We’re excited to announce Calico v3.20! Thank you to everyone who contributed to this release! For detailed release notes, please go here. Below are some highlights from the release.
Service-based egress rules
Calico NetworkPolicy and GlobalNetworkPolicy egress rules can now match a Kubernetes service by name (and namespace) in the rule's destination. Service matches can allow or deny access to in-cluster services, including services that are not backed by pods (for example, the kubernetes service in the default namespace, whose endpoints are the API server addresses). Calico learns the address and port information from the service's endpoints, so the policy keeps up with the workloads behind the service without hard-coding pod selectors, IPs or ports.
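The rule shape looks like this in a namespaced Calico NetworkPolicy. This is an added example written for this post, not a manifest from the release notes or the Calico repository; the policy name, the shop namespace and the app label are assumptions, while kube-dns in kube-system and kubernetes in default are the usual service names for cluster DNS and the API server.

```yaml
# Added example: frontend pods may reach cluster DNS and the Kubernetes API,
# and nothing else on egress. Policy name, namespace and the app label are
# assumptions; the two service names are the usual ones in a kubeadm-style
# cluster.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: frontend-egress-to-services
  namespace: shop
spec:
  selector: app == 'frontend'
  types:
  - Egress
  egress:
  # Cluster DNS is backed by pods. Calico learns the pod IPs and ports from
  # the service's endpoints, so nothing changes here when kube-dns is
  # rescheduled or scaled. Leave ports out: Calico takes them from the
  # endpoints.
  - action: Allow
    destination:
      services:
        name: kube-dns
        namespace: kube-system
  # The Kubernetes API service's endpoints are API-server host addresses,
  # not pods, so this destination cannot be written as a pod selector.
  - action: Allow
    destination:
      services:
        name: kubernetes
        namespace: default
  # No further rules: this policy has type Egress and selects the frontend
  # pods, so egress traffic not matched above is denied unless some other
  # policy allows it.
```

The security-relevant effect is that the allow list follows the service rather than a snapshot of its pod IPs: when the DNS deployment is rescheduled the policy still allows exactly the endpoints of kube-dns and nothing else, and the API server, which has no pods to select, can still be the only permitted out-of-cluster destination.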
Check out the docs for more!
Golang API
In Calico v3.19, we introduced a tech-preview API server that lets you manage Calico resources directly with kubectl. In v3.20, we build on that with a new Golang API for Calico.
Install the API server and import the Golang API module from the projectcalico/api repository to manage Calico network policies and other resources from your own applications. The repository includes a worked example, and the package is documented on the Go documentation page.
Configurable BGP graceful restart timer
If you’re using BGP in your cluster, BGP graceful restart is what keeps traffic flowing during a rolling update of Calico: when the BGP daemon on a node restarts, its peers keep forwarding on the routes that node advertised for as long as the restart time it announced, instead of withdrawing them as soon as the session drops. On large or heavily loaded clusters, updating a node can take longer than the 120 seconds (2 minutes) announced by default, because the Kubernetes control plane is slow to respond under load, and once that timer expires the peers withdraw the node's routes and traffic is disrupted. Calico v3.20 lets you configure the BGP graceful restart timer so that these clusters can upgrade cleanly.
See the maxRestartTime field in the BGPPeer resource reference.
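As an added example (not a manifest from the release notes), this BGPPeer raises the announced restart time for the nodes in one rack that peer with a top-of-rack switch. The rack label, peer IP, AS number and the chosen duration are assumptions chosen for illustration.

```yaml
# Added example: a per-rack ToR peering that announces a 10 minute graceful
# restart time instead of the 120 s default. Rack label, peer IP (an RFC 5737
# documentation address), AS number and the duration are assumptions.
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: rack1-tor
spec:
  nodeSelector: rack == 'rack1'
  peerIP: 192.0.2.1
  asNumber: 64512
  # Sent to the peer in the BGP graceful restart capability: how long the
  # peer should keep using routes learned from this node after the session
  # drops while calico-node restarts. Size it to the slowest node restart
  # you observe under load, not the average.
  maxRestartTime: 10m
```

Two caveats when picking the value. The timer only helps if the peer also supports graceful restart; it is announced by Calico's BGP daemon, not imposed on the peer. And it is a trade-off rather than a free knob: a peer holds a node's routes for the full restart time even if the node has actually failed, so a very long timer lengthens the window in which traffic is forwarded toward a dead node. The field is set per BGPPeer, so it covers explicitly configured peerings.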
BPF mode support for DoNotTrack policy for DoS prevention
Calico’s eBPF data plane has not previously supported DoNotTrack policy at all. Calico v3.20 adds tech-preview support for one subset of it, implemented with XDP: DoNotTrack ingress policy whose only effect is to deny, i.e. policy that drops selected traffic on ingress to a host endpoint before connection tracking is consulted. That is exactly the shape used to shed denial-of-service traffic from known malicious IPs as early and cheaply as possible, since XDP runs before the kernel allocates a socket buffer or conntrack entry for the packet. More general DoNotTrack support for the eBPF data plane is in progress and should arrive in a subsequent release.
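The following manifests show the deny-only DoNotTrack shape described above. They are an added example for this post, not configuration from the release notes or the Calico repository; the node name, interface, host IP, labels and the attacker prefixes are all constructed for illustration and use RFC 5737 documentation ranges.

```yaml
# Added example: drop ingress from a set of known-bad IPs before connection
# tracking, on the host interface of a node that fronts external traffic.
# Node name, interface, IP, labels and attacker prefixes are constructed.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkSet
metadata:
  name: known-dos-sources
  labels:
    threat: dos-source
spec:
  nets:
  - 198.51.100.0/24
  - 203.0.113.7/32
---
# Untracked policy applies to host endpoints, so the interface taking the
# attack traffic needs a HostEndpoint. Creating one also brings the rest of
# that host's traffic under ordinary policy, so pair it with an allow policy
# for the node's legitimate traffic (the default failsafe ports keep SSH and
# the Kubernetes control-plane ports reachable).
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: ingress-node-1-eth0
  labels:
    role: ingress-node
spec:
  node: ingress-node-1
  interfaceName: eth0
  expectedIPs:
  - 192.0.2.10
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: drop-known-dos-sources
spec:
  selector: role == 'ingress-node'
  # Evaluate before conntrack. A Deny-only doNotTrack ingress policy is the
  # subset the eBPF data plane now enforces at XDP. applyOnForward must be
  # true on any doNotTrack policy.
  doNotTrack: true
  applyOnForward: true
  order: 10
  types:
  - Ingress
  ingress:
  - action: Deny
    source:
      selector: threat == 'dos-source'
```

Keeping the untracked policy deny-only is not just what the tech preview supports; it also avoids the usual DoNotTrack pitfall. Because untracked rules bypass conntrack, an untracked Allow would need a matching rule for the return direction, whereas a pure Deny needs nothing else. Updating the GlobalNetworkSet is enough to add or remove sources, and the host endpoint's normal tracked policy continues to govern everything the XDP program does not drop.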
Did you know you can become a certified Calico operator? Learn Kubernetes networking and security fundamentals using Calico in this free, self-paced certification course.