26 May 2023
Included Calico versions
Calico version: v3.26.0
Calico Enterprise version: v3.16.1
Enhancements
- Check more indicators for EKS discovery #2615 (@tmjd)
- [Calico Enterprise] Application-Layer Policies via per-host/per-node envoy support #2218 (@electricjesus)
Bug fixes
- Move BGPFilter permissions from EE-only to OSS+EE in apiserver #2617 (@coutinhop)
- [Calico Enterprise] Removes named resource clause on applicationlayers resource. #2567 (@mikestephen)
- [RS-749] - Sets fluentd env vars for RS index replicas and shards. #2485 (@mikestephen)
Other changes
- Automated cherry pick of #2668: Fix! Windows needs c: prefix for the token path #2669 (@rene-dekker)
- [EV-3431] Add linseed resources to policy recommendation (#2621) #2667 (@dimitri-nicolo)
- Update CRDs #2666 (@tmjd)
- Revert "Add dynamic layers to tigera infra layer in SG EV-3506" #2663 (@vara2504)
- [Release 1.30] Update golang to 1.20.4 #2659 (@Behnam-Shobiri)
- Automated cherry pick of #2653: Remove GeoIP downloader from Elasticsearch as we have no #2655 (@rene-dekker)
- Remove GeoIP downloader from Elasticsearch as we have no use for it. #2653 (@rene-dekker)
- Merge pull request #2645 from sridhartigera/host-path-init #2651 (@sridhartigera)
- Cherry-pick #2639 Add dynamic layers to tigera infra layer in SG EV-3506 #2649 (@vara2504)
- Update CRDs [r1.30] #2648 (@tmjd)
- Use correct calico-node UID when running in non-privileged mode. #2645 (@sridhartigera)
- [Release 1.30] Update base image to UBI 8.8 #2641 (@Behnam-Shobiri)
- Update base image to UBI 8.8 #2640 (@Behnam-Shobiri)
- Add dynamic layers to tigera infra layer in SG EV-3506 #2639 (@vara2504)
- [v1.30] Enforce default deny for calico-system #2638 (@pasanw)
- [cherry-pick] Make es-gateway use rolling update instead of recreate strategy (#2632) #2637 (@asincu)
- Enforce default deny for calico-system #2636 (@pasanw)
- Update CRDs: felixconfigurations #2635 (@tmjd)
- [release-v1.30] Bump Prometheus version to v2.43.1 #2634 (@hjiawei)
- Update CRDs: felixconfigurations update #2633 (@tmjd)
- Make es-gateway use rolling update instead of recreate strategy #2632 (@asincu)
- Bump Prometheus version to v2.43.1 #2631 (@hjiawei)
- Update CRDs: felixconfigurations update [r1.30] #2629 (@tmjd)
- Check more indicators for EKS discovery [pick 2615, r1.30] #2627 (@tmjd)
- [1.30] Do not manage Kibana certs/secrets in Managed clusters #2625 (@pasanw)
- Do not manage Kibana certs/secrets in Managed clusters #2624 (@pasanw)
- Cherrypick Add policy to support nodelocal dnscache #2623 (@ti-afra)
- [EV-3431] Add linseed resources to policy recommendation #2621 (@dimitri-nicolo)
- Add policyrecommendationscopes to CRDs list #2620 (@danudey)
- [Cherry-pick] Revert secrets rbac & add rolling update strategy to linseed deployment #2616 (@asincu)
- Revert access to secrets for Linseed #2614 (@asincu)
- Egress gateway policy CRD update #2613 (@tmjd)
- Add policy to support nodelocal dnscache #2612 (@ti-afra)
- Fix! Linseed should have a rolling deployment strategy #2610 (@asincu)
- Cherry-pick iptables backend to 3.17 #2609 (@sridhartigera)
- [cherry-pick] Fix! Linseed controller needs get and create for secrets #2607 (@asincu)
- Handle iptablesbackend felix config changes in EGW controller #2606 (@sridhartigera)
- Fix! Linseed controller needs get and create for secrets #2605 (@asincu)
- s390x: build s390x binary and image #2604 (@huoqifeng)
- [Cherry-pick 1.30] Support Egress Gateway Policy resource - EE 3.17 #2602 (@mazdakn)
- Add egress gateway policy to API server RBAC #2600 (@mazdakn)
- migrate typha deployment affinities #2598 (@Tamas-Biro1)
- [cherry-pick] Compliance reporter needs access to flows #2597 (@asincu)
- Fix! Reporter is missing access to flows #2596 (@asincu)
- [Cherry-pick] Fix volumes for compliance and rbac roles for intrusion detection #2595 (@asincu)
- Fix! Mount linseed tokens as secret instead of config maps #2594 (@asincu)
- Fix! Missing rbac for flowlogs and snapshots and benchmarks #2593 (@asincu)
- A couple of development improvements #2590 (@caseydavenport)
- Update CRDs #2589 (@tmjd)
- Ensure precommit checks happen on PR code #2588 (@tmjd)
- [EV-3352][EV-3353] Update manager-role, network-admin and ui-user clu… #2587 (@dimitri-nicolo)
- Upgrade golang to v1.20.3 and k8s deps to 1.26 release #2586 (@hjiawei)
- Support for Linseed access tokens #2585 (@caseydavenport)
- Support Egress Gateway Policy resource #2584 (@mazdakn)
- [EV-2059] Create default PolicyRecommendationScope resource #2583 (@dimitri-nicolo)
- Add patch permissions to tigera-network-admin for services #2582 (@LorcanMcVeigh)
- Fix periodic reconcile logic #2576 (@pasanw)
- Allow connection between DPI and linseed #2575 (@asincu)
- Remove unused K8s registry #2574 (@tmjd)
- Add BGPFilter and ExternalNetwork RBAC to node #2573 (@coutinhop)
- Add shards and replicas to Linseed #2572 (@asincu)
- Updates for MCM with Linseed #2571 (@caseydavenport)
- Configure certificate path for Windows setup #2566 (@asincu)
- Prevent installation of PSPs in OCP in order to use SCCs instead #2564 (@mgleung)
- Update Calico Enterprise Compliance to use Linseed #2561 (@caseydavenport)
- check for cniLogging nil values before referencing #2559 (@ti-afra)
- Add PSP PolicyRule for anomaly detection detectors #2555 (@hjiawei)
- Automated cherry pick of #2551: Add clusterrolebinding for OCP w/ federation #2553 (@rene-dekker)
- Update CRDs #2548 (@ti-afra)
- Update readme #2547 (@MichalFupso)
- Update the CRDs #2544 (@rene-dekker)
- update go-build to v0.82 (golang 1.19.7) #2541 (@rene-dekker)
- Trim extraneous lines in operator CRD yamls #2539 (@tmjd)
- Bump alertmanager version to v0.25.0 #2538 (@hjiawei)
- Add patch permissions for services/status #2536 (@LorcanMcVeigh)
- [master] Add missing egress flow to Guardian access policy #2535 (@pasanw)
- Intrusion detection migration to Linseed API #2532 (@asincu)
- Automated cherry pick of #2528: Update ECK to 2.6.1 #2529 (@rene-dekker)
- Add NET_RAW capability to ocp scc. #2524 (@sridhartigera)
- Bump Elasticsearch version to v7.17.9 #2519 (@hjiawei)
- stabilise intrusion detection failures due to elastic search not being ready #2517 (@ti-afra)
- Add waf resource to the lma.tigera.io resource group #2516 (@gantony)
- Bump Kibana version to v7.17.9 #2513 (@hjiawei)
- Remove Elastic SELinux init container #2511 (@hjiawei)
- Update image for linseed component #2508 (@asincu)
- Fix an unused variable passed to ES metrics #2506 (@caseydavenport)
- Introduce Linseed component to Calico Enterprise #2505 (@caseydavenport)
- Add and update PodSecurityPolicy to match SecurityContext #2504 (@hjiawei)
- Expose logging config for calico cni #2503 (@ti-afra)
- Update dependencies #2500 (@Behnam-Shobiri)
- Copy pull secrets to the EGW namespace #2499 (@sridhartigera)
- Automated cherry pick of #2479: Increase timeout to 20s #2495 (@rene-dekker)
- Fix EGW icmp probes #2493 (@sridhartigera)
- Mount SSL_CERT_FILE in system-wide trust store #2486 (@hjiawei)
- CSI driver should tolerate all like l7 and node #2483 (@tmjd)
- Add chown to the elastic init keystore container securitycontext #2476 (@hjiawei)
- Don't render SecurityContext for fluentd on Windows #2471 (@hjiawei)
- Fix SCC for Egw openshift #2466 (@sridhartigera)
- Upgrade Prometheus to v2.42.0 #2464 (@hjiawei)
- [master] Omit updates for NetworkPolicy/Tier when Spec is identical #2463 (@pasanw)
- Increase Elasticsearch readiness probe threshold and timeout #2456 (@hjiawei)
- Remove and replace deprecated ioutil #2451 (@hjiawei)
- Use the right registry for OSS cni-fips #2446 (@rene-dekker)
- Update runAsUser for es-proxy and aws securitygroup #2443 (@hjiawei)
- Update CRDs to the latest #2442 (@hjiawei)
- Do not delete psp when cluster doesn't support psp #2437 (@sridhartigera)
- Update CRDs to the latest #2434 (@hjiawei)
- Apply more restrictive SecurityContext to components #2433 (@hjiawei)
- Use two constructors for deletion passthru #2432 (@caseydavenport)
- Create, delete cluster scoped resources from EGW controller #2427 (@sridhartigera)
- [RS-707] - Allow tigera-ui-user to view WAF config #2422 (@mikestephen)
- Move guardian hash annotation to podTemplate #2421 (@tmjd)
- Remove max-tls-flag. It is no longer necessary for FIPS mode #2417 (@rene-dekker)
- Add some missing certificates to the bundles of various namespaces #2413 (@rene-dekker)
- Update ids controller healthz path #2408 (@hjiawei)
- Fix EGW upgrade and crd comments for doc #2406 (@sridhartigera)
- Fix: incompatible job spec caused controller to fail #2403 (@rene-dekker)
- Add externalNetwork to the EGW operator CRD #2398 (@sridhartigera)
- Separate calico-node and calico-cni-plugin service accounts #2393 (@MichalFupso)
- [EV-2059] Add policy recommendation resources #2392 (@dimitri-nicolo)
- Add pod2daemon private mstr #2390 (@rene-dekker)
- Enable mtls for kube controller metrics endpoint #2387 (@vara2504)
- Fix race condition where trusted bundle is rendered twice with differ… #2377 (@rene-dekker)
- Allow query server talk to Prometheus #2329 (@hjiawei)