Calico Enterprise 3.21 release notes
Learn about the new features, bug fixes, and other updates in this release of Calico Enterprise.
This version of Calico Enterprise is based on Calico Open Source 3.30.
New features and enhancements
Introducing Calico Ingress Gateway (tech-preview)
Calico Enterprise now includes the ability to deploy Calico Ingress Gateway, an enterprise-hardened, 100% upstream distribution of Envoy Gateway. Envoy Gateway is an implementation of the Kubernetes Gateway API with several extensions that provide advanced security and traffic management features.
For more information, see Configure an ingress gateway.
IPAM for load balancers
Calico Enterprise now extends its IPAM capabilities to support service LoadBalancer IP allocation, providing a centralized, automated approach to managing LoadBalancer IPs within Kubernetes clusters.
For more information, see LoadBalancer IP address management.
Support for WireGuard encryption between clusters
We added support for WireGuard encryption between federated services and endpoints in different clusters.
For more information, see Creating the cluster mesh.
Improvements to flow log reporting for staged network policies
This release introduces changes to improve how staged network policies are reported in flow logs. Previously, a flow log reported the action of staged network policy rules at the time a connection was initiated, so for long-lived connections a change to a staged policy did not affect the reported action. Now, flow logs report the action of the current staged policy rules, that is, how a new connection would interact with the staged policies as they exist now.
As part of this, we've also added more granular information about policies in the flow logs. For more information, see Flow log data types.
Security event webhooks for Alertmanager
We added support for using webhooks to post security alerts directly to Alertmanager.
For more information, see Webhooks for security event alerts.
View rule details for Web Application Firewall
You can now use the web console to view details of the default rule set used by Web Application Firewall. From the Web Application Firewall page, click the Rulesets tab to open a list of default rules.
Enhancements
- Control-plane label customization for AKS: We added support for customizing the namespace labels on AKS clusters. By default we apply a `control-plane` label to namespaces so that they are exempt from Azure Policy. If you wish to apply Azure Policy to our namespaces, you can now override this label.
- Log levels for api-server component: You can now tune the log level for the API server to better support production deployments and troubleshooting scenarios.
- Clusterrolebindings have reduced privileges: Clusterrolebindings for the `tigera-operator`, `calico-kube-controller`, and `calico-prometheus-operator` components have been changed to improve Calico Enterprise's least-privileged security model.
- Improved scaling for non-cluster hosts by having them connect to Typha, rather than the Kubernetes apiserver directly.
- Added web console support for `AdminNetworkPolicy` and `BaseAdminNetworkPolicy` tiers (view-only).
Release details
Calico Enterprise 3.21.0-1.0 (early preview)
February 11, 2025
Calico Enterprise 3.21.0-1.0 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production.
Calico Enterprise 3.21.0-2.0 (early preview)
June 3, 2025
Calico Enterprise 3.21.0-2.0 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production.
To update an existing installation of Calico Enterprise 3.21, see Install a patch release.
Calico Enterprise 3.21.1 general availability release
July 16, 2025
Calico Enterprise 3.21.1 is now available as a general availability release.
This release is supported for use in production.
Enhancements
- Added observability for forwarding decisions made by hosts. Previously, apply-on-forward or pre-DNAT policy decisions made by hosts when forwarding traffic did not result in flow logs. For more information, see host forwarded traffic.
- Added support for peak rate (and optionally min burst) configuration to bandwidth QoS controls.
- Added support for packet burst configuration to packet rate QoS controls.
- Added the NextHopMode field to BGPPeer API. NextHopMode defines the method of calculating the next hop attribute for received routes. This replaces and expands the deprecated KeepOriginalNextHop field.
- Added support for Red Hat OpenShift Service on AWS (ROSA).
Bug fixes
- Fixed an issue that prevented the Tigera Operator from detecting HTTP proxies set on the guardian container.
- Fixed security contexts for init containers when certificate management is enabled, so the certificates have the right file permissions.
- Fixed upper and lower boundaries of packet rate and number of connections QoS controls to be in line with kernel limits.
- Skip mounting cgroup in the bpffs init container when in iptables mode.
- Permissions on files in `/var/log/calico` have been lowered from `755` to `644`.
- Added delete permission to Tigera Operator for AdminNetworkPolicy and BaseAdminNetworkPolicy custom resource definitions. This is required for setting an owner reference on OpenShift.
- Fixed an issue where application layer policy would only match `TCP`, `UDP`, or `ICMP`; it now matches all protocols.
- Fixed Calico early networking to retry netlink list APIs when a call returns EINTR, and eventually use whatever data it received.
Known issues
- Flow logs generated for forwarding decisions may have their byte and packet counts erroneously reported as 0 for allowed traffic. This will be addressed in the next patch release.
To update an existing installation of Calico Enterprise 3.20, see Install a patch release.
Calico Enterprise 3.21.2 bug fix release
August 8, 2025
Enhancements
- The BGPPeer API now allows different configuration for each side of a BGP session by using the new ReversePeering field.
Bug fixes
- Fixed an issue where IPAM allocation could leak handles when many workloads are scheduled to the same node at the same time, causing timeouts by "thundering herd".
- Fixed a race between loading kubernetes services and conntrack cleanup. If conntrack cleanup ran before services were loaded, all service entries would look stale and get cleaned up.
- Fixed an issue where Felix would panic when upgrading to v3.21.1 in eBPF mode.
- Flow logs now correctly track packet and byte counts for forwarded traffic, ensuring accurate volume metrics for complete traffic visibility and analysis.
- Removed logging in Guardian of connection resets that are expected and do not indicate an operational issue.
To update an existing installation of Calico Enterprise 3.21, see Install a patch release.
Calico Enterprise 3.21.3 bug fix release
November 05, 2025
Enhancements
Service Graph Enhancements
We've improved the Service Graph for clusters that have a very high volume of flows. When a high volume of flows is detected for a time range, a new namespace-focused experience provides quicker access to insights from the graph. We've also added more feedback into the UI to keep you informed on the progress of graph computation.
Additional Enhancements
- The UI now uses the OIDC code flow when communicating with Dex, which is more secure. This affects all external identity providers (OIDC, LDAP, OpenShift).
- Added support for custom-signed Calico Node certificates on non-cluster hosts.
- Added support for IPv4 fragmentation in eBPF mode.
Bug fixes
- Breaking change: This release fixes the defaulting behaviour for `Authentication.Spec.OIDC.requestedScopes` such that it now includes `offline_access`, as documented in the API. In the unlikely case that your identity provider does not support `offline_access` and you did not previously specify `requestedScopes`, you should set `requestedScopes` to `[profile, openid, email]`.
- Fixed an issue that prevented the UI from renewing session tokens when using LDAP.
- Fixed an issue where CSRs needed manual deletion if a non-cluster host's CSR was rejected by the certificate signer.
- Fixed an issue where the operator would run into access errors if it was installed in a namespace other than `tigera-operator`.
- When IPAM runs out of address space, Calico now tries to reclaim empty blocks from other nodes before giving up.
- Linseed no longer writes 0 or negative values to Prometheus, which led to recoverable panics in the logs.
Known issues
- There is an issue affecting our Windows images, we are currently investigating it. Please work with your customer success representative for an updated ETA.
To update an existing installation of Calico Enterprise 3.21, see Install a patch release.
Calico Enterprise 3.21.4 hotfix release
November 27, 2025
Bug fixes
- eBPF data plane: Fixed loading programs on 6.12 kernels.
- Added the FelixConfiguration parameter `EgressIPHostIfacePattern`, which controls the `src_valid_mark` sysctl on egress interfaces when needed.
- Only assign service IPs for services with `LoadBalancerClass` `calico` when the load balancer controller is in `RequestedServicesOnly` mode.
- Security updates are not included in this hotfix release, but will be included in our next scheduled release.
To update an existing installation of Calico Enterprise 3.21, see Install a patch release.
Calico Enterprise 3.21.5 hotfix release
December 18, 2025
Bug fixes
- eBPF: Fixed an issue where the system was dropping fragmented packets when using a single uplink network connection.
- Fixed PATH environment variable in the calico-node Windows image.
- Security updates are not included in this hotfix release, but will be included in our next scheduled release.
To update an existing installation of Calico Enterprise 3.21, see Install a patch release.
Calico Enterprise 3.21.6 bug fix release
February 6, 2025
Bug fixes
- Fixed an issue where fragmented packets coming from a workload and leaving the node through dual uplink interfaces would have some fragments dropped when using BPF.
- Added a missing network policy rule to allow traffic from intrusion detection controller to the manager.
- Security updates.
Known issues
- Workload-level ApplicationLayer features (WAF, ALP, and L7 Logging) via sidecar injection are not supported on OpenShift (OCP) clusters in this release. This is resolved in v3.22.1.
To update an existing installation of Calico Enterprise 3.21, see Install a patch release.
Calico Enterprise 3.21.7 bug fix release
May 13, 2026
Enhancements
- Display the `Degraded` condition's message when running `kubectl get tigerastatus`, making it easier to see error details at a glance without needing to describe the resource.

  ```
  $ kubectl get tigerastatus
  NAME                  AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
  apiserver             True        False         False      4m51s   All objects available
  calico                False       False         True       106s    Pod calico-system/calico-node-tjlnv failed to pull container image for: ebpf-bootstrap
  intrusion-detection   False       False         True       11m     Error creating TLS certificate: secret tigera-operator/deep-packet-inspection-tls must specify ext key usages: ExtKeyUsageClientAuth, ExtKeyUsageServerAuth
  log-storage-access    False       False         True       11m     Pod tigera-elasticsearch/tigera-linseed-58745b7574-p6zmx has crash looping container: tigera-linseed
  manager               True        False         False      6s      All objects available; Warning: user provided certificate "manager-tls" expires in 21 days
  ...
  ```

- Surface certificate metadata (issuer, expiry, DNS SANs, IP SANs) as annotations and add filtering labels (`secret-type`, `signer`) on TLS secrets produced by `Secret()` and `CreateSelfSignedSecret()`.

  ```
  $ kubectl get secrets -n tigera-operator -l operator.tigera.io/signer \
    -o custom-columns='NAME:.metadata.name,EXPIRY:.metadata.annotations.operator\.tigera\.io/cert-expiry,SIGNER:.metadata.annotations.operator\.tigera\.io/cert-signer'
  NAME                                  EXPIRY                 SIGNER
  calico-apiserver-certs                2028-05-28T23:56:09Z   tigera-operator-signer
  calico-kube-controllers-metrics-tls   2028-05-28T23:56:09Z   tigera-operator-signer
  calico-node-prometheus-client-tls     2028-05-29T18:28:09Z   tigera-operator-signer
  ...
  ```

- Added a named "https" port on the calico-manager Service and, when the OpenShift IDP is configured, publish a `tigera-ca-public` Secret in the `calico-system` namespace so that OpenShift's Ingress→Route conversion can produce a reencrypt Route fronting the manager.
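Because the certificate metadata enhancement above makes expiry machine-readable, one check a cluster operator will want is a script that flags TLS secrets nearing expiry before `tigerastatus` starts warning about them. The following is an added example; it is not code from these release notes or from the Tigera Operator. It reads the JSON that the same `kubectl get secrets -n tigera-operator -l operator.tigera.io/signer` query returns when run with `-o json`, and it uses the `operator.tigera.io/cert-expiry` and `operator.tigera.io/cert-signer` annotation keys shown in the custom-columns query. The secret names, timestamps and the 30-day threshold in the script are constructed sample data, not values from a real cluster.

```python
"""Flag operator-managed TLS secrets that are close to expiry.

Added example; not part of the Calico Enterprise release notes or the
Tigera Operator code base. Input is the JSON that
`kubectl get secrets -n tigera-operator -l operator.tigera.io/signer -o json`
returns, and the annotation keys are the ones shown in the release notes'
custom-columns query. Secret names, timestamps and the threshold below are
constructed sample data.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

EXPIRY_ANNOTATION = "operator.tigera.io/cert-expiry"
SIGNER_ANNOTATION = "operator.tigera.io/cert-signer"

# Constructed sample of a `kubectl ... -o json` SecretList, trimmed to the fields used.
SAMPLE_SECRET_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "calico-apiserver-certs",
                      "annotations": {EXPIRY_ANNOTATION: "2028-05-28T23:56:09Z",
                                      SIGNER_ANNOTATION: "tigera-operator-signer"}}},
        {"metadata": {"name": "example-soon-expiring-tls",
                      "annotations": {EXPIRY_ANNOTATION: "2026-06-03T00:00:00Z",
                                      SIGNER_ANNOTATION: "tigera-operator-signer"}}},
        # A secret without the operator's annotations, e.g. one created by hand.
        {"metadata": {"name": "example-unannotated-tls", "annotations": {}}},
    ]
})


def parse_rfc3339_utc(value):
    """Parse the `YYYY-MM-DDTHH:MM:SSZ` form used by the annotation into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def expiring_secrets(secret_list_json, now_rfc3339, within_days):
    """Return (name, signer, days_left) for every secret that needs attention.

    A secret is reported when its cert-expiry annotation falls within
    `within_days` of `now_rfc3339`. A secret that carries no expiry annotation
    is reported with days_left=None rather than silently skipped: the operator
    does not track it, so its expiry has to be checked by hand.
    """
    now = parse_rfc3339_utc(now_rfc3339)
    deadline = now + timedelta(days=within_days)
    findings = []
    for item in json.loads(secret_list_json).get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        signer = annotations.get(SIGNER_ANNOTATION)
        expiry_text = annotations.get(EXPIRY_ANNOTATION)
        if expiry_text is None:
            findings.append((meta.get("name"), signer, None))
            continue
        expiry = parse_rfc3339_utc(expiry_text)
        if expiry <= deadline:
            findings.append((meta.get("name"), signer, (expiry - now).days))
    return findings


def main(argv):
    """Usage: python check_cert_expiry.py [secrets.json] [days]; defaults to the sample and 30 days."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            secret_list_json = fh.read()
    else:
        secret_list_json = SAMPLE_SECRET_LIST
    within_days = int(argv[2]) if len(argv) > 2 else 30
    now_text = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    for name, signer, days_left in expiring_secrets(secret_list_json, now_text, within_days):
        if days_left is None:
            print(f"{name}: no {EXPIRY_ANNOTATION} annotation; check manually")
        else:
            print(f"{name}: expires in {days_left} day(s) (signer: {signer})")


if __name__ == "__main__":
    main(sys.argv)
```

To run it against a live cluster, save the output of `kubectl get secrets -n tigera-operator -l operator.tigera.io/signer -o json` to a file and pass that file as the first argument. Reporting unannotated secrets instead of skipping them is deliberate: a TLS secret the operator did not produce (for example one supplied by hand) carries none of these annotations, and that is exactly the certificate whose expiry nobody is rotating automatically.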
Bug fixes
- Fixed Kibana crashloop when upgrading from Calico Enterprise 3.20 or earlier to 3.21. The orphan `ingest_manager_settings` saved object left by Fleet 7.17 is now discarded during Kibana 8.x saved-object migration.
- ECK certificates are now rotated 30 days before expiry, just like all certificates that are managed by our operator.
- Deprecated the `Installation.spec.nonPrivileged` field. The Operator ignores this setting and will mark Calico as Degraded if it is set to Enabled.
- Fixed the rendering of resource limits and requests for Egress Gateway.
- Added validation for the logstorage node count and replicas settings.
- Fixed flow logs so the `transit_policies` field records pass-only forward and pre-DNAT host-endpoint policies even when all tiers pass without an explicit allow or deny verdict. Applies to iptables, nftables, and BPF dataplanes.
- Fixed flow log aggregation to preserve distinct transit policy traces instead of overwriting them, ensuring accurate policy trace reporting at all aggregation levels.
- Fixed l7-admission-controller webhook returning an invalid response when a pod has the sidecar label but no feature annotations.
- Fixed an issue in the eBPF dataplane where link-local discovery packets were incorrectly dropped during strict reverse path forwarding (RPF) checks.
- Fixed eBPF dataplane not deleting stale NAT conntrack entries from userspace.
- Fixed a panic in Felix's `NetworkSet` processor on invalid CIDRs.
- Fixed the `LoadBalancer` controller to prevent a nil pointer dereference in `handleBlockUpdate`.
- Multi-NIC support: fixed the `projectcalico.org/network` label by stripping the namespace prefix added by Multus in recent versions. The prefix was not documented in our docs and, because it uses a `/` separator, it could fail validation when the CNI plugin tried to read a multi-NIC endpoint after a node reboot, causing pods to fail to come back up after the reboot.
- Security updates.
To update an existing installation of Calico Enterprise 3.21, see Install a patch release.