29 Oct 2024
Included Calico versions
Calico version: v3.29.0
Enhancements
- [CORE-10407] Add support for OpenShift HCP #3389 (@coutinhop)
Bug fixes
Other changes
- Upgrade Elasticsearch and Kibana to 7.17.25 #3561 (@vara2504)
- Set "system-node-critical" priority on calico-node-windows pod. #3557 (@coutinhop)
- Add tolerations for arm64 workloads on GKE. #3554 (@hjiawei)
- Remove Host Numeric rule from coreruleset. #3553 (@radixo)
- Reducing DPI readiness initial delay 90s -> 10s. #3551 (@bartolini)
- Introduce SidecarWebhook status field in ApplicationLayer for UI to determine when deployments can be patched with WAF. #3547 (@radixo)
- Use restricted namespace for opensource calico-apiserver. #3530 (@mihivagyok)
- Enable TPROXY support in ApplicationLayer component. #3522 (@electricjesus)
- Update CRDs. #3521, #3419 (@rene-dekker)
- Adding X-Frame-Options DENY header for Kibana. #3520 (@vikastigera)
- Removes enovyproxy-envoy, sidecar images for envoy. #3515 (@radixo)
- Fix sidecar envoy image. #3510 (@radixo)
- Reduce the number of restarts for tigera-manager. #3505 (@asincu)
- Update Prometheus to v2.54.1 and AlertManager to v0.27.0 #3500 (@vikastigera)
- Render NonClusterHost resources. #3493 (@hjiawei)
- DPI Snort rules configurable via intrusiondetection CR. #3488 (@bartolini)
- Add new NonClusterHost resource for log ingestion. #3485 (@hjiawei)
- Add hostendpoints get and list to tigera ui and admin users. #3484 (@hjiawei)
- Respect HTTP proxies when rendering Guardian policy. #3475 (@pasanw)
- Add back services RBAC permissions. #3473 (@LorcanMcVeigh)
- Add IP pool config to disable new allocations. #3472 (@caseydavenport)
- Make capitalization of Dockerfile keywords consistent. #3466 (@rene-dekker)
- Change services permissions to deployments permissions. #3465 (@LorcanMcVeigh)
- Add sidecarInjection to ApplicationLayer resource. #3460 (@radixo)
- Rename and update tigera-crds clusterrole. #3458 (@ti-afra)
- Print image options and ImageSet utility. #3453 (@tmjd)
- Improve OpenShift platform detection accuracy. #3452 (@libesz)
- Fix apiserver certs issue when upgrading to enterprise. #3439 (@gcosgrave)
- Set default values for vxlanVNI and BPFHostConntrackBypass for DockerEE. #3435 (@sridhartigera)
- Bind all tenants to linseed RBAC. #3434 (@asincu)
- Add ES kube controllers as containers. #3430 (@asincu)
- Relax ImageSet validation. #3424 (@tmjd)
- Configure resources for es-kube-controllers via the tenant CR. #3423 (@asincu)
- Fix missing error message in tigerastatus object. #3417 (@rene-dekker)
- Change dashboard name for redirecting users after login. #3416 (@rene-dekker)
- Changes to enable nftables dataplane. #3412 (@caseydavenport)
- Bind all tenants service account for compliance server cluster role. #3411 (@asincu)
- Read elastic username from secrets. #3409 (@asincu)
- External Elastic client should use external certificate. #3407 (@asincu)
- Fix deadlock situation where two controllers rely on the same secret. #3406 (@rene-dekker)
- Create namespace before certificates. #3403 (@asincu)
- CSI DaemonSet no longer uses the "default" ServiceAccount. #3399 (@caseydavenport)
- Port creating an MTLS client for ElasticSearch. #3395 (@asincu)
- Make intrusion detection multi-tenant aware. #3394 (@asincu)