github tigera/operator v1.42.0

30 Apr 2026

Included Calico versions

Calico version: v3.32.0

Bug fixes

  • Fixes configuration of Calico Windows Daemonset Requests and Limits. #4366 (@tmjd)

Other changes

  • Update bundled Istio version to 1.29.2, including CVE fixes for moby/spdystream, prometheus/prometheus, and opentelemetry-go/otel/sdk. #4733 (@radixo)

  • Update golang.org/x/* libraries to latest. #4727 (@rene-dekker)

  • Grant the tigera-noncluster-host ClusterRole create access on linseed.tigera.io/policyactivity so non-cluster host policy activity logs reach Linseed. #4726 (@xiumozhan)

  • None #4701 (@caseydavenport)

  • Operator now passes the CA certificate CommonName to Voltron via VOLTRON_CA_SIGNER_NAME, enabling configurable CA issuer identification. #4673 (@rene-dekker)

  • Always add --tunnelSecretName flag to the apiserver, so it will pick the correct secret for signing tunnel certificates. #4662 (@rene-dekker)

  • Added label selector for networkpolicies selecting coredns on Canonical Kubernetes clusters. #4652 (@rene-dekker)

  • Improve TigeraStatus to include more detailed information when readiness and liveness probes fail. #4646 (@caseydavenport)

  • Bump bundled Envoy Gateway to v1.7.0. Kubernetes version floor raised to v1.32. #4637 (@pasanw)

  • Give Policy Recommendation Controller the necessary RBAC to recommend policies for HostEndpoints. #4594 (@xiumozhan)

  • Fix calico-apiserver RBAC to allow queryserver's authorization review to access tiers, uisettingsgroups, and managedclusters via the aggregated API. #4568 (@tianfeng92)

  • Istio support is now available for Calico (OSS) installations. Previously, the Istio controller was restricted to Calico Enterprise only. With this change, OSS users can leverage the operator to manage Istio ambient mesh components (istiod, CNI, and ztunnel) alongside their Calico installation. #4536 (@radixo)

  • Add validation for logstorage node count and replicas setting. #4529 (@tianfeng92)

  • Allow Calico nodes to create and update BGPConfiguration resources. #4520 (@mazdakn)

  • Fix pod creation failures during manifest-to-operator migration caused by the calico-cni-plugin ClusterRoleBinding losing its kube-system subject before all nodes are migrated. #4514 (@caseydavenport)

  • Config option to control whether BIRD or Felix manages intra-cluster routing. #4511 (@mazdakn)

  • Set correct CA_TRUSTED_NODE_ACCOUNTS namespace on OpenShift #4510 (@electricjesus)

  • Fix calico-apiserver TLS errors on upgrade to v3.31 for long-lived clusters. The operator now correctly reissues certificates with updated SANs when the apiserver namespace changes, instead of treating legacy operator-signed certs as user-provided. #4493 (@caseydavenport)

  • Operator now disables log forwarding and metrics scraping on enterprise license expiry while keeping the dataplane running, and reports license status in TigeraStatus. #4482 (@hjiawei)

  • Surface certificate metadata (issuer, expiry, DNS SANs, IP SANs) as annotations and add filtering labels (secret-type, signer) on TLS secrets produced by Secret() and CreateSelfSignedSecret(). #4479 (@rene-dekker)

  • Display the Degraded condition's message when running kubectl get tigerastatus, making it easier to see error details at a glance without needing to describe the resource. #4479 (@rene-dekker)

  • Users can now override the resources and/or limits on the calico-dashboard-api container in the manager deployment. #4478 (@rene-dekker)

  • Split kubernetes-services-endpoint configmap into KUBERNETES_SERVICE_HOST/PORT for host-networked pods (previous behaviour) and KUBERNETES_SERVICE_HOST_POD_NETWORK and KUBERNETES_SERVICE_PORT_POD_NETWORK for pod-networked pods. #4474 (@coutinhop)

  • Fix Istio GKE platform detection: set platform=gke on istiod and ztunnel Helm charts in addition to the CNI chart, enabling the ztunnel ResourceQuota and PLATFORM=gke environment variable on istiod. #4463 (@electricjesus)

  • Use backwards-compatible schema configuration for Prometheus endpoints on OpenShift. #4454 (@rene-dekker)

  • ECK certificates are now rotated 30d before expiry just like all certificates that are managed by this operator. #4453 (@rene-dekker)

  • The Tier allow-tigera has been renamed to calico-system. If your Calico installation does not use the Tigera Operator, or if you have created custom Network Policies within this Tier, you must manually update your resources to reference the new Tier name. Please review and adjust any affected policies to ensure continued correct behavior. #4438 (@radixo)

  • Dropped support for non-privileged mode and deprecated the Installation.spec.nonPrivileged field. The Operator ignores this setting and will mark Calico as Degraded if it is set to Enabled. #4433 (@lucastigera)

  • Fixed rendering resource limits and requests for Egress Gateway. #4427 (@sridhartigera)

  • Register NetworkAttachmentDefinition type in operator scheme for Istio OpenShift support. #4408 (@electricjesus)

  • Bump Go to 1.25.7 #4403 (@alexh-tigera)

  • Fix Istio service mesh components (istio-cni, istiod, ztunnel) failing on OpenShift due to missing platform detection. The operator now sets platform=openshift on all embedded Istio Helm charts, activating correct CNI binary paths (/var/lib/cni/bin), Multus provider configuration, SCC RBAC rules, SELinux contexts, and trusted ztunnel namespace settings. #4402 (@electricjesus)

  • Auto-detect kube-proxy nftables/iptables mode. #4389 (@caseydavenport)

  • Fix an issue where the operator would remove other controllers' finalizers from objects it creates. #4381 (@caseydavenport)

  • Prometheus Operator is updated from v0.84.0 to v0.88.0. #4379 (@hjiawei)

  • Prometheus is updated from v3.4.1 to v3.9.1. #4379 (@hjiawei)

  • Prometheus Alertmanager is updated from v0.28.0 to v0.30.1. #4379 (@hjiawei)

  • Updated Elasticsearch NodeSet name generation to prevent unnecessary recreations of the Elasticsearch StatefulSet. #4378 (@pasanw)

  • Added a required permission for setting up watches in the calico-apiserver on OCP 4.20 #4372 (@rene-dekker)

  • Elasticsearch and Kibana are updated to v8.19.10. #4367 (@hjiawei)

  • Updated the Tigera Operator runtime base image to UBI 9. #4365 (@hjiawei)

  • Fixed an issue caused by manager_controller and apiserver_controller both writing the calico-management-cluster-connection secret to calico-system causing constant reconciliations. #4358 (@rene-dekker)

  • Add rule to allow-tigera to allow traffic from intrusion detection controller to voltron #4350 (@xiumozhan)

  • Update CRDs #4344 (@Josh-L)

  • Added LINSEED_URL environment variable to tigera-dpi daemonset to fix an issue with forwarding alerts from a managed cluster running DPI to the management cluster. #4330 (@Josh-L)

  • Fix a stack trace in the kibana logs as a result of timeouts from fleet. #4328 (@rene-dekker)

  • Set recommended labels as per https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/ #4327 (@rene-dekker)

  • Fixed an issue where Guardian was missing the certificate of the Calico API server from its CA bundle. This issue only impacted clusters that were created using an older version of the Operator that did not use a centralized signer. #4314 (@pasanw)
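Moving custom policies off the renamed allow-tigera tier (#4438 above) cannot be done with an in-place edit, because a Calico policy in tier T must be named "T.<name>" and Kubernetes object names are immutable: each policy has to be re-created under the new tier and the old object deleted. The script below is an added example, not part of these release notes or of the operator's code. It assumes the policies were exported with `kubectl get globalnetworkpolicies.projectcalico.org,networkpolicies.projectcalico.org -A -o json`; the SAMPLE_LIST document standing in for that output is constructed here, as are the policy names in it.

```python
import copy
import json

OLD_TIER = "allow-tigera"
NEW_TIER = "calico-system"

# Constructed sample standing in for the JSON List printed by:
#   kubectl get globalnetworkpolicies.projectcalico.org,networkpolicies.projectcalico.org -A -o json
# One custom policy lives in the old tier; the other is in the default tier and must be left alone.
SAMPLE_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "projectcalico.org/v3",
            "kind": "GlobalNetworkPolicy",
            "metadata": {
                "name": "allow-tigera.my-custom-policy",   # hypothetical policy name
                "resourceVersion": "12345",
                "uid": "8e1f0c1a-0000-0000-0000-000000000000",
            },
            "spec": {
                "tier": "allow-tigera",
                "order": 10,
                "selector": "app == 'myapp'",
                "types": ["Ingress"],
                "ingress": [{"action": "Allow", "protocol": "TCP"}],
            },
        },
        {
            "apiVersion": "projectcalico.org/v3",
            "kind": "NetworkPolicy",
            "metadata": {"name": "default-policy", "namespace": "myapp"},
            "spec": {"tier": "default", "selector": "all()", "types": ["Egress"]},
        },
    ],
}


def in_tier(item, tier):
    return item.get("spec", {}).get("tier") == tier


def rename_policy(item, old_tier=OLD_TIER, new_tier=NEW_TIER):
    """Return a copy of a Calico policy moved from old_tier to new_tier.

    The "<tier>." name prefix has to change together with spec.tier. A policy
    that claims the old tier but lacks the prefix is reported, not rewritten.
    """
    moved = copy.deepcopy(item)
    meta = moved["metadata"]
    prefix = old_tier + "."
    if not meta["name"].startswith(prefix):
        raise ValueError(f"{meta['name']} is in tier {old_tier} but lacks the {prefix} name prefix")
    meta["name"] = new_tier + "." + meta["name"][len(prefix):]
    moved["spec"]["tier"] = new_tier
    # Server-populated fields would make `kubectl apply` of the copy conflict or fail.
    for key in ("resourceVersion", "uid", "creationTimestamp", "managedFields", "generation"):
        meta.pop(key, None)
    return moved


def migrate(doc, old_tier=OLD_TIER, new_tier=NEW_TIER):
    """Split a kubectl List into (policies to leave alone, renamed copies to apply)."""
    keep, old = [], []
    for item in doc.get("items", []):
        (old if in_tier(item, old_tier) else keep).append(item)
    return keep, [rename_policy(p, old_tier, new_tier) for p in old]


def migration_plan(doc):
    """Build the List to apply under the new tier and the old objects to delete afterwards."""
    _, moved = migrate(doc)
    apply_list = {"apiVersion": "v1", "kind": "List", "items": moved}
    to_delete = [(i["kind"], i["metadata"].get("namespace"), i["metadata"]["name"])
                 for i in doc.get("items", []) if in_tier(i, OLD_TIER)]
    return apply_list, to_delete


if __name__ == "__main__":
    apply_list, to_delete = migration_plan(SAMPLE_LIST)
    print(json.dumps(apply_list, indent=2))
    for kind, ns, name in to_delete:
        print(f"# after verifying the new policy: kubectl delete {kind} {name}"
              + (f" -n {ns}" if ns else ""))
```

Feed the real export in place of SAMPLE_LIST, review the printed List, make sure the calico-system Tier exists (the operator creates it; a non-operator install has to create it first), apply the List, confirm the new policies are enforced, and only then delete the old-tier objects so there is no window without the policy. Policies the operator itself manages in this tier are reconciled by the operator and do not need this treatment; the script is for the custom policies the note refers to.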
