github tigera/operator v1.38.7

16 Oct 2025

Included Calico versions

Calico version: v3.30.4
Calico Enterprise version: v3.21.2

Warning

This release fixes the defaulting behaviour for Authentication.Spec.OIDC.requestedScopes so that it now includes offline_access, as documented in the API. In the unlikely case that your identity provider does not support offline_access and you did not previously specify requestedScopes, you should set requestedScopes to [profile, openid, email]. #4174 (@rene-dekker)
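
A pre-upgrade check for the warning above, as an added example that is not part of the operator or of these release notes: it reads the identity provider's OIDC discovery document and decides whether requestedScopes needs to be pinned. The function name, the action labels and the sample documents are constructed, and the new default is assumed to be the fallback list plus offline_access.

```python
import json

# Fallback list quoted in the release note, for providers without offline_access.
FALLBACK_SCOPES = ["profile", "openid", "email"]
# Assumption: the corrected default is the fallback list plus offline_access.
NEW_DEFAULT_SCOPES = FALLBACK_SCOPES + ["offline_access"]


def upgrade_action(discovery_doc, requested_scopes=None):
    """Return (action, scopes) for one Authentication resource.

    discovery_doc: parsed /.well-known/openid-configuration of the issuer.
    requested_scopes: current spec.oidc.requestedScopes, or None if unset.
    """
    if requested_scopes:
        # An explicit list is not affected by the defaulting fix.
        return "unchanged", list(requested_scopes)
    supported = discovery_doc.get("scopes_supported")
    if supported is None:
        # scopes_supported is optional in OIDC discovery; absence proves nothing,
        # so test a login against a non-production cluster before upgrading.
        return "verify-manually", list(NEW_DEFAULT_SCOPES)
    if "offline_access" in supported:
        return "no-change-needed", list(NEW_DEFAULT_SCOPES)
    # Provider advertises its scopes and offline_access is not among them.
    return "pin-requestedScopes", list(FALLBACK_SCOPES)


if __name__ == "__main__":
    # Constructed discovery documents, not captured from any real provider.
    samples = {
        "idp-with-refresh": '{"scopes_supported": ["openid", "email", "profile", "offline_access"]}',
        "idp-without-refresh": '{"scopes_supported": ["openid", "email", "profile"]}',
        "idp-silent": '{"issuer": "https://idp.example.invalid"}',
    }
    for name, raw in samples.items():
        action, scopes = upgrade_action(json.loads(raw))
        print(f"{name}: {action} -> requestedScopes {scopes}")
```
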

Other changes

  • The operator now pushes the value of felixConfig.CgroupV2Path to the mount-bpffs init container, improving compatibility with immutable OSes like Talos Linux. #4196 (@lucastigera)
  • Update the Dex client configuration to support Single Page Applications (SPAs) code flow with PKCE. The 'X-Frame-Options' header was changed from 'DENY' to 'SAMEORIGIN'. #4138 (@rene-dekker)
  • Properly provide secrets RBAC when the operator is running in an alternative namespace. #4126 (@caseydavenport)
  • Use a host alias for Felix to resolve goldmane service address, avoiding dependency on kube-dns. #4107 (@caseydavenport)
  • Use quay.io as the default image location instead of Docker Hub. #3936 (@skoryk-oleksandr)
