tigera/operator v1.30.0

on GitHub

26 May 2023

Included Calico versions

Calico version: v3.26.0
Calico Enterprise version: v3.16.1

Enhancements

• Check more indicators for EKS discovery #2615 (@tmjd)
• [Calico Enterprise] Application-Layer Policies via per-host/per-node envoy support #2218 (@electricjesus)

Bug fixes

• Move BGPFilter permissions from EE-only to OSS+EE in apiserver #2617 (@coutinhop)
• [Calico Enterprise] Removes named resource clause on applicationlayers resource. #2567 (@mikestephen)
• [RS-749] - Sets fluentd env vars for RS index replicas and shards. #2485 (@mikestephen)

Other changes

• Automated cherry pick of #2668: Fix! Windows needs c: prefix for the token path #2669 (@rene-dekker)
• [EV-3431] Add linseed resources to policy recommendation (#2621) #2667 (@dimitri-nicolo)
• Update CRDs #2666 (@tmjd)
• Revert "Add dynamic layers to tigera infra layer in SG EV-3506" #2663 (@vara2504)
• [Release 1.30] Update golang to 1.20.4 #2659 (@Behnam-Shobiri)
• Automated cherry pick of #2653: Remove GeoIP downloader from Elasticsearch as we have no #2655 (@rene-dekker)
• Remove GeoIP downloader from Elasticsearch as we have no use for it. #2653 (@rene-dekker)
• Merge pull request #2645 from sridhartigera/host-path-init #2651 (@sridhartigera)
• Cherry-pick #2639 Add dynamic layers to tigera infra layer in SG EV-3506 #2649 (@vara2504)
• Update CRDs [r1.30] #2648 (@tmjd)
• Use correct calico-node UID when running in non-privileged mode. #2645 (@sridhartigera)
• [Release 1.30] Update base image to UBI 8.8 #2641 (@Behnam-Shobiri)
• Update base image to UBI 8.8 #2640 (@Behnam-Shobiri)
• Add dynamic layers to tigera infra layer in SG EV-3506 #2639 (@vara2504)
• [v1.30] Enforce default deny for calico-system #2638 (@pasanw)
• [cherry-pick] Make es-gateway use rolling update instead of recreate strategy (#2632) #2637 (@asincu)
• Enforce default deny for calico-system #2636 (@pasanw)
• Update CRDs: felixconfigurations #2635 (@tmjd)
• [release-v1.30] Bump Prometheus version to v2.43.1 #2634 (@hjiawei)
• Update CRDs: felixconfigurations update #2633 (@tmjd)
• Make es-gateway use rolling update instead of recreate strategy #2632 (@asincu)
• Bump Prometheus version to v2.43.1 #2631 (@hjiawei)
• Update CRDs: felixconfigurations update [r1.30] #2629 (@tmjd)
• Check more indicators for EKS discovery [pick 2615, r1.30] #2627 (@tmjd)
• [1.30] Do not manage Kibana certs/secrets in Managed clusters #2625 (@pasanw)
• Do not manage Kibana certs/secrets in Managed clusters #2624 (@pasanw)
• Cherrypick Add policy to support nodelocal dnscache #2623 (@ti-afra)
• [EV-3431] Add linseed resources to policy recommendation #2621 (@dimitri-nicolo)
• Add policyrecommendationscopes to CRDs list #2620 (@danudey)
• [Cherry-pick] Rever secrets rbac & add rolling update strategy to linseed deployment #2616 (@asincu)
• Revert access to secrets for Linseed #2614 (@asincu)
• Egress gateway policy CRD update #2613 (@tmjd)
• Add policy to support nodelocal dnscache #2612 (@ti-afra)
• Fix! Linseed should have a rolling deployment strategy #2610 (@asincu)
• Cherry-pick iptables backend to 3.17 #2609 (@sridhartigera)
• [cherry-pick] Fix! Linseed controller needs get and create for secrets #2607 (@asincu)
• Handle iptablesbackend felix config changes in EGW controller #2606 (@sridhartigera)
• Fix! Linseed controller needs get and create for secrets #2605 (@asincu)
• s390x: build s390x binary and image #2604 (@huoqifeng)
• [Cherry-pick 1.30] Support Egress Gateway Policy resource - EE 3.17 #2602 (@mazdakn)
• Add egress gateway policy to API server RBAC #2600 (@mazdakn)
• migrate typha deployment affinities #2598 (@Tamas-Biro1)
• [cherry-pick] Compliance reporter needs access to flows #2597 (@asincu)
• Fix! Reporter is missing access to flows #2596 (@asincu)
• [Cherry-pick] Fix volumes for compliance and rbac roles for intrusion detection #2595 (@asincu)
• Fix! Mount linseed tokens as secret instead of config maps #2594 (@asincu)
• Fix! Missing rbac for flowlogs and snapshots and benchmarks #2593 (@asincu)
• A couple of development improvements #2590 (@caseydavenport)
• Update CRDs #2589 (@tmjd)
• Ensure precommit checks happen on PR code #2588 (@tmjd)
• [EV-3352][EV-3353] Update manager-role, network-admin and ui-user clu… #2587 (@dimitri-nicolo)
• Upgrade golang to v1.20.3 and k8s deps to 1.26 release #2586 (@hjiawei)
• Support for Linseed access tokens #2585 (@caseydavenport)
• Support Egress Gateway Policy resource #2584 (@mazdakn)
• [EV-2059] Create default PolicyRecommendationScope resource #2583 (@dimitri-nicolo)
• Add patch permissions to tigera-network-admin for services #2582 (@LorcanMcVeigh)
• Fix periodic reconcile logic #2576 (@pasanw)
• Allow connection between DPI and linseed #2575 (@asincu)
• Remove unused K8s registry #2574 (@tmjd)
• Add BGPFilter and ExternalNetwork RBAC to node #2573 (@coutinhop)
• Add shards and replicas to Linseed #2572 (@asincu)
• Updates for MCM with Linseed #2571 (@caseydavenport)
• Configure certificate path for Windows setup #2566 (@asincu)
• Prevent installation of PSPs in OCP in order to use SCCs instead #2564 (@mgleung)
• Update Calico Enterprise Compliance to use Linseed #2561 (@caseydavenport)
• check for cniLogging nil values before referencing #2559 (@ti-afra)
• Add PSP PolicyRule for anomaly detection detectors #2555 (@hjiawei)
• Automated cherry pick of #2551: Add clusterrolebinding for OCP w/ federation #2553 (@rene-dekker)
• Update CRDs #2548 (@ti-afra)
• Update readme #2547 (@MichalFupso)
• Update the CRDs #2544 (@rene-dekker)
• update go-build to v0.82 (golang 1.19.7) #2541 (@rene-dekker)
• Trim extraneous lines in operator CRD yamls #2539 (@tmjd)
• Bump alertmanager version to v0.25.0 #2538 (@hjiawei)
• Add patch permissions for services/status #2536 (@LorcanMcVeigh)
• [master] Add missing egress flow to Guardian access policy #2535 (@pasanw)
• Intrusion detection migration to Linseed API #2532 (@asincu)
• Automated cherry pick of #2528: Update ECK to 2.6.1 #2529 (@rene-dekker)
• Add NET_RAW capability to ocp scc. #2524 (@sridhartigera)
• Bump Elasticsearch version to v7.17.9 #2519 (@hjiawei)
• stabilise intrusion detection failures due to elastic search not being ready #2517 (@ti-afra)
• Add waf resource to the lma.tigera.io resource group #2516 (@gantony)
• Bump Kibana version to v7.17.9 #2513 (@hjiawei)
• Remove Elastic SELinux init container #2511 (@hjiawei)
• Update image for linseed component #2508 (@asincu)
• Fix an unused variable passed to ES metrics #2506 (@caseydavenport)
• Introduce Linseed component to Calico Enterprise #2505 (@caseydavenport)
• Add and update PodSecurityPolicy to match SecurityContext #2504 (@hjiawei)
• Expose logging config for calico cni #2503 (@ti-afra)
• Update dependencies #2500 (@Behnam-Shobiri)
• Copy pull secrets to the EGW namespace #2499 (@sridhartigera)
• Automated cherry pick of #2479: Increase timeout to 20s #2495 (@rene-dekker)
• Fix EGW icmp probes #2493 (@sridhartigera)
• Mount SSL_CERT_FILE in system-wide trust store #2486 (@hjiawei)
• CSI driver should tolerate all like l7 and node #2483 (@tmjd)
• Add chown to the elastic init keystore container securitycontext #2476 (@hjiawei)
• Don't render SecurityContext for fluentd on Windows #2471 (@hjiawei)
• Fix SCC for Egw openshift #2466 (@sridhartigera)
• Upgrade Prometheus to v2.42.0 #2464 (@hjiawei)
• [master] Omit updates for NetworkPolicy/Tier when Spec is identical #2463 (@pasanw)
• Increase Elasticsearch readiness probe threshold and timeout #2456 (@hjiawei)
• Remove and replace deprecated ioutil #2451 (@hjiawei)
• Use the right registry for OSS cni-fips #2446 (@rene-dekker)
• Update runAsUser for es-proxy and aws securitygroup #2443 (@hjiawei)
• Update CRDs to the latest #2442 (@hjiawei)
• Do not delete psp when cluster doesn't support psp #2437 (@sridhartigera)
• Update CRDs to the latest #2434 (@hjiawei)
• Apply more restrictive SecurityContext to components #2433 (@hjiawei)
• Use two constructors for deletion passthru #2432 (@caseydavenport)
• Create, delete cluster scoped resources from EGW controller #2427 (@sridhartigera)
• [RS-707] - Allow tigera-ui-user to view WAF config #2422 (@mikestephen)
• Move guardian hash annotation to podTemplate #2421 (@tmjd)
• Remove max-tls-flag. It is no longer necessary for FIPS mode #2417 (@rene-dekker)
• Add some missing certificates to the bundles of various namespaces #2413 (@rene-dekker)
• Update ids controller healthz path #2408 (@hjiawei)
• Fix EGW upgrade and crd comments for doc #2406 (@sridhartigera)
• Fix: incompatible job spec caused controller to fail #2403 (@rene-dekker)
• Add externalNetwork to the EGW operator CRD #2398 (@sridhartigera)
• Separate calico-node and calico-cni-plugin service accounts #2393 (@MichalFupso)
• [EV-2059] Add policy recommendation resources #2392 (@dimitri-nicolo)
• Add pod2daemon private mstr #2390 (@rene-dekker)
• Enable mtls for kube controller metrics endpoint #2387 (@vara2504)
• Fix race condition where trusted bundle is rendered twice with differ… #2377 (@rene-dekker)
• Allow query server talk to Prometheus #2329 (@hjiawei)