Skip to content

Calico v2.4.0

Compare
Choose a tag to compare
@caseydavenport caseydavenport released this 31 Jul 23:34
· 29884 commits to master since this release

Release notes for Calico v2.4.0

Changes to typha

  • #27: Implement health endpoints for Typha (@neiljerram)

Changes to calicoctl

  • #1687: The calicoctl version command now includes the CalicoVersion and ClusterType as retrieved from the datastore. (@tmjd)
  • #1680: Added functionality for calicoctl commands to read in multiple yaml documents specified in the same file/input and separated by ---. (@mgleung)
  • #1673: The calico/ctl container's default working directory has changed to /root (@caseydavenport)

Changes to felix

  • #1500: Improve performance of dataplane driver by reducing number of conntrack deletions. (@fasaxc)
  • #1498: Improve performance when the conntrack table contains many entries by doing conntrack deletions in the background. (@fasaxc)

Changes to cni-plugin

  • #341: The calico/cni container now supports setting SKIP_CNI_BINARIES to skip installation of certain binaries. (@abhinavdahiya)

Changes to calico

  • #964: Felix now supports a health check endpoint, and the Kubernetes self-hosted installation manifests now enable liveness and readiness probes which report Felix health. (@gunjan5)
  • #952: [beta feature] Add global and per-node BGP peer configuration and global BGP configuration support when using Kubernetes API as the Calico datastore. (@robbrockbank)
  • #924: The version of etcd included in the Calico kubeadm manifests has been revved to v3.1.10. (@caseydavenport)
  • #935: Felix now (optionally) acquires the iptables lock while manipulating iptables. This prevents
    conflicts with other applications, such as kube-proxy (as long as they also honor the lock).
    • Note: to be effective if Felix is running in a container, this feature requires the
      directory containing the iptables lock file, "/run/", to be mounted into the container. (@fasaxc)
  • #915: calico/node will now only check for conflicting Node IPs when initially getting an IP or when a change in IP is detected. This should reduce the load on the cluster when a large number of nodes are restarting. (@heschlie)
  • #910: Pre-DNAT Policy - a new flavor of Calico Policy that is enforced before any DNAT that a cluster node may do (for example kube-proxy). Pre-DNAT Policy is useful for securing the perimeter of a cluster against incoming traffic, except for pinholes that are expressed in terms of particular IP addresses and/or ports that external clients are allowed to connect in to. For more information please see http://docs.projectcalico.org/v2.4/getting-started/bare-metal/bare-metal#pre-dnat-policy. (@neiljerram)
  • #898: Calico releases now produce a release archive including Kubernetes manifests, docker images, and binaries. (@tomdee)
  • #885: Added new option that takes interface regexes to skip interfaces during ip auto detection. (@mgleung)
  • #885: Added support for specifying multiple interface regexes to attempt to match on during ip auto detection. (@mgleung)
  • #861: Ability to enable / disable outgoing NAT on the default IP Pool using an environment variable. (@VincentS)

Changes to k8s-policy

  • #105: Calico now implements the networking.k8s.io/NetworkPolicy API semantics as defined by Kubernetes when using the etcd datastore
    • Note: This represents a change in how existing Kubernetes NetworkPolicies are enforced by Calico. To maintain existing behavior when upgrading, follow these steps:
      • In Namespaces that previously did not have the “DefaultDeny” annotation, you should delete any existing NetworkPolicy objects.
      • In Namespaces that previously did have the “DefaultDeny” annotation, you can create the equivalent semantics by creating a NetworkPolicy that selects all pods but does not allow any traffic. (@caseydavenport)

Changes to libcalico-go

  • #471: Policy objects now support arbitrary key/value annotations. (@caseydavenport)
  • #470: Add new Source.Nets and Destination.Nets fields (and their negated couterparts)
    to rules, allowing multiple CIDRs to be matched in a single rule. The Source.Net
    and Destination.Net fields are now deprecated; when reading back data that
    contains a Net field, it will be converted to a single-entry Nets field. Felix (and
    Typha, if in use) should be upgraded before using the new Nets fields in a rule. (@fasaxc)