Skip to main content
Calico Enterprise 3.18 documentation

Calico Enterprise 3.18 release notes

Learn about the new features, bug fixes, and other updates in this release of Calico Enterprise.

New features and enhancements​

VXLAN support for cluster mesh and federation​

We've expanded our support of cluster mesh to clusters using VXLAN for networking. Cluster mesh can be used to federate services and endpoints to authorize cross-cluster communication with Calico Enterprise network policies.

For more information, see Configure federated endpoint identity and services.

Helm-based install for multi-cluster management deployments​

We've added the support for Helm for installing and setting up deployments that use the multi-cluster management feature. With Helm, DevOps teams can automate these complex deployments more easily.

For more information, see Helm for multi-cluster management.

HPC-based Windows install and upgrade​

We've added support for operator-based install and upgrade for Windows nodes using HPC (HostProcess/Privileged containers). Calico Enterprise can now bootstrap Windows worker nodes just like Linux worker nodes. Platform engineers can scale Windows worker nodes with an auto-scaling node pool without bootstrapping each node manually, and upgrade Calico Enterprise deployments without manually upgrading nodes one at a time.

For more information, see the Calico Enterprise for Windows Operator guide.

Support for Azure CNI with overlay networking for AKS​

We now officially support AKS clusters that are using overlay networking. This option is useful if you've exhausted your IP addresses. This option augments existing support for Azure CNI with no overlay (where a VNET IP address is assigned to every pod).

To review Azure CNI options, see Microsoft Azure Kubernetes Service (AKS).

Support for Kubernetes 1.28​

We now support Kubernetes v1.28 for most platforms.

To review platform support, see Support and compatibility.

Performance improvements for Service Graph​

We've added backend improvements to Service Graph that increases the performance when rendering a large number of graph nodes.

Improved Felix performance for extremely large clusters​

We've improved how Felix processes active policy rules for clusters with extremely high numbers of endpoints and policy rules. Previously, calculating selector-based rules in these circumstances could take a long time or end in failure. Now Felix can perform these calculations quickly while reducing CPU usage by orders of magnitude.

For more information, see Selector performance in EntityRules.

Improved scalability for large number of policies when using the eBPF data plane​

We've made several improvements that allow you to enforce a larger number of Calico Enterprise network policies when using the eBPF data plane.

New performance optimizations for egress gateways​

Calico Enterprise includes new performance options for egress gateway policies that can be used to ensure that application client and gateway pods are on the same cluster node.

For more information, see Optimize egress networking for workloads with long-lived TCP connections.

Configurable XFF headers for Envoy​

We've added support for XFF to propagate the original IP address when proxying application layer traffic with Envoy within a Kubernetes cluster.

For more information, see Installation reference.

Alert-only mode for Workload-based Web Application Firewall (WAF)​

We've added a new default mode for WAF that is monitor/event only. This allows operators and security teams to verify the accuracy of configured rules before actively blocking traffic.

For more information, see Web application firewall.

Additional options for Helm-based installs​

We've added new options for Helm installs including: set the number of replicas for specific deployments, node affinity rules, and configure Wireguard.

For more information, see Helm installation reference.

Deprecated and removed features​

  • The anomaly detection feature is removed in this release. If anomaly detection is enabled and you upgrade to Calico Enterprise 3.18, you will stop receiving anomaly detection alerts.
  • The manual installation method for Windows is deprecated and will be removed in a future release. The recommended installation method is now operator-based.
  • The FIPS mode feature is deprecated in this release. It will be removed in Calico Enterprise 3.19.
  • The AWS security groups integration is deprecated in this release. It will be removed in Calico Enterprise 3.19.
  • The ingress log collection feature is deprecated in this release. It will be removed in Calico Enterprise 3.19.

Technology Preview features​

  • Web application firewall

    Protect cloud-native applications from application layer attacks.

  • Security events management

    Get alerts on security events that may indicate a threat is present in your Kubernetes cluster.

  • DNS policy for Windows

    Use domain names in policies to identify services outside the cluster, which is often operationally simpler and more robust than using IP addresses.

Known issues​

  • Flow logs for the Windows workloads currently do not display entries with a Deny action.
  • Before upgrading a Calico Enterprise cluster on MKE v3.6 to the latest Calico Enterprise version: 1) upgrade MKE from 3.6 to 3.7, then 2) upgrade Calico Enterprise.
  • L7 logs with source name pvt is not visible in Service Graph.
  • Multi-cluster management users only. If the manager-tls and internal-manager-tls secrets have overlapping DNS names, components such as es-calico-kube-controllers will log certificate errors. If you have previously installed a version older than v3.13.0 and never changed your manager-tls secret from the tigera-operator namespace, you must delete both of these secrets. This applies to you if the following command prints a certificate: $ kubectl get secret manager-tls -n tigera-operator -o "jsonpath={.data['cert']}".
  • Upgrading to Calico Enterprise 3.18.0 on Rancher/RKE from Calico Enterprise 3.13.0 currently requires manually terminating the calico-node container for an upgrade to proceed.
  • Calico panics if kube-proxy or other components are using native nftables rules instead of the iptables-nft compatibility shim. Until Calico supports native nftables mode, we recommend that you continue to use the iptables-nft compatibility layer for all components. (The compatibility layer was the only option before Kubernetes v1.29 added alpha-level nftables support.) Do not run Calico in "legacy" iptables mode on a system that is also using nftables. Although this combination does not panic or fail (at least on kernels that support both), the interaction between iptables "legacy" mode and nftables is confusing: both iptables and nftables rules can be executed on the same packet, leading to policy verdicts being "overturned".

  • Some application layer features are not working as expected for Calico Enterprise installations with the following deployment types:

    • AKS clusters with Azure CNI for networking and Calico Enterprise for network policy
    • RKE2 clusters installed with Rancher UI

    During installation, for these deployment types, kubeletVolumePluginPath is set to None in the Installation CR, causing all application layer features to stop working. The affected features include web application firewalls, application layer policies, and L7 logging. As a workaround, you can restore the default value by running the following command on an affected cluster:

    kubectl patch installation.tigera.io default --type=merge  -p '{"spec":{"kubeletVolumePluginPath":"/var/lib/kubelet"}}'

    • Release details​

    Calico Enterprise 3.18.0 (early preview)​

    September 1, 2023

    Calico Enterprise 3.18.0 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production.

    Calico Enterprise 3.18.0-1.1 (early preview)​

    October 13, 2023

    Calico Enterprise 3.18.0-1-1 is now available as an early preview release.

    This release is for previewing and testing purposes only. It is not supported for use in production. This release includes improvements and bug fixes.

    Calico Enterprise 3.18.0-2.0 (early preview)​

    December 1, 2023

    Calico Enterprise 3.18.0-2-0 is now available as an early preview release.

    This release is for previewing and testing purposes only. It is not supported for use in production. This release includes improvements and bug fixes.

    Calico Enterprise 3.18.1 GA​

    January 17, 2024

    Calico Enterprise 3.18.1 is now available as a GA release.

    This release is supported for use in production.

    Updating​

    To update an existing installation of Calico Enterprise 3.18, see Install a patch release.

    Calico Enterprise 3.18.2 bug fix release​

    March 25, 2024

    Calico Enterprise 3.18.2 is now available. This release includes bug fixes and improvements.

    Improvements​

    • Reduced the validity of JSON Web Tokens issued by dex to 15 minutes (down from 24 hours).
    • Added a configurable option for priorityClassName to the egress gateway CRD.
    • Policy recommendation excludes OpenShift namespaces by default.

    Bug fixes​

    • Drastically increased Voltron's Kubernetes client QPS and Burst to prevent it from rate limiting itself in MCM setups.
    • Fixed a bug that prevented Linseed from creating tokens for Intrusion Detection and DPI components in managed clusters if compliance is not enabled.
    • Fixes an issue in the operator that caused it to accumulate more memory resources over time.
    • If kube-controllers metric port is set to 0, no ingress rule will be created.
    • Security updates.

    Other​

    • FIPS mode is no longer supported.

    Updating​

    To update an existing installation of Calico Enterprise 3.18, see Install a patch release.

    Calico Enterprise 3.18.3 bug fix release​

    April 29, 2024

    Calico Enterprise 3.18.3 is now available. This release includes bug fixes and improvements.

    Bug fixes​

    • Fixed an issue where the token login page stopped working when an identity provider was configured.
    • Fixed a bug that caused workload egress traffic to be incorrectly handled as host-sourced traffic if DNS policy and IPVS kube-proxy were used together.
    • Security updates.

    Updating​

    To update an existing installation of Calico Enterprise 3.18, see Install a patch release.

    Calico Enterprise 3.18.4 bug fix release​

    June 14, 2024

    Calico Enterprise 3.18.4 is now available. This release includes bug fixes and improvements.

    Bug fixes​

    • Fixes a bug in Egress gateways where IP rules were not updated when a pod's IP address changes.
    • Fixes an issue where the curator job crash-loops due to a missing module.
    • Fixes an issue where SecurityContextConstraints for components were incorrect or missing.
    • Security updates.

    Calico Enterprise 3.18.4 operator-only bug fix release​

    July 22, 2024

    Calico Enterprise 3.18.4 is now available with an update to the Tigera Operator. The Tigera operator version has been updated to version 1.32.10. No other components have been changed.

    Bug fixes​

    • Removed a mutual dependency between logstorage and other components that could result in a degraded TigeraStatus if certificates are missing required key usages.

    Updating​

    To update an existing installation of Calico Enterprise 3.18, see Install a patch release.

    Calico Enterprise 3.18.5 bug fix release​

    August 19, 2024

    Calico Enterprise 3.18.5 is now available. This release includes bug fixes and improvements.

    Bug fixes​

    • Fix that Felix would panic when trying to resync a temporary IP set. Temporary IP sets are created in certain scenarios after previous failures.
    • Fix excessive CPU usage in the process name lookup cache if a PID was unknown.
    • Updates the default behaviour of list request without tier field selector or label selector on globalnetworkpolicy, stagedglobalnetworkpolicy, networkpolicy and staged network policy to return all policies available to user, instead of returning only the policies in the default tier. This change allows to manage policies with GitOps tools like ArgoCD.
    • Fix Felix panic when using non-default BPF map sizes. Size was not updated in all places resulting in failure to attach programs.
    • Security updates.

    Updating​

    To update an existing installation of Calico Enterprise 3.18, see Install a patch release.

    Calico Enterprise 3.18.6 bug fix release​

    December 19, 2024

    Calico Enterprise 3.18.6 is now available. This release includes bug fixes and improvements.

    Bug fixes​

    • Fixed an issue where excessive API calls were made by the operator when users are running a large number of egress gateways.
    • Fix dual ToR startup when using bgp-layout ConfigMap to assign AS numbers.
    • Reduce lock contention between the process info cache and the flow logs collector. Avoids slowing down the collector when the info cache is under update load.
    • Security updates. This is the last scheduled patch for security updates, we urge users to consider updating to a later minor version of Calico Enterprise.

    Updating​

    To update an existing installation of Calico Enterprise 3.18, see Install a patch release.