Releases: tigera/operator

v1.40.13

19 Jun 01:38
dfd61cf

18 Jun 2026

Included Calico versions

Calico version: v3.31.6
Calico Enterprise version: v3.22.6

Note

This version of Operator is being released to support Calico version v3.31.6 and has no other changes. Please see the release notes for Operator v1.40.12 for recent changes included in this release.

v1.40.12

18 Jun 17:19
a4728ad

17 Jun 2026

Included Calico versions

Calico version: v3.31.5
Calico Enterprise version: v3.22.6

Bug fixes

  • Fix RBAC error preventing operator from creating secrets in tigera-manager namespace on fresh installs with Authentication CR configured #4892 (@vara2504)
  • Fixed 403 errors on custom dashboards for OIDC users. #4856 (@alexh-tigera)
  • Fixes the non-cluster-host Typha deployment crashlooping on clusters where the host-network kube-apiserver endpoint is not reachable from pod-networked pods (e.g. MKE proxy.local). #4841 (@caseydavenport)
  • Aligned the bundled Envoy Gateway v1.7.2 helm chart / gateway api resources with the controller binary version shipping in this release. #4831 (@electricjesus)

v1.42.2

11 Jun 18:39
c5812a7

Pre-release

11 Jun 2026

Included Calico versions

Calico version: v3.32.0
Calico Enterprise version: v3.23.0-2.0

Bug fixes

  • Fixed 403 errors on custom dashboards for OIDC users. #4836 (@alexh-tigera)
  • Fixed WAF HTTP filter failing open in clusters installed without the Calico API server (USE_API_SERVER=false / v3-CRDs-only mode). The filter's license check now succeeds regardless of which Calico CRD group is installed, so WAF rule processing engages as intended. #4812 (@electricjesus)
  • Fixed an operator upgrade that could stall on kind clusters, looping on an unsupported "Kind" kubernetesProvider value instead of completing. #4882 (@caseydavenport)
  • Fixed a 403 when creating UISettings (e.g. Service Graph layers) as a tigera-network-admin user in v3 CRD / webhooks mode. #4867 (@caseydavenport)
  • Fixed an issue where Calico Enterprise compliance reports were never scheduled due to a missing RBAC permission on the calico-apiserver ClusterRole. #4863 (@caseydavenport)
  • Fixed the non-cluster-host Typha deployment crashlooping on clusters where the host-network kube-apiserver endpoint is not reachable from pod-networked pods (e.g. MKE proxy.local). The pod-network endpoint from the kubernetes-service-endpoint ConfigMap is now used when set. #4842 (@caseydavenport)
  • Fixed a bootstrap deadlock on fresh managed clusters that prevented calico-apiserver from starting and the Guardian tunnel from being established when the management cluster had not yet pushed the calico-apiserver linseed token. #4799 (@tianfeng92)
  • Fixed a permissions error in calico-kube-controllers that prevented it from reading IPAM configuration. #4776 (@caseydavenport)
  • Fixed operator reconcile failure on Kubernetes clusters that only serve the v1 (not v1beta1) MutatingAdmissionPolicy API. #4905 (@radTuti)

Other changes

  • Add a named "https" port on the calico-manager Service and, when the OpenShift IDP is configured, publish a tigera-ca-public Secret in calico-system so OpenShift's Ingress→Route conversion can produce a reencrypt Route fronting the manager. #4789 (@rene-dekker)
  • Grant operator-managed service accounts update permission on /status subresources for GlobalAlert, PacketCapture, and SecurityEventWebhook. #4854 (@caseydavenport)
  • Bumped bundled Envoy Gateway from v1.7.2 to v1.8.0. Adds first-class ListenerSet support (enables cert-manager and external-dns integration with Gateway-API), the safe-upgrades ValidatingAdmissionPolicy for CRD version migrations, and pulls in the v1.8.0 security and bug-fix rollup.
    Note: v1.8.0 contains several upstream behavior changes (DirectResponse template interpolation, SecurityPolicy 0s timeout semantics, samplingFraction 100x correction, OIDC filter consolidation) — see Envoy Gateway v1.8.0 release notes. #4833 (@electricjesus)
  • Bump bundled ECK Kibana/Elasticsearch version constant to 8.19.15. #4815 (@tianfeng92)
  • Bump golang.org/x/net to v0.54.0 to keep the operator aligned with the calico-private release-calient-v3.23 dependency baseline (mitigates CVE-2026-33814 reporting and picks up subsequent x/net hardening). #4811 (@xiumozhan)

v1.42.1

18 Jun 17:20
c0f10b7

Pre-release

05 Jun 2026

Included Calico versions

Calico version: v3.32.0
Calico Enterprise version: v3.23.0-2.0

Bug fixes

  • Fixed 403 errors on custom dashboards for OIDC users. #4836 (@alexh-tigera)
  • Fix WAF HTTP filter failing open in clusters installed without the Calico API server (USE_API_SERVER=false / v3-CRDs-only mode). The filter's license check now succeeds regardless of which Calico CRD group is installed, so WAF rule processing engages as intended. #4812 (@electricjesus)

Other changes

  • Fixes an operator upgrade that could stall on kind clusters, looping on an unsupported "Kind" kubernetesProvider value instead of completing. #4882 (@caseydavenport)
  • Fixes a 403 when creating UISettings (e.g. Service Graph layers) as a tigera-network-admin user in v3 CRD / webhooks mode. #4867 (@caseydavenport)
  • Fixes an issue where Calico Enterprise compliance reports were never scheduled due to a missing RBAC permission on the calico-apiserver ClusterRole. #4863 (@caseydavenport)
  • Grant operator-managed service accounts update permission on /status subresources for GlobalAlert, PacketCapture, and SecurityEventWebhook. #4854 (@caseydavenport)
  • Fixes the non-cluster-host Typha deployment crashlooping on clusters where the host-network kube-apiserver endpoint is not reachable from pod-networked pods (e.g. MKE proxy.local). The pod-network endpoint from the kubernetes-service-endpoint ConfigMap is now used when set. #4842 (@caseydavenport)
  • Bumped bundled Envoy Gateway from v1.7.2 to v1.8.0. Adds first-class ListenerSet support (enables cert-manager and external-dns integration with Gateway-API), the safe-upgrades ValidatingAdmissionPolicy for CRD version migrations, and pulls in the v1.8.0 security and bug-fix rollup. Note: v1.8.0 contains several upstream behavior changes (DirectResponse template interpolation, SecurityPolicy 0s timeout semantics, samplingFraction 100x correction, OIDC filter consolidation) — see https://gateway.envoyproxy.io/news/releases/notes/v1.8.0/. #4833 (@electricjesus)
  • Bump bundled ECK Kibana/Elasticsearch version constant to 8.19.15. #4815 (@tianfeng92)
  • Bump golang.org/x/net to v0.54.0 to keep the operator aligned with the calico-private release-calient-v3.23 dependency baseline (mitigates CVE-2026-33814 reporting and picks up subsequent x/net hardening). #4811 (@xiumozhan)
  • Fix a bootstrap deadlock on fresh managed clusters that prevented calico-apiserver from starting and the Guardian tunnel from being established when the management cluster had not yet pushed the calico-apiserver linseed token. #4799 (@tianfeng92)
  • Add a named "https" port on the calico-manager Service and, when the OpenShift IDP is configured, publish a tigera-ca-public Secret in calico-system so OpenShift's Ingress→Route conversion can produce a reencrypt Route fronting the manager. #4789 (@rene-dekker)
  • Fixes a permissions error in calico-kube-controllers that prevented it from reading IPAM configuration. #4776 (@caseydavenport)

v1.38.15

25 May 22:04
d40d9ef

25 May 2026

Included Calico versions

Calico version: v3.30.7
Calico Enterprise version: v3.21.8

Other changes

v1.40.11

20 May 22:35
62a53fd

20 May 2026

Included Calico versions

Calico version: v3.31.5
Calico Enterprise version: v3.22.5

Other changes

  • Bump bundled ECK Kibana/Elasticsearch version constant to 8.19.15. #4816 (@tianfeng92)
  • Add a named "https" port on the calico-manager Service and, when the OpenShift IDP is configured, publish a tigera-ca-public Secret in calico-system so OpenShift's Ingress→Route conversion can produce a reencrypt Route fronting the manager. #4790 (@rene-dekker)

v1.38.14

13 May 15:28
6750d52

12 May 2026

Included Calico versions

Calico version: v3.30.7
Calico Enterprise version: v3.21.7

Bug fixes

  • Fix Kibana crashloop when upgrading from Calico Enterprise 3.20 or earlier to 3.21. The orphan ingest_manager_settings saved object left by Fleet 7.17 is now discarded during Kibana 8.x saved-object migration. #4743 (@tianfeng92)
  • Remove logstorage validation warning message for node count exceeding replicas by 1. #4579 (@tianfeng92)

Other changes

  • Add a named "https" port on the calico-manager Service and, when the OpenShift IDP is configured, publish a tigera-ca-public Secret in the calico-system namespace so OpenShift's Ingress→Route conversion can produce a reencrypt Route fronting the manager. #4791 (@rene-dekker)

v1.40.10

06 May 00:06
aa35f08

05 May 2026

Included Calico versions

Calico version: v3.31.5
Calico Enterprise version: v3.22.4

Other changes

v1.42.0

30 Apr 21:54
d52eb95

30 Apr 2026

Included Calico versions

Calico version: v3.32.0

Bug fixes

  • Fixes configuration of Calico Windows Daemonset Requests and Limits. #4366 (@tmjd)

Other changes

  • Update bundled Istio version to 1.29.2, including CVE fixes for moby/spdystream, prometheus/prometheus, and opentelemetry-go/otel/sdk. #4733 (@radixo)

  • Update golang.org/x/* libraries to latest. #4727 (@rene-dekker)

  • Grant the tigera-noncluster-host ClusterRole create access on linseed.tigera.io/policyactivity so non-cluster host policy activity logs reach Linseed. #4726 (@xiumozhan)

  • None #4701 (@caseydavenport)

  • Operator now passes the CA certificate CommonName to Voltron via VOLTRON_CA_SIGNER_NAME, enabling configurable CA issuer identification. #4673 (@rene-dekker)

  • Always add --tunnelSecretName flag to the apiserver, so it will pick the correct secret for signing tunnel certificates. #4662 (@rene-dekker)

  • Added label selector for networkpolicies selecting coredns on Canonical Kubernetes clusters. #4652 (@rene-dekker)

  • Improve TigeraStatus to include more detailed information when readiness and liveness probes fail. #4646 (@caseydavenport)

  • Bump bundled Envoy Gateway to v1.7.0. Kubernetes version floor raised to v1.32. #4637 (@pasanw)

  • Give Policy Recommendation Controller the necessary RBAC to recommend policies for HostEndpoints. #4594 (@xiumozhan)

  • Fix calico-apiserver RBAC to allow queryserver's authorization review to access tiers, uisettingsgroups, and managedclusters via the aggregated API. #4568 (@tianfeng92)

  • Istio support is now available for Calico (OSS) installations. Previously, the Istio controller was restricted to Calico Enterprise only. With this change, OSS users can leverage the operator to manage Istio ambient mesh components (istiod, CNI, and ztunnel) alongside their Calico installation. #4536 (@radixo)

  • Add validation for logstorage node count and replicas setting. #4529 (@tianfeng92)

  • Allow Calico nodes to create and update BGPConfiguration resources. #4520 (@mazdakn)

  • Fix pod creation failures during manifest-to-operator migration caused by the calico-cni-plugin ClusterRoleBinding losing its kube-system subject before all nodes are migrated. #4514 (@caseydavenport)

  • Config option to control whether BIRD or Felix manages intra-cluster routing. #4511 (@mazdakn)

  • Set correct CA_TRUSTED_NODE_ACCOUNTS namespace on OpenShift #4510 (@electricjesus)

  • Fix calico-apiserver TLS errors on upgrade to v3.31 for long-lived clusters. #4493 (@caseydavenport)

  • The operator now correctly reissues certificates with updated SANs when the apiserver namespace changes, instead of treating legacy operator-signed certs as user-provided. #4493 (@caseydavenport)

  • Operator now disables log forwarding and metrics scraping on enterprise license expiry while keeping the dataplane running, and reports license status in TigeraStatus. #4482 (@hjiawei)

  • Surface certificate metadata (issuer, expiry, DNS SANs, IP SANs) as annotations and add filtering labels (secret-type, signer) on TLS secrets produced by Secret() and CreateSelfSignedSecret(). #4479 (@rene-dekker)

  • Display the Degraded condition's message when running kubectl get tigerastatus, making it easier to see error details at a glance without needing to describe the resource. #4479 (@rene-dekker)

  • Users can now override the resources and/or limits on the calico-dashboard-api container in the manager deployment. #4478 (@rene-dekker)

  • Split kubernetes-services-endpoint configmap into KUBERNETES_SERVICE_HOST/PORT for host-networked pods (previous behaviour) and KUBERNETES_SERVICE_HOST_POD_NETWORK and KUBERNETES_SERVICE_PORT_POD_NETWORK for pod-networked pods. #4474 (@coutinhop)

  • Fix Istio GKE platform detection: set platform=gke on istiod and ztunnel Helm charts in addition to the CNI chart, enabling the ztunnel ResourceQuota and PLATFORM=gke environment variable on istiod. #4463 (@electricjesus)

  • Use backwards compatible schema configuration for prometheus endpoints on OpenShift. #4454 (@rene-dekker)

  • ECK certificates are now rotated 30d before expiry just like all certificates that are managed by this operator. #4453 (@rene-dekker)

  • The Tier allow-tigera has been renamed to calico-system. If your Calico installation does not use the Tigera Operator, or if you have created custom Network Policies within this Tier, you must manually update your resources to reference the new Tier name. Please review and adjust any affected policies to ensure continued correct behavior. #4438 (@radixo)

  • Dropped support for the non-privileged mode and deprecated the Installation.spec.nonPrivileged field. The Operator ignores this setting and will mark Calico as Degraded if it is set to Enabled. #4433 (@lucastigera)

  • Fixed rendering resource limits and requests for Egress Gateway. #4427 (@sridhartigera)

  • Register NetworkAttachmentDefinition type in operator scheme for Istio OpenShift support. #4408 (@electricjesus)

  • Bump Go to 1.25.7 #4403 (@alexh-tigera)

  • Fix Istio service mesh components (istio-cni, istiod, ztunnel) failing on OpenShift due to missing platform detection. The operator now sets platform=openshift on all embedded Istio Helm charts, activating correct CNI binary paths (/var/lib/cni/bin), Multus provider configuration, SCC RBAC rules, SELinux contexts, and trusted ztunnel namespace settings. #4402 (@electricjesus)

  • Auto-detect kube-proxy nftables/iptables mode. #4389 (@caseydavenport)

  • Fix that operator would remove other controllers' finalizers from objects it creates. #4381 (@caseydavenport)

  • Prometheus Operator is updated from v0.84.0 to v0.88.0. #4379 (@hjiawei)

  • Prometheus is updated from v3.4.1 to v3.9.1. #4379 (@hjiawei)

  • Prometheus Alertmanager is updated from v0.28.0 to v0.30.1. #4379 (@hjiawei)

  • Updated Elasticsearch NodeSet name generation to prevent unnecessary recreations of the Elasticsearch StatefulSet. #4378 (@pasanw)

  • Added a required permission for setting up watches in the calico-apiserver on OCP 4.20 #4372 (@rene-dekker)

  • Elasticsearch and Kibana are updated to v8.19.10. #4367 (@hjiawei)

  • Updated the Tigera Operator runtime base image to UBI 9. #4365 (@hjiawei)

  • Fixed an issue caused by manager_controller and apiserver_controller both writing the calico-management-cluster-connection secret to calico-system causing constant reconciliations. #4358 (@rene-dekker)

  • Add rule to allow-tigera to allow traffic from intrusion detection controller to voltron #4350 (@xiumozhan)

  • Update CRDs #4344 (@Josh-L)

  • Added LINSEED_URL environment variable to tigera-dpi daemonset to fix an issue with forwarding alerts from a managed cluster running DPI to the management cluster. #4330 (@Josh-L)

  • Fix a stack trace in the kibana logs as a result of timeouts from fleet. #4328 (@rene-dekker)

  • Set recommended labels as per https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/ #4327 (@rene-dekker)

  • Fixed an issue where Guardian was missing the certificate of the Calico API server from its CA bundle. This issue only impacted clusters that were created using an older version of the Operator that did not use a centralized signer. #4314 (@pasanw)

v1.40.9

24 Apr 23:41
cb02c3c

24 Apr 2026

Included Calico versions

Calico version: v3.31.5
Calico Enterprise version: v3.22.3

Bug fixes

  • Fix Kibana crashloop when upgrading from Calico Enterprise 3.20 or earlier to 3.22. The orphan ingest_manager_settings saved object left by Fleet 7.17 is now discarded during Kibana 8.x saved-object migration. #4744 (@tianfeng92)

Other changes

  • Update bundled Istio version to 1.29.2, including CVE fixes for moby/spdystream, prometheus/prometheus, and opentelemetry-go/otel/sdk. #4735 (@radixo)
  • Update spdystream to v0.5.1 and golang.org/x/* libraries to latest. #4724 (@rene-dekker)