v2.4.0-rc1: Release Candidate for testing
Pre-release
This is a release candidate for Calico v2.4.0. Below are the current work-in-progress release notes for Calico v2.4.0.
Candidate Release notes
Changes to calico
- #924: The version of etcd included in the Calico kubeadm manifests has been revved to v3.1.10. (@caseydavenport)
- #915: calico/node will now only check for conflicting Node IPs when initially getting an IP or when a change in IP is detected. This should reduce the load on the cluster when a large number of nodes are restarting. (@heschlie)
- #902: Felix now (optionally) acquires the iptables lock while manipulating iptables. This prevents conflicts with other applications, such as kube-proxy (as long as they also honor the lock).
  - Upgrade note: to be effective if Felix is running in a container, this feature requires the directory containing the iptables lock file, /run, to be mounted into the container. (@fasaxc)
- #898: Calico releases now produce a release archive including Kubernetes manifests, docker images, and binaries. (@tomdee)
- #885: Added a new option that takes interface regexes to skip interfaces during IP auto detection. (@mgleung)
- #885: Added support for specifying multiple interface regexes to attempt to match on during IP auto detection. (@mgleung)
- #861: Ability to enable / disable outgoing NAT on the default IP Pool using an environment variable. (@VincentS)
Changes to calicoctl
- #1687: The calicoctl version command now includes the CalicoVersion and ClusterType as retrieved from the datastore. (@tmjd)
- #1680: Added functionality for calicoctl commands to read in multiple YAML documents specified in the same file/input and separated by ---. (@mgleung)
- #1673: The calico/ctl container's default working directory has changed to /root. (@caseydavenport)
Changes to typha
- #27: Implement health endpoints for Typha (@neiljerram)
Changes to cni-plugin
- #341: The calico/cni container now supports setting SKIP_CNI_BINARIES to skip installation of certain binaries. (@abhinavdahiya)
Changes to libcalico-go
- #471: Policy objects now support arbitrary key/value annotations. (@caseydavenport)
- #470: Add new Source.Nets and Destination.Nets fields (and their negated counterparts) to rules, allowing multiple CIDRs to be matched in a single rule. The Source.Net and Destination.Net fields are now deprecated; when reading back data that contains a Net field, it will be converted to a single-entry Nets field. Felix (and Typha, if in use) should be upgraded before using the new Nets fields in a rule. (@fasaxc)
- #464 #468: Add BGP peer and global/node BGP peer configuration to KDD datastore driver. (@robbrockbank)
Changes to k8s-policy
- #105: Calico now implements the networking.k8s.io/NetworkPolicy API semantics as defined by Kubernetes when using the etcd datastore.
  - Note: This represents a change in how existing Kubernetes NetworkPolicies are enforced by Calico. To maintain existing behavior when upgrading, follow these steps:
    - In Namespaces that previously did not have the “DefaultDeny” annotation, you should delete any existing NetworkPolicy objects.
    - In Namespaces that previously did have the “DefaultDeny” annotation, you can create the equivalent semantics by creating a NetworkPolicy that selects all pods but does not allow any traffic. (@caseydavenport)
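The default-deny equivalent from the second upgrade step, as an added example that is not part of the original release notes. It assumes the networking.k8s.io/v1 API version; the namespace, policy names and labels are placeholders. The second document shows how an allow policy then opens one specific path on top of it.

```yaml
# Added example (not from the Calico project): default deny for one namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny            # placeholder name
  namespace: my-namespace       # placeholder: a namespace that had the DefaultDeny annotation
spec:
  podSelector: {}               # empty selector matches every pod in the namespace
  # No ingress rules are listed, so no inbound traffic is allowed to the selected pods.
---
# Constructed companion policy: policies are additive, so this one allows
# a single path while the policy above keeps everything else denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-web   # placeholder name
  namespace: my-namespace
spec:
  podSelector:
    matchLabels:
      app: web                  # constructed label
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: frontend    # constructed label
      ports:
        - protocol: TCP
          port: 80
```

Under the Kubernetes semantics, a pod becomes isolated as soon as any NetworkPolicy selects it, which is why existing policies in namespaces without the annotation change behavior after the upgrade.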
Changes to felix
- #1500: Improve performance of dataplane driver by reducing number of conntrack deletions. (@fasaxc)
- #1498: Improve performance when the conntrack table contains many entries by doing conntrack deletions in the background. (@fasaxc)
- #1491: Felix now acquires the iptables lock while manipulating iptables. This prevents conflicts with other applications, such as kube-proxy (as long as they also honor the lock).
  - Upgrade note: to be effective if Felix is running in a container, this feature requires the directory containing the iptables lock file, /run, to be mounted into the container. (@fasaxc)