11 Jun 2026
Included Calico versions
Calico version: v3.32.0
Calico Enterprise version: v3.23.0-2.0
Bug fixes
- Fixed 403 errors on custom dashboards for OIDC users. #4836 (@alexh-tigera)
- Fixed WAF HTTP filter failing open in clusters installed without the Calico API server (USE_API_SERVER=false / v3-CRDs-only mode). The filter's license check now succeeds regardless of which Calico CRD group is installed, so WAF rule processing engages as intended. #4812 (@electricjesus)
- Fixed an operator upgrade that could stall on kind clusters, looping on an unsupported "Kind" kubernetesProvider value instead of completing. #4882 (@caseydavenport)
- Fixed a 403 when creating UISettings (e.g. Service Graph layers) as a tigera-network-admin user in v3 CRD / webhooks mode. #4867 (@caseydavenport)
- Fixed an issue where Calico Enterprise compliance reports were never scheduled due to a missing RBAC permission on the calico-apiserver ClusterRole. #4863 (@caseydavenport)
- Fixed the non-cluster-host Typha deployment crashlooping on clusters where the host-network kube-apiserver endpoint is not reachable from pod-networked pods (e.g. MKE proxy.local). The pod-network endpoint from the kubernetes-service-endpoint ConfigMap is now used when set. #4842 (@caseydavenport)
- Fixed a bootstrap deadlock on fresh managed clusters that prevented calico-apiserver from starting and the Guardian tunnel from being established when the management cluster had not yet pushed the calico-apiserver linseed token. #4799 (@tianfeng92)
- Fixed a permissions error in calico-kube-controllers that prevented it from reading IPAM configuration. #4776 (@caseydavenport)
- Fixed operator reconcile failure on Kubernetes clusters that only serve the v1 (not v1beta1) MutatingAdmissionPolicy API. #4905 (@radTuti)
Other changes
- Add a named "https" port on the calico-manager Service and, when the OpenShift IDP is configured, publish a tigera-ca-public Secret in calico-system so OpenShift's Ingress→Route conversion can produce a reencrypt Route fronting the manager. #4789 (@rene-dekker)
- Grant operator-managed service accounts update permission on /status subresources for GlobalAlert, PacketCapture, and SecurityEventWebhook. #4854 (@caseydavenport)
- Bumped bundled Envoy Gateway from v1.7.2 to v1.8.0. Adds first-class ListenerSet support (enables cert-manager and external-dns integration with Gateway-API), the safe-upgrades ValidatingAdmissionPolicy for CRD version migrations, and pulls in the v1.8.0 security and bug-fix rollup.
  Note: v1.8.0 contains several upstream behavior changes (DirectResponse template interpolation, SecurityPolicy 0s timeout semantics, samplingFraction 100x correction, OIDC filter consolidation); see the Envoy Gateway v1.8.0 release notes. #4833 (@electricjesus)
- Bump bundled ECK Kibana/Elasticsearch version constant to 8.19.15. #4815 (@tianfeng92)
- Bump golang.org/x/net to v0.54.0 to keep the operator aligned with the calico-private release-calient-v3.23 dependency baseline (mitigates CVE-2026-33814 reporting and picks up subsequent x/net hardening). #4811 (@xiumozhan)