diff --git a/charts/calico/values.yaml b/charts/calico/values.yaml index b60c0667084..347d29910a9 100644 --- a/charts/calico/values.yaml +++ b/charts/calico/values.yaml @@ -1,5 +1,5 @@ # The Calico version to use when generating manifests. -version: master +version: v3.29.0 # Configure the images to use when generating manifests. node: diff --git a/charts/tigera-operator/values.yaml b/charts/tigera-operator/values.yaml index c71c197583a..d26c5ba95f0 100644 --- a/charts/tigera-operator/values.yaml +++ b/charts/tigera-operator/values.yaml @@ -64,11 +64,11 @@ podLabels: {} # Image and registry configuration for the tigera/operator pod. tigeraOperator: image: tigera/operator - version: master + version: v1.36.0 registry: quay.io calicoctl: image: docker.io/calico/ctl - tag: master + tag: v3.29.0 kubeletVolumePluginPath: /var/lib/kubelet diff --git a/manifests/alp/istio-inject-configmap-1.1.0.yaml b/manifests/alp/istio-inject-configmap-1.1.0.yaml index 8af8223a08f..0aabd155ebf 100644 --- a/manifests/alp/istio-inject-configmap-1.1.0.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.0.yaml @@ -178,7 +178,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.1.yaml b/manifests/alp/istio-inject-configmap-1.1.1.yaml index ef24b0fd127..8ebf85b94bc 100644 --- a/manifests/alp/istio-inject-configmap-1.1.1.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.1.yaml @@ -178,7 +178,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.10.yaml b/manifests/alp/istio-inject-configmap-1.1.10.yaml index f17ec00444f..465ccd42c23 100644 --- a/manifests/alp/istio-inject-configmap-1.1.10.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.10.yaml @@ -180,7 +180,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.11.yaml b/manifests/alp/istio-inject-configmap-1.1.11.yaml index 2fcf8c9bc29..01d99a2ef15 100644 --- a/manifests/alp/istio-inject-configmap-1.1.11.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.11.yaml @@ -180,7 +180,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.12.yaml b/manifests/alp/istio-inject-configmap-1.1.12.yaml index 9901ee97e7d..60c48efd74f 100644 --- a/manifests/alp/istio-inject-configmap-1.1.12.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.12.yaml @@ -180,7 +180,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.13.yaml b/manifests/alp/istio-inject-configmap-1.1.13.yaml index 57bf6d220e4..fc2c370dd21 100644 --- a/manifests/alp/istio-inject-configmap-1.1.13.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.13.yaml @@ -180,7 +180,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.14.yaml b/manifests/alp/istio-inject-configmap-1.1.14.yaml index 4522b8bd075..f7b79235132 100644 --- a/manifests/alp/istio-inject-configmap-1.1.14.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.14.yaml @@ -180,7 +180,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.15.yaml b/manifests/alp/istio-inject-configmap-1.1.15.yaml index 1c9b23c2c87..cafd313b29a 100644 --- a/manifests/alp/istio-inject-configmap-1.1.15.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.15.yaml @@ -180,7 +180,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.16.yaml b/manifests/alp/istio-inject-configmap-1.1.16.yaml index 19be0f7a81b..4d5d2d46932 100644 --- a/manifests/alp/istio-inject-configmap-1.1.16.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.16.yaml @@ -180,7 +180,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.17.yaml b/manifests/alp/istio-inject-configmap-1.1.17.yaml index 97b699711d3..16399bcfa53 100644 --- a/manifests/alp/istio-inject-configmap-1.1.17.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.17.yaml @@ -180,7 +180,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.2.yaml b/manifests/alp/istio-inject-configmap-1.1.2.yaml index bb80f5c1b66..ed41a4732fb 100644 --- a/manifests/alp/istio-inject-configmap-1.1.2.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.2.yaml @@ -178,7 +178,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.3.yaml b/manifests/alp/istio-inject-configmap-1.1.3.yaml index 1c9d84082fa..c4a66b03604 100644 --- a/manifests/alp/istio-inject-configmap-1.1.3.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.3.yaml @@ -180,7 +180,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.4.yaml b/manifests/alp/istio-inject-configmap-1.1.4.yaml index 9c3a09d6c5f..777b24de4f6 100644 --- a/manifests/alp/istio-inject-configmap-1.1.4.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.4.yaml @@ -180,7 +180,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.5.yaml b/manifests/alp/istio-inject-configmap-1.1.5.yaml index 57375853f4f..6c1e42d9f29 100644 --- a/manifests/alp/istio-inject-configmap-1.1.5.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.5.yaml @@ -180,7 +180,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.6.yaml b/manifests/alp/istio-inject-configmap-1.1.6.yaml index 3f0a301b97c..61bdfecb54a 100644 --- a/manifests/alp/istio-inject-configmap-1.1.6.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.6.yaml @@ -180,7 +180,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.7.yaml b/manifests/alp/istio-inject-configmap-1.1.7.yaml index c8307785bb3..d71dff8b562 100644 --- a/manifests/alp/istio-inject-configmap-1.1.7.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.7.yaml @@ -180,7 +180,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.8.yaml b/manifests/alp/istio-inject-configmap-1.1.8.yaml index 36f04687208..7321c78f013 100644 --- a/manifests/alp/istio-inject-configmap-1.1.8.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.8.yaml @@ -180,7 +180,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.1.9.yaml b/manifests/alp/istio-inject-configmap-1.1.9.yaml index 62fe25800ca..ac7dbfb7eef 100644 --- a/manifests/alp/istio-inject-configmap-1.1.9.yaml +++ b/manifests/alp/istio-inject-configmap-1.1.9.yaml @@ -180,7 +180,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.10.yaml b/manifests/alp/istio-inject-configmap-1.10.yaml index 4114e1f9bfd..4f0382cf24d 100644 --- a/manifests/alp/istio-inject-configmap-1.10.yaml +++ b/manifests/alp/istio-inject-configmap-1.10.yaml @@ -433,7 +433,7 @@ data: name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false @@ -720,7 +720,7 @@ data: name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.15.yaml b/manifests/alp/istio-inject-configmap-1.15.yaml index b2700320c11..389535de8fd 100644 --- a/manifests/alp/istio-inject-configmap-1.15.yaml +++ b/manifests/alp/istio-inject-configmap-1.15.yaml @@ -434,7 +434,7 @@ data: name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false @@ -719,7 +719,7 @@ data: name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.2.0.yaml b/manifests/alp/istio-inject-configmap-1.2.0.yaml index 5235bd14204..5c29503701c 100644 --- a/manifests/alp/istio-inject-configmap-1.2.0.yaml +++ b/manifests/alp/istio-inject-configmap-1.2.0.yaml @@ -301,7 +301,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.2.1.yaml b/manifests/alp/istio-inject-configmap-1.2.1.yaml index 5235bd14204..5c29503701c 100644 --- a/manifests/alp/istio-inject-configmap-1.2.1.yaml +++ b/manifests/alp/istio-inject-configmap-1.2.1.yaml @@ -301,7 +301,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.2.2.yaml b/manifests/alp/istio-inject-configmap-1.2.2.yaml index 5235bd14204..5c29503701c 100644 --- a/manifests/alp/istio-inject-configmap-1.2.2.yaml +++ b/manifests/alp/istio-inject-configmap-1.2.2.yaml @@ -301,7 +301,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.2.3.yaml b/manifests/alp/istio-inject-configmap-1.2.3.yaml index 5235bd14204..5c29503701c 100644 --- a/manifests/alp/istio-inject-configmap-1.2.3.yaml +++ b/manifests/alp/istio-inject-configmap-1.2.3.yaml @@ -301,7 +301,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.2.4.yaml b/manifests/alp/istio-inject-configmap-1.2.4.yaml index 5235bd14204..5c29503701c 100644 --- a/manifests/alp/istio-inject-configmap-1.2.4.yaml +++ b/manifests/alp/istio-inject-configmap-1.2.4.yaml @@ -301,7 +301,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.2.5.yaml b/manifests/alp/istio-inject-configmap-1.2.5.yaml index 5235bd14204..5c29503701c 100644 --- a/manifests/alp/istio-inject-configmap-1.2.5.yaml +++ b/manifests/alp/istio-inject-configmap-1.2.5.yaml @@ -301,7 +301,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.2.6.yaml b/manifests/alp/istio-inject-configmap-1.2.6.yaml index 5235bd14204..5c29503701c 100644 --- a/manifests/alp/istio-inject-configmap-1.2.6.yaml +++ b/manifests/alp/istio-inject-configmap-1.2.6.yaml @@ -301,7 +301,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.2.7.yaml b/manifests/alp/istio-inject-configmap-1.2.7.yaml index 5235bd14204..5c29503701c 100644 --- a/manifests/alp/istio-inject-configmap-1.2.7.yaml +++ b/manifests/alp/istio-inject-configmap-1.2.7.yaml @@ -301,7 +301,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.2.8.yaml b/manifests/alp/istio-inject-configmap-1.2.8.yaml index 5235bd14204..5c29503701c 100644 --- a/manifests/alp/istio-inject-configmap-1.2.8.yaml +++ b/manifests/alp/istio-inject-configmap-1.2.8.yaml @@ -301,7 +301,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.2.9.yaml b/manifests/alp/istio-inject-configmap-1.2.9.yaml index 5235bd14204..5c29503701c 100644 --- a/manifests/alp/istio-inject-configmap-1.2.9.yaml +++ b/manifests/alp/istio-inject-configmap-1.2.9.yaml @@ -301,7 +301,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.3.0.yaml b/manifests/alp/istio-inject-configmap-1.3.0.yaml index 20db0f920b4..6f246da202b 100644 --- a/manifests/alp/istio-inject-configmap-1.3.0.yaml +++ b/manifests/alp/istio-inject-configmap-1.3.0.yaml @@ -327,7 +327,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.3.1.yaml b/manifests/alp/istio-inject-configmap-1.3.1.yaml index e6411a07b4a..f78729a8e48 100644 --- a/manifests/alp/istio-inject-configmap-1.3.1.yaml +++ b/manifests/alp/istio-inject-configmap-1.3.1.yaml @@ -333,7 +333,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.3.2.yaml b/manifests/alp/istio-inject-configmap-1.3.2.yaml index e6411a07b4a..f78729a8e48 100644 --- a/manifests/alp/istio-inject-configmap-1.3.2.yaml +++ b/manifests/alp/istio-inject-configmap-1.3.2.yaml @@ -333,7 +333,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.3.3.yaml b/manifests/alp/istio-inject-configmap-1.3.3.yaml index e6411a07b4a..f78729a8e48 100644 --- a/manifests/alp/istio-inject-configmap-1.3.3.yaml +++ b/manifests/alp/istio-inject-configmap-1.3.3.yaml @@ -333,7 +333,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.3.4.yaml b/manifests/alp/istio-inject-configmap-1.3.4.yaml index e6411a07b4a..f78729a8e48 100644 --- a/manifests/alp/istio-inject-configmap-1.3.4.yaml +++ b/manifests/alp/istio-inject-configmap-1.3.4.yaml @@ -333,7 +333,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.3.5.yaml b/manifests/alp/istio-inject-configmap-1.3.5.yaml index e6411a07b4a..f78729a8e48 100644 --- a/manifests/alp/istio-inject-configmap-1.3.5.yaml +++ b/manifests/alp/istio-inject-configmap-1.3.5.yaml @@ -333,7 +333,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.4.0.yaml b/manifests/alp/istio-inject-configmap-1.4.0.yaml index a1c72bd783a..fe411e9a037 100644 --- a/manifests/alp/istio-inject-configmap-1.4.0.yaml +++ b/manifests/alp/istio-inject-configmap-1.4.0.yaml @@ -351,7 +351,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.4.1.yaml b/manifests/alp/istio-inject-configmap-1.4.1.yaml index a1c72bd783a..fe411e9a037 100644 --- a/manifests/alp/istio-inject-configmap-1.4.1.yaml +++ b/manifests/alp/istio-inject-configmap-1.4.1.yaml @@ -351,7 +351,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.4.2.yaml b/manifests/alp/istio-inject-configmap-1.4.2.yaml index a1c72bd783a..fe411e9a037 100644 --- a/manifests/alp/istio-inject-configmap-1.4.2.yaml +++ b/manifests/alp/istio-inject-configmap-1.4.2.yaml @@ -351,7 +351,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.6.yaml b/manifests/alp/istio-inject-configmap-1.6.yaml index 40dc8ba8405..acd9b262bdd 100644 --- a/manifests/alp/istio-inject-configmap-1.6.yaml +++ b/manifests/alp/istio-inject-configmap-1.6.yaml @@ -363,7 +363,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.7.yaml b/manifests/alp/istio-inject-configmap-1.7.yaml index 04eeb6c6ea8..f9a11228be7 100644 --- a/manifests/alp/istio-inject-configmap-1.7.yaml +++ b/manifests/alp/istio-inject-configmap-1.7.yaml @@ -369,7 +369,7 @@ data: - mountPath: /var/run/dikastes name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/alp/istio-inject-configmap-1.9.yaml b/manifests/alp/istio-inject-configmap-1.9.yaml index f6da341c625..94b71a75c1c 100644 --- a/manifests/alp/istio-inject-configmap-1.9.yaml +++ b/manifests/alp/istio-inject-configmap-1.9.yaml @@ -428,7 +428,7 @@ data: name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false @@ -714,7 +714,7 @@ data: name: dikastes-sock - name: dikastes - image: calico/dikastes:master + image: calico/dikastes:v3.29.0 args: ["server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"] securityContext: allowPrivilegeEscalation: false diff --git a/manifests/apiserver.yaml b/manifests/apiserver.yaml index 10350093271..add6a3d7997 100644 --- a/manifests/apiserver.yaml +++ b/manifests/apiserver.yaml @@ -77,7 +77,7 @@ spec: env: - name: DATASTORE_TYPE value: kubernetes - image: calico/apiserver:master + image: calico/apiserver:v3.29.0 name: calico-apiserver readinessProbe: httpGet: diff --git a/manifests/calico-bpf.yaml b/manifests/calico-bpf.yaml index 6e16733e406..8f99214af61 100644 --- a/manifests/calico-bpf.yaml +++ b/manifests/calico-bpf.yaml @@ -6112,7 +6112,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.29.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: @@ -6151,7 +6151,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.29.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -6205,7 +6205,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -6231,7 +6231,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -6468,7 +6468,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.29.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. diff --git a/manifests/calico-etcd.yaml b/manifests/calico-etcd.yaml index ea6d5976b39..33de1918e88 100644 --- a/manifests/calico-etcd.yaml +++ b/manifests/calico-etcd.yaml @@ -305,7 +305,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.29.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -351,7 +351,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -377,7 +377,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -623,7 +623,7 @@ spec: hostNetwork: true containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.29.0 imagePullPolicy: IfNotPresent env: # The location of the etcd cluster. diff --git a/manifests/calico-policy-only.yaml b/manifests/calico-policy-only.yaml index 8a5dd16a85d..6681c6dd920 100644 --- a/manifests/calico-policy-only.yaml +++ b/manifests/calico-policy-only.yaml @@ -6093,7 +6093,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.29.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -6130,7 +6130,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -6156,7 +6156,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -6350,7 +6350,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.29.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. @@ -6443,7 +6443,7 @@ spec: seccompProfile: type: RuntimeDefault containers: - - image: docker.io/calico/typha:master + - image: docker.io/calico/typha:v3.29.0 imagePullPolicy: IfNotPresent name: calico-typha ports: diff --git a/manifests/calico-typha.yaml b/manifests/calico-typha.yaml index 9daee28d80f..9d05d8d849f 100644 --- a/manifests/calico-typha.yaml +++ b/manifests/calico-typha.yaml @@ -6143,7 +6143,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.29.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: @@ -6171,7 +6171,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.29.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -6214,7 +6214,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -6240,7 +6240,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -6469,7 +6469,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.29.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. @@ -6562,7 +6562,7 @@ spec: seccompProfile: type: RuntimeDefault containers: - - image: docker.io/calico/typha:master + - image: docker.io/calico/typha:v3.29.0 imagePullPolicy: IfNotPresent name: calico-typha ports: diff --git a/manifests/calico-vxlan.yaml b/manifests/calico-vxlan.yaml index a78fd247b2c..22071e440ab 100644 --- a/manifests/calico-vxlan.yaml +++ b/manifests/calico-vxlan.yaml @@ -6107,7 +6107,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.29.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: @@ -6135,7 +6135,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.29.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -6178,7 +6178,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -6204,7 +6204,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -6425,7 +6425,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.29.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. diff --git a/manifests/calico.yaml b/manifests/calico.yaml index 4b547ab8b55..81e294d54f7 100644 --- a/manifests/calico.yaml +++ b/manifests/calico.yaml @@ -6107,7 +6107,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.29.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: @@ -6135,7 +6135,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.29.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -6178,7 +6178,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -6204,7 +6204,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -6427,7 +6427,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.29.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. diff --git a/manifests/calicoctl-etcd.yaml b/manifests/calicoctl-etcd.yaml index 23ba4a764f2..02865f018a5 100644 --- a/manifests/calicoctl-etcd.yaml +++ b/manifests/calicoctl-etcd.yaml @@ -1,7 +1,7 @@ # Calico Version master # https://projectcalico.docs.tigera.io/releases#master # This manifest includes the following component versions: -# calico/ctl:master +# calico/ctl:v3.29.0 apiVersion: v1 kind: Pod @@ -14,7 +14,7 @@ spec: hostNetwork: true containers: - name: calicoctl - image: calico/ctl:master + image: calico/ctl:v3.29.0 command: - calicoctl args: diff --git a/manifests/calicoctl.yaml b/manifests/calicoctl.yaml index cbf1bf5fa29..9782725b51b 100644 --- a/manifests/calicoctl.yaml +++ b/manifests/calicoctl.yaml @@ -1,7 +1,7 @@ # Calico Version master # https://projectcalico.docs.tigera.io/releases#master # This manifest includes the following component versions: -# calico/ctl:master +# calico/ctl:v3.29.0 apiVersion: v1 kind: ServiceAccount @@ -23,7 +23,7 @@ spec: serviceAccountName: calicoctl containers: - name: calicoctl - image: calico/ctl:master + image: calico/ctl:v3.29.0 command: - calicoctl args: diff --git a/manifests/canal-etcd.yaml b/manifests/canal-etcd.yaml index 60fd988cbe0..44d1cb5afbb 100644 --- a/manifests/canal-etcd.yaml +++ b/manifests/canal-etcd.yaml @@ -385,7 +385,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.29.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -455,7 +455,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -481,7 +481,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -783,7 +783,7 @@ spec: hostNetwork: true containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.29.0 imagePullPolicy: IfNotPresent env: # The location of the etcd cluster. diff --git a/manifests/canal.yaml b/manifests/canal.yaml index 932dcd10fac..32b60bd4fd2 100644 --- a/manifests/canal.yaml +++ b/manifests/canal.yaml @@ -6116,7 +6116,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.29.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -6165,7 +6165,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -6191,7 +6191,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -6425,7 +6425,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.29.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. diff --git a/manifests/csi-driver.yaml b/manifests/csi-driver.yaml index 6cd732b2823..1a3b275abc9 100644 --- a/manifests/csi-driver.yaml +++ b/manifests/csi-driver.yaml @@ -50,7 +50,7 @@ spec: effect: NoSchedule containers: - name: calico-csi - image: calico/csi:master + image: calico/csi:v3.29.0 imagePullPolicy: IfNotPresent args: - --nodeid=$(KUBE_NODE_NAME) @@ -75,7 +75,7 @@ spec: mountPath: /var/lib/kubelet/ mountPropagation: "Bidirectional" - name: csi-node-driver-registrar - image: calico/node-driver-registrar:master + image: calico/node-driver-registrar:v3.29.0 imagePullPolicy: IfNotPresent args: - --v=5 diff --git a/manifests/flannel-migration/calico.yaml b/manifests/flannel-migration/calico.yaml index f35f8ba4215..0a741cf7f8b 100644 --- a/manifests/flannel-migration/calico.yaml +++ b/manifests/flannel-migration/calico.yaml @@ -6109,7 +6109,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.29.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: @@ -6137,7 +6137,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:master + image: docker.io/calico/cni:v3.29.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -6180,7 +6180,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -6206,7 +6206,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:master + image: docker.io/calico/node:v3.29.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -6427,7 +6427,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:master + image: docker.io/calico/kube-controllers:v3.29.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. diff --git a/manifests/flannel-migration/migration-job.yaml b/manifests/flannel-migration/migration-job.yaml index 8574185fe43..9ad230cae4b 100644 --- a/manifests/flannel-migration/migration-job.yaml +++ b/manifests/flannel-migration/migration-job.yaml @@ -150,7 +150,7 @@ spec: restartPolicy: OnFailure containers: - name: flannel-migration-controller - image: calico/flannel-migration-controller:master + image: calico/flannel-migration-controller:v3.29.0 env: # Choose which controllers to run. - name: ENABLED_CONTROLLERS diff --git a/manifests/ocp/02-tigera-operator.yaml b/manifests/ocp/02-tigera-operator.yaml index e5153c73784..a55481934b3 100644 --- a/manifests/ocp/02-tigera-operator.yaml +++ b/manifests/ocp/02-tigera-operator.yaml @@ -32,7 +32,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: tigera-operator - image: quay.io/tigera/operator:master + image: quay.io/tigera/operator:v1.36.0 imagePullPolicy: IfNotPresent command: - operator @@ -50,7 +50,7 @@ spec: - name: OPERATOR_NAME value: "tigera-operator" - name: TIGERA_OPERATOR_INIT_IMAGE_VERSION - value: master + value: v1.36.0 envFrom: - configMapRef: name: kubernetes-services-endpoint @@ -69,7 +69,7 @@ spec: name: install-resources-script initContainers: - name: create-initial-resources - image: docker.io/calico/ctl:master + image: docker.io/calico/ctl:v3.29.0 env: - name: DATASTORE_TYPE value: kubernetes diff --git a/manifests/tigera-operator.yaml b/manifests/tigera-operator.yaml index f6a2ede95af..88ddc8b040f 100644 --- a/manifests/tigera-operator.yaml +++ b/manifests/tigera-operator.yaml @@ -22579,7 +22579,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: tigera-operator - image: quay.io/tigera/operator:master + image: quay.io/tigera/operator:v1.36.0 imagePullPolicy: IfNotPresent command: - operator @@ -22597,7 +22597,7 @@ spec: - name: OPERATOR_NAME value: "tigera-operator" - name: TIGERA_OPERATOR_INIT_IMAGE_VERSION - value: master + value: v1.36.0 envFrom: - configMapRef: name: kubernetes-services-endpoint diff --git a/release-notes/v3.29.0-release-notes.md b/release-notes/v3.29.0-release-notes.md new file mode 100644 index 00000000000..56b640c2748 --- /dev/null +++ b/release-notes/v3.29.0-release-notes.md @@ -0,0 +1,112 @@ +28 Oct 2024 + +#### Tiered policies and k8s AdminNetworkPolicy support + +Calico introduces [tiered policy](https://docs.tigera.io/calico/v3.29/network-policy/policy-tiers/tiered-policy) support and support for Kubernetes AdminNetworkPolicy. Tiers are a hierarchical construct used to group policies and enforce higher precedence policies that cannot be circumvented by other teams. They have built-in features that support workload microsegmentation. + +The [AdminNetworkPolicy (ANP)](https://docs.tigera.io/calico/v3.29/network-policy/policy-tiers/tiered-policy#adminnetworkpolicy-tier) resource helps administrators set strict security rules for the cluster, i.e. a developer cannot override these rules by creating NetworkPolicies that apply to the same workloads as the AdminNetworkPolicy. + +- Add tiered policy support [calico 9085](https://github.com/projectcalico/calico/pull/9085) (@mazdakn) +- Allow users to specify the default action in a tier. [calico 9245](https://github.com/projectcalico/calico/pull/9245) (@mazdakn) +- Add support for the core functionalities of the new k8s AdminNetworkPolicy API. [calico 9206](https://github.com/projectcalico/calico/pull/9206) (@mazdakn) +- Add support for AdminNetworkPolicy egress network CIDRs. [calico 9303](https://github.com/projectcalico/calico/pull/9303) (@mazdakn) + +#### nftables dataplane (tech-preview) + +Calico introduces tech-preview support for programming policy directly using native [nftables](https://docs.tigera.io/calico/v3.29/getting-started/kubernetes/nftables) tooling on Linux. nftables is the successor to iptables, providing an extended feature set and improved kernel API. + +- Tech-preview support for nftables dataplane and nftables kube-proxy compatibility [calico 8780](https://github.com/projectcalico/calico/pull/8780) (@caseydavenport) + +#### Bug fixes + +**BPF Dataplane** + +- Fixed memory leak in BPF endpoint manager. [calico 9309](https://github.com/projectcalico/calico/pull/9309) (@tomastigera) +- ebpf: Fix for Istio ambient mode - traffic that arrives from host should go back through host and not skip iptables [calico 9192](https://github.com/projectcalico/calico/pull/9192) (@tomastigera) +- ebpf: When bpfConntrackBypass is disabled, ensure that iptables rules, which allow 3rd party iptables rules work for traffic originally for the host, are in place. [calico 9188](https://github.com/projectcalico/calico/pull/9188) (@tomastigera) +- ebpf: Fixed frequently attaching BPF programs when pods annotations/labels change and eventually failing due to running out of tc priority. [calico 9089](https://github.com/projectcalico/calico/pull/9089) (@sridhartigera) +- ebpf: Fix parsing host IP update and re-attach program on all interfaces when there is a host IP update. [calico 9084](https://github.com/projectcalico/calico/pull/9084) (@sridhartigera) +- Fixed Missing routes for UDP services when in dual stack mode. [calico 9050](https://github.com/projectcalico/calico/pull/9050) (@sridhartigera) +- ebpf: Fixed bug that would leave residual logging when log filters were applied and then disabled. [calico 9137](https://github.com/projectcalico/calico/pull/9137) (@tomastigera) +- ebpf: Attach XDP to bond slave devices. [calico 9132](https://github.com/projectcalico/calico/pull/9132) (@sridhartigera) +- ebpf: Fix Felix panic when using non-default BPF map sizes. Size was not updated in all places resulting in failure to attach programs. [calico 9117](https://github.com/projectcalico/calico/pull/9117) (@fasaxc) +- ebpf: Fixes missing iptables rules that would keep preexisting V6 connections working when switching to ebpf mode [calico 8943](https://github.com/projectcalico/calico/pull/8943) (@tomastigera) +- ebpf: Don't drop, but reject unknown midflow tcp packets with rst [calico 8933](https://github.com/projectcalico/calico/pull/8933) (@tomastigera) +- ebpf: Set bpfin/out.cali MTU to the smallest of all host ifaces including overlay. That means if jumbo frames are used, this device also uses them. [calico 8922](https://github.com/projectcalico/calico/pull/8922) (@tomastigera) +- ebpf: Fix - let the node handle packet when we are not sure about the destination [calico 8921](https://github.com/projectcalico/calico/pull/8921) (@tomastigera) +- ebpf: Cleanup BPF special devices when BPF is turned off [calico 8884](https://github.com/projectcalico/calico/pull/8884) (@tomastigera) +- ebpf: Support for service loop prevention [calico 8876](https://github.com/projectcalico/calico/pull/8876) (@sridhartigera) +- ebpf: Fixed forwarding, NATing and checksumming of related ICMP traffic (icmp errors) [calico 8858](https://github.com/projectcalico/calico/pull/8858) (@tomastigera) +- ebpf: If a bond master device is part of the bpfDataIfacePattern regexp, calico attaches to it and not to the slaves [calico 8803](https://github.com/projectcalico/calico/pull/8803) (@sridhartigera) +- ebpf: Forwarding services via vxlan tunnel uses different source ports for different flows to better utilize bonded devices and CPUs on the receiving side. [calico 8790](https://github.com/projectcalico/calico/pull/8790) (@tomastigera) +- ebpf: Do not panic in dual-stack mode when a node is configured with only one and not both IPs or autodetection is not enabled for one. [calico 8760](https://github.com/projectcalico/calico/pull/8760) (@tomastigera) +- ebpf: Clean up stale icmp6 conntrack entries [calico 8749](https://github.com/projectcalico/calico/pull/8749) (@tomastigera) +- ebpf: Update map definition in sockops program to let libbpf v1.0+ load them successfully. [calico 8693](https://github.com/projectcalico/calico/pull/8693) (@debasishbsws) +- ebpf: Fix map creation during upgrade. [calico 8684](https://github.com/projectcalico/calico/pull/8684) (@sridhartigera) +- ebpf: Fix natOutgoing SNAT for icmp6 [calico 8679](https://github.com/projectcalico/calico/pull/8679) (@sridhartigera) + +**Windows** + +- Configure kubelet certificate rotation on manually installed Calico for Windows. [calico 9178](https://github.com/projectcalico/calico/pull/9178) (@jxlwqq) +- Added support for non-English language versions of Windows. [calico 9062](https://github.com/projectcalico/calico/pull/9062) (@wayne-cheng) +- Fix non-HPC Calico for Windows startup issue with the CalicoNode service. [calico 9016](https://github.com/projectcalico/calico/pull/9016) (@coutinhop) +- [windows] Skip node IP discovery if --NodeIp parameter is provided to kubelet-service.ps1. [calico 8915](https://github.com/projectcalico/calico/pull/8915) (@wayne-cheng) + +**Helm** + +- Helm: Fix error parsing kubernetesServiceEndpoint.host as an integer [calico 9067](https://github.com/projectcalico/calico/pull/9067) (@MichalFupso) +- Helm: Fix rendering of KUBERNETES_SERVICE_PORT [calico 8865](https://github.com/projectcalico/calico/pull/8865) (@simonostendorf) +- Fix error when using helm additionalLabels in conjunction with image pull secrets [calico 8785](https://github.com/projectcalico/calico/pull/8785) (@caseydavenport) + +**General** + +- Fix spurious warning about unexpected inserted rules. [calico 9397](https://github.com/projectcalico/calico/pull/9397) (@fasaxc) +- Fix image in flannel migration manifest [calico 9265](https://github.com/projectcalico/calico/pull/9265) (@radTuti) +- Ignore empty CIDRs specified in the BGPConfiguration. [calico 9230](https://github.com/projectcalico/calico/pull/9230) (@fasaxc) +- Update flannel to version v0.24.4 to fix kube-flannel log spam when ipv6 is disabled. [calico 9208](https://github.com/projectcalico/calico/pull/9208) (@mkhpalm) +- [etcd mode] Fix issue where Calico nodes failed to decommission if calico-kube-controllers was running on the terminated node. [calico 9190](https://github.com/projectcalico/calico/pull/9190) (@caseydavenport) +- BGP: Prevent the advertisement of local kernel routes learned from eBPF interfaces (bpf*.cali) to peers. [calico 9112](https://github.com/projectcalico/calico/pull/9112) (@mstansberry) +- Fix that shutting down a ticker waited a whole tick. (Mainly impacts tests.) [calico 9111](https://github.com/projectcalico/calico/pull/9111) (@fasaxc) +- Fix interaction between kube-proxy and Calico's SNAT rules that could cause corrupted VXLAN packets when checksum offload was enabled. Move Calico's rules after kube-proxy's to make sure kube-proxy's mark bit is cleared if both would have done SNAT. [calico 9091](https://github.com/projectcalico/calico/pull/9091) (@tomastigera) +- Fix that Felix would panic when trying to resync a temporary IP set. Temporary IP sets are created in certain scenarios after previous failures. [calico 9077](https://github.com/projectcalico/calico/pull/9077) (@fasaxc) +- Fix missing resources in calicoctl command help text [calico 9054](https://github.com/projectcalico/calico/pull/9054) (@caseydavenport) +- Calico now uses the logging framework's built in capability to capture the caller's filename/line number. This removes a potential source of concurrency bugs. [calico 9044](https://github.com/projectcalico/calico/pull/9044) (@fasaxc) +- Fix that the conversion from Pod to WorkloadEndpoint could mutate the pod labels; this isn't safe if something else has a reference to the Pod (e.g. if we're used with a caching informer). [calico 9039](https://github.com/projectcalico/calico/pull/9039) (@fasaxc) +- Fix 'undefined symbol: xtables_strdup' error when running 'iptables-legacy-save' in the calico-node image. [calico 9022](https://github.com/projectcalico/calico/pull/9022) (@coutinhop) +- Fixed continuous addition/deletion of service routes in eBPF mode. [calico 8983](https://github.com/projectcalico/calico/pull/8983) (@sridhartigera) +- Felix now arranges for VXLAN packets to skip netfilter conntrack. VXLAN uses pseudo random source ports so the "flows" are unidirectional and not meaningful to conntrack. [calico 8977](https://github.com/projectcalico/calico/pull/8977) (@cyclinder) +- Add IPReservation and BGPFilter to etcd datastore migration [calico 8971](https://github.com/projectcalico/calico/pull/8971) (@caseydavenport) +- Don't run pprof on prometheus metrics port [calico 8967](https://github.com/projectcalico/calico/pull/8967) (@caseydavenport) +- Felix: Move log initialisation earlier in start-up sequence to avoid missing some logs. [calico 8944](https://github.com/projectcalico/calico/pull/8944) (@fasaxc) +- Felix now sets the Go runtime's GC threshold to 40% (instead of the more aggressive 20% used previously). This trades slight extra RAM usage for significantly lower GC CPU usage. The setting is now exposed in the FelixConfiguration as goGCThreshold, along with goMemoryLimitMB. To get the old behaviour, set goGCThreshold to 20. If memory usage is not a concern, the value can be set even higher to reduce CPU usage. [calico 8904](https://github.com/projectcalico/calico/pull/8904) (@fasaxc) +- Upgrade bpftool to v7.4 to fix the issue of loading XDP programs in iptables data plane that happens in few distributions. [calico 8880](https://github.com/projectcalico/calico/pull/8880) (@mazdakn) +- Reduce spammy logs in route table [calico 8879](https://github.com/projectcalico/calico/pull/8879) (@caseydavenport) +- Fixed incorrect logging level related to service IPs. [calico 8816](https://github.com/projectcalico/calico/pull/8816) (@mazdakn) +- Fix that Calico would ignore changes to Kubernetes Node InternalIP when using InternalIP node address autodetection. [calico 8728](https://github.com/projectcalico/calico/pull/8728) (@Levi080513) +- ebpf: wg6 traffic is allowed even if blocked by policy [calico 8712](https://github.com/projectcalico/calico/pull/8712) (@tomastigera) +- Fix pods stuck in ContainerCreating state due to "failed to create host netlink handle: protocol not supported" error on kernels that don't support XFRM. [calico 8710](https://github.com/projectcalico/calico/pull/8710) (@carloslima) +- Fix missing log line numbers in cni-installer log output [calico 8696](https://github.com/projectcalico/calico/pull/8696) (@caseydavenport) +- Restart calico/node if unable to set the NodeNetwork condition. [calico 8673](https://github.com/projectcalico/calico/pull/8673) (@cyclinder) +- Clean up IP addresses of pods with Evicted status. [calico 7713](https://github.com/projectcalico/calico/pull/7713) (@gaopeiliang) + +#### Other changes + +- ebpf: Faster redirection from host interface to workloads for any included traffic that does not use NAT (CTLB enabled or pod-to-pod) [calico 9213](https://github.com/projectcalico/calico/pull/9213) (@tomastigera) +- Include license file in non-AMD64 images. [calico 8735](https://github.com/projectcalico/calico/pull/8735) (@fasaxc) +- Address GitHub Dependabot security alerts [calico 9108](https://github.com/projectcalico/calico/pull/9108) (@hjiawei) +- Improve cni-plugin binary install verification. [calico 8827](https://github.com/projectcalico/calico/pull/8827) (@coutinhop) +- Felix's route programming now handles routing conflicts deterministically, prioritising routes based on their type. Conntrack cleanup has been improved; cleanup is now correctly sequenced with route programming when IP addresses move from local to remote workloads. [calico 8418](https://github.com/projectcalico/calico/pull/8418) (@fasaxc) +- In manifest installs, in order to prevent default IP-pools creation, `CALICO_IPV4POOL_CIDR`=`none` and `CALICO_IPV6POOL_CIDR`=`none` environment variable special values are now supported. [calico 8156](https://github.com/projectcalico/calico/pull/8156) (@kruftik) +- The calico-kube-controllers container now runs with `securityContext.runAsNonRoot=true`. [calico 6499](https://github.com/projectcalico/calico/pull/6499) (@ialidzhikov) +- New helm values.yaml field - additionalLabels - allows configuring labels on resources created by the chart. @TheCubicleJockey [calico 8722](https://github.com/projectcalico/calico/pull/8722) (@caseydavenport) +- New Felix config param IPForwarding allows for preventing Felix from enabling IP forwarding on systems that are only using Calico for host protection (and hence don't need to forward traffic to workloads). [calico 9320](https://github.com/projectcalico/calico/pull/9320) (@fasaxc) +- Felix now logs our policy selectors as well as the policy ID. [calico 9187](https://github.com/projectcalico/calico/pull/9187) (@fasaxc) +- Felix's route resync logic has been optimised; it now uses 50% less CPU time and 80% less memory. [calico 9139](https://github.com/projectcalico/calico/pull/9139) (@fasaxc) +- BGPFilter: Add prefix length matching [calico 9114](https://github.com/projectcalico/calico/pull/9114) (@mstansberry) +- Conntrack cleanup debug logs now include more information. [calico 9131](https://github.com/projectcalico/calico/pull/9131) (@fasaxc) +- Log formatting performance has been improved, reducing the overhead of logging. [calico 9055](https://github.com/projectcalico/calico/pull/9055) (@fasaxc) +- Felix now uses less CPU and memory when listing routes from the kernel. [calico 8979](https://github.com/projectcalico/calico/pull/8979) (@fasaxc) +- Adjust default IP set refresh interval from 10s to 90s. [calico 8959](https://github.com/projectcalico/calico/pull/8959) (@caseydavenport) +- apiserver defaults logrus level based on `-v` argument [calico 8697](https://github.com/projectcalico/calico/pull/8697) (@caseydavenport) +- Expose the Go runtime's "GOMAXPROCS" setting via felix configuration. This may be useful for tuning Felix to take account of CPU limits. [calico 8945](https://github.com/projectcalico/calico/pull/8945) (@fasaxc) + diff --git a/release/internal/outputs/releasenotes.go b/release/internal/outputs/releasenotes.go index 9564404c5a1..69e6cab26b5 100644 --- a/release/internal/outputs/releasenotes.go +++ b/release/internal/outputs/releasenotes.go @@ -109,7 +109,7 @@ func prIssuesByRepo(client *github.Client, owner, repo string, opts *github.Issu // between the start and end markers. func extractReleaseNoteFromIssue(issue *github.Issue) ([]string, error) { body := issue.GetBody() - pattern := "```release-note(.*?)```" + pattern := "\\`\\`\\`release-note\\r?\\n(.*)\\r?\\n\\`\\`\\`" re := regexp.MustCompile(pattern) matches := re.FindAllStringSubmatch(body, -1) if len(matches) == 0 {