v2.6.0

Warning: incorrect release artifacts, do not use. Please upgrade to Calico v2.6.1 instead

Release notes for Calico v2.6.0

Changes to calicoctl

• #1702: The calicoctl node diags command now returns logs when Calico is configured to log to stdout (such as in a self-hosted Kubernetes installation). (@heschlie)

Changes to libcalico-go

• #521: Calico now enforces egress rules and ipBlock selectors in Kubernetes network policies (beta features of Kubernetes 1.8). See the 1.8 and later Kubernetes documentation for more information. (@bcreane)
• #502: When converting Kubernetes network policies to Calico policies, Calico now sets the converted policies as ingress only instead of appending an egress rule that allows all traffic. This allows subsequent Kubernetes network policies to match an explicit egress rule. (@bcreane)

Changes to calico

• #1133: Calico no longer inserts a default egress allow for all pods selected by a Kubernetes NetworkPolicy. If you have created policies with calicoctl that select pods and you would like to maintain the same behavior, you must ensure that all desired egress traffic is allowed by an explicit rule before upgrading to Calico v2.6.0. (@tmjd)

  • Action may be required: Because Calico no longer programs a default egress allow rule, if you have created policies with calicoctl which have egress rules they may no longer allow the full set of desired traffic. In this scenario, you should create an egress allow policy for any pods which were previously selected by a Kubernetes NetworkPolicy and also selected by an egress policy created with calicoctl.

• #1133: Calico no longer configures deprecated tags in the profiles created for Kubernetes Namespaces. (@tmjd)

  • Action may be required: Any rules created via calicoctl which reference these tags will no longer work. If you’ve created a policy or profile rule which references the per-namespace profile tags, you will need to modify the rule to use a label instead.

• #1099: The policy controller options CONFIGURE_ETC_HOSTS and K8S_API are no longer supported. If needed, use KUBECONFIG instead. (@caseydavenport)

• #1063: A new types field in Calico policies allows you to specify explicitly whether that policy should apply to selected endpoints for ingress traffic, or egress traffic, or both. This makes it easy to apply ingress policy to certain endpoints without accidentally changing the default egress treatment for those endpoints, and vice versa. For more information please see https://docs.projectcalico.org/master/reference/calicoctl/resources/policy. (@bcreane)

Changes to cni-plugin

• #383: Calico no longer occasionally deletes the workload endpoints of running Kubernetes pods. (@caseydavenport)
• #380: The Calico CNI plugin now correctly launches Kubernetes pods with IPv6 addresses. (@gunjan5)
• #379: CNI panic no longer causes container deletion failures. (@gunjan5)
• #375: Calico now respects the nodename in the CNI configuration, if set. Previously, affinity blocks got assigned to the hostname of the node , even if a nodename was specified. (@heschlie)
  • Action may be required: If you previously included the nodename parameter in your CNI config when using etcd mode, you should remove it before upgrading to v2.6.0 as it was not properly respected in earlier versions of Calico and will be respected upon upgrade.
• #367: The install-cni container now supports a LOG_LEVEL environment variable set to info or debug. By default, the LOG_LEVEL is set to warn. (@zopanix)
• #358: Network set up of containers and pods no longer fails if the route already exists on the host. (@gunjan5)
• #356: Upgrade note: The install-cni.sh script now overwrites existing binaries by default, making upgrades easier. To modify this behavior, set the UPDATE_CNI_BINARIES environment variable to false. (@alvelcom)

Changes to kube-controllers

• #162: The calico/kube-policy-controller image has been renamed to calico/kube-controllers. While functionally the same, the name change better represents that the container includes multiple distinct Kubernetes controllers including a policy controller. (@caseydavenport)
  • Upgrade note: When upgrading to Calico v2.6 using a self-hosted manifest, the existing calico-policy-controller deployment will be configured to 0 replicas, and a new deployment called calico-kube-controllers will be installed. After upgrade, it is safe to delete the old calico-policy-controller deployment.
• #133: calico/kube-controllers (formerly named calico/kube-policy-controller) has been ported to golang. (@caseydavenport)