tigera/operator v1.31.0

on GitHub

31 Aug 2023

Included Calico versions

Calico version: v3.26.1
Calico Enterprise version: v3.18.0

Bug fixes

• Correctly generate pkg/render/applicationlayer #2819 (@electricjesus)
• Fix watch that is monitoring the wrong namespace #2815 (@rene-dekker)
• Internal-manager-tls should contain only K8S services (#2810) #2811 (@asincu)
• Remove duplicate Felix Health Port for Openshift #2797 (@rene-dekker)
• Fix EGW deployment in OpenShift 4.13 #2781 (@sridhartigera)
• Fix typo in filename to pod_security_policy.go #2725 (@anthonytwh)
• WAF rules should be intialized as DetectionOnly post-install #2716 (@electricjesus)
• Set DNS trusted servers using FelixConfig instead of FELIX_ env var #2700 (@nelljerram)
• Fix missing certificate management configurations #2697 (@rene-dekker)
• Move BGPFilter permissions from EE-only to OSS+EE in apiserver #2617 (@coutinhop)

Other changes

• Relax Linseed Policy in case we have DPI installed (#2831) #2837 (@asincu)
• Update felixConfiguration CRD description #2830 (@ti-afra)
• Update coreruleset to 3.3.5 (#2821) #2822 (@electricjesus)
• Use default non-root SecurityContext for manager #2812 (@hjiawei)
• Create internal manager tls inside of manager_controller #2808 (@rene-dekker)
• Increase probes timeout for calico components #2801 (@hjiawei)
• Certs: Return specific error type when key usage is wrong #2793 (@rene-dekker)
• Add SecurityContext for Prometheus service container #2787 (@hjiawei)
• Recreate certificates that are only specified to be used as server certs #2777 (@tmjd)
• Update more felixConfiguration CRD patterns #2766 (@ti-afra)
• Add PSPs for dex and policy recommendation #2761 (@hjiawei)
• Update felixConfiguration CRD patterns #2760 (@ti-afra)
• Add watch for managed cluster linseed cert in compliance #2756 (@tmjd)
• Increase probes timeout for calico components #2746 (@hjiawei)
• Don't use subPath on windows: moby/moby#30555 #2740 (@rene-dekker)
• Use internal manager tls certificate for es-proxy and linseed #2739 (@asincu)
• Update golang to 1.20.6 #2735 (@Behnam-Shobiri)
• Update ES&KB to v7.17.11 #2730 (@rene-dekker)
• Revert k8s126 update #2727 (@tmjd)
• Add annotation for OpenShift PodSecurity #2724 (@MichalFupso)
• Add watch for ES PublicCertSecret #2718 (@tmjd)
• Add networkpolicies to policy rec clusterrole #2714 (@dimitri-nicolo)
• Postpone policy recommendation scope watches until apiserver is up and running #2713 (@rene-dekker)
• Drop cluster name from intrusion detection controller #2710 (@asincu)
• Linseed must be able to verify Voltron's certificate #2706 (@caseydavenport)
• Add gatewayPreference to egress gateway policies CRD #2702 (@sridhartigera)
• Remove cluster name as an environment variable needed for Compliance #2699 (@asincu)
• Update and clarify release instructions #2693 (@danudey)
• Modify Linseed deployment to set Elastic credentials #2688 (@Josh-Tigera)
• Set Openshift namespace label #2687 (@MichalFupso)
• Remove tigera-prometheus-api deployment that may have been installed in an older version #2684 (@rene-dekker)
• Support HostPorts in eBPF mode #2679 (@StevenTigera)
• Anomaly detection jobs should query Linseed #2678 (@asincu)
• Add RBAC for threat feeds #2674 (@asincu)
• Add missing namespaces to SG layer tigera infrastructure #2671 (@vara2504)
• Add temporary role for calico-node during namespace migration #2670 (@MichalFupso)
• Add c: prefix for token path on Windows #2668 (@asincu)
• Update description for tierName in policy recommendation scopes CRD #2665 (@tmjd)
• Changes to pick fips image for all the components #2661 (@sridhartigera)
• Enable user-configurable envoy XFF settings #2657 (@electricjesus)
• Remove /etc/calico host path volume #2654 (@uhthomas)