13 Feb 2026
Included Calico versions
Calico Enterprise version: v3.23.0-1.0
Caution
This version of Operator contains breaking changes. If you are upgrading an existing cluster please read the release notes carefully.
Bug Fixes
- Fix Istio service mesh components (istio-cni, istiod, ztunnel) failing on OpenShift due to missing platform detection. The operator now sets platform=openshift on all embedded Istio Helm charts, activating correct CNI binary paths (/var/lib/cni/bin), Multus provider configuration, SCC RBAC rules, SELinux contexts, and trusted ztunnel namespace settings. #4406 (@electricjesus)
- Fixed an issue caused by manager_controller and apiserver_controller both writing the calico-management-cluster-connection secret to calico-system causing constant reconciliations. #4375 (@rene-dekker)
- Updated Elasticsearch NodeSet name generation to prevent unnecessary recreations of the Elasticsearch StatefulSet. #4390 (@pasanw)
- Added a required permission for setting up watches in the calico-apiserver on OCP 4.20 #4373 (@rene-dekker)
- Fix a stack trace in the Kibana logs as a result of timeouts from fleet. #4333 (@rene-dekker)
- Fixed an issue where Guardian was missing the certificate of the Calico API server from its CA bundle. This issue only impacted clusters that were created using an older version of the Operator that did not use a centralized signer. #4315 (@pasanw)
- Fix DPI ClusterRole so it can discover IP via endpointslices #4258 (@Dean-Coakley)
- Fixes an issue where the logger was not initialized before log statements were produced. #4235 (@rene-dekker)
- Fixed a race condition in tigerastatus monitor where the alertmanager and prometheus statefulsets hadn't been created yet, but the monitor was marked as Available. #4214 (@alexh-tigera)
- Fix policy sync check for CIG #4210 (@LorcanMcVeigh)
- Add finalizers to Installation CR to try to ensure it is safe to cleanup the CNI permissions #4207 (@tmjd)
- Fix that Whisker would not function on nodes with IPv6 support disabled. #4204 (@caseydavenport)
- Do not require LoadBalancer pools to have outgoing NAT enabled. #4183 (@MichalFupso)
- Improve uninstall stability while waiting for pods to be torn down. #4179 (@caseydavenport)
- Fix calico-system Namespace PSS Conflict where, under certain conditions, the calico-system would end up with a PSS value of restricted instead of privileged. This started happening on August 15, 2025 (so we may not have released an Enterprise version since). #4172 (@gantony)
Breaking changes
- Fixed the defaulting behavior for Authentication.Spec.OIDC.requestedScopes such that it now includes offline_access as documented in the API. In the unlikely case that your identity provider does not support offline_access and you did not previously specify requestedScopes, you should set requestedScopes to [profile, openid, email]. #4173 (@rene-dekker)
- Contents of tigera-manager namespace have been moved to calico-system namespace on standalone and management clusters (managed clusters were moved in a previous release). Component names prefixed with "tigera-" have been renamed to use prefix "calico-" instead. An ExternalName service has been retained in the tigera-manager namespace to ease migration. Any ingress or gateway API resources that provided external access to the tigera-manager service will need to be updated. #4153 (@Josh-L)
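An added example (not part of the operator or its release notes) for the namespace move above: it lists the Ingress and Gateway API route objects that still point at the tigera-manager service in the tigera-manager namespace. The sample objects, their names, namespaces and ports are constructed; the input is assumed to have the shape of a Kubernetes List in JSON.

```python
"""Find Ingress / Gateway API routes that still target the old manager Service."""

OLD_NS, OLD_SVC = "tigera-manager", "tigera-manager"  # names from the release note

# Constructed sample, shaped like a Kubernetes List of Ingress and HTTPRoute objects.
SAMPLE = {"items": [
    {"kind": "Ingress", "metadata": {"name": "ui", "namespace": "tigera-manager"},
     "spec": {"rules": [{"http": {"paths": [
         {"backend": {"service": {"name": "tigera-manager", "port": {"number": 9443}}}}]}}]}},
    {"kind": "HTTPRoute", "metadata": {"name": "ui-route", "namespace": "edge"},
     "spec": {"rules": [{"backendRefs": [
         {"name": "tigera-manager", "namespace": "tigera-manager", "port": 9443}]}]}},
    # Same Service name but no namespace: resolves to edge/tigera-manager, not a hit.
    {"kind": "HTTPRoute", "metadata": {"name": "shop", "namespace": "edge"},
     "spec": {"rules": [{"backendRefs": [{"name": "tigera-manager", "port": 80}]}]}},
    {"kind": "Ingress", "metadata": {"name": "default-be", "namespace": "tigera-manager"},
     "spec": {"defaultBackend": {"service": {"name": "tigera-manager"}}}},
]}

def ingress_backends(obj):
    """Yield (namespace, service) per backend; Ingress backends are same-namespace."""
    ns = obj["metadata"].get("namespace", "default")
    spec = obj.get("spec", {})
    backends = [spec.get("defaultBackend")]
    for rule in spec.get("rules", []):
        for path in (rule.get("http") or {}).get("paths", []):
            backends.append(path.get("backend"))
    for backend in backends:
        svc = (backend or {}).get("service")
        if svc:
            yield ns, svc.get("name")

def route_backends(obj):
    """Yield (namespace, service) per backendRef; namespace defaults to the route's."""
    ns = obj["metadata"].get("namespace", "default")
    for rule in obj.get("spec", {}).get("rules", []):
        for ref in rule.get("backendRefs", []):
            if ref.get("kind", "Service") == "Service":
                yield ref.get("namespace", ns), ref.get("name")

def find_stale_refs(k8s_list):
    """Return sorted 'Kind/namespace/name' for objects referencing the old Service."""
    hits = []
    for obj in k8s_list.get("items", []):
        kind = obj.get("kind", "")
        if kind == "Ingress":
            refs = ingress_backends(obj)
        elif kind.endswith("Route"):
            refs = route_backends(obj)
        else:
            continue
        if (OLD_NS, OLD_SVC) in set(refs):
            meta = obj["metadata"]
            hits.append(f'{kind}/{meta.get("namespace")}/{meta["name"]}')
    return sorted(hits)

if __name__ == "__main__":
    print("\n".join(find_stale_refs(SAMPLE)))
```

To run it against a cluster, pass the parsed JSON from `kubectl get ingress -A -o json` (and the equivalent for route resources) to find_stale_refs instead of SAMPLE.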
Other changes
- Use backwards compatible schema configuration for prometheus endpoints on OpenShift. #4420 (@rene-dekker)
- Prometheus Operator is updated from v0.84.0 to v0.88.0. Prometheus is updated from v3.4.1 to v3.9.1. Prometheus Alertmanager is updated from v0.28.0 to v0.30.1. #4397 (@hjiawei)
- Elasticsearch and Kibana are updated to v8.19.10. #4368 (@hjiawei)
- Add rule to allow-tigera to allow traffic from intrusion detection controller to voltron #4354 (@xiumozhan)
- Fix Annotation Removal when patching FelixConfiguration #4306 (@radixo)
- Update Istio from 1.27.3 to 1.28.1 #4287 (@radixo)
- updated RBAC for Gateway stats and logs collector #4282 (@electricjesus)
- Use CEL validation for CR names. #4280 (@caseydavenport)
- feat: operator.tigera.io/Istio CRD - installs and manages Istio for Calico #4256 (@radixo)
- Allow non-cluster hosts to remove failed CSRs before generating new requests. #4236 (@hjiawei)
- Tigera Operator is now built with Go 1.25. #4221 (@hjiawei)
- Remove unused env vars in l7 sidecar CIG gateway deployment #4202 (@LorcanMcVeigh)
- Added support for custom-signed Calico Node certificates on non-cluster hosts. #4181 (@hjiawei)
- Use gateway-specific l7 collector image. #4171 (@gantony)
- Calico Operator is now built with k8s v1.33 #4168 (@MichalFupso)
- add support for developmental builds of operator with custom image paths for components #4163 (@radTuti)
- Update RBAC for the new k8s ClusterNetworkPolicy API. #4155 (@mazdakn)
- Envoy Gateway updated to v1.5.0. This now includes envoy SecurityPolicy CRD #4130 (@electricjesus)
- The impersonation permissions on guardian are made configurable through the ManagementClusterConnection resource. #4085 (@rene-dekker)