
Release 2.4.0 #981

Merged
merged 4 commits into from
Jul 31, 2017

@caseydavenport caseydavenport commented Jul 31, 2017

Description

Calico v2.4.0

Todos

  • Tests
  • Documentation
  • Release note

Proposed Release notes for Calico v2.4.0

Changes to typha

  • #27: Implement health endpoints for Typha (@neiljerram)

Changes to calicoctl

  • #1687: The calicoctl version command now includes the CalicoVersion and ClusterType as retrieved from the datastore. (@tmjd)
  • #1680: Added functionality for calicoctl commands to read in multiple yaml documents specified in the same file/input and separated by ---. (@mgleung)
  • #1673: The calico/ctl container's default working directory has changed to /root (@caseydavenport)

Changes to felix

  • #1500: Improve performance of dataplane driver by reducing number of conntrack deletions. (@fasaxc)
  • #1498: Improve performance when the conntrack table contains many entries by doing conntrack deletions in the background. (@fasaxc)

Changes to cni-plugin

  • #341: The calico/cni container now supports setting SKIP_CNI_BINARIES to skip installation of certain binaries. (@abhinavdahiya)

Changes to calico

  • #964: Felix now supports a health check endpoint, and the Kubernetes self-hosted installation manifests now enable liveness and readiness probes which report Felix health. (@gunjan5)
  • #952: [beta feature] Add global and per-node BGP peer configuration and global BGP configuration support when using Kubernetes API as the Calico datastore. (@robbrockbank)
  • #924: The version of etcd included in the Calico kubeadm manifests has been revved to v3.1.10. (@caseydavenport)
  • #935: Felix now (optionally) acquires the iptables lock while manipulating iptables. This prevents
    conflicts with other applications, such as kube-proxy (as long as they also honor the lock).
    • Note: to be effective if Felix is running in a container, this feature requires the
      directory containing the iptables lock file, "/run/", to be mounted into the container. (@fasaxc)
  • #915: calico/node will now only check for conflicting Node IPs when initially getting an IP or when a change in IP is detected. This should reduce the load on the cluster when a large number of nodes are restarting. (@heschlie)
  • #910: Pre-DNAT Policy - a new flavor of Calico Policy that is enforced before any DNAT that a cluster node may do (for example kube-proxy). Pre-DNAT Policy is useful for securing the perimeter of a cluster against incoming traffic, except for pinholes that are expressed in terms of particular IP addresses and/or ports that external clients are allowed to connect in to. For more information please see http://docs.projectcalico.org/v2.4/getting-started/bare-metal/bare-metal#pre-dnat-policy. (@neiljerram)
  • #898: Calico releases now produce a release archive including Kubernetes manifests, docker images, and binaries. (@tomdee)
  • #885: Added new option that takes interface regexes to skip interfaces during ip auto detection. (@mgleung)
  • #885: Added support for specifying multiple interface regexes to attempt to match on during ip auto detection. (@mgleung)
  • #861: Ability to enable / disable outgoing NAT on the default IP Pool using an environment variable. (@VincentS)

Changes to k8s-policy

  • #105: Calico now implements the networking.k8s.io/NetworkPolicy API semantics as defined by Kubernetes when using the etcd datastore
    • Note: This represents a change in how existing Kubernetes NetworkPolicies are enforced by Calico. To maintain existing behavior when upgrading, follow these steps:
      • In Namespaces that previously did not have the “DefaultDeny” annotation, you should delete any existing NetworkPolicy objects.
      • In Namespaces that previously did have the “DefaultDeny” annotation, you can create the equivalent semantics by creating a NetworkPolicy that selects all pods but does not allow any traffic. (@caseydavenport)

Changes to libcalico-go

  • #471: Policy objects now support arbitrary key/value annotations. (@caseydavenport)
  • #470: Add new Source.Nets and Destination.Nets fields (and their negated counterparts)
    to rules, allowing multiple CIDRs to be matched in a single rule. The Source.Net
    and Destination.Net fields are now deprecated; when reading back data that
    contains a Net field, it will be converted to a single-entry Nets field. Felix (and
    Typha, if in use) should be upgraded before using the new Nets fields in a rule. (@fasaxc)
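
The upgrade steps in the note under #105 above, worked through as an added example (not part of this PR or of Calico's code): it classifies each Namespace by its old “DefaultDeny” annotation and lists what to delete or create so that enforcement stays the same. The annotation key is the one used by the beta Kubernetes NetworkPolicy API and is not quoted on the page; the function names and the sample objects are constructed for illustration.

```python
import json

# Beta NetworkPolicy annotation key (Kubernetes API; the page only names "DefaultDeny").
ISOLATION_ANNOTATION = "net.beta.kubernetes.io/network-policy"

def isolation_state(namespace):
    """Classify a Namespace object as 'default-deny', 'none' or 'malformed'."""
    raw = (namespace.get("metadata", {}).get("annotations") or {}).get(ISOLATION_ANNOTATION)
    if raw is None:
        return "none"
    try:
        isolation = (json.loads(raw).get("ingress") or {}).get("isolation")
    except (ValueError, TypeError, AttributeError):
        return "malformed"  # unparseable annotation: leave the decision to a human
    if isolation == "DefaultDeny":
        return "default-deny"
    return "none" if isolation is None else "malformed"

def default_deny_policy(ns_name):
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "default-deny", "namespace": ns_name},
            "spec": {"podSelector": {}}}  # selects all pods, allows no traffic

def migration_plan(namespaces, policies):
    """Return (action, namespace, detail) tuples that preserve pre-upgrade behaviour."""
    plan = []
    for ns in namespaces:
        name = ns["metadata"]["name"]
        state = isolation_state(ns)
        if state == "default-deny":
            plan.append(("create", name, default_deny_policy(name)))
        elif state == "none":
            plan.extend(("delete", name, p["metadata"]["name"]) for p in policies
                        if p["metadata"].get("namespace") == name)
        else:
            plan.append(("review", name, state))
    return plan

# Constructed sample objects, trimmed to the fields the plan reads.
NAMESPACES = [
    {"metadata": {"name": "frontend", "annotations": {
        ISOLATION_ANNOTATION: '{"ingress": {"isolation": "DefaultDeny"}}'}}},
    {"metadata": {"name": "batch"}},
    {"metadata": {"name": "legacy", "annotations": {ISOLATION_ANNOTATION: "DefaultDeny"}}},
]
POLICIES = [{"metadata": {"name": "allow-web", "namespace": "frontend"}},
            {"metadata": {"name": "allow-queue", "namespace": "batch"}}]

if __name__ == "__main__":
    print(json.dumps(migration_plan(NAMESPACES, POLICIES), indent=2))
```

Existing policies in a namespace that had the annotation are left in place, since they keep acting as allow rules on top of the new default-deny policy.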

@caseydavenport caseydavenport requested review from ozdanborne and robbrockbank and removed request for ozdanborne July 31, 2017 21:52
@@ -711,12 +711,55 @@ v2.1:

v2.4:

Don't we usually move the latest version to the top of this file?

@robbrockbank robbrockbank left a comment

One comment about ordering but otherwise LGTM. (and needs squashing)

@caseydavenport caseydavenport merged commit db26f8b into projectcalico:master Jul 31, 2017
@caseydavenport caseydavenport deleted the release-2.4.0 branch July 31, 2017 23:32