26 Jun 2026

Included Calico versions

Calico version: v3.32.1
Calico Enterprise version: v3.23.0-2.0

Bug fixes

• Fixes a regression where the Goldmane and Guardian pods were unable to reach DNS or the management cluster, which could break flow visibility (including on Calico Cloud-connected clusters). #4953 (@caseydavenport)

18 Jun 2026

Included Calico versions

Calico version: v3.31.6
Calico Enterprise version: v3.22.6

18 Jun 2026

Included Calico versions

Calico version: v3.30.7
Calico Enterprise version: v3.21.9

Other changes

• Fix RBAC error preventing operator from creating secrets in tigera-manager namespace on fresh installs with Authentication CR configured #4899 (@vara2504)

17 Jun 2026

Included Calico versions

Calico version: v3.31.5
Calico Enterprise version: v3.22.6

Bug fixes

• Fix RBAC error preventing operator from creating secrets in tigera-manager namespace on fresh installs with Authentication CR configured #4892 (@vara2504)
• Fixed 403 errors on custom dashboards for OIDC users. #4856 (@alexh-tigera)
• Fixes the non-cluster-host Typha deployment crashlooping on clusters where the host-network kube-apiserver endpoint is not reachable from pod-networked pods (e.g. MKE proxy.local). #4841 (@caseydavenport)
• Aligned the bundled Envoy Gateway v1.7.2 helm chart / gateway api resources with the controller binary version shipping in this release. #4831 (@electricjesus)

11 Jun 2026

Included Calico versions

Calico version: v3.32.0
Calico Enterprise version: v3.23.0-2.0

Bug fixes

• Fixed 403 errors on custom dashboards for OIDC users. #4836 (@alexh-tigera)
• Fixed WAF HTTP filter failing open in clusters installed without the Calico API server (USE_API_SERVER=false / v3-CRDs-only mode). The filter's license check now succeeds regardless of which Calico CRD group is installed, so WAF rule processing engages as intended. #4812 (@electricjesus)
• Fixed an operator upgrade that could stall on kind clusters, looping on an unsupported "Kind" kubernetesProvider value instead of completing. #4882 (@caseydavenport)
• Fixed a 403 when creating UISettings (e.g. Service Graph layers) as a tigera-network-admin user in v3 CRD / webhooks mode. #4867 (@caseydavenport)
• Fixed an issue where Calico Enterprise compliance reports were never scheduled due to a missing RBAC permission on the calico-apiserver ClusterRole. #4863 (@caseydavenport)
• Fixed the non-cluster-host Typha deployment crashlooping on clusters where the host-network kube-apiserver endpoint is not reachable from pod-networked pods (e.g. MKE proxy.local). The pod-network endpoint from the kubernetes-service-endpoint ConfigMap is now used when set. #4842 (@caseydavenport)
• Fixed a bootstrap deadlock on fresh managed clusters that prevented calico-apiserver from starting and the Guardian tunnel from being established when the management cluster had not yet pushed the calico-apiserver linseed token. #4799 (@tianfeng92)
• Fixed a permissions error in calico-kube-controllers that prevented it from reading IPAM configuration. #4776 (@caseydavenport)
• Fixed operator reconcile failure on Kubernetes clusters that only serve the v1 (not v1beta1) MutatingAdmissionPolicy API. #4905 (@radTuti)

Other changes

• Add a named "https" port on the calico-manager Service and, when the OpenShift IDP is configured, publish a tigera-ca-public Secret in calico-system so OpenShift's Ingress→Route conversion can produce a reencrypt Route fronting the manager. #4789 (@rene-dekker)
• Grant operator-managed service accounts update permission on /status subresources for GlobalAlert, PacketCapture, and SecurityEventWebhook. #4854 (@caseydavenport)
• Bumped bundled Envoy Gateway from v1.7.2 to v1.8.0. Adds first-class ListenerSet support (enables cert-manager and external-dns integration with Gateway-API), the safe-upgrades ValidatingAdmissionPolicy for CRD version migrations, and pulls in the v1.8.0 security and bug-fix rollup.
  Note: v1.8.0 contains several upstream behavior changes (DirectResponse template interpolation, SecurityPolicy 0s timeout semantics, samplingFraction 100x correction, OIDC filter consolidation) — see Envoy Gateway v1.8.0 release notes. #4833 (@electricjesus)
• Bump bundled ECK Kibana/Elasticsearch version constant to 8.19.15. #4815 (@tianfeng92)
• Bump golang.org/x/net to v0.54.0 to keep the operator aligned with the calico-private release-calient-v3.23 dependency baseline (mitigates CVE-2026-33814 reporting and picks up subsequent x/net hardening). #4811 (@xiumozhan)

05 Jun 2026

Included Calico versions

Calico version: v3.32.0
Calico Enterprise version: v3.23.0-2.0

Bug fixes

• Fixed 403 errors on custom dashboards for OIDC users. #4836 (@alexh-tigera)
• Fix WAF HTTP filter failing open in clusters installed without the Calico API server (USE_API_SERVER=false / v3-CRDs-only mode). The filter's license check now succeeds regardless of which Calico CRD group is installed, so WAF rule processing engages as intended. #4812 (@electricjesus)

Other changes

• Fixes an operator upgrade that could stall on kind clusters, looping on an unsupported "Kind" kubernetesProvider value instead of completing. #4882 (@caseydavenport)
• Fixes a 403 when creating UISettings (e.g. Service Graph layers) as a tigera-network-admin user in v3 CRD / webhooks mode. #4867 (@caseydavenport)
• Fixes an issue where Calico Enterprise compliance reports were never scheduled due to a missing RBAC permission on the calico-apiserver ClusterRole. #4863 (@caseydavenport)
• Grant operator-managed service accounts update permission on /status subresources for GlobalAlert, PacketCapture, and SecurityEventWebhook. #4854 (@caseydavenport)
• Fixes the non-cluster-host Typha deployment crashlooping on clusters where the host-network kube-apiserver endpoint is not reachable from pod-networked pods (e.g. MKE proxy.local). The pod-network endpoint from the kubernetes-service-endpoint ConfigMap is now used when set. #4842 (@caseydavenport)
• Bumped bundled Envoy Gateway from v1.7.2 to v1.8.0. Adds first-class ListenerSet support (enables cert-manager and external-dns integration with Gateway-API), the safe-upgrades ValidatingAdmissionPolicy for CRD version migrations, and pulls in the v1.8.0 security and bug-fix rollup. Note: v1.8.0 contains several upstream behavior changes (DirectResponse template interpolation, SecurityPolicy 0s timeout semantics, samplingFraction 100x correction, OIDC filter consolidation) — see https://gateway.envoyproxy.io/news/releases/notes/v1.8.0/. #4833 (@electricjesus)
• Bump bundled ECK Kibana/Elasticsearch version constant to 8.19.15. #4815 (@tianfeng92)
• Bump golang.org/x/net to v0.54.0 to keep the operator aligned with the calico-private release-calient-v3.23 dependency baseline (mitigates CVE-2026-33814 reporting and picks up subsequent x/net hardening). #4811 (@xiumozhan)
• Fix a bootstrap deadlock on fresh managed clusters that prevented calico-apiserver from starting and the Guardian tunnel from being established when the management cluster had not yet pushed the calico-apiserver linseed token. #4799 (@tianfeng92)
• Add a named "https" port on the calico-manager Service and, when the OpenShift IDP is configured, publish a tigera-ca-public Secret in calico-system so OpenShift's Ingress→Route conversion can produce a reencrypt Route fronting the manager. #4789 (@rene-dekker)
• Fixes a permissions error in calico-kube-controllers that prevented it from reading IPAM configuration. #4776 (@caseydavenport)

25 May 2026

Included Calico versions

Calico version: v3.30.7
Calico Enterprise version: v3.21.8

Other changes

• Sync bundled Kibana's version to 8.19.15. #4813 (@tianfeng92)

20 May 2026

Included Calico versions

Calico version: v3.31.5
Calico Enterprise version: v3.22.5

Other changes

• Bump bundled ECK Kibana/Elasticsearch version constant to 8.19.15. #4816 (@tianfeng92)
• Add a named "https" port on the calico-manager Service and, when the OpenShift IDP is configured, publish a tigera-ca-public Secret in calico-system so OpenShift's Ingress→Route conversion can produce a reencrypt Route fronting the manager. #4790 (@rene-dekker)

12 May 2026

Included Calico versions

Calico version: v3.30.7
Calico Enterprise version: v3.21.7

Bug fixes

• Fix Kibana crashloop when upgrading from Calico Enterprise 3.20 or earlier to 3.21. The orphan ingest_manager_settings saved object left by Fleet 7.17 is now discarded during Kibana 8.x saved-object migration. #4743 (@tianfeng92)
• Remove logstorage validation warning message for node count exceeding replicas by 1. #4579 (@tianfeng92)

Other changes

• Add a named "https" port on the calico-manager Service and, when the OpenShift IDP is configured, publish a tigera-ca-public Secret in the calico-system namespace so OpenShift's Ingress→Route conversion can produce a reencrypt Route fronting the manager. #4791 (@rene-dekker)

05 May 2026

Included Calico versions

Calico version: v3.31.5
Calico Enterprise version: v3.22.4

Other changes

• Remove defaulting to run as privileged #4757 (@MichalFupso)