Releases: tigera/operator
v1.42.0
30 Apr 2026
Included Calico versions
Calico version: v3.32.0
Bug fixes
Other changes
- Update bundled Istio version to 1.29.2, including CVE fixes for moby/spdystream, prometheus/prometheus, and opentelemetry-go/otel/sdk. #4733 (@radixo)
- Update golang.org/x/* libraries to latest. #4727 (@rene-dekker)
- Grant the tigera-noncluster-host ClusterRole create access on linseed.tigera.io/policyactivity so non-cluster host policy activity logs reach Linseed. #4726 (@xiumozhan)
- None #4701 (@caseydavenport)
- Operator now passes the CA certificate CommonName to Voltron via VOLTRON_CA_SIGNER_NAME, enabling configurable CA issuer identification. #4673 (@rene-dekker)
- Always add the --tunnelSecretName flag to the apiserver, so it picks the correct secret for signing tunnel certificates. #4662 (@rene-dekker)
- Added label selector for networkpolicies selecting coredns on Canonical Kubernetes clusters. #4652 (@rene-dekker)
- Improve TigeraStatus to include more detailed information when readiness and liveness probes fail. #4646 (@caseydavenport)
- Bump bundled Envoy Gateway to v1.7.0. Kubernetes version floor raised to v1.32. #4637 (@pasanw)
- Give Policy Recommendation Controller the necessary RBAC to recommend policies for HostEndpoints. #4594 (@xiumozhan)
- Fix calico-apiserver RBAC to allow queryserver's authorization review to access tiers, uisettingsgroups, and managedclusters via the aggregated API. #4568 (@tianfeng92)
- Istio support is now available for Calico (OSS) installations. Previously, the Istio controller was restricted to Calico Enterprise only. With this change, OSS users can leverage the operator to manage Istio ambient mesh components (istiod, CNI, and ztunnel) alongside their Calico installation. #4536 (@radixo)
- Add validation for logstorage node count and replicas setting. #4529 (@tianfeng92)
- Allow Calico nodes to create and update BGPConfiguration resources. #4520 (@mazdakn)
- Fix pod creation failures during manifest-to-operator migration caused by the calico-cni-plugin ClusterRoleBinding losing its kube-system subject before all nodes are migrated. #4514 (@caseydavenport)
- Config option to control whether BIRD or Felix manages intra-cluster routing. #4511 (@mazdakn)
- Set correct CA_TRUSTED_NODE_ACCOUNTS namespace on OpenShift. #4510 (@electricjesus)
- Fix calico-apiserver TLS errors on upgrade to v3.31 for long-lived clusters. The operator now correctly reissues certificates with updated SANs when the apiserver namespace changes, instead of treating legacy operator-signed certs as user-provided. #4493 (@caseydavenport)
- Operator now disables log forwarding and metrics scraping on enterprise license expiry while keeping the dataplane running, and reports license status in TigeraStatus. #4482 (@hjiawei)
- Surface certificate metadata (issuer, expiry, DNS SANs, IP SANs) as annotations and add filtering labels (secret-type, signer) on TLS secrets produced by Secret() and CreateSelfSignedSecret(). Display the Degraded condition's message when running kubectl get tigerastatus, making it easier to see error details at a glance without needing to describe the resource. #4479 (@rene-dekker)
- Users can now override the resources and/or limits on the calico-dashboard-api container in the manager deployment. #4478 (@rene-dekker)
- Split the kubernetes-services-endpoint configmap into KUBERNETES_SERVICE_HOST/PORT for host-networked pods (previous behaviour) and KUBERNETES_SERVICE_HOST_POD_NETWORK and KUBERNETES_SERVICE_PORT_POD_NETWORK for pod-networked pods. #4474 (@coutinhop)
- Fix Istio GKE platform detection: set platform=gke on istiod and ztunnel Helm charts in addition to the CNI chart, enabling the ztunnel ResourceQuota and PLATFORM=gke environment variable on istiod. #4463 (@electricjesus)
- Use backwards compatible schema configuration for prometheus endpoints on Openshift. #4454 (@rene-dekker)
- ECK certificates are now rotated 30d before expiry just like all certificates that are managed by this operator. #4453 (@rene-dekker)
- The Tier allow-tigera has been renamed to calico-system. If your Calico installation does not use the Tigera Operator, or if you have created custom Network Policies within this Tier, you must manually update your resources to reference the new Tier name. Please review and adjust any affected policies to ensure continued correct behavior. #4438 (@radixo)
- Dropped support for non-privileged mode and deprecated the Installation.spec.nonPrivileged field. The Operator ignores this setting and will mark Calico as Degraded if it is set to Enabled. #4433 (@lucastigera)
- Fixed rendering resource limits and requests for Egress Gateway. #4427 (@sridhartigera)
- Register NetworkAttachmentDefinition type in operator scheme for Istio OpenShift support. #4408 (@electricjesus)
- Bump Go to 1.25.7. #4403 (@alexh-tigera)
- Fix Istio service mesh components (istio-cni, istiod, ztunnel) failing on OpenShift due to missing platform detection. The operator now sets platform=openshift on all embedded Istio Helm charts, activating correct CNI binary paths (/var/lib/cni/bin), Multus provider configuration, SCC RBAC rules, SELinux contexts, and trusted ztunnel namespace settings. #4402 (@electricjesus)
- Auto-detect kube-proxy nftables/iptables mode. #4389 (@caseydavenport)
- Fix an issue where the operator would remove other controllers' finalizers from objects it creates. #4381 (@caseydavenport)
- Prometheus Operator is updated from v0.84.0 to v0.88.0. Prometheus is updated from v3.4.1 to v3.9.1. Prometheus Alertmanager is updated from v0.28.0 to v0.30.1. #4379 (@hjiawei)
- Updated Elasticsearch NodeSet name generation to prevent unnecessary recreations of the Elasticsearch StatefulSet. #4378 (@pasanw)
- Added a required permission for setting up watches in the calico-apiserver on OCP 4.20. #4372 (@rene-dekker)
- Elasticsearch and Kibana are updated to v8.19.10. #4367 (@hjiawei)
- Updated the Tigera Operator runtime base image to UBI 9. #4365 (@hjiawei)
- Fixed an issue caused by manager_controller and apiserver_controller both writing the calico-management-cluster-connection secret to calico-system, causing constant reconciliations. #4358 (@rene-dekker)
- Add rule to allow-tigera to allow traffic from intrusion detection controller to voltron. #4350 (@xiumozhan)
- Added LINSEED_URL environment variable to tigera-dpi daemonset to fix an issue with forwarding alerts from a managed cluster running DPI to the management cluster. #4330 (@Josh-L)
- Fix a stack trace in the kibana logs as a result of timeouts from fleet. #4328 (@rene-dekker)
- Set recommended labels as per https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/ #4327 (@rene-dekker)
- Fixed an issue where Guardian was missing the certificate of the Calico API server from its CA bundle. This issue only impacted clusters that were created using an older version of the Operator that did not use a centralized signer. #4314 (@pasanw)
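The certificate-metadata annotations (#4479), the 30-day rotation window that now also applies to ECK certificates (#4453) and the reissue-when-SANs-change fix (#4493) above all come down to a few checks over the X.509 certificate held in a TLS secret. The Go program below is an added example written for this page, not code from the tigera/operator repository: it builds a constructed self-signed certificate, derives the issuer/expiry/SAN metadata, and applies the 30-day rule plus a SAN-coverage check of the kind that decides whether a cert issued for the old apiserver namespace must be reissued. The annotation keys (example.invalid/...), the service names and the dates are assumptions chosen for illustration; the operator's real annotation keys and labels are not stated on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

const (
	// Per the release note, operator-managed certificates are reissued 30 days before expiry.
	rotationLeadTime = 30 * 24 * time.Hour
	// Hypothetical annotation keys; the page does not state the operator's real ones.
	annIssuer  = "example.invalid/issuer"
	annExpiry  = "example.invalid/expiry"
	annDNSSANs = "example.invalid/dns-sans"
	annIPSANs  = "example.invalid/ip-sans"
)

// newSelfSignedCert builds a constructed self-signed certificate (issuer == subject) with the
// given SANs and lifetime and parses it back, as the operator would parse tls.crt from a secret.
func newSelfSignedCert(cn string, dnsSANs []string, ipSANs []net.IP, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsSANs,
		IPAddresses:  ipSANs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// certAnnotations derives the metadata the note lists: issuer, expiry, DNS SANs and IP SANs.
func certAnnotations(cert *x509.Certificate) map[string]string {
	var ips []string
	for _, ip := range cert.IPAddresses {
		ips = append(ips, ip.String())
	}
	return map[string]string{
		annIssuer:  cert.Issuer.CommonName,
		annExpiry:  cert.NotAfter.UTC().Format(time.RFC3339),
		annDNSSANs: strings.Join(cert.DNSNames, ","),
		annIPSANs:  strings.Join(ips, ","),
	}
}

// needsRotation applies the 30-day rule; it also returns true for an already-expired certificate.
func needsRotation(cert *x509.Certificate, now time.Time) bool {
	return !now.Add(rotationLeadTime).Before(cert.NotAfter)
}

// sansCover reports whether the certificate carries every required DNS SAN. A cert issued for
// the old apiserver namespace fails this for the new service name and must be reissued.
func sansCover(cert *x509.Certificate, required []string) bool {
	have := map[string]bool{}
	for _, n := range cert.DNSNames {
		have[n] = true
	}
	for _, n := range required {
		if !have[n] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed names and dates; none are taken from the operator.
	cert, err := newSelfSignedCert("constructed-ca", []string{"calico-apiserver.old-ns.svc"},
		[]net.IP{net.ParseIP("10.0.0.5")}, time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC), 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println(certAnnotations(cert))
	fmt.Println("rotate now:", needsRotation(cert, time.Date(2026, 3, 5, 0, 0, 0, 0, time.UTC)))
	fmt.Println("reissue for calico-system:", !sansCover(cert, []string{"calico-apiserver.calico-system.svc"}))
}
```

To apply the same three checks to a live cluster, base64-decode tls.crt from the secret, pem.Decode it and hand the block bytes to x509.ParseCertificate; needsRotation then tells you whether the operator is due to reissue it, and sansCover whether the SANs still match the service names you expect after a namespace move.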
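The Tier rename in #4438 means custom policies you placed in allow-tigera need their spec.tier updated, and, because Calico requires a tiered policy's metadata.name to carry the tier name as a dot-separated prefix (an assumption stated here, not taken from the page), their names as well. The Go program below is an added example, not part of tigera/operator or this release: it rewrites a multi-document manifest, touching only documents whose tier is allow-tigera so that a default-tier policy with a similar-looking name is left alone, and it is idempotent. The sample manifest is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Tier names from the release note.
const (
	oldTier = "allow-tigera"
	newTier = "calico-system"
)

var (
	// A spec.tier field naming the old tier.
	tierLine = regexp.MustCompile(`^(\s*tier:\s*)` + regexp.QuoteMeta(oldTier) + `\s*$`)
	// A metadata.name carrying the "<tier>." prefix (assumed Calico naming convention).
	nameLine = regexp.MustCompile(`^(\s*name:\s*)` + regexp.QuoteMeta(oldTier) + `\.(\S+)\s*$`)
)

// migrateTierDoc rewrites one YAML document. Only a document that actually sits in the old
// tier is touched; a policy elsewhere whose name merely resembles the prefix is left alone.
func migrateTierDoc(doc string) (string, bool) {
	lines := strings.Split(doc, "\n")
	inOldTier := false
	for _, l := range lines {
		if tierLine.MatchString(l) {
			inOldTier = true
			break
		}
	}
	if !inOldTier {
		return doc, false
	}
	for i, l := range lines {
		if m := tierLine.FindStringSubmatch(l); m != nil {
			lines[i] = m[1] + newTier
		} else if m := nameLine.FindStringSubmatch(l); m != nil {
			lines[i] = m[1] + newTier + "." + m[2]
		}
	}
	return strings.Join(lines, "\n"), true
}

// migrateManifest handles a multi-document manifest (documents separated by "---") and
// returns the rewritten manifest and the number of documents that changed.
func migrateManifest(manifest string) (string, int) {
	docs := strings.Split(manifest, "\n---\n")
	changed := 0
	for i, d := range docs {
		out, ok := migrateTierDoc(d)
		if ok {
			changed++
		}
		docs[i] = out
	}
	return strings.Join(docs, "\n---\n"), changed
}

// sampleManifest is constructed input: one policy in the renamed tier and one in the
// default tier that must stay untouched.
const sampleManifest = `apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-tigera.custom-dns-egress
  namespace: calico-system
spec:
  tier: allow-tigera
  selector: k8s-app == "my-app"
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-tigera-lookalike
  namespace: default
spec:
  tier: default
  selector: all()`

func main() {
	out, n := migrateManifest(sampleManifest)
	fmt.Printf("rewrote %d document(s)\n%s\n", n, out)
}
```

Feed it the output of kubectl get for your own policies, review the diff, and apply the result; rerunning it on an already-migrated manifest changes nothing, so it is safe to use in a loop over many clusters.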
v1.40.9
24 Apr 2026
Included Calico versions
Calico version: v3.31.5
Calico Enterprise version: v3.22.3
Bug fixes
- Fix Kibana crashloop when upgrading from Calico Enterprise 3.20 or earlier to 3.22. The orphan ingest_manager_settings saved object left by Fleet 7.17 is now discarded during Kibana 8.x saved-object migration. #4744 (@tianfeng92)
Other changes
- Update bundled Istio version to 1.29.2, including CVE fixes for moby/spdystream, prometheus/prometheus, and opentelemetry-go/otel/sdk. #4735 (@radixo)
- Update spdystream to v0.5.1 and golang.org/x/* libraries to latest. #4724 (@rene-dekker)
v1.40.8
14 Apr 2026
Included Calico versions
Calico version: v3.31.5
Calico Enterprise version: v3.22.2
Other changes
- Operator now passes the CA certificate CommonName to Voltron via VOLTRON_CA_SIGNER_NAME, enabling configurable CA issuer identification. #4674 (@rene-dekker)
- Improve TigeraStatus to include more detailed information when readiness and liveness probes fail. #4648 (@caseydavenport)
- Remove logstorage validation warning message for node count exceeding replicas by 1. #4578 (@tianfeng92)
- Add validation for logstorage node count and replicas setting. #4555 (@tianfeng92)
- Fix calico-apiserver TLS errors on upgrade to v3.31 for long-lived clusters. The operator now correctly reissues certificates with updated SANs when the apiserver namespace changes, instead of treating legacy operator-signed certs as user-provided. #4542 (@rene-dekker)
- Set correct CA_TRUSTED_NODE_ACCOUNTS namespace on OpenShift. #4538 (@electricjesus)
- Fix pod creation failures during manifest-to-operator migration caused by the calico-cni-plugin ClusterRoleBinding losing its kube-system subject before all nodes are migrated. #4519 (@caseydavenport)
- Surface certificate metadata (issuer, expiry, DNS SANs, IP SANs) as annotations and add filtering labels (secret-type, signer) on TLS secrets produced by Secret() and CreateSelfSignedSecret(). Display the Degraded condition's message when running kubectl get tigerastatus, making it easier to see error details at a glance without needing to describe the resource. #4506 (@rene-dekker)
- Bump Elasticsearch and Kibana to 8.19.12. #4501 (@tianfeng92)
- ECK certificates are now rotated 30d before expiry just like all certificates that are managed by this operator. #4484 (@rene-dekker)
- Dropped support for non-privileged mode and deprecated the Installation.spec.nonPrivileged field. The Operator ignores this setting and will mark Calico as Degraded if it is set to Enabled. #4465 (@lucastigera)
v1.38.13
19 Mar 2026
Included Calico versions
Calico version: v3.30.7
Calico Enterprise version: v3.21.6
Bug fixes
- Fixed rendering resource limits and requests for Egress Gateway. #4431 (@sridhartigera)
Other changes
- Add validation for logstorage node count and replicas setting. #4556 (@tianfeng92)
- Surface certificate metadata (issuer, expiry, DNS SANs, IP SANs) as annotations and add filtering labels (secret-type, signer) on TLS secrets produced by Secret() and CreateSelfSignedSecret(). Display the Degraded condition's message when running kubectl get tigerastatus, making it easier to see error details at a glance without needing to describe the resource. #4508 (@rene-dekker)
- ECK certificates are now rotated 30d before expiry just like all certificates that are managed by this operator. #4485 (@rene-dekker)
- Dropped support for non-privileged mode and deprecated the Installation.spec.nonPrivileged field. The Operator now ignores this setting and will mark Calico as Degraded if it is set to Enabled. #4467 (@lucastigera)
v1.40.7
21 Feb 2026
Included Calico versions
Calico version: v3.31.4
Calico Enterprise version: v3.22.2
Bug fixes
- Fixed rendering resource limits and requests for Egress Gateway. #4430 (@sridhartigera)
- Fix Istio service mesh components (istio-cni, istiod, ztunnel) failing on OpenShift due to missing platform detection. The operator now sets platform=openshift on all embedded Istio Helm charts, activating correct CNI binary paths (/var/lib/cni/bin), Multus provider configuration, SCC RBAC rules, SELinux contexts, and trusted ztunnel namespace settings. #4405 (@electricjesus)
Other changes
- Update Envoy Gateway from 1.5.6 to 1.5.7 #4416 (@nelljerram)
v1.40.6
v1.41.1
14 Feb 2026
Included Calico versions
Calico version: v3.31.3
Calico Enterprise version: v3.23.0-1.0
Note
This version of Operator fixes an issue that could arise if a cluster using Operator v1.41.0 was migrated from Calico Enterprise to Calico Open Source. There are no other user-visible changes.
Please see the Operator v1.41.0 release notes for information about this Operator release, including potentially breaking changes.
v1.41.0
13 Feb 2026
Included Calico versions
Calico Enterprise version: v3.23.0-1.0
Caution
This version of Operator contains breaking changes. If you are upgrading an existing cluster please read the release notes carefully.
Bug fixes
- Fix Istio service mesh components (istio-cni, istiod, ztunnel) failing on OpenShift due to missing platform detection. The operator now sets platform=openshift on all embedded Istio Helm charts, activating correct CNI binary paths (/var/lib/cni/bin), Multus provider configuration, SCC RBAC rules, SELinux contexts, and trusted ztunnel namespace settings. #4406 (@electricjesus)
- Fixed an issue caused by manager_controller and apiserver_controller both writing the calico-management-cluster-connection secret to calico-system causing constant reconciliations. #4375 (@rene-dekker)
- Updated Elasticsearch NodeSet name generation to prevent unnecessary recreations of the Elasticsearch StatefulSet. #4390 (@pasanw)
- Added a required permission for setting up watches in the calico-apiserver on OCP 4.20 #4373 (@rene-dekker)
- Fix a stack trace in the kibana logs as a result of timeouts from fleet. #4333 (@rene-dekker)
- Fixed an issue where Guardian was missing the certificate of the Calico API server from its CA bundle. This issue only impacted clusters that were created using an older version of the Operator that did not use a centralized signer. #4315 (@pasanw)
- Fix DPI ClusterRole so it can discover IP via endpointslices #4258 (@Dean-Coakley)
- Fixes an issue where the logger was not initialized before log statements were produced. #4235 (@rene-dekker)
- Fixed a race condition in tigerastatus monitor where the alertmanager and prometheus statefulsets hadn't been created yet, but the monitor was marked as Available. #4214 (@alexh-tigera)
- Fix policy sync check for CIG #4210 (@LorcanMcVeigh)
- Add finalizers to Installation CR to try to ensure it is safe to cleanup the CNI permissions #4207 (@tmjd)
- Fix that Whisker would not function on nodes with IPv6 support disabled. #4204 (@caseydavenport)
- Do not require LoadBalancer pools to have outgoing NAT enabled. #4183 (@MichalFupso)
- Improve uninstall stability while waiting for pods to be torn down. #4179 (@caseydavenport)
- Fix calico-system Namespace PSS conflict where, under certain conditions, the calico-system namespace would end up with a PSS value of restricted instead of privileged. This started happening on August 15, 2025 (so we may not have released an Enterprise version since). #4172 (@gantony)
Breaking changes
- Fixed the defaulting behavior for Authentication.Spec.OIDC.requestedScopes such that it now includes offline_access as documented in the API. In the unlikely case that your identity provider does not support offline_access and you did not previously specify requestedScopes, you should set requestedScopes to [profile, openid, email]. #4173 (@rene-dekker)
- Contents of the tigera-manager namespace have been moved to the calico-system namespace on standalone and management clusters (managed clusters were moved in a previous release). Component names prefixed with "tigera-" have been renamed to use the prefix "calico-" instead. An ExternalName service has been retained in the tigera-manager namespace to ease migration. Any Ingress or Gateway API resources that provided external access to the tigera-manager service will need to be updated. #4153 (@Josh-L)
Other changes
- Use backwards compatible schema configuration for prometheus endpoints on Openshift. #4420 (@rene-dekker)
- Prometheus Operator is updated from v0.84.0 to v0.88.0. Prometheus is updated from v3.4.1 to v3.9.1. Prometheus Alertmanager is updated from v0.28.0 to v0.30.1. #4397 (@hjiawei)
- Elasticsearch and Kibana are updated to v8.19.10. #4368 (@hjiawei)
- Add rule to allow-tigera to allow traffic from intrusion detection controller to voltron #4354 (@xiumozhan)
- Fix Annotation Removal when patching FelixConfiguration #4306 (@radixo)
- Update Istio from 1.27.3 to 1.28.1 #4287 (@radixo)
- updated RBAC for Gateway stats and logs collector #4282 (@electricjesus)
- Use CEL validation for CR names. #4280 (@caseydavenport)
- feat: operator.tigera.io/Istio CRD - installs and manages Istio for Calico #4256 (@radixo)
- Allow non-cluster hosts to remove failed CSRs before generating new requests. #4236 (@hjiawei)
- Tigera Operator is now built with Go 1.25. #4221 (@hjiawei)
- Remove unused env vars in l7 sidecar CIG gateway deployment #4202 (@LorcanMcVeigh)
- Added support for custom-signed Calico Node certificates on non-cluster hosts. #4181 (@hjiawei)
- Use gateway-specific l7 collector image. #4171 (@gantony)
- Calico Operator is now built with k8s v1.33 #4168 (@MichalFupso)
- add support for developmental builds of operator with custom image paths for components #4163 (@radTuti)
- Update RBAC for the new k8s ClusterNetworkPolicy API. #4155 (@mazdakn)
- Envoy Gateway updated to v1.5.0. This now includes the Envoy Gateway SecurityPolicy CRD. #4130 (@electricjesus)
- The impersonation permissions on guardian are made configurable through the ManagementClusterConnection resource. #4085 (@rene-dekker)
v1.38.12
06 Feb 2026
Included Calico versions
Calico version: v3.30.6
Calico Enterprise version: v3.21.6
Note
This version of Operator is being released to support Calico Enterprise v3.21.6 and contains no other user-visible changes.
v1.40.5
26 Jan 2026
Included Calico versions
Calico version: v3.31.3
Calico Enterprise version: v3.22.1
Bug fixes
- Added a required permission for setting up watches in the calico-apiserver on OCP 4.20 #4371 (@rene-dekker)
- Added LINSEED_URL environment variable to tigera-dpi daemonset to fix an issue with forwarding alerts from a managed cluster running DPI to the management cluster. #4335 (@Josh-L)
- Fix a stack trace in the kibana logs as a result of timeouts from fleet. #4323 (@rene-dekker)
- Fixes an issue where the logger was not initialized before log statements were produced. #4319 (@rene-dekker)
Other changes
- Update golang to 1.24.12; Update ElasticSearch to 8.19.10; Update Kibana to 8.19.10 #4364 (@Josh-L)
- Add rule to allow-tigera to allow traffic from intrusion detection controller to voltron #4356 (@xiumozhan)