22 Oct 2025
Included Calico versions
Calico version: v3.31.0
Breaking changes
- Fixed the defaulting behaviour for `Authentication.Spec.OIDC.requestedScopes` so that it now includes `offline_access`, as documented in the API. In the unlikely case that your identity provider does not support `offline_access` and you did not previously specify `requestedScopes`, set `requestedScopes` to `[profile, openid, email]`. #4159 (@rene-dekker)
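The `offline_access` scope asks the identity provider for a refresh token, which is why the operator now requests it by default. An identity provider that rejects unknown scopes will fail the login instead, so the opt-out is to pin the scope list. The following Authentication resource is an added example, not from the release notes or the tigera/operator repository; the manager domain and issuer URL are placeholders, and only `spec.oidc.requestedScopes` is the setting this change is about:

```yaml
# Added example (not from the release notes or the tigera/operator repo).
# Pins requestedScopes to the pre-v3.31 default for an identity provider
# that does not support offline_access. Domain and issuer are placeholders.
apiVersion: operator.tigera.io/v1
kind: Authentication
metadata:
  name: tigera-secure
spec:
  managerDomain: https://manager.example.com:9443
  oidc:
    issuerURL: https://idp.example.com
    usernameClaim: email
    # Omitting this list now defaults to a set that includes offline_access;
    # listing the scopes explicitly restores the previous behaviour.
    requestedScopes:
      - profile
      - openid
      - email
```

After applying it, `kubectl get authentication tigera-secure -o yaml` should show the three scopes under `spec.oidc.requestedScopes`; if the list is absent, the new default applies and `offline_access` will be sent to the identity provider.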
Bug fixes
- Fix calico-system Namespace PSS conflict where, under certain conditions, the calico-system namespace would end up with a PSS value of `restricted` instead of `privileged`. This started happening on August 15, 2025 (so we may not have released an Enterprise version since). #4217 (@gantony)
- Do not require LoadBalancer pools to have outgoing NAT enabled. #4184 (@MichalFupso)
- Properly provide secrets RBAC when operator is running in an alternative namespace. #4123 (@caseydavenport)
- Fixed a race condition when checking if the `calico-node` DaemonSet has completed its rollout before enabling BPF. #4079 (@lucastigera)
- Revert "Enable ClusterInfo controller in es-kube-controller to fetch ManagedClusters" #4039 (@vara2504)
- Fix CRDs #4037 (@rene-dekker)
- Fixed an issue that prevented the operator from detecting HTTP proxies set on the Guardian container. #4031 (@pasanw)
- Fix security contexts for init containers when certificate management is enabled, so the certificates have the right permissions set on them. #4025 (@rene-dekker)
- Fix missing kube-controller secret access for guardian #4021 (@vara2504)
- Fix image digest lookup to return the correct registry for the calico/node FIPS image. #4007 (@radTuti)
Other changes
- Add support for custom-signed Calico Node certificates on non-cluster hosts. #4226 (@hjiawei)
- Updates the versions of the ECK Kibana and ECK Elasticsearch components to 8.18.8. #4225 (@xiumozhan)
- Add finalizers to Installation CR to try to ensure it is safe to cleanup the CNI permissions #4208 (@tmjd)
- Gateway API: Envoy Gateway updated to v1.5.0 #4206 (@electricjesus)
- Add log level to l7 collector container #4205 (@LorcanMcVeigh)
- Improve uninstall stability while waiting for pods to be torn down. #4182 (@caseydavenport)
- Calico Operator is now built with k8s v1.33 #4169 (@MichalFupso)
- The impersonation permissions on guardian are made configurable through the ManagementClusterConnection resource. #4151 (@rene-dekker)
- Changed default vxlanPort to 8472 for MKE when installing in ebpf mode. MKE already has a vxlan device at port 4789 and vni 4096. Until v3.30, we have been using FDB based vxlan in calico across all dataplanes. Now with 3.31, Calico creates Flow based vxlan for ebpf dataplane. When creating a flow based vxlan, we don't specify the VNI. This results in 2 devices at the same vxlan port causing conflicts. 8472 is/was the port allocated to vxlan before IANA standardized on 4789. #4144 (@sridhartigera)
- This change updates the Dex client configuration to support the authorization code flow with PKCE for Single Page Applications (SPAs). The 'X-Frame-Options' header was changed from 'DENY' to 'SAMEORIGIN'. #4137 (@rene-dekker)
- Setup licensing for waf-http-filter (Enterprise only) #4135 (@gantony)
- Added support for Kubernetes SecretProviderClass resources from the secrets-store-csi-driver into the authentication flow, allowing for identity provider (IdP) secrets to be sourced via CSI drivers in addition to standard Kubernetes Secrets. #4120 (@xiumozhan)
- BPF dataplane now programs nftables rules as needed instead of iptables rules. #4116 (@caseydavenport)
- eBPF dataplane is now enabled by default for clusters using kube-proxy. Calico auto-detects eligible clusters and installs with eBPF mode without user configuration. Kind is added as a new option for `KubernetesProvider` in the Installation CRD. #4115 (@lucastigera)
- The operator now pushes the value of `felixConfig.CgroupV2Path` to the `ebpf-bootstrap` init container, improving compatibility with immutable OSes like Talos Linux. #4110 (@lucastigera)
- Mount the host's bpffs and cgroup in the calico-node DaemonSet for all dataplanes. #4108 (@sridhartigera)
- Use a host alias for Felix to resolve goldmane service address, avoiding dependency on kube-dns. #4104 (@caseydavenport)
- The operator is now responsible for installing custom dashboard in the Enterprise environment. #4099 (@xiumozhan)
- Support for explicit configuration of calico/node DNS policy and DNS configuration. #4098 (@caseydavenport)
- In the absence of explicit configuration, calico/node will inherit DNS policy and DNS configuration from tigera/operator. #4098 (@caseydavenport)
- Export l7 access logs from Ingress Gateway #4091 (@LorcanMcVeigh)
- Update apiserver anti-affinity; remove old pods to prevent hostNetwork port conflicts #4090 (@vara2504)
- Accommodate OpenShift 4.19, which only provides some of the Gateway API CRDs itself and prevents our operator from installing the others. It means that our Gateway API support is less rich on OpenShift 4.19 than on other platforms, but that is better than not working at all. #4068 (@nelljerram)
- Component Migration: To support a minimal footprint and simplify resource management, the policy-recommendation component and its associated resources have been moved from the tigera-policy-recommendation namespace to the calico-system namespace. #4065 (@vara2504)
- The init container `mount-bpffs` is now named `ebpf-bootstrap` to reflect its broader responsibilities. No impact on functionality. #4064 (@lucastigera)
- ApplicationLayer controller now properly sets up the watch on the MutatingWebhookConfiguration so it will only reconcile on the specified named resource. #4062 (@tmjd)
- The Operator now automatically handles all required configuration when installing Calico in BPF mode on clusters using kube-proxy. Two new fields, `BPFNetworkBootstrap` and `KubeProxyManagement`, have been added to the Installation CR to control this behavior. #4058 (@lucastigera)
- Update Linseed URL for compliance components in managed cluster #4043 (@vara2504)
- Deploy the WAF HTTP Filter alongside the Envoy Proxy when running in Calico Enterprise. #4032 (@LorcanMcVeigh)
- Merge tiered policy resource across Calico and Calico Enterprise #4017 (@vara2504)
- All API server resources will now use the calico prefix instead of tigera, standardizing resource naming across Calico and Calico Enterprise. #4016 (@vara2504)
- Operator now annotates Guardian pods with cluster version information #4015 (@vara2504)
- All API server resources will now use the calico prefix instead of tigera, standardizing resource naming across Calico and Calico Enterprise. #4005 (@vara2504)
- Reduce the number of unnecessary API calls made by tigera/operator. #4000 (@caseydavenport)
- Manifest to operator migration supports copying Felix nftables mode. #3994 (@caseydavenport)
- Remove the cnx- prefix from Calico Enterprise image names. #3894 (@hjiawei)
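Two of the changes above (#4115 and #4058) mean a cluster that runs kube-proxy can be switched to eBPF mode, and have its kube-proxy managed by the operator, without anyone asking for it. The Installation resource below is an added example, not from the release notes or the tigera/operator repository, showing how to pin the dataplane and opt out of that automation. `spec.calicoNetwork.linuxDataplane` is a long-standing field; the placement of `bpfNetworkBootstrap` and `kubeProxyManagement` at the top of `spec` and their `Enabled`/`Disabled` values are assumptions taken from the release note text, so confirm them against the CRD actually installed in your cluster:

```yaml
# Added example (not from the release notes or the tigera/operator repo).
# Pins the dataplane and opts out of automatic eBPF bootstrap / kube-proxy
# management introduced in v3.31 (#4115, #4058).
#
# ASSUMPTION: the two new fields are written here as top-level spec fields
# with Enabled/Disabled values, based only on the release note wording.
# Verify before applying:  kubectl explain installation.spec
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  calicoNetwork:
    # Explicit dataplane choice; leaving this unset lets the operator
    # auto-detect and pick eBPF on eligible clusters.
    linuxDataplane: Iptables
  # Assumed field names/values (see comment above).
  bpfNetworkBootstrap: Disabled
  kubeProxyManagement: Disabled
```

If the API server rejects the two assumed fields, `kubectl explain installation.spec --recursive | grep -i -e bpfNetworkBootstrap -e kubeProxyManagement` shows where the installed CRD actually places them; the `linuxDataplane` pin alone is enough to stop the automatic switch to eBPF.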