diff --git a/config/crd/projectcalico.org_bgpconfigurations.yaml b/config/crd/projectcalico.org_bgpconfigurations.yaml
index 3b18633e..6a11cd0b 100644
--- a/config/crd/projectcalico.org_bgpconfigurations.yaml
+++ b/config/crd/projectcalico.org_bgpconfigurations.yaml
@@ -82,7 +82,7 @@ spec:
                     x-kubernetes-map-type: atomic
                   maxItems: 500
                   type: array
-                  x-kubernetes-list-type: set
+                  x-kubernetes-list-type: atomic
                 extensions:
                   additionalProperties:
                     type: string
@@ -211,7 +211,7 @@ spec:
                     x-kubernetes-map-type: atomic
                   maxItems: 500
                   type: array
-                  x-kubernetes-list-type: set
+                  x-kubernetes-list-type: atomic
                 programClusterRoutes:
                   description: |-
                     ProgramClusterRoutes controls how a cluster node gets a route to a workload on another node,
@@ -237,7 +237,7 @@ spec:
                     type: object
                     x-kubernetes-map-type: atomic
                   type: array
-                  x-kubernetes-list-type: set
+                  x-kubernetes-list-type: atomic
                 serviceExternalIPs:
                   description: |-
                     ServiceExternalIPs are the CIDR blocks for Kubernetes Service External IPs.
@@ -253,7 +253,7 @@ spec:
                     type: object
                     x-kubernetes-map-type: atomic
                   type: array
-                  x-kubernetes-list-type: set
+                  x-kubernetes-list-type: atomic
                 serviceLoadBalancerAggregation:
                   default: Enabled
                   description: |-
@@ -280,7 +280,7 @@ spec:
                     type: object
                     x-kubernetes-map-type: atomic
                   type: array
-                  x-kubernetes-list-type: set
+                  x-kubernetes-list-type: atomic
               type: object
               x-kubernetes-validations:
                 - message:
diff --git a/config/crd/projectcalico.org_felixconfigurations.yaml b/config/crd/projectcalico.org_felixconfigurations.yaml
index 7a7282f5..e3c428e0 100644
--- a/config/crd/projectcalico.org_felixconfigurations.yaml
+++ b/config/crd/projectcalico.org_felixconfigurations.yaml
@@ -322,6 +322,14 @@ spec:
                     [Default: unset - read from net.ipv4.ipfrag_time]
                   pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                   type: string
+                bpfIPFragmentReassemblyEnabled:
+                  description: |-
+                    BPFIPFragmentReassemblyEnabled controls whether Felix loads the BPF program that
+                    reassembles out-of-order IP fragments from external networks. This program requires
+                    a kernel newer than 5.10. When enabled (the default) and the program fails to load,
+                    Felix reports not-ready until the user sets this to false. When false, fragmented
+                    packets from external sources are dropped. [Default: true]
+                  type: boolean
                 bpfJITHardening:
                   allOf:
                     - enum:
@@ -1709,6 +1717,22 @@ spec:
                     "NftablesRefreshInterval controls the interval at which
                     Felix periodically refreshes the nftables rules. [Default: 90s]"
                   type: string
+                nodeSelector:
+                  description: |-
+                    NodeSelector is an optional label selector that restricts this FelixConfiguration
+                    to apply only to nodes that match the given selector. This field is only valid
+                    on FelixConfiguration resources whose name is not "default" and does not start
+                    with "node.". For resources named "default", the configuration applies globally
+                    to all nodes. For resources named "node.<nodename>", the configuration applies to
+                    the named node only.
+
+                    At most one selector-scoped FelixConfiguration should match any given node.
+                    If multiple selector-scoped resources match, the oldest (by creation
+                    timestamp) is used and a warning is logged. This prevents an accidentally
+                    created conflicting resource from disrupting an existing, working
+                    configuration.
+                  maxLength: 1024
+                  type: string
                 openstackRegion:
                   description: |-
                     OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region
@@ -2195,5 +2219,13 @@ spec:
             - metadata
             - spec
           type: object
+          x-kubernetes-validations:
+            - message:
+                nodeSelector must not be set on the 'default' or per-node ('node.*')
+                FelixConfiguration
+              reason: FieldValueForbidden
+              rule:
+                "self.metadata.name == 'default' || self.metadata.name.startsWith('node.')
+                ? !has(self.spec.nodeSelector) : true"
       served: true
       storage: true
diff --git a/config/crd/projectcalico.org_ippools.yaml b/config/crd/projectcalico.org_ippools.yaml
index 285389ad..e9bfd125 100644
--- a/config/crd/projectcalico.org_ippools.yaml
+++ b/config/crd/projectcalico.org_ippools.yaml
@@ -70,14 +70,16 @@ spec:
                   items:
                     description: |-
                       IPPoolAllowedUse defines the allowed uses for an IP pool.
-                      It can be one of "Workload", "Tunnel", or "LoadBalancer".
+                      It can be one of "Workload", "Tunnel", "LoadBalancer" or "HostSecondaryInterface".
                       - "Workload" means the pool is used for workload IP addresses.
                       - "Tunnel" means the pool is used for tunnel IP addresses.
                       - "LoadBalancer" means the pool is used for load balancer IP addresses.
+                      - "HostSecondaryInterface" means the pool is used for host secondary interface IP addresses.
                     enum:
                       - Workload
                       - Tunnel
                       - LoadBalancer
+                      - HostSecondaryInterface
                     type: string
                   maxItems: 10
                   type: array
diff --git a/config/crd/projectcalico.org_licensekeys.yaml b/config/crd/projectcalico.org_licensekeys.yaml
index d976e115..c93478b4 100644
--- a/config/crd/projectcalico.org_licensekeys.yaml
+++ b/config/crd/projectcalico.org_licensekeys.yaml
@@ -24,6 +24,9 @@ spec:
         - jsonPath: .status.maxnodes
           name: Max-Nodes
           type: integer
+        - jsonPath: .status.maxcores
+          name: Max-Cores
+          type: integer
         - jsonPath: .status.conditions[?(@.type=='Valid')].status
           name: Valid
           type: string
@@ -149,8 +152,11 @@ spec:
                     GracePeriod is how long after expiry the license remains
                     functional (e.g. "90d")
                   type: string
+                maxcores:
+                  description: Maximum Number of Allowed CPU Cores.
+                  type: integer
                 maxnodes:
-                  description: Maximum Number of Allowed Nodes
+                  description: Maximum Number of Allowed Nodes.
                   type: integer
                 package:
                   description:
diff --git a/deps.txt b/deps.txt
index ca5f796d..f9f12578 100644
--- a/deps.txt
+++ b/deps.txt
@@ -1,14 +1,14 @@
 !!! GENERATED FILE, DO NOT EDIT !!!
 Run 'make gen-deps-files' to regenerate.
 
-go 1.26.1
+go 1.26.2
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 github.com/emicklei/go-restful v2.15.0+incompatible
 github.com/emicklei/go-restful/v3 v3.13.0
 github.com/fxamacker/cbor/v2 v2.9.0
 github.com/go-logr/logr v1.4.3
-github.com/go-openapi/jsonpointer v0.22.4
-github.com/go-openapi/jsonreference v0.21.4
+github.com/go-openapi/jsonpointer v0.22.5
+github.com/go-openapi/jsonreference v0.21.5
 github.com/go-openapi/swag v0.23.1
 github.com/google/gnostic-models v0.7.0
 github.com/google/uuid v1.6.0
@@ -25,29 +25,30 @@ github.com/spf13/pflag v1.0.10
 github.com/x448/float16 v0.8.4
 go.yaml.in/yaml/v2 v2.4.4
 go.yaml.in/yaml/v3 v3.0.4
-golang.org/x/net v0.52.0
+golang.org/x/net v0.53.0
 golang.org/x/oauth2 v0.36.0
-golang.org/x/sys v0.42.0
-golang.org/x/term v0.41.0
-golang.org/x/text v0.35.0
+golang.org/x/sys v0.43.0
+golang.org/x/term v0.42.0
+golang.org/x/text v0.36.0
 golang.org/x/time v0.15.0
 google.golang.org/protobuf v1.36.11
 gopkg.in/evanphx/json-patch.v4 v4.13.0
 gopkg.in/inf.v0 v0.9.1
 gopkg.in/yaml.v3 v3.0.1
-k8s.io/api v0.35.3
-k8s.io/apiextensions-apiserver v0.35.3
-k8s.io/apimachinery v0.35.3
-k8s.io/apiserver v0.35.3
-k8s.io/client-go v0.35.3
+k8s.io/api v0.35.4
+k8s.io/apiextensions-apiserver v0.35.4
+k8s.io/apimachinery v0.35.4
+k8s.io/apiserver v0.35.4
+k8s.io/client-go v0.35.4
 k8s.io/klog v0.2.0
 k8s.io/klog/v2 v2.140.0
 k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
 k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730
 sigs.k8s.io/randfill v1.0.0
-sigs.k8s.io/structured-merge-diff/v6 v6.3.2
+sigs.k8s.io/structured-merge-diff/v6 v6.4.0
 sigs.k8s.io/yaml v1.6.0
 
+local:api/pkg/apis/projectcalico/v3
 local:api/pkg/lib/numorstring
 local:api/pkg/openapi
diff --git a/go.mod b/go.mod
index ef61cb6c..115d0e76 100644
--- a/go.mod
+++ b/go.mod
@@ -1,19 +1,19 @@
 module github.com/tigera/api
 
-go 1.26.1
+go 1.26.2
 
 require (
 	github.com/jinzhu/copier v0.4.0
-	github.com/onsi/ginkgo/v2 v2.28.1
-	github.com/onsi/gomega v1.39.1
-	github.com/projectcalico/api v0.0.0-20260303210141-543421943355
-	k8s.io/api v0.35.3
-	k8s.io/apiextensions-apiserver v0.35.3
-	k8s.io/apimachinery v0.35.3
-	k8s.io/apiserver v0.35.3
-	k8s.io/client-go v0.35.3
+	github.com/onsi/ginkgo/v2 v2.28.3
+	github.com/onsi/gomega v1.40.0
+	github.com/projectcalico/api v0.0.0-20260415222737-ebf7b29bd308
+	k8s.io/api v0.35.4
+	k8s.io/apiextensions-apiserver v0.35.4
+	k8s.io/apimachinery v0.35.4
+	k8s.io/apiserver v0.35.4
+	k8s.io/client-go v0.35.4
 	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912
-	sigs.k8s.io/structured-merge-diff/v6 v6.3.0
+	sigs.k8s.io/structured-merge-diff/v6 v6.4.0
 	sigs.k8s.io/yaml v1.6.0
 )
 
@@ -29,7 +29,7 @@ require (
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 // indirect
+	github.com/google/pprof v0.0.0-20260402051712-545e8a4df936 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -42,15 +42,15 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/mod v0.32.0 // indirect
-	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/mod v0.35.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.40.0 // indirect
-	golang.org/x/term v0.39.0 // indirect
-	golang.org/x/text v0.33.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/term v0.42.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
-	golang.org/x/tools v0.41.0 // indirect
+	golang.org/x/tools v0.44.0 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -62,29 +62,29 @@ require (
 )
 
 replace (
-	k8s.io/api => k8s.io/api v0.35.3
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.35.3
-	k8s.io/apimachinery => k8s.io/apimachinery v0.35.3
-	k8s.io/apiserver => k8s.io/apiserver v0.35.3
-	k8s.io/cli-runtime => k8s.io/cli-runtime v0.35.3
-	k8s.io/client-go => k8s.io/client-go v0.35.3
-	k8s.io/cloud-provider => k8s.io/cloud-provider v0.35.3
-	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.35.3
-	k8s.io/code-generator => k8s.io/code-generator v0.35.3
-	k8s.io/component-base => k8s.io/component-base v0.35.3
-	k8s.io/component-helpers => k8s.io/component-helpers v0.35.3
-	k8s.io/controller-manager => k8s.io/controller-manager v0.35.3
-	k8s.io/cri-api => k8s.io/cri-api v0.35.3
-	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.35.3
-	k8s.io/externaljwt => k8s.io/externaljwt v0.35.3
-	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.35.3
-	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.35.3
-	k8s.io/kube-proxy => k8s.io/kube-proxy v0.35.3
-	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.35.3
-	k8s.io/kubectl => k8s.io/kubectl v0.35.3
-	k8s.io/kubelet => k8s.io/kubelet v0.35.3
-	k8s.io/metrics => k8s.io/metrics v0.35.3
-	k8s.io/mount-utils => k8s.io/mount-utils v0.35.3
-	k8s.io/node-api => k8s.io/node-api v0.35.3
-	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.35.3
+	k8s.io/api => k8s.io/api v0.35.4
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.35.4
+	k8s.io/apimachinery => k8s.io/apimachinery v0.35.4
+	k8s.io/apiserver => k8s.io/apiserver v0.35.4
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.35.4
+	k8s.io/client-go => k8s.io/client-go v0.35.4
+	k8s.io/cloud-provider => k8s.io/cloud-provider v0.35.4
+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.35.4
+	k8s.io/code-generator => k8s.io/code-generator v0.35.4
+	k8s.io/component-base => k8s.io/component-base v0.35.4
+	k8s.io/component-helpers => k8s.io/component-helpers v0.35.4
+	k8s.io/controller-manager => k8s.io/controller-manager v0.35.4
+	k8s.io/cri-api => k8s.io/cri-api v0.35.4
+	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.35.4
+	k8s.io/externaljwt => k8s.io/externaljwt v0.35.4
+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.35.4
+	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.35.4
+	k8s.io/kube-proxy => k8s.io/kube-proxy v0.35.4
+	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.35.4
+	k8s.io/kubectl => k8s.io/kubectl v0.35.4
+	k8s.io/kubelet => k8s.io/kubelet v0.35.4
+	k8s.io/metrics => k8s.io/metrics v0.35.4
+	k8s.io/mount-utils => k8s.io/mount-utils v0.35.4
+	k8s.io/node-api => k8s.io/node-api v0.35.4
+	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.35.4
 )
diff --git a/go.sum b/go.sum
index 78128b35..02beef55 100644
--- a/go.sum
+++ b/go.sum
@@ -34,8 +34,8 @@ github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7O
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 h1:z2ogiKUYzX5Is6zr/vP9vJGqPwcdqsWjOt+V8J7+bTc=
-github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI=
+github.com/google/pprof v0.0.0-20260402051712-545e8a4df936 h1:EwtI+Al+DeppwYX2oXJCETMO23COyaKGP6fHVpkpWpg=
+github.com/google/pprof v0.0.0-20260402051712-545e8a4df936/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
@@ -67,14 +67,14 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/onsi/ginkgo/v2 v2.28.1 h1:S4hj+HbZp40fNKuLUQOYLDgZLwNUVn19N3Atb98NCyI=
-github.com/onsi/ginkgo/v2 v2.28.1/go.mod h1:CLtbVInNckU3/+gC8LzkGUb9oF+e8W8TdUsxPwvdOgE=
-github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28=
-github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg=
+github.com/onsi/ginkgo/v2 v2.28.3 h1:4JvMdwtFU0imd8fHx25OJXoDMRexnf8v5NHKYSTTji4=
+github.com/onsi/ginkgo/v2 v2.28.3/go.mod h1:+aXOY+vzZ5mu2iI2HpTZUPmM//oQfsNFX6gU9kNcA44=
+github.com/onsi/gomega v1.40.0 h1:Vtol0e1MghCD2ZVIilPDIg44XSL9l2QAn8ZNaljWcJc=
+github.com/onsi/gomega v1.40.0/go.mod h1:M/Uqpu/8qTjtzCLUA2zJHX9Iilrau25x1PdoSRbWh5A=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/projectcalico/api v0.0.0-20260303210141-543421943355 h1:nz3rpu5iJMZyrtlJzGozf4/lKEl3MRH5LHvLcg6SgAg=
-github.com/projectcalico/api v0.0.0-20260303210141-543421943355/go.mod h1:SRPurzoi23s+lg9pp3Ox2xZsM7z+BAPDm/H3YOuHNWs=
+github.com/projectcalico/api v0.0.0-20260415222737-ebf7b29bd308 h1:TdeUR3c5JJkfY6T2NBaNouXqdr8U9dYS9aOFYADq0mU=
+github.com/projectcalico/api v0.0.0-20260415222737-ebf7b29bd308/go.mod h1:pfbDD0JEeZugRa5YxjVoCna9RVyYWjsI8qZjY5TKSqs=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
@@ -106,24 +106,24 @@ go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
 go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
-golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
-golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
-golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
-golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
-golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
-golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
-golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
+golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
-golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
 google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -136,16 +136,16 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.35.3 h1:pA2fiBc6+N9PDf7SAiluKGEBuScsTzd2uYBkA5RzNWQ=
-k8s.io/api v0.35.3/go.mod h1:9Y9tkBcFwKNq2sxwZTQh1Njh9qHl81D0As56tu42GA4=
-k8s.io/apiextensions-apiserver v0.35.3 h1:2fQUhEO7P17sijylbdwt0nBdXP0TvHrHj0KeqHD8FiU=
-k8s.io/apiextensions-apiserver v0.35.3/go.mod h1:tK4Kz58ykRpwAEkXUb634HD1ZAegEElktz/B3jgETd8=
-k8s.io/apimachinery v0.35.3 h1:MeaUwQCV3tjKP4bcwWGgZ/cp/vpsRnQzqO6J6tJyoF8=
-k8s.io/apimachinery v0.35.3/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
-k8s.io/apiserver v0.35.3 h1:D2eIcfJ05hEAEewoSDg+05e0aSRwx8Y4Agvd/wiomUI=
-k8s.io/apiserver v0.35.3/go.mod h1:JI0n9bHYzSgIxgIrfe21dbduJ9NHzKJ6RchcsmIKWKY=
-k8s.io/client-go v0.35.3 h1:s1lZbpN4uI6IxeTM2cpdtrwHcSOBML1ODNTCCfsP1pg=
-k8s.io/client-go v0.35.3/go.mod h1:RzoXkc0mzpWIDvBrRnD+VlfXP+lRzqQjCmKtiwZ8Q9c=
+k8s.io/api v0.35.4 h1:P7nFYKl5vo9AGUp1Z+Pmd3p2tA7bX2wbFWCvDeRv988=
+k8s.io/api v0.35.4/go.mod h1:yl4lqySWOgYJJf9RERXKUwE9g2y+CkuwG+xmcOK8wXU=
+k8s.io/apiextensions-apiserver v0.35.4 h1:HeP+Upp7ItdvnyGmub0yoix+2z5+ev4M5cE5TCgtOUU=
+k8s.io/apiextensions-apiserver v0.35.4/go.mod h1:ogQlk+stIE8mnoRthSYCwlOS12fVqgWFiErMwPaXA7c=
+k8s.io/apimachinery v0.35.4 h1:xtdom9RG7e+yDp71uoXoJDWEE2eOiHgeO4GdBzwWpds=
+k8s.io/apimachinery v0.35.4/go.mod h1:NNi1taPOpep0jOj+oRha3mBJPqvi0hGdaV8TCqGQ+cc=
+k8s.io/apiserver v0.35.4 h1:vtuFqNFmF9bPRdHDL2lpK6qCTPWDreZJL4LRPwVM6ho=
+k8s.io/apiserver v0.35.4/go.mod h1:JnBcb+J8kFXKpZkgcbcUnPBBHi4qgBii1I7dLxFY/oo=
+k8s.io/client-go v0.35.4 h1:DN6fyaGuzK64UvnKO5fOA6ymSjvfGAnCAHAR0C66kD8=
+k8s.io/client-go v0.35.4/go.mod h1:2Pg9WpsS4NeOpoYTfHHfMxBG8zFMSAUi4O/qoiJC3nY=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
@@ -156,7 +156,7 @@ sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5E
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
-sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
-sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
+sigs.k8s.io/structured-merge-diff/v6 v6.4.0 h1:qmp2e3ZfFi1/jJbDGpD4mt3wyp6PE1NfKHCYLqgNQJo=
+sigs.k8s.io/structured-merge-diff/v6 v6.4.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
diff --git a/hack/openapi-violations-known.list b/hack/openapi-violations-known.list
index edfe8855..ba1f69b3 100644
--- a/hack/openapi-violations-known.list
+++ b/hack/openapi-violations-known.list
@@ -29,5 +29,6 @@ API rule violation: names_match,github.com/tigera/api/pkg/apis/projectcalico/v3,
 API rule violation: names_match,github.com/tigera/api/pkg/apis/projectcalico/v3,FelixConfigurationSpec,WindowsDNSExtraTTL
 API rule violation: names_match,github.com/tigera/api/pkg/apis/projectcalico/v3,FelixConfigurationSpec,WireguardPersistentKeepAlive
 API rule violation: names_match,github.com/tigera/api/pkg/apis/projectcalico/v3,IPAMBlockSpec,DeprecatedStrictAffinity
+API rule violation: names_match,github.com/tigera/api/pkg/apis/projectcalico/v3,LicenseKeyStatus,MaxCores
 API rule violation: names_match,github.com/tigera/api/pkg/apis/projectcalico/v3,LicenseKeyStatus,MaxNodes
 API rule violation: names_match,github.com/tigera/api/pkg/apis/projectcalico/v3,MigrationControllerConfig,PolicyNameMigrator
diff --git a/lib.Makefile b/lib.Makefile
index 28426a83..98b6a2cf 100644
--- a/lib.Makefile
+++ b/lib.Makefile
@@ -1,8 +1,13 @@
 # Find path to the repo root dir (i.e. this files's dir).  Must be first in the file, before including anything.
-REPO_DIR:=$(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
+# Use Make builtins instead of `dirname` so this works under PowerShell on Windows agents too.
+REPO_DIR := $(patsubst %/,%,$(dir $(realpath $(lastword $(MAKEFILE_LIST)))))
 
 # Always install the git hooks to prevent publishing closed source code to a non-private repo.
-install_hooks:=$(shell $(REPO_DIR)/hack/install-git-hooks)
+# The install script is bash-only; skip on Windows agents where every $(shell ...) call would
+# spawn a PowerShell that adds startup latency to every sub-make.
+ifneq ($(OS),Windows_NT)
+install_hooks := $(shell $(REPO_DIR)/hack/install-git-hooks)
+endif
 
 # Disable built-in rules
 .SUFFIXES:
@@ -61,14 +66,18 @@ endif
 # The list of sub-projects which build non-cluster host RPMs
 NON_CLUSTER_HOST_SUBDIRS := selinux fluent-bit node
 
-# detect the local outbound ip address
+# detect the local outbound ip address (only used by FV/etcd targets that don't run on Windows)
+ifneq ($(OS),Windows_NT)
 LOCAL_IP_ENV?=$(shell ip route get 8.8.8.8 | head -1 | awk '{print $$7}')
+endif
 
 LATEST_IMAGE_TAG?=latest
 
 # these macros create a list of valid architectures for pushing manifests
 comma := ,
+ifneq ($(OS),Windows_NT)
 double_quote := $(shell echo '"')
+endif
 
 ## Targets used when cross building.
 .PHONY: native register
@@ -108,7 +117,10 @@ THIRD_PARTY_REGISTRY_CI=gcr.io/unique-caldron-775/third-party-ci
 THIRD_PARTY_REGISTRY_CD=gcr.io/unique-caldron-775/cnx/tigera/third-party
 # THIRD_PARTY_REGISTRY configures the third-party registry that serves intermediate base image
 # for some Calico Enterprise components. They are never released directly to public.
-THIRD_PARTY_RELEASE_BRANCH ?= $(if $(SEMAPHORE_GIT_BRANCH),$(SEMAPHORE_GIT_BRANCH),master)
+# Only master and release-calient-* branches have third-party base images published under
+# their branch name. For any other branch (feature branches, or PRs whose base is a feature
+# branch such as stacked PRs), fall back to the master-tagged images.
+THIRD_PARTY_RELEASE_BRANCH ?= $(if $(filter master release-calient-%,$(SEMAPHORE_GIT_BRANCH)),$(SEMAPHORE_GIT_BRANCH),master)
 ifeq ($(SEMAPHORE_GIT_REF_TYPE), branch)
     # on master and release-calient branches
     THIRD_PARTY_REGISTRY?=$(THIRD_PARTY_REGISTRY_CD)
@@ -164,6 +176,28 @@ CALICO_BUILD    = $(GO_BUILD_IMAGE):$(GO_BUILD_VER)
 RUST_BUILD_IMAGE ?= calico/rust-build
 CALICO_RUST_BUILD = $(RUST_BUILD_IMAGE):$(RUST_BUILD_VER)
 
+# Cross-compilation support using clang.  When building on amd64 for a different
+# target architecture, we use clang as a cross-compiler (it natively supports all
+# targets) with a per-arch sysroot containing the target libraries.  This avoids
+# slow QEMU emulation for CGO builds.
+#
+# Map Go ARCH names to clang target triples.
+# Only arm64 and ppc64le need cross-compilation support (CGO is not enabled for s390x).
+CLANG_CROSS_TRIPLE_arm64   := aarch64-linux-gnu
+CLANG_CROSS_TRIPLE_ppc64le := powerpc64le-linux-gnu
+
+# Set CROSS_CC and CROSS_SYSROOT when cross-compiling from amd64.
+ifeq ($(BUILDARCH),amd64)
+ifneq ($(ARCH),amd64)
+ifneq ($(CLANG_CROSS_TRIPLE_$(ARCH)),)
+CROSS_TRIPLE := $(CLANG_CROSS_TRIPLE_$(ARCH))
+CROSS_SYSROOT := /usr/$(CROSS_TRIPLE)/sys-root
+CROSS_CC := clang --target=$(CROSS_TRIPLE) --sysroot=$(CROSS_SYSROOT)
+CROSS_LDFLAGS := -fuse-ld=lld
+endif
+endif
+endif
+
 # Build a binary with boring crypto support.
 # This function expects you to pass in two arguments:
 #   1st arg: path/to/input/package(s)
@@ -174,6 +208,7 @@ CALICO_RUST_BUILD = $(RUST_BUILD_IMAGE):$(RUST_BUILD_VER)
 define build_cgo_boring_binary
 	$(DOCKER_RUN) \
 		-e CGO_ENABLED=1 \
+		$(if $(CROSS_CC),-e CC="$(CROSS_CC)") \
 		-e CGO_CFLAGS=$(CGO_CFLAGS) \
 		-e CGO_LDFLAGS=$(CGO_LDFLAGS) \
 		$(CALICO_BUILD) \
@@ -185,6 +220,7 @@ endef
 define build_cgo_binary
 	$(DOCKER_RUN) \
 		-e CGO_ENABLED=1 \
+		$(if $(CROSS_CC),-e CC="$(CROSS_CC)") \
 		-e CGO_CFLAGS=$(CGO_CFLAGS) \
 		-e CGO_LDFLAGS=$(CGO_LDFLAGS) \
 		$(CALICO_BUILD) \
@@ -220,7 +256,7 @@ define build_cgo_windows_binary
 		-e GOOS=windows \
 		-e GOEXPERIMENT=nodwarf5 \
 		$(CALICO_BUILD) \
-		sh -c '$(GIT_CONFIG_SSH) go build -o $(2) $(if $(BUILD_TAGS),-tags $(BUILD_TAGS)) -v -buildvcs=false -ldflags "$(LDFLAGS)" $(1)'
+		sh -c '$(GIT_CONFIG_SSH) go build -o $(2) $(if $(BUILD_TAGS),-tags $(BUILD_TAGS)) -v -buildvcs=false -ldflags "$(LDFLAGS) -s -w" $(1)'
 endef
 
 # For windows builds that do not require cgo.
@@ -231,7 +267,7 @@ define build_windows_binary
 		-e GOOS=windows \
 		-e GOEXPERIMENT=nodwarf5 \
 		$(CALICO_BUILD) \
-		sh -c '$(GIT_CONFIG_SSH) go build -o $(2) $(if $(BUILD_TAGS),-tags $(BUILD_TAGS)) -v -buildvcs=false -ldflags "$(LDFLAGS)" $(1)'
+		sh -c '$(GIT_CONFIG_SSH) go build -o $(2) $(if $(BUILD_TAGS),-tags $(BUILD_TAGS)) -v -buildvcs=false -ldflags "$(LDFLAGS) -s -w" $(1)'
 endef
 
 # Images used in build / test across multiple directories.
@@ -250,6 +286,12 @@ endif
 # Get version from git. We allow setting this manually for the hashrelease process.
 # By default, includes commit count and hash (--long). During releases (RELEASE=true),
 # only the tag is used without the commit count suffix.
+#
+# Skip on Windows: these LDFLAGS-related vars use bash `||` fallbacks that PowerShell
+# can't parse, and Windows builds (e.g. fluentd-base) don't link Go binaries that
+# embed buildinfo. Each $(shell git ...) call would otherwise spawn PowerShell on
+# every sub-make recursion, multiplying parse time noticeably.
+ifneq ($(OS),Windows_NT)
 GIT_VERSION ?= $(shell git describe --tags --dirty --always --abbrev=12 --long)
 ifeq ($(RELEASE),true)
 	GIT_VERSION := $(shell git describe --tags --dirty --always --abbrev=12)
@@ -265,6 +307,7 @@ BUILD_ID:=$(shell git rev-parse HEAD || uuidgen | sed 's/-//g')
 # Variables elsewhere that depend on this (such as LDFLAGS) must also be lazy.
 GIT_DESCRIPTION=$(shell git describe --tags --dirty --always --abbrev=12 || echo '<unknown>')
 ENTERPRISE_VERSION?=$(call git-release-tag-from-dev-tag)
+endif
 
 # Calculate a timestamp for any build artifacts.
 ifneq ($(OS),Windows_NT)
@@ -335,6 +378,11 @@ CERTS_PATH := $(REPO_ROOT)/hack/test/certs
 # <main-repo>/.git/worktrees/<name>.  When Docker containers need git access,
 # the main .git directory must also be mounted, and GIT_DIR / GIT_WORK_TREE
 # must be set so that git can find objects and the correct working tree.
+#
+# Skip on Windows: this only configures Linux Docker mounts, and the bash `2>/dev/null`
+# redirection PowerShell tries to interpret as `2 > /dev/null` (writing to a file at
+# C:\dev\null), which fails noisily on every parse.
+ifneq ($(OS),Windows_NT)
 _GIT_DIR := $(shell git rev-parse --absolute-git-dir 2>/dev/null)
 _GIT_COMMON_DIR := $(realpath $(shell git rev-parse --git-common-dir 2>/dev/null))
 ifneq ($(_GIT_DIR),$(_GIT_COMMON_DIR))
@@ -350,6 +398,7 @@ DOCKER_GIT_WORKTREE_ARGS := \
 else
 DOCKER_GIT_WORKTREE_ARGS :=
 endif
+endif
 
 # Configure the Calico API group to use. Projects importing this Makefile can override this variable
 # if they need to.
@@ -411,6 +460,7 @@ DOCKER_GO_BUILD := $(DOCKER_RUN) $(CALICO_BUILD)
 DOCKER_RUST_BUILD := mkdir -p bin && \
 	docker run --rm \
 		--init \
+		--platform=linux/$(ARCH) \
 		--user $(LOCAL_USER_ID):$(LOCAL_GROUP_ID) \
 		$(EXTRA_DOCKER_ARGS) \
 		-v $(REPO_ROOT):/rust/src/github.com/projectcalico/calico:rw \
@@ -420,11 +470,32 @@ DOCKER_RUST_BUILD := mkdir -p bin && \
 # Host native build images
 HOST_NATIVE_BUILD_IMAGE ?= calico/host-native-build
 
-.PHONY: host-native-build
-host-native-build: $(wildcard $(REPO_DIR)/third_party/host-native/Dockerfile.*)
-	cd $(REPO_DIR)/third_party/host-native && \
+# Go release for the rhel8 host-native image, derived from GO_BUILD_VER.
+# Sole source of truth — bake file and Dockerfile carry no default.
+RHEL8_GO_VERSION = $(firstword $(subst -, ,$(GO_BUILD_VER)))
+
+# Distros for which we maintain a host-native build image — discovered from
+# Dockerfiles in third_party/host-native/. New distros are picked up
+# automatically by adding a Dockerfile.<distro>.
+HOST_NATIVE_DISTROS := $(patsubst Dockerfile.%,%,$(notdir $(wildcard $(REPO_DIR)/third_party/host-native/Dockerfile.*)))
+
+.PHONY: host-native-build $(addprefix host-native-build-,$(HOST_NATIVE_DISTROS))
+
+# Umbrella — build host-native images for every supported distro.
+host-native-build: $(addprefix host-native-build-,$(HOST_NATIVE_DISTROS))
+
+# Per-distro — build only the named host-native image. Package targets should
+# depend on `host-native-build-<distro>` to avoid triggering bakes of images
+# they don't use. Generated as explicit rules per distro because GNU make
+# does not apply pattern rules to .PHONY targets.
+define host_native_build_rule
+host-native-build-$(1): $$(REPO_DIR)/third_party/host-native/Dockerfile.$(1)
+	cd $$(REPO_DIR)/third_party/host-native && \
+		RHEL8_GO_VERSION=$$(RHEL8_GO_VERSION) \
 		docker buildx bake --load --pull \
-		-f $(REPO_DIR)/third_party/host-native/host-native-build-bake.hcl
+		-f $$(REPO_DIR)/third_party/host-native/host-native-build-bake.hcl $(1)
+endef
+$(foreach d,$(HOST_NATIVE_DISTROS),$(eval $(call host_native_build_rule,$(d))))
 
 DOCKER_HOST_NATIVE_RUN := docker run --rm \
 	--net=host \
@@ -435,6 +506,9 @@ DOCKER_HOST_NATIVE_RUN := docker run --rm \
 	-w /go/src/$(PACKAGE_NAME)
 
 # This function replaces the version string in the spec template and builds the rpm package.
+# Args: $(1) distro, $(2) package name, $(3) component version (passed to
+# generate-package-version.sh), $(4) optional sourcedir override (relative to
+# component directory; defaults to component dir itself).
 define host_native_rpm_build
 	$(eval version := $(shell $(REPO_ROOT)/hack/generate-package-version.sh $(REPO_ROOT) rpm "" $(3)))
 
@@ -444,7 +518,7 @@ define host_native_rpm_build
 		$(HOST_NATIVE_BUILD_IMAGE):$(1) \
 			sh -c 'rpmbuild \
 				--define "_topdir $$PWD/package/$(1)" \
-				--define "_sourcedir $$PWD" \
+				--define "_sourcedir $$PWD$(if $(4),/$(4),)" \
 				-ba rhel/$(2).spec'
 endef
 
@@ -498,16 +572,25 @@ endef
 # IMAGE_DEPS lists non-Go files that the Docker image depends on (Dockerfiles,
 # config templates, scripts, etc.). Components should override or append to
 # this variable and include $(IMAGE_DEPS) in their .image.created prereqs.
+#
+# Skip on Windows: this is dependency tracking for Linux Go-based image stamps;
+# Windows components (e.g. third_party/fluentd-base) build pure Docker images.
+# Each $(shell find ... grep ... cut ...) call would otherwise spawn PowerShell
+# (no find/grep/cut available) on every sub-make recursion. With ~20 components
+# referenced from .image.created-* prerequisites below, this was the dominant
+# contributor to the Windows publish job hitting Semaphore's 3h timeout.
 ###############################################################################
+IMAGE_DEPS ?= Dockerfile
+
+ifneq ($(OS),Windows_NT)
 ifneq ($(wildcard deps.txt),)
 SRC_FILES := $(shell find $(addprefix $(REPO_ROOT)/,$(shell grep '^local:' deps.txt | cut -d: -f2-)) -name '*.go' 2>/dev/null)
 endif
 
-IMAGE_DEPS ?= Dockerfile
-
 # Expand a component's deps.txt local entries to the list of .go files.
 # Usage: $(call local-deps-go-files,<component-dir>)
 local-deps-go-files = $(shell find $(addprefix $(REPO_ROOT)/,$(shell grep '^local:' $(REPO_ROOT)/$(1)/deps.txt | cut -d: -f2-)) -name '*.go' 2>/dev/null)
+endif
 
 # A target that does nothing but it always stale, used to force a rebuild on certain targets based on some non-file criteria.
 .PHONY: force-rebuild
@@ -601,7 +684,6 @@ define update_calico_base_pin
 		fi'
 endef
 
-GIT_REMOTE?=origin
 API_BRANCH?=$(PIN_BRANCH)
 API_REPO?=github.com/projectcalico/calico/api
 BASE_API_REPO?=github.com/projectcalico/calico/api
@@ -869,7 +951,7 @@ fix-changed go-fmt-changed goimports-changed:
 fix-all go-fmt-all goimports-all:
 	$(DOCKER_RUN) $(CALICO_BUILD) $(REPO_REL_DIR)/hack/format-all-files.sh
 
-GOMODDER=./hack/cmd/gomodder/main.go
+GOMODDER=$(REPO_REL_DIR)/hack/cmd/gomodder/main.go
 
 .PHONY: verify-go-mods
 verify-go-mods:
@@ -1127,9 +1209,28 @@ retag-build-image-arch-with-registry-%: var-require-all-REGISTRY-BUILD_IMAGE-IMA
 		$(NOECHO) $(NOOP)\
 	)
 
+# validate-dev-registries fails if any entry in DEV_REGISTRIES is not prefixed
+# by an entry in ALLOWED_DEV_REGISTRIES. Intended to prevent accidental pushes
+# to registries outside Tigera control - notably the OSS quay.io/calico and
+# docker.io/calico paths owned by projectcalico/calico, which previously got
+# clobbered by an Enterprise CI job.
+validate-dev-registries:
+	@if [ -z "$(strip $(ALLOWED_DEV_REGISTRIES))" ]; then exit 0; fi; \
+	for r in $(DEV_REGISTRIES); do \
+		ok=0; \
+		for a in $(ALLOWED_DEV_REGISTRIES); do \
+			case "$$r" in $$a*) ok=1; break;; esac; \
+		done; \
+		if [ "$$ok" = "0" ]; then \
+			echo "ERROR: DEV_REGISTRIES contains '$$r', which is not prefixed by any value in ALLOWED_DEV_REGISTRIES (\"$(ALLOWED_DEV_REGISTRIES)\")."; \
+			echo "       Update ALLOWED_DEV_REGISTRIES in metadata.mk if this push target is now legitimate."; \
+			exit 1; \
+		fi; \
+	done
+
 # push-images-to-registries pushes the build / arch images specified by BUILD_IMAGES and VALIDARCHES to the registries
 # specified by DEV_REGISTRY.
-push-images-to-registries: $(addprefix push-images-to-registry-,$(call escapefs,$(DEV_REGISTRIES)))
+push-images-to-registries: validate-dev-registries $(addprefix push-images-to-registry-,$(call escapefs,$(DEV_REGISTRIES)))
 
 # push-images-to-registry-% pushes the build / arch images specified by BUILD_IMAGES and VALIDARCHES to the registry
 # specified by %*.
@@ -1157,6 +1258,14 @@ endif
 
 # retry_docker_cmd retries a docker command up to a specified number of times.
 # Usage: $(call retry_docker_cmd,<description>,<docker command>,<max retries>,<retry delay>)
+#
+# Windows agents (Semaphore) execute recipe lines under PowerShell, which can't parse
+# the bash retry loop used elsewhere; emit a single-line PowerShell loop instead.
+ifeq ($(OS),Windows_NT)
+define retry_docker_cmd
+	for ($$i=1; $$i -le $(3); $$i++) { $(2); if ($$LASTEXITCODE -eq 0) { break }; Write-Host ('WARNING: $(1) failed (attempt {0}/$(3)), retrying in $(4)s...' -f $$i); if ($$i -eq $(3)) { exit 1 }; Start-Sleep -Seconds $(4) }
+endef
+else
 define retry_docker_cmd
 	i=1; \
 	while [ $$i -le $(3) ]; do \
@@ -1167,40 +1276,56 @@ define retry_docker_cmd
 		i=$$((i + 1)); \
 	done
 endef
+endif
 
 # Configuration options for retrying docker commands
 MANIFEST_RETRIES ?= 5
 MANIFEST_RETRY_DELAY ?= 5
 
+# log_step prints a grep-able timing record. Bracket a long-running shell
+# step with start/end calls so per-step durations can be computed from the
+# CI log without per-line instrumentation.
+# Usage: $(call log_step,start,<label>)  ...  $(call log_step,end,<label>)
+define log_step
+	echo "==> step=$(1) label=\"$(2)\" epoch=$$(date +%s) at=$$(date -u +%FT%TZ)"
+endef
+
 # push-image-arch-to-registry-% pushes the build / arch image specified by $* and BUILD_IMAGE to the registry
 # specified by REGISTRY.
 push-image-arch-to-registry-%:
 # If the registry we want to push to doesn't not support manifests don't push the ARCH image.
+	@$(call log_step,start,push $(call filter-registry,$(REGISTRY))$(BUILD_IMAGE):$(IMAGETAG)-$*)
 	$(call retry_docker_cmd,docker push with quiet flag,$(DOCKER) push --quiet $(call filter-registry,$(REGISTRY))$(BUILD_IMAGE):$(IMAGETAG)-$*,$(MANIFEST_RETRIES),$(MANIFEST_RETRY_DELAY))
+	@$(call log_step,end,push $(call filter-registry,$(REGISTRY))$(BUILD_IMAGE):$(IMAGETAG)-$*)
 	$(if $(filter $*,amd64),\
-		$(call retry_docker_cmd,docker push,$(DOCKER) push $(REGISTRY)/$(BUILD_IMAGE):$(IMAGETAG),$(MANIFEST_RETRIES),$(MANIFEST_RETRY_DELAY))\
-		$(NOECHO) $(NOOP)\
+		$(call log_step,start,push $(REGISTRY)/$(BUILD_IMAGE):$(IMAGETAG)); \
+		$(call retry_docker_cmd,docker push,$(DOCKER) push $(REGISTRY)/$(BUILD_IMAGE):$(IMAGETAG),$(MANIFEST_RETRIES),$(MANIFEST_RETRY_DELAY)); \
+		$(call log_step,end,push $(REGISTRY)/$(BUILD_IMAGE):$(IMAGETAG)) \
 	)
 
 # push multi-arch manifest where supported.
-push-manifests: var-require-all-IMAGETAG  $(addprefix sub-manifest-,$(call escapefs,$(PUSH_MANIFEST_IMAGES)))
+push-manifests: var-require-all-IMAGETAG validate-dev-registries $(addprefix sub-manifest-,$(call escapefs,$(PUSH_MANIFEST_IMAGES)))
 sub-manifest-%:
 	@if [ -z "$(MANIFEST_RETRIES)" ] || ! printf '%s\n' "$(MANIFEST_RETRIES)" | grep -Eq '^[0-9]+$$' || [ "$(MANIFEST_RETRIES)" -lt 1 ]; then \
 		echo "ERROR: MANIFEST_RETRIES must be a positive integer, got '$(MANIFEST_RETRIES)'"; \
 		exit 1; \
 	fi
+	@$(call log_step,start,manifest-create $(call unescapefs,$*):$(IMAGETAG))
 	$(call retry_docker_cmd,docker manifest create,$(DOCKER) manifest create $(call unescapefs,$*):$(IMAGETAG) $(addprefix --amend ,$(addprefix $(call unescapefs,$*):$(IMAGETAG)-,$(VALIDARCHES))),$(MANIFEST_RETRIES),$(MANIFEST_RETRY_DELAY))
+	@$(call log_step,end,manifest-create $(call unescapefs,$*):$(IMAGETAG))
+	@$(call log_step,start,manifest-push $(call unescapefs,$*):$(IMAGETAG))
 	$(call retry_docker_cmd,docker manifest push,$(DOCKER) manifest push --purge $(call unescapefs,$*):$(IMAGETAG),$(MANIFEST_RETRIES),$(MANIFEST_RETRY_DELAY))
+	@$(call log_step,end,manifest-push $(call unescapefs,$*):$(IMAGETAG))
 
 push-manifests-with-tag: var-require-one-of-CONFIRM-DRYRUN var-require-all-BRANCH_NAME
-	$(MAKE) push-manifests IMAGETAG=$(if $(IMAGETAG_PREFIX),$(IMAGETAG_PREFIX)-)$(BRANCH_NAME) EXCLUDEARCH="$(EXCLUDEARCH)"
-	$(MAKE) push-manifests IMAGETAG=$(if $(IMAGETAG_PREFIX),$(IMAGETAG_PREFIX)-)$(GIT_VERSION) EXCLUDEARCH="$(EXCLUDEARCH)"
+	$(MAKE) push-manifests IMAGETAG=$(if $(IMAGETAG_PREFIX),$(IMAGETAG_PREFIX)-)$(BRANCH_NAME) VALIDARCHES="$(VALIDARCHES)"
+	$(MAKE) push-manifests IMAGETAG=$(if $(IMAGETAG_PREFIX),$(IMAGETAG_PREFIX)-)$(GIT_VERSION) VALIDARCHES="$(VALIDARCHES)"
 
 # cd-common tags and pushes images with the branch name and git version. This target uses PUSH_IMAGES, BUILD_IMAGES,
 # and BRANCH_NAME env variables to figure out what to tag and where to push them to.
 cd-common: var-require-one-of-CONFIRM-DRYRUN var-require-all-BRANCH_NAME
-	$(MAKE) retag-build-images-with-registries push-images-to-registries IMAGETAG=$(if $(IMAGETAG_PREFIX),$(IMAGETAG_PREFIX)-)$(BRANCH_NAME) EXCLUDEARCH="$(EXCLUDEARCH)"
-	$(MAKE) retag-build-images-with-registries push-images-to-registries IMAGETAG=$(if $(IMAGETAG_PREFIX),$(IMAGETAG_PREFIX)-)$(GIT_VERSION) EXCLUDEARCH="$(EXCLUDEARCH)"
+	$(MAKE) retag-build-images-with-registries push-images-to-registries IMAGETAG=$(if $(IMAGETAG_PREFIX),$(IMAGETAG_PREFIX)-)$(BRANCH_NAME) VALIDARCHES="$(VALIDARCHES)"
+	$(MAKE) retag-build-images-with-registries push-images-to-registries IMAGETAG=$(if $(IMAGETAG_PREFIX),$(IMAGETAG_PREFIX)-)$(GIT_VERSION) VALIDARCHES="$(VALIDARCHES)"
 
 ###############################################################################
 # Release targets and helpers
@@ -1600,8 +1725,21 @@ KIND_CONFIG ?= $(KIND_DIR)/kind.config
 KIND_NAME = $(basename $(notdir $(KIND_CONFIG)))
 KIND_KUBECONFIG?=$(KIND_DIR)/$(KIND_NAME)-kubeconfig.yaml
 
+.PHONY: kind-registry-up kind-registry-destroy
+## Start the local kind image registry (idempotent). Persists across cluster recreates.
+kind-registry-up:
+	$(REPO_ROOT)/hack/test/kind/registry.sh up
+
+## Remove the local kind image registry. Forces a full re-push on next kind-up.
+# `make push` skips work based on `.dev-stamps/*pushed-id` (keyed on local
+# image IDs), so dropping the registry alone would leave it empty after the
+# next kind-build-images. Clear the push stamps so the next build re-pushes.
+kind-registry-destroy:
+	$(REPO_ROOT)/hack/test/kind/registry.sh down
+	rm -f $(REPO_ROOT)/.dev-stamps/*pushed-id 2>/dev/null || true
+
 kind-cluster-create: $(REPO_ROOT)/.$(KIND_NAME).created
-$(REPO_ROOT)/.$(KIND_NAME).created: $(KUBECTL) $(KIND)
+$(REPO_ROOT)/.$(KIND_NAME).created: $(KUBECTL) $(KIND) kind-registry-up
 	# First make sure any previous cluster is deleted
 	$(MAKE) kind-cluster-destroy
 
@@ -1612,6 +1750,11 @@ $(REPO_ROOT)/.$(KIND_NAME).created: $(KUBECTL) $(KIND)
 		--name $(KIND_NAME) \
 		--image kindest/node:$(KINDEST_NODE_VERSION)
 
+	# Connect the registry to the kind network now that the network exists,
+	# and write per-node containerd config so localhost:5000 redirects to it.
+	$(REPO_ROOT)/hack/test/kind/registry.sh up
+	KIND_NAME=$(KIND_NAME) $(REPO_ROOT)/hack/test/kind/registry.sh configure-nodes
+
 	# Wait for controller manager to be running and healthy, then create Calico CRDs.
 	while ! KUBECONFIG=$(KIND_KUBECONFIG) $(KUBECTL) get serviceaccount default; do echo "Waiting for default serviceaccount to be created..."; sleep 2; done
 	while ! KUBECONFIG=$(KIND_KUBECONFIG) $(KUBECTL) create -f $(REPO_ROOT)/charts/crd.projectcalico.org.v1/templates/; do echo "Waiting for operator CRDs to be created"; sleep 2; done
@@ -1712,34 +1855,21 @@ bin/yq:
 KIND_INFRA_DIR := $(REPO_ROOT)/hack/test/kind/infra
 KIND_TEST_BUILD_TAG = test-build
 
-# Calico images built locally with latest-$(ARCH) tags. kind-build-images
-# re-tags each as :test-build for the kind cluster.
+# Locally-built Calico images. dev-build.sh re-tags each as
+# localhost:5000/tigera/<name>:test-build for the kind cluster.
+# Most components are provided by the combined tigera/calico image, which
+# uses "calico <subcommand>" as the container command. Only node remains
+# as a separate image (it ships its own runit/bird/iptables filesystem).
 KIND_CALICO_IMAGES = \
 	tigera/node:$(KIND_TEST_BUILD_TAG) \
-	tigera/typha:$(KIND_TEST_BUILD_TAG) \
-	tigera/apiserver:$(KIND_TEST_BUILD_TAG) \
-	tigera/calicoctl:$(KIND_TEST_BUILD_TAG) \
-	tigera/cni:$(KIND_TEST_BUILD_TAG) \
-	tigera/csi:$(KIND_TEST_BUILD_TAG) \
-	tigera/node-driver-registrar:$(KIND_TEST_BUILD_TAG) \
-	tigera/pod2daemon-flexvol:$(KIND_TEST_BUILD_TAG) \
-	tigera/kube-controllers:$(KIND_TEST_BUILD_TAG) \
-	tigera/webhooks:$(KIND_TEST_BUILD_TAG)
-
-# Operator is built separately (build-operator.sh tags it directly as
-# :test-build), so it's not in KIND_CALICO_IMAGES.
-KIND_OPERATOR_IMAGE = docker.io/tigera/operator:$(KIND_TEST_BUILD_TAG)
-
-# All images loaded onto the kind cluster.
-KIND_IMAGES = $(KIND_OPERATOR_IMAGE) $(KIND_CALICO_IMAGES)
+	tigera/calico:$(KIND_TEST_BUILD_TAG)
 
 # Enterprise-only: paths to license and pull secret for kind cluster setup.
 GCR_IO_PULL_SECRET ?= $(HOME)/secrets/docker_cfg.json
 TSEE_TEST_LICENSE ?= $(HOME)/secrets/license.yaml
 
-# Enterprise-only images (all images loaded onto the kind cluster).
 # Enterprise images built locally with latest-$(ARCH) tags. kind-build-images
-# re-tags each as :test-build for the kind cluster.
+# pushes each as localhost:5000/tigera/<name>:test-build for the kind cluster.
 KIND_ENTERPRISE_LOCAL_IMAGES = \
 	tigera/egress-gateway:$(KIND_TEST_BUILD_TAG) \
 	tigera/queryserver:$(KIND_TEST_BUILD_TAG) \
@@ -1751,6 +1881,7 @@ KIND_ENTERPRISE_LOCAL_IMAGES = \
 	tigera/es-gateway:$(KIND_TEST_BUILD_TAG) \
 	tigera/linseed:$(KIND_TEST_BUILD_TAG) \
 	tigera/intrusion-detection-controller:$(KIND_TEST_BUILD_TAG) \
+	tigera/deep-packet-inspection:$(KIND_TEST_BUILD_TAG) \
 	tigera/webhooks-processor:$(KIND_TEST_BUILD_TAG) \
 	tigera/intrusion-detection-job-installer:$(KIND_TEST_BUILD_TAG) \
 	tigera/elasticsearch-metrics:$(KIND_TEST_BUILD_TAG) \
@@ -1764,13 +1895,11 @@ KIND_ENTERPRISE_PULLED_IMAGES = \
 	tigera/prometheus:$(KIND_TEST_BUILD_TAG) \
 	tigera/alertmanager:$(KIND_TEST_BUILD_TAG) \
 	tigera/manager:$(KIND_TEST_BUILD_TAG) \
-	tigera/kibana:$(KIND_TEST_BUILD_TAG) \
 	tigera/elasticsearch:$(KIND_TEST_BUILD_TAG)
 
 # All enterprise images = locally built + pulled from registry.
 KIND_CALICO_ENTERPRISE_IMAGES = $(KIND_ENTERPRISE_LOCAL_IMAGES) $(KIND_ENTERPRISE_PULLED_IMAGES)
 
-KIND_IMAGES += $(KIND_CALICO_ENTERPRISE_IMAGES)
 
 # .image.created markers: the per-component image build stamp files.
 # Each depends on its source files via deps.txt so Make knows when
@@ -1778,66 +1907,33 @@ KIND_IMAGES += $(KIND_CALICO_ENTERPRISE_IMAGES)
 # runs when sources are newer.
 KIND_IMAGE_MARKERS = \
 	$(REPO_ROOT)/node/.image.created-$(ARCH) \
-	$(REPO_ROOT)/typha/.image.created-$(ARCH) \
-	$(REPO_ROOT)/apiserver/.image.created-$(ARCH) \
-	$(REPO_ROOT)/cni-plugin/.image.created-$(ARCH) \
-	$(REPO_ROOT)/pod2daemon/.image.created-$(ARCH) \
-	$(REPO_ROOT)/calicoctl/.image.created-$(ARCH) \
-	$(REPO_ROOT)/kube-controllers/.image.created-$(ARCH) \
-	$(REPO_ROOT)/webhooks/.image.created-$(ARCH)
-
-$(REPO_ROOT)/node/.image.created-$(ARCH): $(call local-deps-go-files,node)
+	$(REPO_ROOT)/cmd/calico/.image.created-$(ARCH)
+
+# Shared libbpf marker. Both node and cmd/calico (and felix-internal
+# build steps invoked from them) need libbpf, and `kind-build-images` runs
+# the per-image markers under `make -j`. Without a shared prereq, the
+# parallel sub-makes race in felix/bpf-gpl on both the clone (each runs
+# `rm -rf libbpf && git clone`, one fails with "destination path 'libbpf'
+# already exists") and the compile (both write to the same .o paths).
+# Point both image markers at the compiled libbpf.a so Make builds it
+# exactly once, serially, before the parallel image builds start.
+LIBBPF_MARKER = $(REPO_ROOT)/felix/bpf-gpl/libbpf/src/$(ARCH)/libbpf.a
+
+$(LIBBPF_MARKER):
+	$(MAKE) -C $(REPO_ROOT)/felix libbpf
+
+$(REPO_ROOT)/node/.image.created-$(ARCH): $(LIBBPF_MARKER) $(call local-deps-go-files,node)
 	$(MAKE) -C $(REPO_ROOT)/node image
 	touch $@
 
-$(REPO_ROOT)/typha/.image.created-$(ARCH): $(call local-deps-go-files,typha)
-	$(MAKE) -C $(REPO_ROOT)/typha image
-	touch $@
-
-$(REPO_ROOT)/apiserver/.image.created-$(ARCH): $(call local-deps-go-files,apiserver)
-	$(MAKE) -C $(REPO_ROOT)/apiserver image
-	touch $@
-
-$(REPO_ROOT)/cni-plugin/.image.created-$(ARCH): $(call local-deps-go-files,cni-plugin)
-	$(MAKE) -C $(REPO_ROOT)/cni-plugin image
-	touch $@
-
-$(REPO_ROOT)/pod2daemon/.image.created-$(ARCH): $(call local-deps-go-files,pod2daemon)
-	$(MAKE) -C $(REPO_ROOT)/pod2daemon image
-	touch $@
-
-$(REPO_ROOT)/calicoctl/.image.created-$(ARCH): $(call local-deps-go-files,calicoctl)
-	$(MAKE) -C $(REPO_ROOT)/calicoctl image
-	touch $@
-
-$(REPO_ROOT)/kube-controllers/.image.created-$(ARCH): $(call local-deps-go-files,kube-controllers)
-	$(MAKE) -C $(REPO_ROOT)/kube-controllers image
-	touch $@
-
-$(REPO_ROOT)/goldmane/.image.created-$(ARCH): $(call local-deps-go-files,goldmane)
-	$(MAKE) -C $(REPO_ROOT)/goldmane image
-	touch $@
-
-$(REPO_ROOT)/webhooks/.image.created-$(ARCH): $(call local-deps-go-files,webhooks)
-	$(MAKE) -C $(REPO_ROOT)/webhooks image
+$(REPO_ROOT)/cmd/calico/.image.created-$(ARCH): $(LIBBPF_MARKER) $(call local-deps-go-files,cmd)
+	$(MAKE) -C $(REPO_ROOT)/cmd/calico image
 	touch $@
 
 $(REPO_ROOT)/whisker/.image.created-$(ARCH):
 	$(MAKE) -C $(REPO_ROOT)/whisker image
 	touch $@
 
-$(REPO_ROOT)/whisker-backend/.image.created-$(ARCH): $(call local-deps-go-files,whisker-backend)
-	$(MAKE) -C $(REPO_ROOT)/whisker-backend image
-	touch $@
-
-# Operator is built from a separate repo/branch. It only needs the
-# calico_versions.yml and enterprise_versions.yml files (static files with
-# version strings), not the actual built images, so it can run in parallel
-# with component builds.
-$(REPO_ROOT)/.stamp.operator: $(KIND_INFRA_DIR)/calico_versions.yml $(KIND_INFRA_DIR)/enterprise_versions.yml
-	cd $(KIND_INFRA_DIR) && BRANCH=$(OPERATOR_BRANCH) ./build-operator.sh
-	touch $@
-
 # Enterprise-only image markers for locally-built components. These follow
 # the same pattern as KIND_IMAGE_MARKERS: source deps so Make knows when
 # to rebuild. Components with deps.txt use local-deps-go-files; third_party
@@ -1853,6 +1949,7 @@ KIND_ENTERPRISE_IMAGE_MARKERS = \
 	$(REPO_ROOT)/es-gateway/.image.created-$(ARCH) \
 	$(REPO_ROOT)/linseed/.image.created-$(ARCH) \
 	$(REPO_ROOT)/intrusion-detection-controller/.image.created-$(ARCH) \
+	$(REPO_ROOT)/deep-packet-inspection/.image.created-$(ARCH) \
 	$(REPO_ROOT)/webhooks-processor/.image.created-$(ARCH) \
 	$(REPO_ROOT)/intrusion-detection-controller/.dashboards-installer.image.created-$(ARCH) \
 	$(REPO_ROOT)/elasticsearch-metrics/.image.created-$(ARCH) \
@@ -1866,20 +1963,21 @@ KIND_ENTERPRISE_PULLED_IMAGE_MARKERS = \
 	$(REPO_ROOT)/.stamp.prometheus \
 	$(REPO_ROOT)/.stamp.alertmanager \
 	$(REPO_ROOT)/.stamp.manager \
-	$(REPO_ROOT)/.stamp.kibana \
 	$(REPO_ROOT)/.stamp.elastic
 
-## Build all component images needed for kind cluster testing, then tag them.
+## Build all component images and push them to the local kind registry.
+# This invokes the same `make push` pipeline used by the release flow, with
+# kind-flavored DEV_IMAGE_REGISTRY/PATH/TAG so images land at
+# localhost:5000/tigera/<name>:test-build. dev-build.sh handles tag,
+# operator-build (via build-operator.sh dev-mode), and push. The host pushes
+# via the 127.0.0.1:5000 port mapping on the registry container; containerd
+# inside the kind nodes mirrors localhost:5000 to http://kind-registry:5000.
 .PHONY: kind-build-images
-kind-build-images: $(KIND_IMAGE_MARKERS) $(REPO_ROOT)/.stamp.operator $(KIND_ENTERPRISE_IMAGE_MARKERS) $(KIND_ENTERPRISE_PULLED_IMAGE_MARKERS)
-	@for img in $(KIND_CALICO_IMAGES); do \
-	  base=$${img%%:*}; \
-	  docker tag $$base:latest-$(ARCH) $$img; \
-	done
-	@for img in $(KIND_CALICO_ENTERPRISE_IMAGES); do \
-	  base=$${img%%:*}; \
-	  docker tag $$base:latest-$(ARCH) $$img; \
-	done
+kind-build-images: kind-registry-up
+	$(MAKE) -C $(REPO_ROOT) push \
+	    DEV_IMAGE_REGISTRY=localhost:5000 \
+	    DEV_IMAGE_PATH=tigera \
+	    DEV_IMAGE_TAG=$(KIND_TEST_BUILD_TAG)
 
 # Create a kind cluster and deploy Calico on it via Helm. Assumes images are
 # already built and tagged as test-build in the local Docker daemon. If a
@@ -1887,8 +1985,9 @@ kind-build-images: $(KIND_IMAGE_MARKERS) $(REPO_ROOT)/.stamp.operator $(KIND_ENT
 # Default to v3 CRDs for kind clusters. Override with KIND_CALICO_API_GROUP=crd.projectcalico.org/v1 if needed.
 KIND_CALICO_API_GROUP ?= projectcalico.org/v3
 
-# Load images, install Calico via Helm, and wait for readiness on an existing
-# kind cluster. Use kind-up for end-to-end bringup (images + cluster + deploy).
+# Install Calico via Helm and wait for readiness on an existing kind cluster.
+# Images are pulled from the local kind-registry on demand, so no image
+# loading happens here. Use kind-up for end-to-end bringup.
 .PHONY: kind-deploy
 kind-deploy:
 	$(MAKE) -C $(REPO_ROOT) chart CALICO_API_GROUP=$(KIND_CALICO_API_GROUP)
@@ -1901,21 +2000,18 @@ kind-deploy:
 	CALICO_API_GROUP=$(KIND_CALICO_API_GROUP) \
 	TSEE_TEST_LICENSE=$(TSEE_TEST_LICENSE) \
 	GCR_IO_PULL_SECRET=$(GCR_IO_PULL_SECRET) \
-	KIND_IMAGES="$(KIND_IMAGES)" \
 	$(REPO_ROOT)/hack/test/kind/deploy_resources.sh
 
-# Rebuild any images whose source files have changed, load onto the kind
-# cluster, upgrade the Helm release, and restart pods. The chart rebuild
-# and helm upgrade are both fast no-ops when nothing has changed.
+# Rebuild any images whose source files have changed, push changed layers to
+# the local registry, upgrade the Helm release, and restart pods so kubelet
+# re-pulls the new digests under the test-build tag (PullAlways).
 .PHONY: kind-reload
 kind-reload:
 	$(MAKE) -j$$(nproc) kind-build-images
 	$(MAKE) -C $(REPO_ROOT) chart CALICO_API_GROUP=$(KIND_CALICO_API_GROUP)
-	KIND=$(KIND) KIND_NAME=$(KIND_NAME) $(REPO_ROOT)/hack/test/kind/load_images.sh $(KIND_IMAGES)
 	KUBECONFIG=$(KIND_KUBECONFIG) $(REPO_ROOT)/bin/helm upgrade calico \
-		--reuse-values \
 		$(REPO_ROOT)/bin/tigera-operator-$(GIT_VERSION).tgz \
-		-f $(KIND_INFRA_DIR)/values.yaml \
+		--reuse-values \
 		-n tigera-operator
 	KUBECONFIG=$(KIND_KUBECONFIG) $(KUBECTL) delete pods -n calico-system --all
 	KUBECONFIG=$(KIND_KUBECONFIG) $(KUBECTL) apply -f $(KIND_INFRA_DIR)/calicoctl.yaml
@@ -1960,32 +2056,44 @@ $(REPO_ROOT)/linseed/.image.created-$(ARCH): $(call local-deps-go-files,linseed)
 	$(MAKE) -C $(REPO_ROOT)/linseed image
 	touch $@
 
-$(REPO_ROOT)/intrusion-detection-controller/.image.created-$(ARCH): $(call local-deps-go-files,intrusion-detection-controller)
+# Grouped target (&:) — `make image` in this dir builds both the IDS
+# controller and job-installer images. Without grouping, parallel `make
+# -j` fires two sub-makes that race on the shared
+# bin/intrusion-detection-job-installer binary and the job-installer
+# docker image tag.
+$(REPO_ROOT)/intrusion-detection-controller/.image.created-$(ARCH) $(REPO_ROOT)/intrusion-detection-controller/.dashboards-installer.image.created-$(ARCH) &: $(call local-deps-go-files,intrusion-detection-controller)
 	$(MAKE) -C $(REPO_ROOT)/intrusion-detection-controller image
+	touch $(REPO_ROOT)/intrusion-detection-controller/.image.created-$(ARCH)
+	touch $(REPO_ROOT)/intrusion-detection-controller/.dashboards-installer.image.created-$(ARCH)
+
+$(REPO_ROOT)/deep-packet-inspection/.image.created-$(ARCH): $(call local-deps-go-files,deep-packet-inspection)
+	$(MAKE) -C $(REPO_ROOT)/deep-packet-inspection image
 	touch $@
 
 $(REPO_ROOT)/webhooks-processor/.image.created-$(ARCH): $(call local-deps-go-files,webhooks-processor)
 	$(MAKE) -C $(REPO_ROOT)/webhooks-processor image
 	touch $@
 
-$(REPO_ROOT)/intrusion-detection-controller/.dashboards-installer.image.created-$(ARCH): $(call local-deps-go-files,intrusion-detection-controller)
-	$(MAKE) -C $(REPO_ROOT)/intrusion-detection-controller intrusion-detection-job-installer
-	touch $@
-
 $(REPO_ROOT)/elasticsearch-metrics/.image.created-$(ARCH): $(call local-deps-go-files,elasticsearch-metrics)
 	$(MAKE) -C $(REPO_ROOT)/elasticsearch-metrics image
 	touch $@
 
 # Third-party locally-built images: use find for source deps since these
 # don't have deps.txt. The component Makefiles create the marker files.
-$(REPO_ROOT)/third_party/prometheus-operator/.prometheus-operator.created-$(ARCH): $(shell find $(REPO_ROOT)/third_party/prometheus-operator -name '*.go')
-	$(MAKE) -C $(REPO_ROOT)/third_party/prometheus-operator image
-
-$(REPO_ROOT)/third_party/prometheus-operator/.prometheus-config-reloader.created-$(ARCH): $(shell find $(REPO_ROOT)/third_party/prometheus-operator -name '*.go')
+# Grouped target (&:) — a single sub-make produces both stamps. Without
+# grouping, parallel `make -j` fires two sub-makes that race on the shared
+# prometheus-operator/ source tarball and corrupt the embedded YAML
+# (unexpected length 583168 != 794599) during go build.
+#
+# Skip on Windows: these stamps are KIND/Linux-only, and the bare $(shell find ...)
+# fires at parse time with `find` unavailable in PowerShell.
+ifneq ($(OS),Windows_NT)
+$(REPO_ROOT)/third_party/prometheus-operator/.prometheus-operator.created-$(ARCH) $(REPO_ROOT)/third_party/prometheus-operator/.prometheus-config-reloader.created-$(ARCH) &: $(shell find $(REPO_ROOT)/third_party/prometheus-operator -name '*.go')
 	$(MAKE) -C $(REPO_ROOT)/third_party/prometheus-operator image
 
 $(REPO_ROOT)/third_party/eck-operator/.eck-operator.created-$(ARCH): $(shell find $(REPO_ROOT)/third_party/eck-operator -name '*.go')
 	$(MAKE) -C $(REPO_ROOT)/third_party/eck-operator image
+endif
 
 # GCR-pulled images: no local source deps, use stamp files. Tag as
 # latest-$(ARCH) so the common tagging loop handles the final tag.
@@ -2007,12 +2115,6 @@ $(REPO_ROOT)/.stamp.manager:
 	docker tag gcr.io/unique-caldron-775/cnx/tigera/manager:$(THIRD_PARTY_RELEASE_BRANCH) tigera/manager:latest-$(ARCH)
 	touch $@
 
-$(REPO_ROOT)/.stamp.kibana:
-	# TODO: Can we run without kibana? Requires operator change.
-	docker pull gcr.io/unique-caldron-775/cnx/tigera/kibana:$(THIRD_PARTY_RELEASE_BRANCH)
-	docker tag gcr.io/unique-caldron-775/cnx/tigera/kibana:$(THIRD_PARTY_RELEASE_BRANCH) tigera/kibana:latest-$(ARCH)
-	touch $@
-
 $(REPO_ROOT)/.stamp.elastic:
 	# TODO: Build this.
 	docker pull gcr.io/unique-caldron-775/cnx/tigera/elasticsearch:$(THIRD_PARTY_RELEASE_BRANCH)
@@ -2026,7 +2128,10 @@ ENVTEST_DIR := $(REPO_ROOT)/hack/test/envtest
 ENVTEST_CONTAINER_DIR := /go/src/github.com/projectcalico/calico/hack/test/envtest
 # Derive major.minor from K8S_VERSION (e.g. v1.34.3 -> 1.34.x) for setup-envtest.
 # Envtest publishes binaries per minor version, not per patch, so we use a wildcard.
+# Skip on Windows: envtest is Linux-only test infra; bash sed/cut would error otherwise.
+ifneq ($(OS),Windows_NT)
 ENVTEST_K8S_VERSION ?= $(shell echo $(K8S_VERSION) | sed 's/^v//' | cut -d. -f1,2).x
+endif
 ENVTEST_ASSETS_MARKER := $(ENVTEST_DIR)/.envtest-$(ENVTEST_K8S_VERSION)
 
 ## Download envtest binaries (kube-apiserver, etcd) for use by tests that use controller-runtime envtest.
@@ -2043,9 +2148,11 @@ $(ENVTEST_ASSETS_MARKER):
 
 # Minimum supported Kubernetes version for CEL IP/CIDR library (available in 1.31+).
 MIN_K8S_VERSION ?= v1.31.0
+ifneq ($(OS),Windows_NT)
 ENVTEST_MIN_K8S_VERSION ?= $(shell echo $(MIN_K8S_VERSION) | sed 's/^v//' | cut -d. -f1,2).x
 # Major.minor prefix for globbing the downloaded envtest directory (e.g. "1.29").
 ENVTEST_MIN_K8S_MINOR := $(shell echo $(MIN_K8S_VERSION) | sed 's/^v//' | cut -d. -f1,2)
+endif
 ENVTEST_MIN_ASSETS_MARKER := $(ENVTEST_DIR)/.envtest-min-$(ENVTEST_MIN_K8S_VERSION)
 
 ## Download envtest binaries for the minimum supported Kubernetes version.
@@ -2128,10 +2235,14 @@ help:
 # Common functions for launching a local Elastic instance.
 ###############################################################################
 ELASTIC_USERNAME := elastic
+# Skip on Windows: bash-only pipeline (cat /dev/urandom, tr, head); the local-elastic
+# targets below run on Linux only and Windows components don't reference these vars.
+ifneq ($(OS),Windows_NT)
 BOOTSTRAP_PASSWORD := $(shell cat /dev/urandom | LC_CTYPE=C tr -dc A-Za-z0-9 | head -c16)
 ELASTIC_PASSWORD := $(BOOTSTRAP_PASSWORD)
 
 ELASTIC_IMAGE   ?= docker.elastic.co/elasticsearch/elasticsearch:$(shell grep -o '^ELASTIC_VERSION=[0-9\.]*' $(REPO_ROOT)/third_party/elasticsearch/Makefile | cut -d "=" -f 2)
+endif
 ELASTIC_EXTRA_DOCKER_ARGS ?=
 ELASTIC_MEMORY ?= 2GB
 
diff --git a/metadata.mk b/metadata.mk
index 8cb10c04..bd82df00 100644
--- a/metadata.mk
+++ b/metadata.mk
@@ -3,24 +3,24 @@
 #################################################################################################
 
 # Calico toolchain versions and the calico/base image to use.
-GO_BUILD_VER=1.26.2-llvm20.1.8-k8s1.35.3
+GO_BUILD_VER=1.26.2-llvm20.1.8-k8s1.35.4-1
 RUST_BUILD_VER=1.94.1
 
 # Calico Enterprise shipping images now builds on UBI 10. For Calico OSS to Enterprise merges,
 # please don't downgrade the base image back to UBI 9.
-CALICO_BASE_VER=ubi10-1775601218
+CALICO_BASE_VER=ubi10-1777576815
 
 # Version of Kubernetes to use for tests, rancher/kubectl, and kubectl binary release.
-K8S_VERSION=v1.35.2
+K8S_VERSION=v1.35.4
 
 # Version of various tools used in the build and tests.
 COREDNS_VERSION=1.5.2
-CRANE_VERSION=v0.21.3
-ETCD_VERSION=v3.5.24
-GHR_VERSION=v0.17.0
-GITHUB_CLI_VERSION=2.76.2
+CRANE_VERSION=v0.21.5
+ETCD_VERSION=v3.5.29
+GHR_VERSION=v0.18.3
+GITHUB_CLI_VERSION=2.90.0
 GOTESTSUM_VERSION=v1.13.0
-HELM_VERSION=v3.16.4
+HELM_VERSION=v3.20.2
 KINDEST_NODE_VERSION=v1.35.1
 KINDEST_NODE_VERSION_DUAL_TOR=v1.24.7
 KIND_VERSION=v0.31.0
@@ -44,6 +44,7 @@ endif
 # differently for a forked repo.
 ORGANIZATION  ?= tigera
 GIT_REPO      ?= calico-private
+GIT_REMOTE    ?= origin
 
 RELEASE_BRANCH_PREFIX ?=release-calient
 DEV_TAG_SUFFIX        ?= calient-0.dev
@@ -65,6 +66,15 @@ BIRD_VERSION=v0.3.3-211-g9111ec3c
 # repository.
 DEV_REGISTRIES ?= tigera
 
+# ALLOWED_DEV_REGISTRIES is the prefix allowlist enforced on every DEV_REGISTRIES
+# entry at push time (see validate-dev-registries in lib.Makefile). Entries in
+# DEV_REGISTRIES must start with one of these prefixes or the push fails. The
+# intent is to keep every dev and CD push inside Tigera-controlled registries
+# even when DEV_REGISTRIES is overridden ad-hoc, so that a misconfigured CI job
+# or a slipped command line cannot publish Enterprise images to a public OSS
+# registry path.
+ALLOWED_DEV_REGISTRIES ?= gcr.io/unique-caldron-775 quay.io/tigeradev
+
 # RELEASE_REGISTRIES configures the container images registries which are published to
 # as part of an official release.
 RELEASE_REGISTRIES ?= quay.io/tigera
diff --git a/pkg/apis/projectcalico/v3/bgpconfig.go b/pkg/apis/projectcalico/v3/bgpconfig.go
index 2c223e02..8f122518 100644
--- a/pkg/apis/projectcalico/v3/bgpconfig.go
+++ b/pkg/apis/projectcalico/v3/bgpconfig.go
@@ -88,17 +88,17 @@ type BGPConfigurationSpec struct {
 
 	// ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes Service LoadBalancer IPs.
 	// Kubernetes Service status.LoadBalancer.Ingress IPs will only be advertised if they are within one of these blocks.
-	// +listType=set
+	// +listType=atomic
 	ServiceLoadBalancerIPs []ServiceLoadBalancerIPBlock `json:"serviceLoadBalancerIPs,omitempty" validate:"omitempty,dive" confignamev1:"svc_loadbalancer_ips"`
 
 	// ServiceExternalIPs are the CIDR blocks for Kubernetes Service External IPs.
 	// Kubernetes Service ExternalIPs will only be advertised if they are within one of these blocks.
-	// +listType=set
+	// +listType=atomic
 	ServiceExternalIPs []ServiceExternalIPBlock `json:"serviceExternalIPs,omitempty" validate:"omitempty,dive" confignamev1:"svc_external_ips"`
 
 	// ServiceClusterIPs are the CIDR blocks from which service cluster IPs are allocated.
 	// If specified, Calico will advertise these blocks, as well as any cluster IPs within them.
-	// +listType=set
+	// +listType=atomic
 	ServiceClusterIPs []ServiceClusterIPBlock `json:"serviceClusterIPs,omitempty" validate:"omitempty,dive" confignamev1:"svc_cluster_ips"`
 
 	// ServiceLoadBalancerAggregation controls how LoadBalancer service IPs are advertised.
@@ -110,12 +110,12 @@ type BGPConfigurationSpec struct {
 
 	// Communities is a list of BGP community values and their arbitrary names for tagging routes.
 	// +kubebuilder:validation:MaxItems=500
-	// +listType=set
+	// +listType=atomic
 	Communities []Community `json:"communities,omitempty" validate:"omitempty,dive" confignamev1:"communities"`
 
 	// PrefixAdvertisements contains per-prefix advertisement configuration.
 	// +kubebuilder:validation:MaxItems=500
-	// +listType=set
+	// +listType=atomic
 	PrefixAdvertisements []PrefixAdvertisement `json:"prefixAdvertisements,omitempty" validate:"omitempty,dive" confignamev1:"prefix_advertisements"`
 
 	// ListenPort is the port where BGP protocol should listen. Defaults to 179
diff --git a/pkg/apis/projectcalico/v3/felixconfig.go b/pkg/apis/projectcalico/v3/felixconfig.go
index e20c1fd2..ed20c6b5 100644
--- a/pkg/apis/projectcalico/v3/felixconfig.go
+++ b/pkg/apis/projectcalico/v3/felixconfig.go
@@ -36,6 +36,7 @@ type FelixConfigurationList struct {
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:scope=Cluster
+// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'default' || self.metadata.name.startsWith('node.') ? !has(self.spec.nodeSelector) : true",message="nodeSelector must not be set on the 'default' or per-node ('node.*') FelixConfiguration",reason=FieldValueForbidden
 
 type FelixConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
@@ -207,6 +208,22 @@ const (
 // +kubebuilder:validation:XValidation:rule="!has(self.deviceRouteSourceAddress) || size(self.deviceRouteSourceAddress) == 0 || (isIP(self.deviceRouteSourceAddress) && ip(self.deviceRouteSourceAddress).family() == 4)",message="deviceRouteSourceAddress must be a valid IPv4 address",reason=FieldValueInvalid
 // +kubebuilder:validation:XValidation:rule="!has(self.deviceRouteSourceAddressIPv6) || size(self.deviceRouteSourceAddressIPv6) == 0 || (isIP(self.deviceRouteSourceAddressIPv6) && ip(self.deviceRouteSourceAddressIPv6).family() == 6)",message="deviceRouteSourceAddressIPv6 must be a valid IPv6 address",reason=FieldValueInvalid
 type FelixConfigurationSpec struct {
+	// NodeSelector is an optional label selector that restricts this FelixConfiguration
+	// to apply only to nodes that match the given selector. This field is only valid
+	// on FelixConfiguration resources whose name is not "default" and does not start
+	// with "node.". For resources named "default", the configuration applies globally
+	// to all nodes. For resources named "node.<nodename>", the configuration applies to
+	// the named node only.
+	//
+	// At most one selector-scoped FelixConfiguration should match any given node.
+	// If multiple selector-scoped resources match, the oldest (by creation
+	// timestamp) is used and a warning is logged. This prevents an accidentally
+	// created conflicting resource from disrupting an existing, working
+	// configuration.
+	// +optional
+	// +kubebuilder:validation:MaxLength=1024
+	NodeSelector *string `json:"nodeSelector,omitempty" confignamev1:"-"`
+
 	// UseInternalDataplaneDriver, if true, Felix will use its internal dataplane programming logic.  If false, it
 	// will launch an external dataplane driver and communicate with it over protobuf.
 	UseInternalDataplaneDriver *bool `json:"useInternalDataplaneDriver,omitempty"`
@@ -953,6 +970,13 @@ type FelixConfigurationSpec struct {
 	// workloads and services. [Default: true - bypass Linux conntrack]
 	BPFHostConntrackBypass *bool `json:"bpfHostConntrackBypass,omitempty"`
 
+	// BPFIPFragmentReassemblyEnabled controls whether Felix loads the BPF program that
+	// reassembles out-of-order IP fragments from external networks. This program requires
+	// a kernel newer than 5.10. When enabled (the default) and the program fails to load,
+	// Felix reports not-ready until the user sets this to false. When false, fragmented
+	// packets from external sources are dropped. [Default: true]
+	BPFIPFragmentReassemblyEnabled *bool `json:"bpfIPFragmentReassemblyEnabled,omitempty" validate:"omitempty"`
+
 	// BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of
 	// what is the per-interfaces or global setting. Possible values are Disabled, Strict
 	// or Loose. [Default: Loose]
diff --git a/pkg/apis/projectcalico/v3/ippool.go b/pkg/apis/projectcalico/v3/ippool.go
index e2c8fe12..b551861f 100644
--- a/pkg/apis/projectcalico/v3/ippool.go
+++ b/pkg/apis/projectcalico/v3/ippool.go
@@ -156,11 +156,12 @@ type IPPoolSpec struct {
 }
 
 // IPPoolAllowedUse defines the allowed uses for an IP pool.
-// It can be one of "Workload", "Tunnel", or "LoadBalancer".
+// It can be one of "Workload", "Tunnel", "LoadBalancer" or "HostSecondaryInterface".
 // - "Workload" means the pool is used for workload IP addresses.
 // - "Tunnel" means the pool is used for tunnel IP addresses.
 // - "LoadBalancer" means the pool is used for load balancer IP addresses.
-// +kubebuilder:validation:Enum=Workload;Tunnel;LoadBalancer
+// - "HostSecondaryInterface" means the pool is used for host secondary interface IP addresses.
+// +kubebuilder:validation:Enum=Workload;Tunnel;LoadBalancer;HostSecondaryInterface
 type IPPoolAllowedUse string
 
 const (
diff --git a/pkg/apis/projectcalico/v3/licensekey.go b/pkg/apis/projectcalico/v3/licensekey.go
index 7dc005e0..e17eb280 100644
--- a/pkg/apis/projectcalico/v3/licensekey.go
+++ b/pkg/apis/projectcalico/v3/licensekey.go
@@ -41,6 +41,7 @@ const (
 // +kubebuilder:printcolumn:name="Expiry",type="string",JSONPath=".status.expiry"
 // +kubebuilder:printcolumn:name="Grace-Period",type="string",JSONPath=".status.gracePeriod"
 // +kubebuilder:printcolumn:name="Max-Nodes",type="integer",JSONPath=".status.maxnodes"
+// +kubebuilder:printcolumn:name="Max-Cores",type="integer",JSONPath=".status.maxcores"
 // +kubebuilder:printcolumn:name="Valid",type="string",JSONPath=".status.conditions[?(@.type=='Valid')].status"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 
@@ -74,10 +75,14 @@ type LicenseKeyStatus struct {
 	// +optional
 	GracePeriod string `json:"gracePeriod,omitempty" yaml:"gracePeriod" validate:"omitempty"`
 
-	// Maximum Number of Allowed Nodes
+	// Maximum Number of Allowed Nodes.
 	// +optional
 	MaxNodes int `json:"maxnodes,omitempty" yaml:"maxnodes" validate:"omitempty"`
 
+	// Maximum Number of Allowed CPU Cores.
+	// +optional
+	MaxCores int `json:"maxcores,omitempty" yaml:"maxcores" validate:"omitempty"`
+
 	// License package defines type of Calico license that is being enforced
 	// +optional
 	Package LicensePackageType `json:"package,omitempty" yaml:"package" validate:"omitempty"`
diff --git a/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go b/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go
index 49a9262a..5116a513 100644
--- a/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go
+++ b/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go
@@ -2770,6 +2770,11 @@ func (in *FelixConfigurationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FelixConfigurationSpec) DeepCopyInto(out *FelixConfigurationSpec) {
 	*out = *in
+	if in.NodeSelector != nil {
+		in, out := &in.NodeSelector, &out.NodeSelector
+		*out = new(string)
+		**out = **in
+	}
 	if in.UseInternalDataplaneDriver != nil {
 		in, out := &in.UseInternalDataplaneDriver, &out.UseInternalDataplaneDriver
 		*out = new(bool)
@@ -3291,6 +3296,11 @@ func (in *FelixConfigurationSpec) DeepCopyInto(out *FelixConfigurationSpec) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.BPFIPFragmentReassemblyEnabled != nil {
+		in, out := &in.BPFIPFragmentReassemblyEnabled, &out.BPFIPFragmentReassemblyEnabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.BPFPolicyDebugEnabled != nil {
 		in, out := &in.BPFPolicyDebugEnabled, &out.BPFPolicyDebugEnabled
 		*out = new(bool)
diff --git a/pkg/client/applyconfiguration_generated/projectcalico/v3/felixconfigurationspec.go b/pkg/client/applyconfiguration_generated/projectcalico/v3/felixconfigurationspec.go
index fc36663d..6fda45b7 100644
--- a/pkg/client/applyconfiguration_generated/projectcalico/v3/felixconfigurationspec.go
+++ b/pkg/client/applyconfiguration_generated/projectcalico/v3/felixconfigurationspec.go
@@ -15,6 +15,19 @@ import (
 //
 // FelixConfigurationSpec contains the values of the Felix configuration.
 type FelixConfigurationSpecApplyConfiguration struct {
+	// NodeSelector is an optional label selector that restricts this FelixConfiguration
+	// to apply only to nodes that match the given selector. This field is only valid
+	// on FelixConfiguration resources whose name is not "default" and does not start
+	// with "node.". For resources named "default", the configuration applies globally
+	// to all nodes. For resources named "node.<nodename>", the configuration applies to
+	// the named node only.
+	//
+	// At most one selector-scoped FelixConfiguration should match any given node.
+	// If multiple selector-scoped resources match, the oldest (by creation
+	// timestamp) is used and a warning is logged. This prevents an accidentally
+	// created conflicting resource from disrupting an existing, working
+	// configuration.
+	NodeSelector *string `json:"nodeSelector,omitempty"`
 	// UseInternalDataplaneDriver, if true, Felix will use its internal dataplane programming logic.  If false, it
 	// will launch an external dataplane driver and communicate with it over protobuf.
 	UseInternalDataplaneDriver *bool `json:"useInternalDataplaneDriver,omitempty"`
@@ -547,6 +560,12 @@ type FelixConfigurationSpecApplyConfiguration struct {
 	// BPFHostConntrackBypass Controls whether to bypass Linux conntrack in BPF mode for
 	// workloads and services. [Default: true - bypass Linux conntrack]
 	BPFHostConntrackBypass *bool `json:"bpfHostConntrackBypass,omitempty"`
+	// BPFIPFragmentReassemblyEnabled controls whether Felix loads the BPF program that
+	// reassembles out-of-order IP fragments from external networks. This program requires
+	// a kernel newer than 5.10. When enabled (the default) and the program fails to load,
+	// Felix reports not-ready until the user sets this to false. When false, fragmented
+	// packets from external sources are dropped. [Default: true]
+	BPFIPFragmentReassemblyEnabled *bool `json:"bpfIPFragmentReassemblyEnabled,omitempty"`
 	// BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of
 	// what is the per-interfaces or global setting. Possible values are Disabled, Strict
 	// or Loose. [Default: Loose]
@@ -1158,6 +1177,14 @@ func FelixConfigurationSpec() *FelixConfigurationSpecApplyConfiguration {
 	return &FelixConfigurationSpecApplyConfiguration{}
 }
 
+// WithNodeSelector sets the NodeSelector field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the NodeSelector field is set to the value of the last call.
+func (b *FelixConfigurationSpecApplyConfiguration) WithNodeSelector(value string) *FelixConfigurationSpecApplyConfiguration {
+	b.NodeSelector = &value
+	return b
+}
+
 // WithUseInternalDataplaneDriver sets the UseInternalDataplaneDriver field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the UseInternalDataplaneDriver field is set to the value of the last call.
@@ -2323,6 +2350,14 @@ func (b *FelixConfigurationSpecApplyConfiguration) WithBPFHostConntrackBypass(va
 	return b
 }
 
+// WithBPFIPFragmentReassemblyEnabled sets the BPFIPFragmentReassemblyEnabled field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the BPFIPFragmentReassemblyEnabled field is set to the value of the last call.
+func (b *FelixConfigurationSpecApplyConfiguration) WithBPFIPFragmentReassemblyEnabled(value bool) *FelixConfigurationSpecApplyConfiguration {
+	b.BPFIPFragmentReassemblyEnabled = &value
+	return b
+}
+
 // WithBPFEnforceRPF sets the BPFEnforceRPF field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the BPFEnforceRPF field is set to the value of the last call.
diff --git a/pkg/client/applyconfiguration_generated/projectcalico/v3/licensekeystatus.go b/pkg/client/applyconfiguration_generated/projectcalico/v3/licensekeystatus.go
index 8aae6d68..339c85a5 100644
--- a/pkg/client/applyconfiguration_generated/projectcalico/v3/licensekeystatus.go
+++ b/pkg/client/applyconfiguration_generated/projectcalico/v3/licensekeystatus.go
@@ -19,8 +19,10 @@ type LicenseKeyStatusApplyConfiguration struct {
 	Expiry *v1.Time `json:"expiry,omitempty"`
 	// GracePeriod is how long after expiry the license remains functional (e.g. "90d")
 	GracePeriod *string `json:"gracePeriod,omitempty"`
-	// Maximum Number of Allowed Nodes
+	// Maximum Number of Allowed Nodes.
 	MaxNodes *int `json:"maxnodes,omitempty"`
+	// Maximum Number of Allowed CPU Cores.
+	MaxCores *int `json:"maxcores,omitempty"`
 	// License package defines type of Calico license that is being enforced
 	Package *projectcalicov3.LicensePackageType `json:"package,omitempty"`
 	// List of features that are available via the applied license
@@ -59,6 +61,14 @@ func (b *LicenseKeyStatusApplyConfiguration) WithMaxNodes(value int) *LicenseKey
 	return b
 }
 
+// WithMaxCores sets the MaxCores field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MaxCores field is set to the value of the last call.
+func (b *LicenseKeyStatusApplyConfiguration) WithMaxCores(value int) *LicenseKeyStatusApplyConfiguration {
+	b.MaxCores = &value
+	return b
+}
+
 // WithPackage sets the Package field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Package field is set to the value of the last call.
diff --git a/pkg/openapi/generated.openapi.go b/pkg/openapi/generated.openapi.go
index 1bb43383..e2a9c273 100644
--- a/pkg/openapi/generated.openapi.go
+++ b/pkg/openapi/generated.openapi.go
@@ -1710,7 +1710,7 @@ func schema_pkg_apis_projectcalico_v3_BGPConfigurationSpec(ref common.ReferenceC
 					"serviceLoadBalancerIPs": {
 						VendorExtensible: spec.VendorExtensible{
 							Extensions: spec.Extensions{
-								"x-kubernetes-list-type": "set",
+								"x-kubernetes-list-type": "atomic",
 							},
 						},
 						SchemaProps: spec.SchemaProps{
@@ -1729,7 +1729,7 @@ func schema_pkg_apis_projectcalico_v3_BGPConfigurationSpec(ref common.ReferenceC
 					"serviceExternalIPs": {
 						VendorExtensible: spec.VendorExtensible{
 							Extensions: spec.Extensions{
-								"x-kubernetes-list-type": "set",
+								"x-kubernetes-list-type": "atomic",
 							},
 						},
 						SchemaProps: spec.SchemaProps{
@@ -1748,7 +1748,7 @@ func schema_pkg_apis_projectcalico_v3_BGPConfigurationSpec(ref common.ReferenceC
 					"serviceClusterIPs": {
 						VendorExtensible: spec.VendorExtensible{
 							Extensions: spec.Extensions{
-								"x-kubernetes-list-type": "set",
+								"x-kubernetes-list-type": "atomic",
 							},
 						},
 						SchemaProps: spec.SchemaProps{
@@ -1774,7 +1774,7 @@ func schema_pkg_apis_projectcalico_v3_BGPConfigurationSpec(ref common.ReferenceC
 					"communities": {
 						VendorExtensible: spec.VendorExtensible{
 							Extensions: spec.Extensions{
-								"x-kubernetes-list-type": "set",
+								"x-kubernetes-list-type": "atomic",
 							},
 						},
 						SchemaProps: spec.SchemaProps{
@@ -1793,7 +1793,7 @@ func schema_pkg_apis_projectcalico_v3_BGPConfigurationSpec(ref common.ReferenceC
 					"prefixAdvertisements": {
 						VendorExtensible: spec.VendorExtensible{
 							Extensions: spec.Extensions{
-								"x-kubernetes-list-type": "set",
+								"x-kubernetes-list-type": "atomic",
 							},
 						},
 						SchemaProps: spec.SchemaProps{
@@ -5862,6 +5862,13 @@ func schema_pkg_apis_projectcalico_v3_FelixConfigurationSpec(ref common.Referenc
 				Description: "FelixConfigurationSpec contains the values of the Felix configuration.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
+					"nodeSelector": {
+						SchemaProps: spec.SchemaProps{
+							Description: "NodeSelector is an optional label selector that restricts this FelixConfiguration to apply only to nodes that match the given selector. This field is only valid on FelixConfiguration resources whose name is not \"default\" and does not start with \"node.\". For resources named \"default\", the configuration applies globally to all nodes. For resources named \"node.<nodename>\", the configuration applies to the named node only.\n\nAt most one selector-scoped FelixConfiguration should match any given node. If multiple selector-scoped resources match, the oldest (by creation timestamp) is used and a warning is logged. This prevents an accidentally created conflicting resource from disrupting an existing, working configuration.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
 					"useInternalDataplaneDriver": {
 						SchemaProps: spec.SchemaProps{
 							Description: "UseInternalDataplaneDriver, if true, Felix will use its internal dataplane programming logic.  If false, it will launch an external dataplane driver and communicate with it over protobuf.",
@@ -6891,6 +6898,13 @@ func schema_pkg_apis_projectcalico_v3_FelixConfigurationSpec(ref common.Referenc
 							Format:      "",
 						},
 					},
+					"bpfIPFragmentReassemblyEnabled": {
+						SchemaProps: spec.SchemaProps{
+							Description: "BPFIPFragmentReassemblyEnabled controls whether Felix loads the BPF program that reassembles out-of-order IP fragments from external networks. This program requires a kernel newer than 5.10. When enabled (the default) and the program fails to load, Felix reports not-ready until the user sets this to false. When false, fragmented packets from external sources are dropped. [Default: true]",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
 					"bpfEnforceRPF": {
 						SchemaProps: spec.SchemaProps{
 							Description: "BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of what is the per-interfaces or global setting. Possible values are Disabled, Strict or Loose. [Default: Loose]",
@@ -11052,7 +11066,14 @@ func schema_pkg_apis_projectcalico_v3_LicenseKeyStatus(ref common.ReferenceCallb
 					},
 					"maxnodes": {
 						SchemaProps: spec.SchemaProps{
-							Description: "Maximum Number of Allowed Nodes",
+							Description: "Maximum Number of Allowed Nodes.",
+							Type:        []string{"integer"},
+							Format:      "int32",
+						},
+					},
+					"maxcores": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Maximum Number of Allowed CPU Cores.",
 							Type:        []string{"integer"},
 							Format:      "int32",
 						},