
Releases: projectcalico/calico

v2.6.0

28 Sep 18:26

Warning: incorrect release artifacts, do not use. Please upgrade to Calico v2.6.1 instead

Release notes for Calico v2.6.0

Changes to calicoctl

Changes to libcalico-go

  • #521: Calico now enforces egress rules and ipBlock selectors in Kubernetes network policies (beta features of Kubernetes 1.8). See the 1.8 and later Kubernetes documentation for more information. (@bcreane)
  • #502: When converting Kubernetes network policies to Calico policies, Calico now sets the converted policies as ingress only instead of appending an egress rule that allows all traffic. This allows subsequent Kubernetes network policies to match an explicit egress rule. (@bcreane)

Changes to calico

  • #1133: Calico no longer inserts a default egress allow for all pods selected by a Kubernetes NetworkPolicy. If you have created policies with calicoctl that select pods and you would like to maintain the same behavior, you must ensure that all desired egress traffic is allowed by an explicit rule before upgrading to Calico v2.6.0. (@tmjd)

    • Action may be required: Because Calico no longer programs a default egress allow rule, policies that you created with calicoctl and that have egress rules may no longer allow the full set of desired traffic. In this scenario, you should create an egress allow policy for any pods which were previously selected by a Kubernetes NetworkPolicy and also selected by an egress policy created with calicoctl.
  • #1133: Calico no longer configures deprecated tags in the profiles created for Kubernetes Namespaces. (@tmjd)

    • Action may be required: Any rules created via calicoctl which reference these tags will no longer work. If you’ve created a policy or profile rule which references the per-namespace profile tags, you will need to modify the rule to use a label instead.
  • #1099: The policy controller options CONFIGURE_ETC_HOSTS and K8S_API are no longer supported. If needed, use KUBECONFIG instead. (@caseydavenport)

  • #1063: A new types field in Calico policies allows you to specify explicitly whether that policy should apply to selected endpoints for ingress traffic, or egress traffic, or both. This makes it easy to apply ingress policy to certain endpoints without accidentally changing the default egress treatment for those endpoints, and vice versa. For more information please see https://docs.projectcalico.org/master/reference/calicoctl/resources/policy. (@bcreane)
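
The #1063 and #1133 entries above, as an added illustration (not taken from the Calico release notes or documentation): a calicoctl policy in the v2.x resource format that uses the `types` field to stay ingress-only, next to an explicit egress allow of the kind the "Action may be required" note asks for. The policy names, labels and ports are assumptions.

```yaml
# Added example; policy names, labels and ports are assumptions.
# Calico v2.x calicoctl resource format (apiVersion: v1, kind: policy).

# 1) Ingress-only policy: "types" pins it to ingress, so it does not
#    change the egress treatment of the selected endpoints (#1063).
apiVersion: v1
kind: policy
metadata:
  name: db-ingress-from-frontend
spec:
  selector: role == 'database'
  types:
  - ingress
  ingress:
  - action: allow
    protocol: tcp
    source:
      selector: role == 'frontend'
    destination:
      ports:
      - 6379
---
# 2) Explicit egress allow for pods that are selected both by a
#    Kubernetes NetworkPolicy and by a calicoctl egress policy (#1133).
#    From v2.6.0 there is no default egress allow, so every flow the
#    pods need must be listed here.
apiVersion: v1
kind: policy
metadata:
  name: frontend-egress-allow
spec:
  selector: role == 'frontend'
  types:
  - egress
  egress:
  - action: allow          # application traffic to the database
    protocol: tcp
    destination:
      selector: role == 'database'
      ports:
      - 6379
  - action: allow          # DNS lookups
    protocol: udp
    destination:
      ports:
      - 53
```

Both documents can be kept in one file, because calicoctl reads multiple YAML documents separated by `---` (see #1680 under v2.4.0).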

Changes to cni-plugin

  • #383: Calico no longer occasionally deletes the workload endpoints of running Kubernetes pods. (@caseydavenport)
  • #380: The Calico CNI plugin now correctly launches Kubernetes pods with IPv6 addresses. (@gunjan5)
  • #379: CNI panic no longer causes container deletion failures. (@gunjan5)
  • #375: Calico now respects the nodename in the CNI configuration, if set. Previously, affinity blocks were assigned to the hostname of the node, even if a nodename was specified. (@heschlie)
    • Action may be required: If you previously included the nodename parameter in your CNI config when using etcd mode, you should remove it before upgrading to v2.6.0 as it was not properly respected in earlier versions of Calico and will be respected upon upgrade.
  • #367: The install-cni container now supports a LOG_LEVEL environment variable set to info or debug. By default, the LOG_LEVEL is set to warn. (@zopanix)
  • #358: Network setup of containers and pods no longer fails if the route already exists on the host. (@gunjan5)
  • #356: Upgrade note: The install-cni.sh script now overwrites existing binaries by default, making upgrades easier. To modify this behavior, set the UPDATE_CNI_BINARIES environment variable to false. (@alvelcom)

Changes to kube-controllers

  • #162: The calico/kube-policy-controller image has been renamed to calico/kube-controllers. While functionally the same, the name change better represents that the container includes multiple distinct Kubernetes controllers including a policy controller. (@caseydavenport)
    • Upgrade note: When upgrading to Calico v2.6 using a self-hosted manifest, the existing calico-policy-controller deployment will be configured to 0 replicas, and a new deployment called calico-kube-controllers will be installed. After upgrade, it is safe to delete the old calico-policy-controller deployment.
  • #133: calico/kube-controllers (formerly named calico/kube-policy-controller) has been ported to golang. (@caseydavenport)

v2.6.0-rc2

25 Sep 05:30
v2.6.0-rc2 Pre-release

Release candidate for Calico v2.6.0 testing. This release is not suitable for production use.

v2.6.0-rc1

23 Sep 00:54
v2.6.0-rc1 Pre-release

Release candidate for Calico v2.6.0 testing. This release is not suitable for production use.

Calico v2.5.1

30 Aug 15:49

Release notes for Calico v2.5.1

Attention Kubernetes datastore users upgrading to v2.5.x:
Users upgrading from Calico v2.4.x or older to v2.5.x or higher with Kubernetes datastore backend must follow the one-time configuration migration task to upgrade the cluster: https://github.com/projectcalico/calico/blob/master/upgrade/v2.5/README.md (@gunjan5)

Changes to Felix

  • #1538: Add read/write timeouts to the Typha connection; fixes an issue where Felix would not notice that the TCP connection had been dropped without being cleanly shut down.

Calico v2.5.0

23 Aug 00:13

Release notes for Calico v2.5.0

Attention Kubernetes datastore users upgrading to v2.5.x:
Users upgrading from Calico v2.4.x or older to v2.5.x or higher with Kubernetes datastore backend must follow the one-time configuration migration task to upgrade the cluster: https://github.com/projectcalico/calico/blob/master/upgrade/v2.5/README.md (@gunjan5)

Changes to libcalico-go

  • #491: Migrate from TPR to CRD for the Kubernetes backend.

v2.5.0-rc2: Release Candidate for testing

18 Aug 06:08

This is a release candidate for Calico v2.5.0. Below are the current work-in-progress release notes for Calico v2.5.0. Release candidate 2 has an updated confd which is built on an updated libcalico-go.

Candidate Release notes

Changes to libcalico-go

  • #491: Migrate from TPR to CRD for the Kubernetes backend. (@gunjan5)

v2.5.0-rc1: Release Candidate for testing

16 Aug 17:37

This is a release candidate for Calico v2.5.0. Below are the current work-in-progress release notes for Calico v2.5.0.

Candidate Release notes

Changes to libcalico-go

  • #491: Migrate from TPR to CRD for the Kubernetes backend. (@gunjan5)

Calico v2.4.1

08 Aug 00:15

Release notes for Calico v2.4.1

Changes to libcalico-go

  • #488: bugfix: fix handling of empty namespaceSelector when using Kubernetes datastore driver (@gunjan5)
  • #486: bugfix: properly resync node IPs during Felix restart in Kubernetes datastore driver (@bcreane)

Calico v2.4.0

31 Jul 23:34

Release notes for Calico v2.4.0

Changes to typha

  • #27: Implement health endpoints for Typha (@neiljerram)

Changes to calicoctl

  • #1687: The calicoctl version command now includes the CalicoVersion and ClusterType as retrieved from the datastore. (@tmjd)
  • #1680: Added functionality for calicoctl commands to read in multiple yaml documents specified in the same file/input and separated by ---. (@mgleung)
  • #1673: The calico/ctl container's default working directory has changed to /root (@caseydavenport)

Changes to felix

  • #1500: Improve performance of dataplane driver by reducing number of conntrack deletions. (@fasaxc)
  • #1498: Improve performance when the conntrack table contains many entries by doing conntrack deletions in the background. (@fasaxc)

Changes to cni-plugin

  • #341: The calico/cni container now supports setting SKIP_CNI_BINARIES to skip installation of certain binaries. (@abhinavdahiya)

Changes to calico

  • #964: Felix now supports a health check endpoint, and the Kubernetes self-hosted installation manifests now enable liveness and readiness probes which report Felix health. (@gunjan5)
  • #952: [beta feature] Add global and per-node BGP peer configuration and global BGP configuration support when using Kubernetes API as the Calico datastore. (@robbrockbank)
  • #924: The version of etcd included in the Calico kubeadm manifests has been revved to v3.1.10. (@caseydavenport)
  • #935: Felix now (optionally) acquires the iptables lock while manipulating iptables. This prevents
    conflicts with other applications, such as kube-proxy (as long as they also honor the lock).
    • Note: to be effective if Felix is running in a container, this feature requires the
      directory containing the iptables lock file, "/run/", to be mounted into the container. (@fasaxc)
  • #915: calico/node will now only check for conflicting Node IPs when initially getting an IP or when a change in IP is detected. This should reduce the load on the cluster when a large number of nodes are restarting. (@heschlie)
  • #910: Pre-DNAT Policy - a new flavor of Calico Policy that is enforced before any DNAT that a cluster node may do (for example kube-proxy). Pre-DNAT Policy is useful for securing the perimeter of a cluster against incoming traffic, except for pinholes that are expressed in terms of particular IP addresses and/or ports that external clients are allowed to connect in to. For more information please see http://docs.projectcalico.org/v2.4/getting-started/bare-metal/bare-metal#pre-dnat-policy. (@neiljerram)
  • #898: Calico releases now produce a release archive including Kubernetes manifests, docker images, and binaries. (@tomdee)
  • #885: Added new option that takes interface regexes to skip interfaces during ip auto detection. (@mgleung)
  • #885: Added support for specifying multiple interface regexes to attempt to match on during ip auto detection. (@mgleung)
  • #861: Ability to enable / disable outgoing NAT on the default IP Pool using an environment variable. (@VincentS)

Changes to k8s-policy

  • #105: Calico now implements the networking.k8s.io/NetworkPolicy API semantics as defined by Kubernetes when using the etcd datastore
    • Note: This represents a change in how existing Kubernetes NetworkPolicies are enforced by Calico. To maintain existing behavior when upgrading, follow these steps:
      • In Namespaces that previously did not have the “DefaultDeny” annotation, you should delete any existing NetworkPolicy objects.
      • In Namespaces that previously did have the “DefaultDeny” annotation, you can create the equivalent semantics by creating a NetworkPolicy that selects all pods but does not allow any traffic. (@caseydavenport)
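
The second migration step above, as an added example (not from the Calico release notes): the Namespace annotation that previously requested default-deny, beside a NetworkPolicy that selects all pods and allows no traffic. The namespace name is an assumption.

```yaml
# Added example; the namespace name "prod" is an assumption.

# Before: isolation requested through the beta Namespace annotation.
apiVersion: v1
kind: Namespace
metadata:
  name: prod
  annotations:
    net.beta.kubernetes.io/network-policy: |
      {"ingress": {"isolation": "DefaultDeny"}}
---
# After: equivalent semantics under networking.k8s.io/v1.
# An empty podSelector selects every pod in the namespace, and with
# no ingress rules listed, no incoming traffic is allowed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: prod
spec:
  podSelector: {}
```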

Changes to libcalico-go

  • #471: Policy objects now support arbitrary key/value annotations. (@caseydavenport)
  • #470: Add new Source.Nets and Destination.Nets fields (and their negated counterparts)
    to rules, allowing multiple CIDRs to be matched in a single rule. The Source.Net
    and Destination.Net fields are now deprecated; when reading back data that
    contains a Net field, it will be converted to a single-entry Nets field. Felix (and
    Typha, if in use) should be upgraded before using the new Nets fields in a rule. (@fasaxc)

v2.4.0-rc2: Release candidate for testing

28 Jul 01:05

This is a release candidate for Calico v2.4.0. Below are the current work-in-progress release notes for Calico v2.4.0.

Candidate release notes

Changes to typha

  • #27: Implement health endpoints for Typha (@neiljerram)

Changes to calicoctl

  • #1687: The calicoctl version command now includes the CalicoVersion and ClusterType as retrieved from the datastore. (@tmjd)
  • #1680: Added functionality for calicoctl commands to read in multiple yaml documents specified in the same file/input and separated by ---. (@mgleung)
  • #1673: The calico/ctl container's default working directory has changed to /root (@caseydavenport)

Changes to felix

  • #1500: Improve performance of dataplane driver by reducing number of conntrack deletions. (@fasaxc)
  • #1498: Improve performance when the conntrack table contains many entries by doing conntrack deletions in the background. (@fasaxc)

Changes to cni-plugin

  • #341: The calico/cni container now supports setting SKIP_CNI_BINARIES to skip installation of certain binaries. (@abhinavdahiya)

Changes to calico

  • #924: The version of etcd included in the Calico kubeadm manifests has been revved to v3.1.10. (@caseydavenport)
  • #915: calico/node will now only check for conflicting Node IPs when initially getting an IP or when a change in IP is detected. This should reduce the load on the cluster when a large number of nodes are restarting. (@heschlie)
  • #910: Pre-DNAT Policy - a new flavor of Calico Policy that is enforced before any DNAT that a cluster node may do (for example kube-proxy). Pre-DNAT Policy is useful for securing the perimeter of a cluster against incoming traffic, except for pinholes that are expressed in terms of particular IP addresses and/or ports that external clients are allowed to connect in to. For more information please see http://docs.projectcalico.org/v2.4/getting-started/bare-metal/bare-metal#pre-dnat-policy. (@neiljerram)
  • #898: Calico releases now produce a release archive including Kubernetes manifests, docker images, and binaries. (@tomdee)
  • #885: Added new option that takes interface regexes to skip interfaces during ip auto detection. (@mgleung)
  • #885: Added support for specifying multiple interface regexes to attempt to match on during ip auto detection. (@mgleung)
  • #861: Ability to enable / disable outgoing NAT on the default IP Pool using an environment variable. (@VincentS)

Changes to k8s-policy

  • #105: Calico now implements the networking.k8s.io/NetworkPolicy API semantics as defined by Kubernetes when using the etcd datastore
    • Note: This represents a change in how existing Kubernetes NetworkPolicies are enforced by Calico. To maintain existing behavior when upgrading, follow these steps:
      • In Namespaces that previously did not have the “DefaultDeny” annotation, you should delete any existing NetworkPolicy objects.
      • In Namespaces that previously did have the “DefaultDeny” annotation, you can create the equivalent semantics by creating a NetworkPolicy that selects all pods but does not allow any traffic. (@caseydavenport)

Changes to libcalico-go

  • #471: Policy objects now support arbitrary key/value annotations. (@caseydavenport)
  • #470: Add new Source.Nets and Destination.Nets fields (and their negated counterparts)
    to rules, allowing multiple CIDRs to be matched in a single rule. The Source.Net
    and Destination.Net fields are now deprecated; when reading back data that
    contains a Net field, it will be converted to a single-entry Nets field. Felix (and
    Typha, if in use) should be upgraded before using the new Nets fields in a rule. (@fasaxc)