Building on the last two minor releases, Project Calico 2.4 brings with it readiness and liveness checks, pre-DNAT policy support, BGP with KDD support, CIDR policy match support, and more!
Felix and Typha now serve HTTP health-check endpoints, which the self-hosted Calico manifests can wire up as Kubernetes readiness and liveness probes. With the readiness probe enabled, a rolling update of those manifests pauses if a newly rolled-out Calico pod fails to become ready, rather than continuing on to the next node. With the liveness probe enabled, the kubelet restarts the Calico container on any node whose agent reports itself unhealthy, so a wedged agent is recovered automatically instead of being left in place.
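The probe stanza below is an added example, not the Calico project's own manifest. It shows the fragment of a self-hosted calico-node DaemonSet that wires Felix's health endpoints into Kubernetes. It assumes Felix's health server is enabled via the FELIX_HEALTHENABLED environment variable and listens on its default port 9099 with /liveness and /readiness paths; the image tag, probe timings and maxUnavailable value are illustrative choices, not values taken from the release manifests.

```yaml
# Added example (not Calico's shipped manifest). Fragment of the calico-node
# DaemonSet showing only the fields relevant to health checking.
# Assumptions: Felix health server on port 9099 (FELIX_HEALTHENABLED=true),
# paths /liveness and /readiness; timings and image tag are illustrative.
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: calico-node
  namespace: kube-system
spec:
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      # A replacement pod that never passes its readiness probe keeps this
      # budget exhausted, so the rollout stops instead of hitting every node.
      maxUnavailable: 1
  template:
    spec:
      hostNetwork: true
      containers:
        - name: calico-node
          image: quay.io/calico/node:v2.4.0   # assumed tag
          env:
            - name: FELIX_HEALTHENABLED
              value: "true"
          # Liveness: the kubelet restarts this container after failureThreshold
          # consecutive failures (about 60 s here), recovering a wedged Felix.
          livenessProbe:
            httpGet:
              path: /liveness
              port: 9099
            initialDelaySeconds: 10
            periodSeconds: 10
            failureThreshold: 6
          # Readiness: gates the rolling update; a pod that is not Ready holds
          # the DaemonSet rollout at this node.
          readinessProbe:
            httpGet:
              path: /readiness
              port: 9099
            periodSeconds: 10
            failureThreshold: 3
```

Keep the liveness failureThreshold generous: a brief datastore outage can make Felix report unhealthy for a few probe periods, and an aggressive threshold would turn that into an unnecessary restart of the agent on every node at once. The readiness probe is the one that protects an upgrade; the liveness probe is the one that changes steady-state behaviour, so enable it deliberately.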
Calico v2.4.0 introduces Pre-DNAT Policy, a new flavor of Calico policy that is enforced before any DNAT a cluster node may perform (for example kube-proxy rewriting NodePort or service traffic to a backend pod). Because it is evaluated against the original destination address and port, Pre-DNAT Policy is useful for securing the perimeter of a cluster against incoming traffic while leaving pinholes, expressed as the particular IP addresses and/or ports that external clients are allowed to connect to. Pre-DNAT policies apply to host endpoints and may contain only ingress rules. For more information please see the documentation on pre-DNAT Policy.
Calico v2.4.0 introduces support for BGP global configuration and BGP peering configuration when using the Kubernetes API datastore driver (KDD), which previously required the etcd datastore. This lets you configure Calico to peer with route reflectors or on-premises infrastructure using the calicoctl command line tool. For more information, see the documentation on configuring BGP peers.
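As an added example (not taken from the Calico documentation), the file below declares one global BGP peer, typically a route reflector or top-of-rack router, and one node-specific peer, in the calicoctl v1 resource format of this release. The AS number, peer addresses (from the RFC 5737 documentation range) and node name are assumptions.

```yaml
# Added example, not project code. Assumes AS 64512, peer 192.0.2.10 as a
# route reflector reachable from every node, and a node named rack1-host1 with
# a directly attached router at 192.0.2.1. All addresses are documentation
# ranges chosen for illustration.
#
# Global peer: every Calico node peers with this address.
apiVersion: v1
kind: bgpPeer
metadata:
  scope: global
  peerIP: 192.0.2.10
spec:
  asNumber: 64512
---
# Node-scoped peer: only the named node peers with this address, which is the
# usual shape for on-premises top-of-rack peering.
apiVersion: v1
kind: bgpPeer
metadata:
  scope: node
  node: rack1-host1
  peerIP: 192.0.2.1
spec:
  asNumber: 64512
```

To apply this against the Kubernetes API datastore, point calicoctl at the cluster with `DATASTORE_TYPE=kubernetes` and `KUBECONFIG` set, then run `calicoctl apply -f bgp-peers.yaml`. The cluster-wide AS number is set with `calicoctl config set asNumber 64512`, and if the external peers will carry all routes, the full node-to-node mesh can be disabled with `calicoctl config set nodeToNodeMesh off`. Check the result on a node with `calicoctl node status` before turning the mesh off, since a misconfigured peer with the mesh already disabled leaves that node without pod routes.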
Calico Policies now support the “nets” and “notNets” fields, which allow for the specification of multiple CIDRs in a single policy rule. This makes declaring a policy which matches multiple networks much easier. The “net” and “notNet” fields have been deprecated.
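The following is an added example, not from the Calico documentation, that combines the two policy features above: a pre-DNAT policy on a host endpoint that admits cluster-internal traffic from several CIDRs in a single rule using nets, opens one external pinhole to a NodePort, and then explicitly denies everything else from outside those ranges using notNets. It assumes a node named node1 with eth0 at 198.51.100.10, internal ranges 10.0.0.0/8 and 192.168.0.0/16, an external client range 192.0.2.0/24, and a NodePort 30443; every one of those values is a placeholder.

```yaml
# Added example, not project code. Assumed values: node "node1", interface eth0
# at 198.51.100.10, internal ranges 10.0.0.0/8 and 192.168.0.0/16, permitted
# external clients 192.0.2.0/24, NodePort 30443.
#
# Host endpoint: pre-DNAT policy only applies to host endpoints, so the node's
# external interface must be declared first.
apiVersion: v1
kind: hostEndpoint
metadata:
  name: node1-eth0
  node: node1
  labels:
    host-endpoint: ingress
spec:
  interfaceName: eth0
  expectedIPs: ["198.51.100.10"]
---
# Pre-DNAT perimeter policy. Evaluated before kube-proxy rewrites the
# destination, so the destination port matched here is the NodePort the client
# actually connected to, not the backend pod's port.
apiVersion: v1
kind: policy
metadata:
  name: perimeter-pre-dnat
spec:
  order: 10
  preDNAT: true
  selector: has(host-endpoint)
  ingress:
    # One rule, several internal CIDRs: this is what "nets" replaces the
    # single-valued "net" field for.
    - action: allow
      source:
        nets: ["10.0.0.0/8", "192.168.0.0/16"]
    # The single external pinhole: permitted client range to one NodePort.
    - action: allow
      protocol: tcp
      source:
        nets: ["192.0.2.0/24"]
      destination:
        ports: [30443]
    # Explicit final deny for anything not from the internal ranges; the
    # pinhole above already matched, so this only drops other external traffic.
    - action: deny
      source:
        notNets: ["10.0.0.0/8", "192.168.0.0/16"]
```

Apply it with `calicoctl apply -f perimeter.yaml` (with DATASTORE_TYPE and KUBECONFIG set when using the Kubernetes API datastore). Two practical checks: the deny is written explicitly rather than relying on any default, so the intent is visible in the policy itself; and Felix's failsafe inbound ports (which include TCP 22 by default) still admit SSH to the host, which is worth confirming on one node before rolling a host-endpoint policy across the cluster, since an error in the nets lists would otherwise lock you out.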
Calico v2.3.0 introduced support for the `networking.k8s.io/v1` NetworkPolicy API when using the Kubernetes API datastore driver, as discussed in this blog post. Calico v2.4.0 brings the same support to deployments using the etcd datastore.
View the full list as well as specific updates to individual components in the 2.4 Release Notes.