kube-proxy). Pre-DNAT Policy is useful for securing the perimeter of a cluster against incoming traffic, except for pinholes that are expressed in terms of particular IP addresses and/or ports that external clients are allowed to connect in to. For more information please see http://docs.projectcalico.org/v2.4/getting-started/bare-metal/bare-metal#pre-dnat-policy. (@neiljerram)
  • #898: Calico releases now produce a release archive including Kubernetes manifests, docker images, and binaries. (@tomdee)
  • #885: Added new option that takes interface regexes to skip interfaces during ip auto detection. (@mgleung)
  • #885: Added support for specifying multiple interface regexes to attempt to match on during ip auto detection. (@mgleung)
  • #861: Ability to enable / disable outgoing NAT on the default IP Pool using an environment variable. (@VincentS)

Changes to k8s-policy

  • #105: Calico now implements the networking.k8s.io/NetworkPolicy API semantics as defined by Kubernetes when using the etcd datastore
    • Note: This represents a change in how existing Kubernetes NetworkPolicies are enforced by Calico. To maintain existing behavior when upgrading, follow these steps:
      • In Namespaces that previously did not have the “DefaultDeny” annotation, you should delete any existing NetworkPolicy objects.
      • In Namespaces that previously did have the “DefaultDeny” annotation, you can create the equivalent semantics by creating a NetworkPolicy that selects all pods but does not allow any traffic. (@caseydavenport)

Changes to libcalico-go

  • #471: Policy objects now support arbitrary key/value annotations. (@caseydavenport)
  • #470: Add new Source.Nets and Destination.Nets fields (and their negated couterparts)
    to rules, allowing multiple CIDRs to be matched in a single rule. The Source.Net
    and Destination.Net fields are now deprecated; when reading back data that
    contains a Net field, it will be converted to a single-entry Nets field. Felix (and
    Typha, if in use) should be upgraded before using the new Nets fields in a rule. (@fasaxc)

v2.4.0-rc1: Release Candidate for testing

25 Jul 00:34
Compare
Choose a tag to compare

This is a release candidate for Calico v2.4.0. Below are the current work-in-progress release notes for Calico v2.4.0.

Candidate Release notes

Changes to calico

  • #924: The version of etcd included in the Calico kubeadm manifests has been revved to v3.1.10. (@caseydavenport)
  • #915: calico/node will now only check for conflicting Node IPs when initially getting an IP or when a change in IP is detected. This should reduce the load on the cluster when a large number of nodes are restarting. (@heschlie)
  • #902: Felix now (optionally) acquires the iptables lock while manipulating iptables. This prevents
    conflicts with other applications, such as kube-proxy (as long as they also honor the lock).
    • Upgrade note: to be effective if Felix is running in a container, this feature requires the
      directory containing the iptables lock file, /run, to be mounted into the container. (@fasaxc)
  • #898: Calico releases now produce a release archive including Kubernetes manifests, docker images, and binaries. (@tomdee)
  • #885: Added new option that takes interface regexes to skip interfaces during ip auto detection. (@mgleung)
  • #885: Added support for specifying multiple interface regexes to attempt to match on during ip auto detection. (@mgleung)
  • #861: Ability to enable / disable outgoing NAT on the default IP Pool using an environment variable. (@VincentS)

Changes to calicoctl

  • #1687: The calicoctl version command now includes the CalicoVersion and ClusterType as retrieved from the datastore. (@tmjd)
  • #1680: Added functionality for calicoctl commands to read in multiple yaml documents specified in the same file/input and separated by ---. (@mgleung)
  • #1673: The calico/ctl container's default working directory has changed to /root (@caseydavenport)

Changes to typha

  • #27: Implement health endpoints for Typha (@neiljerram)

Changes to cni-plugin

  • #341: The calico/cni container now supports setting SKIP_CNI_BINARIES to skip installation of certain binaries. (@abhinavdahiya)

Changes to libcalico-go

  • #471: Policy objects now support arbitrary key/value annotations. (@caseydavenport)
  • #470: Add new Source.Nets and Destination.Nets fields (and their negated couterparts)
    to rules, allowing multiple CIDRs to be matched in a single rule. The Source.Net
    and Destination.Net fields are now deprecated; when reading back data that
    contains a Net field, it will be converted to a single-entry Nets field. Felix (and
    Typha, if in use) should be upgraded before using the new Nets fields in a rule. (@fasaxc)
  • #464 #468: Add BGP peer and global/node BGP peer configuration to KDD datastore driver. (@robbrockbank)

Changes to k8s-policy

  • #105: Calico now implements the networking.k8s.io/NetworkPolicy API semantics as defined by Kubernetes when using the etcd datastore
    • Note: This represents a change in how existing Kubernetes NetworkPolicies are enforced by Calico. To maintain existing behavior when upgrading, follow these steps:
      • In Namespaces that previously did not have the “DefaultDeny” annotation, you should delete any existing NetworkPolicy objects.
      • In Namespaces that previously did have the “DefaultDeny” annotation, you can create the equivalent semantics by creating a NetworkPolicy that selects all pods but does not allow any traffic. (@caseydavenport)

Changes to felix

  • #1500: Improve performance of dataplane driver by reducing number of conntrack deletions. (@fasaxc)
  • #1498: Improve performance when the conntrack table contains many entries by doing conntrack deletions in the background. (@fasaxc)
  • #1491: Felix now acquires the iptables lock while manipulating iptables. This prevents conflicts
    with other applications, such as kube-proxy (as long as they also honor the lock).
    • Upgrade note: to be effective if Felix is running in a container, this feature requires the
      directory containing the iptables lock file, /run, to be mounted into the container. (@fasaxc)