Calico Enterprise 3.22 release notes

Learn about the new features, bug fixes, and other updates in this release of Calico Enterprise.

This version of Calico Enterprise is based on Calico Open Source 3.31.

New features and enhancements

Calico Ingress Gateway is GA

Calico Ingress Gateway is now supported with general availability. Calico Ingress Gateway is an enterprise-hardened, 100% upstream distribution of Envoy Gateway. Envoy Gateway is an implementation of the Kubernetes Gateway API with several extensions that provide advanced security and traffic management features.

For more information, see About Calico Ingress Gateway.

Web application firewall for Calico Ingress Gateway

The release adds the ability to configure a web application firewall for Calico Ingress Gateway.

For more information, see Deploying WAF with an ingress gateway.

External load balancers for Calico Ingress Gateway

This release adds customization options for specifying external load balancers for Gateway resources in your cluster.

For more information, see Customize gateway deployment and features.

Istio Ambient Mode (tech preview)

Calico now provides a bundled version of Istio in ambient mode, a sidecarless architecture that delivers robust mTLS encryption and service mesh security while significantly reducing resource consumption and operational overhead. This implementation, managed by the Tigera Operator, features an enhanced zTunnel proxy that preserves original destination ports to ensure existing Calico and Kubernetes network policies continue to function seamlessly without requiring rewrites.

For more information, see Istio Ambient Mode.

HTTP header-based matching for application layer policies

This release includes support for HTTP header-based matching for application layer policies. You can now write deny and allow rules for L7 ingress traffic by matching values in HTTP headers.

For more information, see Global network policy.

Enhanced visibility for denied pre-DNAT traffic

This update delivers flow logs specifically for denied traffic by Calico pre-DNAT policies. Now, you can quickly identify and understand why certain traffic is being blocked at the earliest stage of packet processing, greatly simplifying troubleshooting and providing assurance that your pre-DNAT policies are effectively enforcing your desired access controls.

For more information, see Apply policy to forwarded traffic.

Observability tools for non-cluster hosts and VMs

You can now view traffic from connected non-cluster hosts and VMs using observability tools such as Flow Visualizer and Service Graph. This lets you observe and analyze traffic patterns for all your workloads, regardless of the platform.

For more information about these observability tools, see Network visualization.

Consolidated log forwarding for non-cluster hosts

This release includes a simpler way to forward logs from your non-cluster hosts. You can now forward these logs from your management cluster, which saves you the burden of configuring access to your data store for each external host.

For more information, see Archive logs.

External secret provider support

Calico Enterprise now supports loading credentials for external identity providers directly from a CSI Secret Store Driver, eliminating the need to store sensitive client secrets within Kubernetes. This capability is critical if you have security policies that prohibit creating Kubernetes secrets.

Instead of creating a secret, you can configure a SecretProviderClass resource that mounts fields, such as clientID and clientSecret, directly from your external vault onto the tigera-dex pod. This support is now available for OIDC, Google, and LDAP identity connectors.

For complete configuration instructions, see Configure an external identity provider.

Enhanced observability with built-in dashboards (tech preview)

Calico Enterprise now includes a comprehensive set of built-in observability dashboards, making it easier for you to quickly assess cluster activity, network health, and security posture without having to navigate to a separate Kibana instance.

You now have access to the following dashboards in the web console:

  • Cluster Health: A high-level overview of overall cluster activity.
  • Traffic Volume: A high-level view of traffic flow within your cluster.
  • Flow Logs: An overview of packet activity to help spot unusual flows.
  • DNS Logs: Summarized DNS data for performance and lookup analysis.
  • HTTP Traffic: Application performance metrics for Kubernetes services, assisting with workload health assessment.
  • Network Performance: Provides TCP metrics to help identify bottlenecks, packet loss, and performance issues.

For more information, see Dashboards.

High availability for hosts and VMs

Calico Enterprise now supports high availability mode for bare metal hosts and VMs protected by network policy.

This mode enables hosts to automatically fail over to a standby Kubernetes cluster when the primary fails, using an external load balancer to manage traffic. For this to work, you must use domain names for endpoints and synchronize network policies between the active and passive clusters. This feature is critical for maintaining continuous policy enforcement and disaster recovery.

For more information, see Configure high availability mode.

Enhancements

  • To support a minimal footprint and simplify resource management, the API server component and its associated resources have been moved from the tigera-system namespace to the calico-system namespace. In addition, in managed clusters namespaces tigera-manager, tigera-policy-recommendation and tigera-elasticsearch have been removed. Permissions that were previously bound to service accounts in those namespaces have been moved to Guardian's cluster role.

Release details

Calico Enterprise 3.22.0-1.0 (early preview)

August 6, 2025

Calico Enterprise 3.22.0-1.0 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production.

This Calico Enterprise release is based on Calico Open Source 3.30.

Known issues

eBPF deployments within MKE fail to properly configure the VXLAN tunnel device. This issue is isolated to eBPF deployments. A fix for this issue will be included in the next release.

Calico Enterprise 3.22.0-2.0 (early preview)

November 14, 2025

Calico Enterprise 3.22.0-2.0 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production.

This release adds the following features:

This Calico Enterprise release is based on Calico Open Source 3.31.

Compatibility notes

  • EKS installations using eBPF on Amazon Linux 2 nodes are not currently supported due to a kernel issue on these systems.

Enhancements

  • The UI now uses the OIDC code flow when communicating with Dex, which is more secure. This affects all external identity providers (OIDC, LDAP, OpenShift).
  • Added support for custom-signed Calico Node certificates on non-cluster hosts.
  • Added support for IPv4 fragmentation in eBPF mode.

Bug fixes

  • Breaking change: This release fixes the defaulting behaviour for Authentication.Spec.OIDC.requestedScopes such that it now includes offline_access as documented in the API. In the unlikely case that your identity provider does not support offline_access and you did not previously specify requestedScopes, you should set requestedScopes to [profile, openid, email].
  • Fixed an issue that prevented the UI from renewing session tokens when using LDAP.
  • Fixed an issue where the operator would run into access errors if it was installed in a namespace other than tigera-operator.
  • Fixed an issue where CSRs needed manual deletion if a non-cluster host's CSR was rejected by the certificate signer.
  • When IPAM runs out of address space, Calico will try to reclaim empty blocks from other nodes before giving up.
  • Fixed an issue where Linseed wrote 0 or negative values to Prometheus, leading to recoverable panics in the logs.
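A pre-upgrade check for the requestedScopes breaking change above, as an added example (not part of the release notes or of the Tigera Operator). It assumes the Authentication resource is supplied as a plain dict, such as the output of kubectl get authentication -o json, and that the new default scope list is [profile, openid, email, offline_access].

```python
"""Pre-upgrade check for the requestedScopes defaulting change in 3.22.0-2.0.

Added example, not part of the release notes or the Tigera Operator code.
Assumes the Authentication resource is a plain dict (e.g. from
`kubectl get authentication tigera-secure -o json`) and that the new
default scope list is [profile, openid, email, offline_access].
"""
import json

# Default applied when spec.oidc.requestedScopes is omitted (assumed order).
DEFAULT_SCOPES_3_22 = ["profile", "openid", "email", "offline_access"]
# Scopes to pin explicitly when the IdP cannot grant offline_access.
FALLBACK_SCOPES = ["profile", "openid", "email"]


def effective_scopes(auth):
    """Return the scopes Dex will request after the defaulting fix."""
    oidc = auth.get("spec", {}).get("oidc") or {}
    scopes = oidc.get("requestedScopes")
    return list(scopes) if scopes else list(DEFAULT_SCOPES_3_22)


def upgrade_patch(auth, idp_supports_offline_access):
    """Return a JSON merge patch body, or None if no action is needed.

    A patch is only needed when offline_access would start being requested
    *and* the identity provider does not support it.
    """
    if idp_supports_offline_access:
        return None
    if "offline_access" not in effective_scopes(auth):
        return None
    return {"spec": {"oidc": {"requestedScopes": list(FALLBACK_SCOPES)}}}


# Constructed sample: an Authentication resource that never set requestedScopes.
SAMPLE_AUTH = {
    "apiVersion": "operator.tigera.io/v1",
    "kind": "Authentication",
    "metadata": {"name": "tigera-secure"},
    "spec": {
        "managerDomain": "https://manager.example.internal:9443",  # placeholder
        "oidc": {"issuerURL": "https://idp.example.internal",  # placeholder
                 "usernameClaim": "email"},
    },
}

if __name__ == "__main__":
    patch = upgrade_patch(SAMPLE_AUTH, idp_supports_offline_access=False)
    if patch:
        print("kubectl patch authentication tigera-secure --type merge -p "
              f"'{json.dumps(patch)}'")
```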

Known issues

  • Installations on EKS using the eBPF dataplane on AmazonLinux 2023, Bottlerocket, or Flatcar are currently unsupported as these installations may fail due to a recent kernel change on these systems.

Upgrading

To update an existing installation of Calico Enterprise 3.22, see Install a patch release.

Calico Enterprise 3.22.0-3.0 (early preview)

December 23, 2025

Calico Enterprise 3.22.0-3.0 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production.

This release adds the following features:

Enhancements

  • We've improved the Service Graph for clusters that have a very high volume of flows. When a high volume of flows is detected for a time range, a new namespaced-focused experience provides quicker access to insights from the graph. We've also added more feedback into the UI to keep you informed on the progress of graph computation.
  • The namespace-focused experience will now also highlight namespaces that are estimated to take a long time to load with an orange indicator.
  • We now support installation of Calico Enterprise on MKE 4k.
  • ebpf: Added a new Felix configuration option CgroupV2Path to set a custom cgroupV2 mount path, improving compatibility with immutable OSes like Talos Linux.

Bug fixes

  • eBPF - Fixed an issue with map operations for older kernels.

Known issues

  • If you use the nftables data plane with L7 features (WAF or L7 logging) on a platform without legacy iptables support, such as OpenShift 4.20, these capabilities will fail to initialize. This occurs because some Calico images are missing the required nftables binaries and incorrectly rely on legacy iptables modules that have been removed from newer operating systems. As a workaround, ensure your host platform has legacy iptables kernel modules installed and loaded until a full fix is delivered in an upcoming patch release.
  • Kibana attempts external API calls that are blocked by network policies related to Elastic Fleet. Errors will show in the logs. There is no further impact.
  • Felix panics when WAF/L7 features are enabled with eBPF dataplane. This causes Felix to constantly restart, which can affect cluster performance. As a workaround, avoid enabling WAF/L7 functionalities with eBPF dataplane.

Upgrading

To update an existing installation of Calico Enterprise 3.22, see Install a patch release.

Calico Enterprise 3.22.1 general availability release

January 26, 2026

Calico Enterprise 3.22.1 is now available as a general availability release.

This release is supported for use in production.

Breaking changes

  • Renamed the certificate bundle in the tigera-ca-bundle configmaps from tigera-ca-bundle.crt to ca.crt. A copy of the operator signer can still be found in the original location. This only affects users who use this bundle for features that are not managed by the operator in addition to bringing your own certificates.
  • Removed the prefix "cnx-" from image names. The new image names can all be found here.
  • We are requiring kernel support for the x86-64 v3 architecture in this release as we are beginning to migrate to UBI10.

Bug fixes

  • Fixed an issue causing a panic in Felix when WAF/L7 features are enabled with eBPF dataplane.
  • Fixed an issue preventing WAF/L7 features from working on hosts without legacy iptables support, such as OpenShift 4.20.
  • Fixed an issue where Kibana was making connections to public endpoints.
  • Added an egress rule to allow traffic from intrusion detection controller to the tigera-manager deployment. This fixed an issue where traffic would be blocked if the user applies a default deny policy to the namespace.
  • Fixed an issue where Guardian was missing the certificate of the Calico API server from its CA bundle. This issue only impacted clusters that were created using an older version of the Operator that did not use a centralized signer. (Calico Enterprise v3.12 and older.)
  • Fixed an issue that caused local workloads with borrowed IPs to lose connectivity when using the eBPF dataplane.
  • Fixed an issue where the VXLAN overlay VNI is always 0 on the eBPF dataplane. calico 10625
  • Fixed an issue where fragmented UDP packets were incorrectly handled, leading to denied flows.
  • Security updates.

Known issues

  • Pod restart may be required after initial deployment with Istio Ambient Mode.

    When using Calico eBPF dataplane with Istio ambient mode, pods created before ztunnel/istiod are fully ready may experience HBONE tunnel routing failures. Affected pods show connection resets (curl error 56) or TLS handshake failures when communicating with other ambient-enrolled pods.

    Symptoms:

    • curl: (56) Recv failure: Connection reset by peer between ambient pods
    • ztunnel logs showing received corrupt message of type InvalidContentType
    • Traffic works from non-ambient pods and via localhost

    Workaround: Restart affected deployments after enabling ambient mode:

    kubectl rollout restart deployment -n <namespace>

    Root Cause: Pods created during initial ambient mode setup may have stale ztunnel INPOD socket state, causing HBONE traffic to route to the application port instead of the ztunnel HBONE listener (port 15008).

  • There is a bug in which the image pull secret is not propagated to the target namespace when deploying Istio Ambient Mode. Affects only users using a private registry.

  • IPv4 addresses are not currently accepted as valid values for KUBERNETES_SERVICE_HOST - please use a hostname instead. This issue will be resolved in the next patch release.
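A triage helper for the Istio Ambient Mode known issue above, as an added example (not Calico or Istio code): it finds namespaces whose ambient-enrolled pods were created before ztunnel became Ready, which are the candidates for the kubectl rollout restart workaround. It assumes objects shaped like kubectl get ... -o json items and that ambient enrolment is the Istio namespace label istio.io/dataplane-mode=ambient.

```python
"""Triage helper for the Istio Ambient Mode known issue (pods created before
ztunnel was Ready). Added example, not Calico or Istio code. Assumes objects
shaped like `kubectl get ... -o json` items and that ambient enrolment is the
Istio namespace label istio.io/dataplane-mode=ambient."""
from datetime import datetime, timezone

AMBIENT_LABEL = "istio.io/dataplane-mode"  # assumed Istio enrolment label


def _ts(value):
    """Parse the RFC 3339 UTC timestamps Kubernetes emits."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ztunnel_ready_at(ztunnel_pods):
    """Latest time a ztunnel pod became Ready; None if any is not Ready yet."""
    times = []
    for pod in ztunnel_pods:
        ready = [c for c in pod["status"].get("conditions", [])
                 if c["type"] == "Ready" and c["status"] == "True"]
        if not ready:
            return None
        times.append(_ts(ready[0]["lastTransitionTime"]))
    return max(times) if times else None


def namespaces_to_restart(namespaces, pods, ztunnel_pods):
    """Namespaces with ambient-enrolled pods that predate ztunnel readiness."""
    ready_at = ztunnel_ready_at(ztunnel_pods)
    if ready_at is None:
        return set()
    ambient = {ns["metadata"]["name"] for ns in namespaces
               if ns["metadata"].get("labels", {}).get(AMBIENT_LABEL) == "ambient"}
    return {p["metadata"]["namespace"] for p in pods
            if p["metadata"]["namespace"] in ambient
            and _ts(p["metadata"]["creationTimestamp"]) < ready_at}


# Constructed sample objects (not captured from a real cluster).
NAMESPACES = [{"metadata": {"name": "shop", "labels": {AMBIENT_LABEL: "ambient"}}},
              {"metadata": {"name": "legacy", "labels": {}}}]
PODS = [{"metadata": {"namespace": "shop", "creationTimestamp": "2026-01-26T10:00:00Z"}},
        {"metadata": {"namespace": "shop", "creationTimestamp": "2026-01-26T10:30:00Z"}},
        {"metadata": {"namespace": "legacy", "creationTimestamp": "2026-01-26T09:00:00Z"}}]
ZTUNNEL = [{"status": {"conditions": [{"type": "Ready", "status": "True",
                                       "lastTransitionTime": "2026-01-26T10:15:00Z"}]}}]

if __name__ == "__main__":
    for ns in sorted(namespaces_to_restart(NAMESPACES, PODS, ZTUNNEL)):
        print(f"kubectl rollout restart deployment -n {ns}")
```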

Upgrading

To update an existing installation of Calico Enterprise 3.22, see Install a patch release.