A couple of weeks ago, Tigera engineers released the new version of Calico, as part of a community effort to drive cloud security and networking even further. But before I begin diving into the details of this new release, I want to first spotlight a few of our community members who have merged their contributions to Calico Open Source for the first time.
Shout out to @agaffney for adding configurable labels and annotations to the tigera-operator deployment in Helm charts.
Shout out to @backjo for improving the Calico Windows installation script and adding support for IMDSv2 in AWS EC2 data retrieval.
Shout out to @EugenMayer for pointing out an improvement for the calicoctl binary in a Helm chart installation and @lou-lan for making it happen.
Shout out to @joskuijpers for informing the community about the outdated ipset package in the calico-node ARM64 image and @ScOut3R for updating it.
Shout out to @juanfresia for contributing changes to enable Calico to run without programming the route table, useful when integrating with other routing mechanisms.
Shout out to @muff1nman, who added Wireguard traffic to the Calico failsafe ports, allowing us to confidently apply network security policies without worrying about accidentally cutting off Wireguard communications!
Shout out to @redref for adding tolerations and node selectors to the Calico Helm chart.
Shout out to @vincent-pli for starting the conversation and @frezbo for taking care of the details so that the calico-kube-controllers pod properly respects the node-role.kubernetes.io/control-plane taint.
@ScheererJ, @cyclinder, and @yussufsh are our community veterans whose continuous contribution is appreciated.
Many improvements and new features are embedded into Calico V3.24 to enhance and improve your cloud-native environment and prepare you for future releases of Kubernetes. Let’s take a look at the details of the new release now.
Pod security policies
You might be aware that pod security policies were removed in Kubernetes v1.25.
But don’t worry, we’ve got you covered! Calico v3.24 and future releases will automatically transition to Pod Security Standards, so if you are eager to upgrade your cluster to check out the latest Kubernetes features, Calico is right there to help you with security and networking.
WireGuard for IPv6
Calico WireGuard is now available for IPv6 environments. This is a huge opportunity for anyone who needs to ensure sensitive data is encrypted in their dual-stack or IPv6 cluster environment.
The great part of this integration is that, just like IPv4, you can enable it with a single command in any cluster equipped with the Calico v3.24.
kubectl patch felixconfiguration default --type merge --patch
'{"spec":{"wireguardEnabledV6": true}}'
Calico API expansions
Calico resources are created under the projectalico.org API group, and for a long time, the calicoctl application was required to allow interaction with these resources. With the introduction of the Calico API server in v3.20, we have migrated most of the calicoctl functionalities to the API server, allowing you to manage Calico resources from the kubectl.
ipamconfiguration and blockaffinity resources are now available at your disposal to query information related to cluster IPAM, such as which CIDRs have been allocated to each node by Calico, or whether or not IP borrowing is enabled.
You can use the following commands in your Calico v3.24-equipped cluster to check your cluster IPAM information:
kubectl get ipamconfiguration kubectl get blockaffinity
With these new API expansions, you can further integrate Calico into your applications and DevOps playbook practices by simply using the Kubernetes API server to gather information about your cluster networking and security status.
If you have an integration story, we would love to hear about it at our Calico community event, where you can share your journey with other Calico enthusiasts—more info at the end.
Tigera Operator enhancements
The operator is your dedicated Calico guru who upgrades, configures, manages, and maintains the state of Calico in your cluster. The operator also provides the self-healing feature for your Calico installation. With our community’s help, we extended the operator’s functionality in this release, and these are some of the notable changes.
Configurable Calico components
It is now possible to fine-tune Calico component attributes such as tolerations, labels, node selectors, etc. In a nutshell, the operator now gives you more control over Calico components deployment in an operator-based installation. Thanks to all our community users @stevehipwell, @Chili-Man, @Symbianx, @alzabo, @technotaff-nbs, @nuriel77, and @tlcowling who contributed their vision and made these changes possible.
You can now use the following keys to control every Calico core component down to its small details.
- typhaTemplate
- kubeControllersTemplate
- calicoNodeTemplate
For example, the following installation resource pre-configures the calico-is-awesome label and annotation to your calico-pods, allowing you to take your CI/CD integrations to the next step!
apiVersion: operator.www.tigera.io/v1 kind: Installation metadata: name: default spec: calicoNodeTemplate: metadata: labels: calico-is-awesome: true annotations: calico-is-awesome: true
A full list of available features can be found here.
Join our community
If you like to work on the next anticipated Calico Open Source feature, join our contributor’s Slack channel. feel free to tell us about your vision and the community will help you achieve it.
You’re also welcome to take part in our next virtual community meeting event, where we discuss the future of Calico Open Source and spotlight community members who might have made some of the favorite features you currently use in your cluster environment.
Did you know we have an ambassador program? Join Calico Big Cats today and help us grow our Calico Open Source community.
Join our mailing list
Get updates on blog posts, workshops, certification programs, new releases, and more!
