diff --git a/calico-cloud/compliance/istio/about-istio-ambient.mdx b/calico-cloud/compliance/istio/about-istio-ambient.mdx new file mode 100644 index 0000000000..67d3c6587f --- /dev/null +++ b/calico-cloud/compliance/istio/about-istio-ambient.mdx 
@@ -0,0 +1,53 @@ +--- +description: An overview of Calico's bundled version of Istio Ambient Mode +--- + +# Istio Ambient Mode + +You can use $[prodname] to deploy and manage an Istio service mesh on your cluster. +$[prodname] installs Istio in ambient mode, which conserves resources while providing the same robust mTLS encryption for your services. + +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + +## About Istio Ambient Mode + +Istio is a service mesh that manages and secures communication between microservices. +Typically, Istio uses sidecar proxies that are deployed alongside every pod in the service mesh. +At scale, running these sidecar proxies can be difficult to manage and a drain on resources. + +Istio Ambient Mode is a simplified service mesh architecture that removes the need for a sidecar proxy next to every pod. +Instead, it uses node-level components for shared security and a layered approach for advanced traffic management. +This design saves on computing resources and simplifies operations. + +## About Istio Ambient Mode on Calico + +$[prodname] provides a bundled version of Istio that can be installed and managed by the Tigera Operator. + +This integration automates the lifecycle of the Istio components to reduce manual configuration overhead. +CVEs are addressed as part of the regular $[prodname] patch release cadence. +Administrators provision the Istio service mesh by defining a standard `Istio` custom resource. + +### The enhanced zTunnel proxy + +The zTunnel component in Istio Ambient Mode is a lightweight proxy that runs on every node. + +Its main job is to handle encryption, authentication, and policy enforcement for traffic at Layer 4. + +A challenge in the original Istio Ambient Mode is that when traffic is routed through the zTunnel, it gets placed into a tunnel on a specific port (15008). 
+This change makes it impossible for existing Layer 3 or Layer 4 network policies (like those from Calico) to see the original destination port of the traffic. + +Calico addresses this by using an enhanced zTunnel that is modified to preserve the original destination port. +This modification allows existing Calico and Kubernetes network policies to continue functioning exactly as they did before, without needing any rewrites, even though the traffic is now encrypted with mTLS. + +These zTunnel enhancements are not compatible with Istio's application-layer Waypoint proxy. +If you deploy Waypoint, the reported destination ports will follow the original behavior. +Existing network policies need to be adapted to allow communication to port 15008. + +## Additional resources +* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). +* [Ambient and Kubernetes NetworkPolicy](https://istio.io/latest/docs/ambient/usage/networkpolicy/) diff --git a/calico-cloud/compliance/istio/deploy-istio-ambient.mdx b/calico-cloud/compliance/istio/deploy-istio-ambient.mdx new file mode 100644 index 0000000000..a2f650eb59 --- /dev/null +++ b/calico-cloud/compliance/istio/deploy-istio-ambient.mdx 
@@ -0,0 +1,161 @@ +--- +description: This page explains how to deploy Calico's bundled version of Istio in ambient mode. +--- + +# Deploy Istio Ambient Mode on your cluster + +You can deploy Calico's bundled version of Istio in ambient mode to provide mTLS encryption to your workloads. + +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + +## Limitations + +* [Application layer network policies](../../network-policy/application-layer-policies/alp.mdx) are not compatible with the Istio service mesh. +* Istio Ambient Mode does not work together with [workload-based web application firewalls](../../threat/web-application-firewall.mdx). +* The service mesh is not supported for use on clusters that are also part of a [cluster mesh](../../multicluster/index.mdx). +* Destination ports are preserved only when Istio is deployed without Waypoint. + If you deploy Waypoint, all traffic through Waypoint will show port 15008 as its destination port. +* Connect-time load balancing with the eBPF data plane is not compatible with Waypoint. + +## Prerequisites + +* $[prodname] is installed and managed by the Tigera Operator. + +## Install Istio in ambient mode on your cluster + +You can create an Istio service mesh in ambient mode by creating the `Istio` custom resource. + +* To install Istio in ambient mode, apply the `Istio` custom resource to your cluster: + + ```bash + cat < istio.io/dataplane-mode=ambient + ``` + Replace `` with the namespace you want to include in the mesh. + + ```bash title='Adding a service to the Istio service mesh' + kubectl label service --namespace= istio.io/dataplane-mode=ambient + ``` + Replace the following: + * ``: The name of the service you want to include in the mesh. + * ``: The namespace your service is in. + +## Removing Istio + +If you want to remove Istio, first remove the labels you applied to services and namespaces. 
+When that's done, you can delete the `Istio` custom resource. + +1. Remove the label from namespaces and services by running the following commands: + + ```bash + kubectl label namespaces --all istio.io/dataplane-mode=ambient- + kubectl label services --all --all-namespaces istio.io/dataplane-mode=ambient- + ``` +1. Remove the `Istio` custom resource: + + ```bash + kubectl delete istio.operator.tigera.io default + ``` + +## Troubleshooting commands + +Check whether Istio pods are deployed: + +```bash +kubectl get pods -n calico-system | grep 'istio\|ztunnel' +``` + +Check whether Istio CRDs are deployed: + +```bash +kubectl get crd | grep istio +``` + +Check which services and namespaces are in the mesh: + +* Requires [istioctl](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/). + +```bash +istioctl ztunnel-config workloads -n calico-system +``` + +Check for errors logged by the zTunnel component: + +```bash +ZTUNNEL_PODS=$(kubectl get pod -n calico-system \ + -l app.kubernetes.io/name=ztunnel \ + -o jsonpath='{.items[*].metadata.name}') + +for P in $ZTUNNEL_PODS; do + echo "--- Checking logs for pod: $P ---" + kubectl logs $P -n calico-system 2>/dev/null | \ + grep -i error | \ + grep -i app1 +done +``` + +## Additional resources + +* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). +* [Configuration options](../../reference/installation/api). \ No newline at end of file diff --git a/calico-enterprise/compliance/istio/about-istio-ambient.mdx b/calico-enterprise/compliance/istio/about-istio-ambient.mdx new file mode 100644 index 0000000000..67d3c6587f --- /dev/null +++ b/calico-enterprise/compliance/istio/about-istio-ambient.mdx 
@@ -0,0 +1,53 @@ +--- +description: An overview of Calico's bundled version of Istio Ambient Mode +--- + +# Istio Ambient Mode + +You can use $[prodname] to deploy and manage an Istio service mesh on your cluster. +$[prodname] installs Istio in ambient mode, which conserves resources while providing the same robust mTLS encryption for your services. + +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + +## About Istio Ambient Mode + +Istio is a service mesh that manages and secures communication between microservices. +Typically, Istio uses sidecar proxies that are deployed alongside every pod in the service mesh. +At scale, running these sidecar proxies can be difficult to manage and a drain on resources. + +Istio Ambient Mode is a simplified service mesh architecture that removes the need for a sidecar proxy next to every pod. +Instead, it uses node-level components for shared security and a layered approach for advanced traffic management. +This design saves on computing resources and simplifies operations. + +## About Istio Ambient Mode on Calico + +$[prodname] provides a bundled version of Istio that can be installed and managed by the Tigera Operator. + +This integration automates the lifecycle of the Istio components to reduce manual configuration overhead. +CVEs are addressed as part of the regular $[prodname] patch release cadence. +Administrators provision the Istio service mesh by defining a standard `Istio` custom resource. + +### The enhanced zTunnel proxy + +The zTunnel component in Istio Ambient Mode is a lightweight proxy that runs on every node. + +Its main job is to handle encryption, authentication, and policy enforcement for traffic at Layer 4. + +A challenge in the original Istio Ambient Mode is that when traffic is routed through the zTunnel, it gets placed into a tunnel on a specific port (15008). 
+This change makes it impossible for existing Layer 3 or Layer 4 network policies (like those from Calico) to see the original destination port of the traffic. + +Calico addresses this by using an enhanced zTunnel that is modified to preserve the original destination port. +This modification allows existing Calico and Kubernetes network policies to continue functioning exactly as they did before, without needing any rewrites, even though the traffic is now encrypted with mTLS. + +These zTunnel enhancements are not compatible with Istio's application-layer Waypoint proxy. +If you deploy Waypoint, the reported destination ports will follow the original behavior. +Existing network policies need to be adapted to allow communication to port 15008. + +## Additional resources +* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). +* [Ambient and Kubernetes NetworkPolicy](https://istio.io/latest/docs/ambient/usage/networkpolicy/) diff --git a/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx b/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx new file mode 100644 index 0000000000..a2f650eb59 --- /dev/null +++ b/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx 
@@ -0,0 +1,161 @@ +--- +description: This page explains how to deploy Calico's bundled version of Istio in ambient mode. +--- + +# Deploy Istio Ambient Mode on your cluster + +You can deploy Calico's bundled version of Istio in ambient mode to provide mTLS encryption to your workloads. + +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + +## Limitations + +* [Application layer network policies](../../network-policy/application-layer-policies/alp.mdx) are not compatible with the Istio service mesh. +* Istio Ambient Mode does not work together with [workload-based web application firewalls](../../threat/web-application-firewall.mdx). +* The service mesh is not supported for use on clusters that are also part of a [cluster mesh](../../multicluster/index.mdx). +* Destination ports are preserved only when Istio is deployed without Waypoint. + If you deploy Waypoint, all traffic through Waypoint will show port 15008 as its destination port. +* Connect-time load balancing with the eBPF data plane is not compatible with Waypoint. + +## Prerequisites + +* $[prodname] is installed and managed by the Tigera Operator. + +## Install Istio in ambient mode on your cluster + +You can create an Istio service mesh in ambient mode by creating the `Istio` custom resource. + +* To install Istio in ambient mode, apply the `Istio` custom resource to your cluster: + + ```bash + cat < istio.io/dataplane-mode=ambient + ``` + Replace `` with the namespace you want to include in the mesh. + + ```bash title='Adding a service to the Istio service mesh' + kubectl label service --namespace= istio.io/dataplane-mode=ambient + ``` + Replace the following: + * ``: The name of the service you want to include in the mesh. + * ``: The namespace your service is in. + +## Removing Istio + +If you want to remove Istio, first remove the labels you applied to services and namespaces. 
+When that's done, you can delete the `Istio` custom resource. + +1. Remove the label from namespaces and services by running the following commands: + + ```bash + kubectl label namespaces --all istio.io/dataplane-mode=ambient- + kubectl label services --all --all-namespaces istio.io/dataplane-mode=ambient- + ``` +1. Remove the `Istio` custom resource: + + ```bash + kubectl delete istio.operator.tigera.io default + ``` + +## Troubleshooting commands + +Check whether Istio pods are deployed: + +```bash +kubectl get pods -n calico-system | grep 'istio\|ztunnel' +``` + +Check whether Istio CRDs are deployed: + +```bash +kubectl get crd | grep istio +``` + +Check which services and namespaces are in the mesh: + +* Requires [istioctl](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/). + +```bash +istioctl ztunnel-config workloads -n calico-system +``` + +Check for errors logged by the zTunnel component: + +```bash +ZTUNNEL_PODS=$(kubectl get pod -n calico-system \ + -l app.kubernetes.io/name=ztunnel \ + -o jsonpath='{.items[*].metadata.name}') + +for P in $ZTUNNEL_PODS; do + echo "--- Checking logs for pod: $P ---" + kubectl logs $P -n calico-system 2>/dev/null | \ + grep -i error | \ + grep -i app1 +done +``` + +## Additional resources + +* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). +* [Configuration options](../../reference/installation/api). \ No newline at end of file diff --git a/calico-enterprise/getting-started/install-on-clusters/rancher.mdx b/calico-enterprise/getting-started/install-on-clusters/rancher.mdx index bd9cc8fe3b..5dcd1ea2a2 100644 --- a/calico-enterprise/getting-started/install-on-clusters/rancher.mdx +++ b/calico-enterprise/getting-started/install-on-clusters/rancher.mdx 
@@ -29,7 +29,7 @@ The geeky details of what you get: - Configure your cluster for $[prodname] CNI - - Create a [Cluster Config File](https://rancher.com/docs/rancher/en/cluster-provisioning/rke-clusters/options/#cluster-config-file). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. + - Create a [Cluster Config File](https://rke.docs.rancher.com/example-yamls). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. :::note diff --git a/calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/rancher.mdx b/calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/rancher.mdx index e4c2518bdf..0d22af31f4 100644 --- a/calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/rancher.mdx +++ b/calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/rancher.mdx @@ -29,7 +29,7 @@ The geeky details of what you get: - Configure your cluster for $[prodname] CNI - - Create a [Cluster Config File](https://ranchermanager.docs.rancher.com/reference-guides/cluster-configuration/rancher-server-configuration/rke1-cluster-configuration#rke-cluster-config-file-reference). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. + - Create a [Cluster Config File](https://rke.docs.rancher.com/example-yamls). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. :::note 
diff --git a/calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/rancher.mdx b/calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/rancher.mdx index e4c2518bdf..0d22af31f4 100644 --- a/calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/rancher.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/rancher.mdx @@ -29,7 +29,7 @@ The geeky details of what you get: - Configure your cluster for $[prodname] CNI - - Create a [Cluster Config File](https://ranchermanager.docs.rancher.com/reference-guides/cluster-configuration/rancher-server-configuration/rke1-cluster-configuration#rke-cluster-config-file-reference). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. + - Create a [Cluster Config File](https://rke.docs.rancher.com/example-yamls). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. :::note diff --git a/calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/rancher.mdx b/calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/rancher.mdx index 9c601c1736..5dcd1ea2a2 100644 --- a/calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/rancher.mdx +++ b/calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/rancher.mdx 
@@ -29,7 +29,7 @@ The geeky details of what you get: - Configure your cluster for $[prodname] CNI - - Create a [Cluster Config File](https://ranchermanager.docs.rancher.com/reference-guides/cluster-configuration/rancher-server-configuration/rke1-cluster-configuration#rke-cluster-config-file-reference). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. + - Create a [Cluster Config File](https://rke.docs.rancher.com/example-yamls). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. :::note diff --git a/calico-enterprise_versioned_docs/version-3.21-2/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.21-2/release-notes/index.mdx index ef9773e7bf..fb250e9773 100644 --- a/calico-enterprise_versioned_docs/version-3.21-2/release-notes/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.21-2/release-notes/index.mdx @@ -152,7 +152,7 @@ November 05, 2025 ##### Service Graph Enhancements -We've improved the Service Graph for clusters which have a very high volume of flows. When a high volume of flows is detected for a time range, a new namespaced-focused experience provides quicker access to insights from the graph. +We've improved the Service Graph for clusters that have a very high volume of flows. When a high volume of flows is detected for a time range, a new namespaced-focused experience provides quicker access to insights from the graph. We've also added more feedback into the UI to keep you informed on the progress of graph computation. ##### Additional Enhancements diff --git a/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx new file mode 100644 index 0000000000..67d3c6587f --- /dev/null 
+++ b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx 
@@ -0,0 +1,53 @@ +--- +description: An overview of Calico's bundled version of Istio Ambient Mode +--- + +# Istio Ambient Mode + +You can use $[prodname] to deploy and manage an Istio service mesh on your cluster. +$[prodname] installs Istio in ambient mode, which conserves resources while providing the same robust mTLS encryption for your services. + +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + +## About Istio Ambient Mode + +Istio is a service mesh that manages and secures communication between microservices. +Typically, Istio uses sidecar proxies that are deployed alongside every pod in the service mesh. +At scale, running these sidecar proxies can be difficult to manage and a drain on resources. + +Istio Ambient Mode is a simplified service mesh architecture that removes the need for a sidecar proxy next to every pod. +Instead, it uses node-level components for shared security and a layered approach for advanced traffic management. +This design saves on computing resources and simplifies operations. + +## About Istio Ambient Mode on Calico + +$[prodname] provides a bundled version of Istio that can be installed and managed by the Tigera Operator. + +This integration automates the lifecycle of the Istio components to reduce manual configuration overhead. +CVEs are addressed as part of the regular $[prodname] patch release cadence. +Administrators provision the Istio service mesh by defining a standard `Istio` custom resource. + +### The enhanced zTunnel proxy + +The zTunnel component in Istio Ambient Mode is a lightweight proxy that runs on every node. + +Its main job is to handle encryption, authentication, and policy enforcement for traffic at Layer 4. + +A challenge in the original Istio Ambient Mode is that when traffic is routed through the zTunnel, it gets placed into a tunnel on a specific port (15008). 
+This change makes it impossible for existing Layer 3 or Layer 4 network policies (like those from Calico) to see the original destination port of the traffic. + +Calico addresses this by using an enhanced zTunnel that is modified to preserve the original destination port. +This modification allows existing Calico and Kubernetes network policies to continue functioning exactly as they did before, without needing any rewrites, even though the traffic is now encrypted with mTLS. + +These zTunnel enhancements are not compatible with Istio's application-layer Waypoint proxy. +If you deploy Waypoint, the reported destination ports will follow the original behavior. +Existing network policies need to be adapted to allow communication to port 15008. + +## Additional resources +* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). +* [Ambient and Kubernetes NetworkPolicy](https://istio.io/latest/docs/ambient/usage/networkpolicy/) diff --git a/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx new file mode 100644 index 0000000000..a2f650eb59 --- /dev/null +++ b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx 
@@ -0,0 +1,161 @@ +--- +description: This page explains how to deploy Calico's bundled version of Istio in ambient mode. +--- + +# Deploy Istio Ambient Mode on your cluster + +You can deploy Calico's bundled version of Istio in ambient mode to provide mTLS encryption to your workloads. + +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + +## Limitations + +* [Application layer network policies](../../network-policy/application-layer-policies/alp.mdx) are not compatible with the Istio service mesh. +* Istio Ambient Mode does not work together with [workload-based web application firewalls](../../threat/web-application-firewall.mdx). +* The service mesh is not supported for use on clusters that are also part of a [cluster mesh](../../multicluster/index.mdx). +* Destination ports are preserved only when Istio is deployed without Waypoint. + If you deploy Waypoint, all traffic through Waypoint will show port 15008 as its destination port. +* Connect-time load balancing with the eBPF data plane is not compatible with Waypoint. + +## Prerequisites + +* $[prodname] is installed and managed by the Tigera Operator. + +## Install Istio in ambient mode on your cluster + +You can create an Istio service mesh in ambient mode by creating the `Istio` custom resource. + +* To install Istio in ambient mode, apply the `Istio` custom resource to your cluster: + + ```bash + cat < istio.io/dataplane-mode=ambient + ``` + Replace `` with the namespace you want to include in the mesh. + + ```bash title='Adding a service to the Istio service mesh' + kubectl label service --namespace= istio.io/dataplane-mode=ambient + ``` + Replace the following: + * ``: The name of the service you want to include in the mesh. + * ``: The namespace your service is in. + +## Removing Istio + +If you want to remove Istio, first remove the labels you applied to services and namespaces. 
+When that's done, you can delete the `Istio` custom resource. + +1. Remove the label from namespaces and services by running the following commands: + + ```bash + kubectl label namespaces --all istio.io/dataplane-mode=ambient- + kubectl label services --all --all-namespaces istio.io/dataplane-mode=ambient- + ``` +1. Remove the `Istio` custom resource: + + ```bash + kubectl delete istio.operator.tigera.io default + ``` + +## Troubleshooting commands + +Check whether Istio pods are deployed: + +```bash +kubectl get pods -n calico-system | grep 'istio\|ztunnel' +``` + +Check whether Istio CRDs are deployed: + +```bash +kubectl get crd | grep istio +``` + +Check which services and namespaces are in the mesh: + +* Requires [istioctl](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/). + +```bash +istioctl ztunnel-config workloads -n calico-system +``` + +Check for errors logged by the zTunnel component: + +```bash +ZTUNNEL_PODS=$(kubectl get pod -n calico-system \ + -l app.kubernetes.io/name=ztunnel \ + -o jsonpath='{.items[*].metadata.name}') + +for P in $ZTUNNEL_PODS; do + echo "--- Checking logs for pod: $P ---" + kubectl logs $P -n calico-system 2>/dev/null | \ + grep -i error | \ + grep -i app1 +done +``` + +## Additional resources + +* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). +* [Configuration options](../../reference/installation/api). \ No newline at end of file diff --git a/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/rancher.mdx b/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/rancher.mdx index bd9cc8fe3b..5dcd1ea2a2 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/rancher.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/rancher.mdx 
@@ -29,7 +29,7 @@ The geeky details of what you get: - Configure your cluster for $[prodname] CNI - - Create a [Cluster Config File](https://rancher.com/docs/rancher/en/cluster-provisioning/rke-clusters/options/#cluster-config-file). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. + - Create a [Cluster Config File](https://rke.docs.rancher.com/example-yamls). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. :::note diff --git a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx index 93db8e18df..d1ec5cfffb 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx 
@@ -30,6 +30,13 @@ This release adds customization options for specifying external load balancers f For more information, see [Customize gateway deployment and features](../networking/ingress-gateway/customize-ingress-gateway.mdx#customize-gateway-deployment-and-features). +### Istio Ambient Mode (tech preview) + +Calico now provides a bundled version of Istio in ambient mode, a sidecarless architecture that delivers robust mTLS encryption and service mesh security while significantly reducing resource consumption and operational overhead. +This implementation, managed by the Tigera Operator, features an enhanced zTunnel proxy that preserves original destination ports to ensure existing Calico and Kubernetes network policies continue to function seamlessly without requiring rewrites. + +For more information, see [Istio Ambient Mode](../compliance/istio/about-istio-ambient.mdx). + ### HTTP header-based matching for application layer policies This release includes support for HTTP header-based matching for application layer policies. 
@@ -167,3 +174,37 @@ This Calico Enterprise release is based on [Calico Open Source 3.31](https://doc #### Upgrading To update an existing installation of Calico Enterprise 3.22, see [Install a patch release](../getting-started/manifest-archive.mdx). + +### Calico Enterprise 3.22.0-3.0 (early preview) + +December 23, 2025 + +Calico Enterprise 3.22.0-3.0 is now available as an early preview release. +This release is for previewing and testing purposes only. +It is not supported for use in production. + +This release adds the following features: +* [Istio Ambient Mode](#istio-ambient-mode-tech-preview) + +#### Enhancements + +* We've improved the Service Graph for clusters that have a very high volume of flows. When a high volume of flows is detected for a time range, a new namespaced-focused experience provides quicker access to insights from the graph. +We've also added more feedback into the UI to keep you informed on the progress of graph computation. +* The namespace-focused experience will now also highlight namespaces that are estimated to take a long time to load with an orange indicator. +* We now support installation of $[prodname] on MKE 4k. +* ebpf: Added a new Felix configuration option `CgroupV2Path` to set a custom cgroupV2 mount path, improving compatibility with immutable OSes like Talos Linux. + +#### Bug fixes + +* eBPF - Fixed an issue with map operations for older kernels. + +#### Known issues + +* If you use the nftables data plane with L7 features (WAF or L7 logging) on a platform without legacy iptables support, such as OpenShift 4.20, these capabilities will fail to initialize. + This occurs because some Calico images are missing the required nftables binaries and incorrectly rely on legacy iptables modules that have been removed from newer operating systems. + As a workaround, ensure your host platform has legacy iptables kernel modules installed and loaded until a full fix is delivered in an upcoming patch release. 
+* Kibana attempts external API calls that are blocked by network policies related to Elastic Fleet. Errors will show in the logs. There is no further impact. + +#### Upgrading +To update an existing installation of Calico Enterprise 3.22, see [Install a patch release](../getting-started/manifest-archive.mdx). + diff --git a/calico-enterprise_versioned_docs/version-3.22-2/releases.json b/calico-enterprise_versioned_docs/version-3.22-2/releases.json index 02bdec714b..2fec3a9f20 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/releases.json +++ b/calico-enterprise_versioned_docs/version-3.22-2/releases.json 
@@ -1,4 +1,273 @@ [ + { + "title": "v3.22.0-3.0", + "tigera-operator": { + "version": "v1.40.4", + "image": "tigera/operator", + "registry": "quay.io" + }, + "calico": { + "minor_version": "v3.31", + "archive_path": "archive" + }, + "components": { + "alertmanager": { + "version": "v3.22.0-3.0", + "image": "tigera/alertmanager" + }, + "calicoctl": { + "version": "v3.22.0-3.0", + "image": "tigera/calicoctl" + }, + "calicoq": { + "version": "v3.22.0-3.0", + "image": "tigera/calicoq" + }, + "apiserver": { + "version": "v3.22.0-3.0", + "image": "tigera/apiserver" + }, + "kube-controllers": { + "version": "v3.22.0-3.0", + "image": "tigera/kube-controllers" + }, + "manager": { + "version": "v3.22.0-3.0", + "image": "tigera/manager" + }, + "manager-proxy": { + "version": "v3.22.0-3.0", + "image": "tigera/manager-proxy" + }, + "node": { + "version": "v3.22.0-3.0", + "image": "tigera/node" + }, + "node-windows": { + "version": "v3.22.0-3.0", + "image": "tigera/node-windows" + }, + "queryserver": { + "version": "v3.22.0-3.0", + "image": "tigera/queryserver" + }, + "compliance-benchmarker": { + "version": "v3.22.0-3.0", + "image": "tigera/compliance-benchmarker" + }, + "compliance-controller": { + "version": "v3.22.0-3.0", + "image": "tigera/compliance-controller" + }, + "compliance-reporter": { + "version": "v3.22.0-3.0", + "image": "tigera/compliance-reporter" + }, + "compliance-server": { + "version": "v3.22.0-3.0", + "image": "tigera/compliance-server" + }, + "compliance-snapshotter": { + "version": "v3.22.0-3.0", + "image": "tigera/compliance-snapshotter" + }, + "coreos-alertmanager": { + "version": "v0.28.1" + }, + "coreos-config-reloader": { + "version": "v0.84.0" + }, + "coreos-dex": { + "version": "v2.41.1" + }, + "coreos-fluentd": { + "version": "1.18.0" + }, + "coreos-prometheus": { + "version": "v3.4.1" + }, + "coreos-prometheus-operator": { + "version": "v0.84.0" + }, + "csi": { + "version": "v3.22.0-3.0", + "image": "tigera/csi" + }, + 
"csi-node-driver-registrar": { + "version": "v3.22.0-3.0", + "image": "tigera/node-driver-registrar" + }, + "deep-packet-inspection": { + "version": "v3.22.0-3.0", + "image": "tigera/deep-packet-inspection" + }, + "dex": { + "version": "v3.22.0-3.0", + "image": "tigera/dex" + }, + "dikastes": { + "version": "v3.22.0-3.0", + "image": "tigera/dikastes" + }, + "eck-elasticsearch": { + "version": "8.19.8" + }, + "eck-elasticsearch-operator": { + "version": "2.16.1" + }, + "eck-kibana": { + "version": "8.19.8" + }, + "egress-gateway": { + "version": "v3.22.0-3.0", + "image": "tigera/egress-gateway" + }, + "elastic-tsee-installer": { + "version": "v3.22.0-3.0", + "image": "tigera/intrusion-detection-job-installer" + }, + "elasticsearch": { + "version": "v3.22.0-3.0", + "image": "tigera/elasticsearch" + }, + "elasticsearch-metrics": { + "version": "v3.22.0-3.0", + "image": "tigera/elasticsearch-metrics" + }, + "elasticsearch-operator": { + "version": "v3.22.0-3.0", + "image": "tigera/eck-operator" + }, + "envoy": { + "version": "v3.22.0-3.0", + "image": "tigera/envoy" + }, + "envoy-init": { + "version": "v3.22.0-3.0", + "image": "tigera/envoy-init" + }, + "es-gateway": { + "version": "v3.22.0-3.0", + "image": "tigera/es-gateway" + }, + "firewall-integration": { + "version": "v3.22.0-3.0", + "image": "tigera/firewall-integration" + }, + "flexvol": { + "version": "v3.22.0-3.0", + "image": "tigera/pod2daemon-flexvol" + }, + "fluentd": { + "version": "v3.22.0-3.0", + "image": "tigera/fluentd" + }, + "fluentd-windows": { + "version": "v3.22.0-3.0", + "image": "tigera/fluentd-windows" + }, + "gateway-api-envoy-gateway": { + "version": "v3.22.0-3.0", + "image": "tigera/envoy-gateway" + }, + "gateway-api-envoy-proxy": { + "version": "v3.22.0-3.0", + "image": "tigera/envoy-proxy" + }, + "gateway-api-envoy-ratelimit": { + "version": "v3.22.0-3.0", + "image": "tigera/envoy-ratelimit" + }, + "guardian": { + "version": "v3.22.0-3.0", + "image": "tigera/guardian" + }, + 
"ingress-collector": { + "version": "v3.22.0-3.0", + "image": "tigera/ingress-collector" + }, + "intrusion-detection-controller": { + "version": "v3.22.0-3.0", + "image": "tigera/intrusion-detection-controller" + }, + "key-cert-provisioner": { + "version": "v3.22.0-3.0", + "image": "tigera/key-cert-provisioner" + }, + "kibana": { + "version": "v3.22.0-3.0", + "image": "tigera/kibana" + }, + "l7-admission-controller": { + "version": "v3.22.0-3.0", + "image": "tigera/l7-admission-controller" + }, + "l7-collector": { + "version": "v3.22.0-3.0", + "image": "tigera/l7-collector" + }, + "license-agent": { + "version": "v3.22.0-3.0", + "image": "tigera/license-agent" + }, + "linseed": { + "version": "v3.22.0-3.0", + "image": "tigera/linseed" + }, + "packetcapture": { + "version": "v3.22.0-3.0", + "image": "tigera/packetcapture" + }, + "policy-recommendation": { + "version": "v3.22.0-3.0", + "image": "tigera/policy-recommendation" + }, + "prometheus": { + "version": "v3.22.0-3.0", + "image": "tigera/prometheus" + }, + "prometheus-config-reloader": { + "version": "v3.22.0-3.0", + "image": "tigera/prometheus-config-reloader" + }, + "prometheus-operator": { + "version": "v3.22.0-3.0", + "image": "tigera/prometheus-operator" + }, + "tigera-cni": { + "version": "v3.22.0-3.0", + "image": "tigera/cni" + }, + "tigera-cni-windows": { + "version": "v3.22.0-3.0", + "image": "tigera/cni-windows" + }, + "tigera-prometheus-service": { + "version": "v3.22.0-3.0", + "image": "tigera/prometheus-service" + }, + "typha": { + "version": "v3.22.0-3.0", + "image": "tigera/typha" + }, + "ui-apis": { + "version": "v3.22.0-3.0", + "image": "tigera/ui-apis" + }, + "voltron": { + "version": "v3.22.0-3.0", + "image": "tigera/voltron" + }, + "waf-http-filter": { + "version": "v3.22.0-3.0", + "image": "tigera/waf-http-filter" + }, + "webhooks-processor": { + "version": "v3.22.0-3.0", + "image": "tigera/webhooks-processor" + } + } + }, { "title": "v3.22.0-2.0", "tigera-operator": { 
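Review bot: the component keys in the new v3.22.0-3.0 entry (`apiserver`, `kube-controllers`, `manager`, `manager-proxy`, `node`, `node-windows`, `queryserver`) differ from the `cnx-*` keys the v3.22.0-1.0 entry later in this file still uses, so any template or script that iterates `releases` and indexes `components['cnx-node']` on one entry or `components.node` on the other will read `undefined`; either normalise the keys across every entry in this file or call out the rename in the release notes. Also worth confirming that the third-party versions carried over unchanged from the 1.0 entry are intended (coreos-alertmanager v0.28.1, coreos-config-reloader v0.84.0, coreos-dex v2.41.1, coreos-fluentd 1.18.0, coreos-prometheus v3.4.1, coreos-prometheus-operator v0.84.0, eck-elasticsearch-operator 2.16.1), since the Elasticsearch/Kibana bump from 8.18.4 to 8.19.8 is the only non-tigera version that changes between the two entries.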
@@ -267,5 +536,274 @@ "image": "tigera/webhooks-processor" } } + }, + { + "title": "v3.22.0-1.0", + "tigera-operator": { + "version": "v1.39.0", + "image": "tigera/operator", + "registry": "quay.io" + }, + "calico": { + "minor_version": "v3.30", + "archive_path": "archive" + }, + "components": { + "alertmanager": { + "version": "v3.22.0-1.0", + "image": "tigera/alertmanager" + }, + "calicoctl": { + "version": "v3.22.0-1.0", + "image": "tigera/calicoctl" + }, + "calicoq": { + "version": "v3.22.0-1.0", + "image": "tigera/calicoq" + }, + "cnx-apiserver": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-apiserver" + }, + "cnx-kube-controllers": { + "version": "v3.22.0-1.0", + "image": "tigera/kube-controllers" + }, + "cnx-manager": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-manager" + }, + "cnx-manager-proxy": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-manager-proxy" + }, + "cnx-node": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-node" + }, + "cnx-node-windows": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-node-windows" + }, + "cnx-queryserver": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-queryserver" + }, + "compliance-benchmarker": { + "version": "v3.22.0-1.0", + "image": "tigera/compliance-benchmarker" + }, + "compliance-controller": { + "version": "v3.22.0-1.0", + "image": "tigera/compliance-controller" + }, + "compliance-reporter": { + "version": "v3.22.0-1.0", + "image": "tigera/compliance-reporter" + }, + "compliance-server": { + "version": "v3.22.0-1.0", + "image": "tigera/compliance-server" + }, + "compliance-snapshotter": { + "version": "v3.22.0-1.0", + "image": "tigera/compliance-snapshotter" + }, + "coreos-alertmanager": { + "version": "v0.28.1" + }, + "coreos-config-reloader": { + "version": "v0.84.0" + }, + "coreos-dex": { + "version": "v2.41.1" + }, + "coreos-fluentd": { + "version": "1.18.0" + }, + "coreos-prometheus": { + "version": "v3.4.1" + }, + "coreos-prometheus-operator": { + "version": "v0.84.0" + 
}, + "csi": { + "version": "v3.22.0-1.0", + "image": "tigera/csi" + }, + "csi-node-driver-registrar": { + "version": "v3.22.0-1.0", + "image": "tigera/node-driver-registrar" + }, + "deep-packet-inspection": { + "version": "v3.22.0-1.0", + "image": "tigera/deep-packet-inspection" + }, + "dex": { + "version": "v3.22.0-1.0", + "image": "tigera/dex" + }, + "dikastes": { + "version": "v3.22.0-1.0", + "image": "tigera/dikastes" + }, + "eck-elasticsearch": { + "version": "8.18.4" + }, + "eck-elasticsearch-operator": { + "version": "2.16.1" + }, + "eck-kibana": { + "version": "8.18.4" + }, + "egress-gateway": { + "version": "v3.22.0-1.0", + "image": "tigera/egress-gateway" + }, + "elastic-tsee-installer": { + "version": "v3.22.0-1.0", + "image": "tigera/intrusion-detection-job-installer" + }, + "elasticsearch": { + "version": "v3.22.0-1.0", + "image": "tigera/elasticsearch" + }, + "elasticsearch-metrics": { + "version": "v3.22.0-1.0", + "image": "tigera/elasticsearch-metrics" + }, + "elasticsearch-operator": { + "version": "v3.22.0-1.0", + "image": "tigera/eck-operator" + }, + "envoy": { + "version": "v3.22.0-1.0", + "image": "tigera/envoy" + }, + "envoy-init": { + "version": "v3.22.0-1.0", + "image": "tigera/envoy-init" + }, + "es-gateway": { + "version": "v3.22.0-1.0", + "image": "tigera/es-gateway" + }, + "firewall-integration": { + "version": "v3.22.0-1.0", + "image": "tigera/firewall-integration" + }, + "flexvol": { + "version": "v3.22.0-1.0", + "image": "tigera/pod2daemon-flexvol" + }, + "fluentd": { + "version": "v3.22.0-1.0", + "image": "tigera/fluentd" + }, + "fluentd-windows": { + "version": "v3.22.0-1.0", + "image": "tigera/fluentd-windows" + }, + "gateway-api-envoy-gateway": { + "version": "v3.22.0-1.0", + "image": "tigera/envoy-gateway" + }, + "gateway-api-envoy-proxy": { + "version": "v3.22.0-1.0", + "image": "tigera/envoy-proxy" + }, + "gateway-api-envoy-ratelimit": { + "version": "v3.22.0-1.0", + "image": "tigera/envoy-ratelimit" + }, + "guardian": { + 
"version": "v3.22.0-1.0", + "image": "tigera/guardian" + }, + "ingress-collector": { + "version": "v3.22.0-1.0", + "image": "tigera/ingress-collector" + }, + "intrusion-detection-controller": { + "version": "v3.22.0-1.0", + "image": "tigera/intrusion-detection-controller" + }, + "key-cert-provisioner": { + "version": "v3.22.0-1.0", + "image": "tigera/key-cert-provisioner" + }, + "kibana": { + "version": "v3.22.0-1.0", + "image": "tigera/kibana" + }, + "l7-admission-controller": { + "version": "v3.22.0-1.0", + "image": "tigera/l7-admission-controller" + }, + "l7-collector": { + "version": "v3.22.0-1.0", + "image": "tigera/l7-collector" + }, + "license-agent": { + "version": "v3.22.0-1.0", + "image": "tigera/license-agent" + }, + "linseed": { + "version": "v3.22.0-1.0", + "image": "tigera/linseed" + }, + "packetcapture": { + "version": "v3.22.0-1.0", + "image": "tigera/packetcapture" + }, + "policy-recommendation": { + "version": "v3.22.0-1.0", + "image": "tigera/policy-recommendation" + }, + "prometheus": { + "version": "v3.22.0-1.0", + "image": "tigera/prometheus" + }, + "prometheus-config-reloader": { + "version": "v3.22.0-1.0", + "image": "tigera/prometheus-config-reloader" + }, + "prometheus-operator": { + "version": "v3.22.0-1.0", + "image": "tigera/prometheus-operator" + }, + "tigera-cni": { + "version": "v3.22.0-1.0", + "image": "tigera/cni" + }, + "tigera-cni-windows": { + "version": "v3.22.0-1.0", + "image": "tigera/cni-windows" + }, + "tigera-prometheus-service": { + "version": "v3.22.0-1.0", + "image": "tigera/prometheus-service" + }, + "typha": { + "version": "v3.22.0-1.0", + "image": "tigera/typha" + }, + "ui-apis": { + "version": "v3.22.0-1.0", + "image": "tigera/ui-apis" + }, + "voltron": { + "version": "v3.22.0-1.0", + "image": "tigera/voltron" + }, + "waf-http-filter": { + "version": "v3.22.0-1.0", + "image": "tigera/waf-http-filter" + }, + "webhooks-processor": { + "version": "v3.22.0-1.0", + "image": "tigera/webhooks-processor" + } + } } ] 
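Review bot: ordering invariant: `variables.js` reads `releases[0]` for `openSourceVersion`, `rpmsUrl`, `tigeraOperator` and `dikastesVersion`, so this array must stay newest-first; appending v3.22.0-1.0 after v3.22.0-2.0 keeps that, but a short comment or a note in the docs README stating the invariant would stop a future insert at the wrong position from silently pinning the site to an older operator. Please also confirm the 1.0 pairing of operator `v1.39.0` with Calico minor `v3.30` (versus `v1.40.4` / `v3.31` in the 3.0 entry) reflects what 1.0 actually shipped, since `archive_path` links and the RPM URL prefix are built from these fields.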
diff --git a/calico-enterprise_versioned_docs/version-3.22-2/variables.js b/calico-enterprise_versioned_docs/version-3.22-2/variables.js index c97bef1f14..d77de0df27 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/variables.js +++ b/calico-enterprise_versioned_docs/version-3.22-2/variables.js @@ -2,13 +2,13 @@ const releases = require('./releases.json'); const componentImage = require('../../src/components/utils/componentImage'); const variables = { - releaseTitle: 'v3.22.0-2.0', + releaseTitle: 'v3.22.0-3.0', prodname: 'Calico Enterprise', prodnamedash: 'calico-enterprise', version: 'v3.22', openSourceVersion: releases[0].calico.minor_version.slice(1), baseUrl: '/calico-enterprise/3.22', - filesUrl: 'https://downloads.tigera.io/ee/v3.22.0-2.0', + filesUrl: 'https://downloads.tigera.io/ee/v3.22.0-3.0', rpmsUrl: 'https://downloads.tigera.io/ee/rpms/' + releases[0].title.slice(0, 5), tutorialFilesURL: 'https://docs.tigera.io/files', tmpScriptsURL: 'https://docs.tigera.io/calico-enterprise/3.22', @@ -20,7 +20,7 @@ const variables = { rootDirWindows: 'C:\\TigeraCalico', registry: 'quay.io/', envoyVersion: '1.5.0', - chart_version_name: 'v3.22.0-2.0-0', + chart_version_name: 'v3.22.0-3.0-0', tigeraOperator: releases[0]['tigera-operator'], dikastesVersion: releases[0].components.dikastes.version, releases, diff --git a/calico-enterprise_versioned_sidebars/version-3.22-2-sidebars.json b/calico-enterprise_versioned_sidebars/version-3.22-2-sidebars.json index 7a5181f6fc..fe3ae3c444 100644 --- a/calico-enterprise_versioned_sidebars/version-3.22-2-sidebars.json +++ b/calico-enterprise_versioned_sidebars/version-3.22-2-sidebars.json @@ -589,6 +589,15 @@ "id": "compliance/index" }, "items": [ + { + "type": "category", + "label": "Istio Ambient Mode", + "link": null, + "items": [ + "compliance/istio/about-istio-ambient", + "compliance/istio/deploy-istio-ambient" + ] + }, "compliance/enable-compliance", "compliance/overview", "compliance/compliance-reports-cis", 
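Review bot: `releaseTitle`, `filesUrl` and `chart_version_name` are three hand-edited copies of the same release string, spread across two hunks, while `rpmsUrl`, `tigeraOperator` and `dikastesVersion` on the unchanged lines already derive from `releases[0]`; suggest `releaseTitle: releases[0].title`, `filesUrl: 'https://downloads.tigera.io/ee/' + releases[0].title` and `chart_version_name: releases[0].title + '-0'` so the next patch release only touches `releases.json` and the three values cannot drift apart.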
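Review bot: the versioned sidebar now references the doc ids `compliance/istio/about-istio-ambient` and `compliance/istio/deploy-istio-ambient`, but no files under `calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/` appear in this patch; Docusaurus fails the build on an unknown doc id, so confirm those two `.mdx` files are part of the change set for the 3.22-2 docs rather than only the unversioned tree.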
diff --git a/sidebars-calico-cloud.js b/sidebars-calico-cloud.js index a04a34fea4..d57e0e6adb 100644 --- a/sidebars-calico-cloud.js +++ b/sidebars-calico-cloud.js @@ -306,6 +306,15 @@ module.exports = { label: 'Compliance and security', link: {type: 'doc', id: 'compliance/index'}, items: [ + { + type: 'category', + label: 'Istio Ambient Mode', + link: null, + items: [ + 'compliance/istio/about-istio-ambient', + 'compliance/istio/deploy-istio-ambient', + ], + }, 'compliance/enable-compliance', 'compliance/overview', 'compliance/compliance-reports-cis', diff --git a/sidebars-calico-enterprise.js b/sidebars-calico-enterprise.js index e05498a0e2..f4b0683cb9 100644 --- a/sidebars-calico-enterprise.js +++ b/sidebars-calico-enterprise.js @@ -464,6 +464,15 @@ module.exports = { label: 'Compliance and security', link: { type: 'doc', id: 'compliance/index' }, items: [ + { + type: 'category', + label: 'Istio Ambient Mode', + link: null, + items: [ + 'compliance/istio/about-istio-ambient', + 'compliance/istio/deploy-istio-ambient', + ], + }, 'compliance/enable-compliance', 'compliance/overview', 'compliance/compliance-reports-cis',
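Review bot: the same category block is now copied into three sidebar files (`version-3.22-2-sidebars.json`, `sidebars-calico-cloud.js`, `sidebars-calico-enterprise.js`); since both JS sidebars already use `module.exports`, consider defining the Istio Ambient Mode category once in a shared module and spreading it into each `items` array, so a future Istio page is added in one place. Ordering is consistent across all three copies (the category sits ahead of `compliance/enable-compliance`), and the trailing commas match the surrounding style.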