Release notes


The following table shows component versioning for Calico v3.23.

To select a different version, click Releases in the top navigation bar.


Release archive with Kubernetes manifests, Docker images and binaries.

24 Jun 2022

Bug fixes

  • Fix IP address truncation when using autodetection method “k8s-internal-ip” calico #6234 (@Josh-Tigera)
  • Fix that a combination of node deletions and workload IP relocation previously could result in multiple nodes having the same CIDR. calico #6213 (@robbrockbank)
  • Fix helm upgrade instructions calico #6118 (@caseydavenport)
  • Handle errors correctly in wireguard tunnel IP setting on the node calico #6213 (@robbrockbank)
  • When there is no allocated Wireguard interface IP and host encryption is enabled the host IP is used as the device IP. This ensures source IP selection will choose the correct host IP when routing over Wireguard calico #6213 (@robbrockbank)
  • Don’t allocate wireguard device IPs for managed cloud non-calico CNI calico #6213 (@robbrockbank)

Other changes

  • Update the ipset package from 7.1 to 7.11 for ARM builds calico #6264 (@ScOut3R)
  • Calico now uses the TokenRequest API to generate and refresh a token for the CNI plugin. This ensures that the token remains valid even when the calico-node daemonset is restarted. (@ScheererJ) calico #6218 (@caseydavenport)
  • Updating a couple of dependencies for Calico 3.23 (including, spf13/viper, spf13/cobra and etcd related dependencies). Updating the dependencies would also help us with our CVE scan process. calico #6164 (@Behnam-Shobiri)
eBPF dataplane
  • eBPF: Move mount of BPFfs and cgroupv2 to a dedicated init container with elevated privileges; enter the root cgroup namespace to mount cgroupv2 in order to allow the CTLB to be installed system-wide. Reduce the mount privileges of the main calico-node container. calico #6240 (@mazdakn)
Component Version
calico/typha v3.23.2
calico/ctl v3.23.2
calico/node v3.23.2
calico/cni v3.23.2
calico/apiserver v3.23.2
calico/kube-controllers v3.23.2
calico/flannel-migration-controller v3.23.2
calico/windows v3.23.2
networking-calico v3.23.2 v0.15.1
calico/dikastes v3.23.2
calico/pod2daemon-flexvol v3.23.2
calico/csi v3.23.2


Release archive with Kubernetes manifests, Docker images and binaries.

17 May 2022

Bug fixes

  • Fix migration race conditions when upgrading from canal to Calico calico #6095 (@caseydavenport)
  • Fix helm chart handling of image pull secrets calico #6093 (@caseydavenport)
  • Skip ipv6 vxlan route update with wireguard manager calico #6081 (@song-jiang)
  • Fix bug where Calico would not recover after listing from a too old resource version calico #6079 (@caseydavenport)
Component Version
calico/typha v3.23.1
calico/ctl v3.23.1
calico/node v3.23.1
calico/cni v3.23.1
calico/apiserver v3.23.1
calico/kube-controllers v3.23.1
calico/flannel-migration-controller v3.23.1
calico/windows v3.23.1
networking-calico v3.23.1 v0.15.1
calico/dikastes v3.23.1
calico/pod2daemon-flexvol v3.23.1
calico/csi v3.23.1


Release archive with Kubernetes manifests, Docker images and binaries.

09 May 2022

User action required if upgrading to v3.23.0

  • The tigera-operator helm chart now requires the user pre-create the tigera-operator namespace, or pass the --create-namespace option to helm install. Additionally, there are specific upgrade steps that MUST be performed when upgrading a helm install to Calico v3.23. Please see the helm upgrade documentation for instructions. calico #5649 (@caseydavenport)

IPv6 VXLAN support

Calico now supports VXLAN encapsulation for IPv6 networks.

Pull Requests:

  • Add IPv6 VXLAN support calico #5988 (@coutinhop)
  • Add IPv6 VXLAN route calculation support to Felix calico #5919 (@coutinhop)
  • Allocate IPv6 VXLAN tunnel addresses calico #5893 (@coutinhop)

VPP dataplane beta

The Calico VPP dataplane integration has reached beta status! Over the last few releases, the VPP team has made great strides in increasing stability, performance and feature compatibility.

Calico networking support in AKS

You can now use Calico networking in your AKS clusters to take advantage of all of the Calico networking features. To try it out, follow the Calico on AKS installation instructions. To learn more about using your own network plugin in AKS, see the AKS documentation.

Pull Requests:

  • Updated Calico doc for AKS bring Your Own CNI. calico #5857 (@song-jiang)

BGP enhancements

We have added configuration options for turning off loop prevention so that any Calico nodes in separate clusters or sites can exchange routes even if they share the same AS. To cut down on graceful restart race conditions, we have also added the ability to configure the max restart time and BGP password for full mesh BGP configurations. If you are using specific global BGP peers instead of a full mesh, we have added logic to detect when the peer is another Calico instance and add in the passive configuration appropriately to further cut down on graceful restart race conditions.

Pull Requests:

  • Add BGP configuration options for turning off BGP loop prevention for eBGP peers. calico #5736 (@mgleung)
  • Add passive configuration for global BGP peers calico #5625 (@mgleung)
  • Add maxRestartTime and BGP password fields to BGP configurations for full mesh configurations. calico #5609 (@mgleung)

Container Storage Interface (CSI) support

Following the Kubernetes move from FlexVolumes, Calico now has its own CSI driver. Features that used to depend on FlexVolumes have been migrated to instead use CSI. To upgrade to use the CSI driver, follow the feature’s installation instructions again (e.g. application layer policy installation instructions).

Pull Requests:

  • Replace the use of the flexvolume driver with a CSI driver calico #5863 (@mgleung)

Windows HostProcess Containers Support (Tech Preview)

You can now install Calico on Windows using HostProcess containers. With HostProcess containers, you can manage your Calico installation using Kubernetes resources, such as DaemonSets and ConfigMaps. To try it for yourself, follow the Calico for Windows installation instructions.

Pull Requests:

  • Add tech-preview support for Calico for Windows using HostProcess containers calico #5864 (@lmm)

Bug fixes

  • Fix race condition in BIRD that could potentially cause missed config updates bird #101 (@pluzun)
  • Fix a bug where the check for treating the 240/4 CIDR like RFC 1918 ranges caught the broadcast address bird #100 (@gmavrikas)
  • Handle bootstrapping of Wireguard to ensure felix is able to connect to typha. This fixes a bug that is present when HostEncryptionEnabled is set to true (which is required for using wireguard with AKS). Previously, when nodes shared their wireguard public keys, depending on the order they keys were shared, it was possible to end up with asymmetric node-to- node routing. Packets will be dropped between impacted nodes. If the typha nodes are impacted then it is possible for other nodes to be effectively locked out from connecting to typha and the routing issue will persist. This will be apparent through persistent readiness checks failing on the node. calico #5869 (@robbrockbank)
  • IPAM block GC now respects the leak grace period instead of immediately deleting blocks. calico #5812 (@caseydavenport)
  • Fix potential panic in CNI plugin due to conflicting host routes calico #5780 (@luobily)
  • Calico’s install-cni command now fails in case the directory is not writeable. calico #5806 (@turekt)
  • Rework Felix’s interface monitoring logic. Fixes a couple of bugs where interface state changes wouldn’t be noticed: kube-proxy being switched ti IPVS mode could go unnoticed; BPF mode would sometimes fail to clean up status tracking files when an interface was removed. calico #5776 (@fasaxc)
  • Fix that Felix logs would sometimes record for the filename of some logs. [calico #5726]( (@fasaxc)
  • Prevent IPAM GC when datastore is locked calico #5676 (@Icarus9913)
  • Fix that Typha would periodically disconnect clients in clusters with more than 100 nodes per Typha due to miscalculating the expected number of connections. calico #5662 (@fasaxc)
  • Fix a typecast bug preventing the parsing of route table ranges. calico #5652 (@mikestephen)
  • Fix bug that prevented endpoint ipsets from being updated if the labels were empty values. calico #5624 (@lmm)
  • IPAM garbage collector properly releases IP addresses whose handles have been deleted calico #5613 (@caseydavenport)
  • Add backoff to Kubernetes watch loops to avoid tight looping in certain failure scenarios. calico #5562 (@fasaxc)
  • Fix dynamic build of pod2daemon which resulted in cryptic “no such file or directory” errors calico #5515 (@caseydavenport)
  • Fix garbage collection of empty blocks during flannel migration calico #5459 (@squ94wk)
  • Fix a bug causing deadlocking in host encryption enabled clusters using wireguard when nodes are restarted. calico #5280 (@aaaaaaaalex)
eBPF dataplane
  • ebpf: Fixes issue with IPIP tunnels on kernels 5.14+ and RH kernels 4.18.0-330.el8+ as the tunnel device started behaving as a proper L3 device. calico #5846 (@mazdakn)
  • epbf: Fixed in bug in ICMP connection tracking calico #5792 (@tomastigera)
  • ebpf: Fixed reusing stale conntrack TCP entries. calico #5804 (@tomastigera)
  • ebpf: Fix that policy would see as the post-nat destination for SYN packets that had a conntrack hit. calico #5768 (@tomastigera)
  • ebpf: Fixed unconnected udp affinity - avoids be selection for each packet. calico #5617 (@tomastigera)
  • Fix Calico for Windows install script not enabling WinDSR on EKS calico #5903 (@lmm)
  • Fix invalid parameter to prevented DSR enablement from being passed to kube-proxy in Windows. calico #5710 (@lmm)
  • Fix windows kube-proxy config incompatible with k8s 1.23 calico #5653 (@lmm)

Other changes

  • Operator monitors BGP configuration resource to trigger rolling updates as needed calico #6017 (@caseydavenport)
  • go version update to 1.17.9 calico #6002 (@doublek)
  • Attach SHA256SUMS as part of release, including checksums for all release artifacts. calico #5964 (@caseydavenport)
  • Update to CNI plugins v1.1.1 calico #5944 (@caseydavenport)
  • Helm chart allows configuration of tigera-operator resource requirements. calico #5934 (@sriramy)
  • Add defensive checks to CNI plugin installer to improve reliability. calico #5905 (@caseydavenport)
  • Increase Typha’s “max fall behind” timeout to 300s. This means that Typha will keep up to 300s of history if needed instead of 90s (thus increasing RAM usage if clients are falling a bit behind) but it reduces the chance of disconnecting a client spuriously in a very large cluster. calico #5885 (@fasaxc)
  • Add Felix configuration option for programming floating IPs. calico #5861 (@caseydavenport)
  • Produce both static and dynamic builds of the Calico CNI plugin, fixes compatibility with systems that do not include glibc. calico #5826 (@caseydavenport)
  • Add Felix configuration option to disable RPF check for specific workloads. calico #5742 (@AloysAugustin)
  • Felix now supports setting the source address hint for workload routes separately for both IPv4 and IPv6 via the DeviceRouteSourceAddress and DeviceRouteSourceAddressIPv6 config params. This allows for the IP address that kubelet uses to connect to a local pod to be controlled. calico #5728 (@hanamantagoudvk)
  • New per-pool IPAM metrics added calico #5706 (@pasanw)
  • Move PodDisruptionBudget from apiVersion policy/v1beta1 to policy/v1 calico #5667 (@coutinhop)
  • Update flannel to version v0.15.1 calico #5578 (@cyclinder) calico #5640 (@caseydavenport)
  • Felix now uses the existing IP Pools to determine whether the IPIP and/or VXLAN encapsulations should be enabled. Felix now cleans up IP addresses from the tunl0 interface if IPIP is implicitly disabled. It leaves those addresses on the interface if IPIP is explicitly disabled via the default FelixConfiguration. calico #5576 (@coutinhop)
  • Calico install documentation now uses operator-based instructions by default calico #5564 (@caseydavenport)
  • Switch to centos stream8 calico #5550 (@fasaxc)
  • Kubernetes dependencies are updated from v0.21.8 to v0.21.9. calico #5493 (@ialidzhikov)
  • We have removed ancient migration code for migrating from Calico v1 format data stored in an etcd v2 datastore - i.e. from a Calico installation before v3.0. There was already nothing in Calico’s code or docs to provide a frontend/UI/CLI/whatever for using that code, and it’s exceeding unlikely that it had any remaining usefulness. calico #5488 (@neiljerram)
  • Update the ipset package from 7.1 to 7.11 calico #5485 (@song-jiang)
  • Add DataplaneWatchdogTimeout configuration parameter to Felix to allow the watchdog timeout to be increased. Prevents spurious liveness failures on heavily loaded systems or systems operating at very high pod scale. Increase default timeout to 90s (from 20s) after seeing too many issues where the liveness check failed spuriously. calico #5484 (@fasaxc)
  • Add liveness callback to routing table updates to ensure watchdog doesn’t time out when handling large numbers of updates. calico #5483 (@fasaxc)
  • Downgrade watchercache.go log to debug level to reduce log spam calico #5470 (@caseydavenport)
  • Rev up etcd to 3.5.1, k8s to v1.23.1/v0.23.1, and and to v1.0.1. calico #5466 (@Aceralon)
  • proxy_delay setting failure should not be a critical error calico #5453 (@cyclinder)
  • Deprecated config arg routeTableRange in favour of routeTableRanges. Felix can now make use of a larger set of Linux route-tables, and can be configured to avoid sensitive ranges. This implicitly drops support for very old Linux kernels (below v2.6) calico #5432 (@aaaaaaaalex)
  • Switch to protobuf for Kubernetes API calls calico #5409 (@l1b0k)
  • Added ‘readiness_gates’ config to the CNI plugin, which will make it wait for the configured endpoints to be ready before launching the pod. calico #5399 (@VivekThrivikraman-est)
  • Wireguard PersistentKeepAlive enabled by default and wireguardKeepAlive parameter added to control PersistentKeepAlive option. calico #5338 (@makhov)
  • Allow configuration of bind mode via the BGPConfiguration API calico #5279 (@hanamantagoudvk)
eBPF dataplane
  • ebpf - workloads no longer adjust pmtu when FIB fails due to mtu check - the check is not needed anymore. calico #5937 (@sridhartigera)
  • ebpf: Add feature detection and also feature detection override in bpf data plane, similar to iptables. This allows to govern whether IPIP device is L3 or not. calico #5929 (@mazdakn)
  • ebpf - strict RPF enforced on workloads fully in BPF regardless of the workloads interface settings. calico #5923 (@tomastigera)
  • ebpf: Faster forwarding on CO-RE enabled kernels 5.7+ calico #5822 (@tomastigera)
  • Felix loads CO-RE enabled bpf programs in CO-RE capable kernels. That alows us to use more recent bpf feature where available. Starts with proper testing whether a packet is GSO which should address some MTU related nodeport issues when the host is a KVM (use virtio) VM. calico #5783 (@sridhartigera)
  • ebpf: pod can connect to self when CTLB is disabled. calico #5393 (@tomastigera)
  • FELIX_BPFEnforceRPF=Disabled/Strict (Strict by default) enforces strict RPF regardless of device settings in BPF mode. calico #5342 (@tomastigera)
  • Windows install script now auto-detects networking backend via ippools calico #6015 (@lmm)
  • windows: use upstream pause image in the quickstart for nodes using Docker as their runtime calico #5997 (@lmm)
  • Add Windows DSR Loopback support calico #5523 (@jsturtevant)
Component Version
calico/typha v3.23.0
calico/ctl v3.23.0
calico/node v3.23.0
calico/cni v3.23.0
calico/apiserver v3.23.0
calico/kube-controllers v3.23.0
calico/flannel-migration-controller v3.23.0
calico/windows v3.23.0
networking-calico v3.23.0 v0.15.1
calico/dikastes v3.23.0
calico/pod2daemon-flexvol v3.23.0
calico/csi v3.23.0