From 78f92c7af4329081a11428361c047eab6545fbc5 Mon Sep 17 00:00:00 2001 From: Christopher Tauchen Date: Mon, 22 Dec 2025 17:03:42 +0000 Subject: [PATCH 01/10] Change bad link --- .../getting-started/install-on-clusters/rancher.mdx | 2 +- .../getting-started/install-on-clusters/rancher.mdx | 2 +- .../getting-started/install-on-clusters/rancher.mdx | 2 +- .../getting-started/install-on-clusters/rancher.mdx | 2 +- .../getting-started/install-on-clusters/rancher.mdx | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/calico-enterprise/getting-started/install-on-clusters/rancher.mdx b/calico-enterprise/getting-started/install-on-clusters/rancher.mdx index bd9cc8fe3b..5dcd1ea2a2 100644 --- a/calico-enterprise/getting-started/install-on-clusters/rancher.mdx +++ b/calico-enterprise/getting-started/install-on-clusters/rancher.mdx @@ -29,7 +29,7 @@ The geeky details of what you get: - Configure your cluster for $[prodname] CNI - - Create a [Cluster Config File](https://rancher.com/docs/rancher/en/cluster-provisioning/rke-clusters/options/#cluster-config-file). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. + - Create a [Cluster Config File](https://rke.docs.rancher.com/example-yamls). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. :::note diff --git a/calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/rancher.mdx b/calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/rancher.mdx index e4c2518bdf..0d22af31f4 100644 --- a/calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/rancher.mdx +++ b/calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/rancher.mdx 
@@ -29,7 +29,7 @@ The geeky details of what you get: - Configure your cluster for $[prodname] CNI - - Create a [Cluster Config File](https://ranchermanager.docs.rancher.com/reference-guides/cluster-configuration/rancher-server-configuration/rke1-cluster-configuration#rke-cluster-config-file-reference). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. + - Create a [Cluster Config File](https://rke.docs.rancher.com/example-yamls). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. :::note diff --git a/calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/rancher.mdx b/calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/rancher.mdx index e4c2518bdf..0d22af31f4 100644 --- a/calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/rancher.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/rancher.mdx @@ -29,7 +29,7 @@ The geeky details of what you get: - Configure your cluster for $[prodname] CNI - - Create a [Cluster Config File](https://ranchermanager.docs.rancher.com/reference-guides/cluster-configuration/rancher-server-configuration/rke1-cluster-configuration#rke-cluster-config-file-reference). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. + - Create a [Cluster Config File](https://rke.docs.rancher.com/example-yamls). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. :::note 
diff --git a/calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/rancher.mdx b/calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/rancher.mdx index 9c601c1736..5dcd1ea2a2 100644 --- a/calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/rancher.mdx +++ b/calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/rancher.mdx @@ -29,7 +29,7 @@ The geeky details of what you get: - Configure your cluster for $[prodname] CNI - - Create a [Cluster Config File](https://ranchermanager.docs.rancher.com/reference-guides/cluster-configuration/rancher-server-configuration/rke1-cluster-configuration#rke-cluster-config-file-reference). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. + - Create a [Cluster Config File](https://rke.docs.rancher.com/example-yamls). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. :::note diff --git a/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/rancher.mdx b/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/rancher.mdx index bd9cc8fe3b..5dcd1ea2a2 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/rancher.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/rancher.mdx 
@@ -29,7 +29,7 @@ The geeky details of what you get: - Configure your cluster for $[prodname] CNI - - Create a [Cluster Config File](https://rancher.com/docs/rancher/en/cluster-provisioning/rke-clusters/options/#cluster-config-file). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. + - Create a [Cluster Config File](https://rke.docs.rancher.com/example-yamls). In the config file under `network`, set the [network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/) to `plugin: none`. :::note From dc7f4a9ec48b95fbf8a0ac28e1f279f3aa8d27a2 Mon Sep 17 00:00:00 2001 From: Christopher Tauchen Date: Tue, 16 Dec 2025 14:44:30 +0000 Subject: [PATCH 02/10] Add docs for Istio Ambient Mode DOCS-2798 --- .../compliance/istio/about-istio-ambient.mdx | 46 ++++++ .../compliance/istio/deploy-istio-ambient.mdx | 154 ++++++++++++++++++ .../compliance/istio/about-istio-ambient.mdx | 46 ++++++ .../compliance/istio/deploy-istio-ambient.mdx | 154 ++++++++++++++++++ .../compliance/istio/about-istio-ambient.mdx | 46 ++++++ .../compliance/istio/deploy-istio-ambient.mdx | 154 ++++++++++++++++++ .../version-3.22-2-sidebars.json | 9 + sidebars-calico-cloud.js | 9 + sidebars-calico-enterprise.js | 9 + 9 files changed, 627 insertions(+) create mode 100644 calico-cloud/compliance/istio/about-istio-ambient.mdx create mode 100644 calico-cloud/compliance/istio/deploy-istio-ambient.mdx create mode 100644 calico-enterprise/compliance/istio/about-istio-ambient.mdx create mode 100644 calico-enterprise/compliance/istio/deploy-istio-ambient.mdx create mode 100644 calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx create mode 100644 calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx 
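Review bot: In the `calico-enterprise/getting-started/install-on-clusters/rancher.mdx` hunk of PATCH 01, the `[network plugin](https://rancher.com/docs/rke/latest/en/config-options/add-ons/network-plugins/)` link on the same line is left on the legacy `rancher.com/docs/rke` host that the Cluster Config File link is being moved away from, so it is likely to break for the same reason; suggest checking it and pointing it at the current RKE docs host in the same change. The identical `version-3.22-2` hunk has the same leftover link.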
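Review bot: In the `version-3.19-2` rancher.mdx hunk (and the identical `version-3.20-2` and `version-3.21-2` hunks), the previous target was the RKE1 cluster configuration reference (`.../rke1-cluster-configuration#rke-cluster-config-file-reference`), whereas the new target `https://rke.docs.rancher.com/example-yamls` is a page of example YAMLs; the link text "Cluster Config File" still reads as a reference. Either confirm that the examples page is the intended replacement for the reference, or change the link text to something like "example cluster config files" so readers are not surprised by the destination.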
diff --git a/calico-cloud/compliance/istio/about-istio-ambient.mdx b/calico-cloud/compliance/istio/about-istio-ambient.mdx new file mode 100644 index 0000000000..bd2f8328dd --- /dev/null +++ b/calico-cloud/compliance/istio/about-istio-ambient.mdx 
@@ -0,0 +1,46 @@ +--- +description: An overview of Calico's bundled version of Istio Ambient Mode +--- + +# Istio Ambient Mode + +You can use $[prodname] to deploy and manage an Istio service mesh on your cluster. +$[prodname] installs Istio in ambient mode, which conserves resources while providing the same robust mTLS encryption for your services. + +## About Istio Ambient Mode + +Istio is a service mesh that manages and secures communication between microservices. +Typically, Istio uses sidecar proxies that are deployed alongside every pod in the service mesh. +At scale, running these sidecar proxies can be difficult to manage and a drain on resources. + +Istio Ambient Mode is a simplified service mesh architecture that removes the need for a sidecar proxy next to every pod. +Instead, it uses node-level components for shared security and a layered approach for advanced traffic management. +This design saves on computing resources and simplifies operations. + +## About Istio Ambient Mode on Calico + +$[prodname] provides a bundled version of Istio that can be installed and managed by the Tigera Operator. + +This integration automates the lifecycle of the Istio components to reduce manual configuration overhead. +CVEs are addressed as part of the regular $[prodname] patch release cadence. +Administrators provision the Istio service mesh by defining a standard `Istio` custom resource. + +### The enhanced zTunnel proxy + +The zTunnel component in Istio Ambient Mode is a lightweight proxy that runs on every node. + +Its main job is to handle encryption, authentication, and policy enforcement for traffic at Layer 4. + +A challenge in the original Istio Ambient Mode is that when traffic is routed through the zTunnel, it gets placed into a tunnel on a specific port (15008). +This change makes it impossible for existing Layer 3 or Layer 4 network policies (like those from Calico) to see the original destination port of the traffic. 
+ +Calico addresses this by using an enhanced zTunnel that is modified to preserve the original destination port. +This modification allows existing Calico and Kubernetes network policies to continue functioning exactly as they did before, without needing any rewrites, even though the traffic is now encrypted with mTLS. + +These zTunnel enhancements are not compatible with Istio's application-layer Waypoint proxy. +If you deploy Waypoint, the reported destination ports will follow the original behavior. +Existing network policies need to be adapted to allow communication to port 15008. + +## Additional resources +* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). +* [Ambient and Kubernetes NetworkPolicy](https://istio.io/latest/docs/ambient/usage/networkpolicy/) diff --git a/calico-cloud/compliance/istio/deploy-istio-ambient.mdx b/calico-cloud/compliance/istio/deploy-istio-ambient.mdx new file mode 100644 index 0000000000..4f3c7c2b3f --- /dev/null +++ b/calico-cloud/compliance/istio/deploy-istio-ambient.mdx 
@@ -0,0 +1,154 @@ +--- +description: This page explains how to deploy Calico's bundled version of Istio in ambient mode. +--- + +# Deploy Istio Ambient Mode on your cluster + +You can deploy Calico's bundled version of Istio in ambient mode to provide mTLS encryption to your workloads. + +## Limitations + +* [Application layer network policies](../../network-policy/application-layer-policies/alp.mdx) are not compatible with the Istio service mesh. +* Istio Ambient Mode does not work together with [workload-based web application firewalls](../../threat/web-application-firewall.mdx). +* The service mesh is not supported for use on clusters that are also part of a [cluster mesh](../../multicluster/index.mdx). +* Destination ports are preserved only when Istio is deployed without Waypoint. + If you deploy Waypoint, all traffic through Waypoint will show port 15008 as its destination port. +* Connect-time load balancing with the eBPF data plane is not compatible with Waypoint. + +## Prerequisites + +* $[prodname] is installed and managed by the Tigera Operator. + +## Install Istio in ambient mode on your cluster + +You can create an Istio service mesh in ambient mode by creating the `Istio` custom resource. + +* To install Istio in ambient mode, apply the `Istio` custom resource to your cluster: + + ```bash + cat < istio.io/dataplane-mode=ambient + ``` + Replace `` with the namespace you want to include in the mesh. + + ```bash title='Adding a service to the Istio service mesh' + kubectl label service --namespace= istio.io/dataplane-mode=ambient + ``` + Replace the following: + * ``: The name of the service you want to include in the mesh. + * ``: The namespace your service is in. + +## Removing Istio + +If you want to remove Istio, first remove the labels you applied to services and namespaces. +When that's done, you can delete the `Istio` custom resource. + +1. 
Remove the label from namespaces and services by running the following commands: + + ```bash + kubectl label namespaces --all istio.io/dataplane-mode=ambient- + kubectl label services --all --all-namespaces istio.io/dataplane-mode=ambient- + ``` +1. Remove the `Istio` custom resource: + + ```bash + kubectl delete istio.operator.tigera.io default + ``` + +## Troubleshooting commands + +Check whether Istio pods are deployed: + +```bash +kubectl get pods -n calico-system | grep 'istio\|ztunnel' +``` + +Check whether Istio CRDs are deployed: + +```bash +kubectl get crd | grep istio +``` + +Check which services and namespaces are in the mesh: + +* Requires [istioctl](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/). + +```bash +istioctl ztunnel-config workloads -n calico-system +``` + +Check for errors logged by the zTunnel component: + +```bash +ZTUNNEL_PODS=$(kubectl get pod -n calico-system \ + -l app.kubernetes.io/name=ztunnel \ + -o jsonpath='{.items[*].metadata.name}') + +for P in $ZTUNNEL_PODS; do + echo "--- Checking logs for pod: $P ---" + kubectl logs $P -n calico-system 2>/dev/null | \ + grep -i error | \ + grep -i app1 +done +``` + +## Additional resources + +* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). +* [Configuration options](../../reference/installation/api). \ No newline at end of file diff --git a/calico-enterprise/compliance/istio/about-istio-ambient.mdx b/calico-enterprise/compliance/istio/about-istio-ambient.mdx new file mode 100644 index 0000000000..bd2f8328dd --- /dev/null +++ b/calico-enterprise/compliance/istio/about-istio-ambient.mdx 
@@ -0,0 +1,46 @@ +--- +description: An overview of Calico's bundled version of Istio Ambient Mode +--- + +# Istio Ambient Mode + +You can use $[prodname] to deploy and manage an Istio service mesh on your cluster. +$[prodname] installs Istio in ambient mode, which conserves resources while providing the same robust mTLS encryption for your services. + +## About Istio Ambient Mode + +Istio is a service mesh that manages and secures communication between microservices. +Typically, Istio uses sidecar proxies that are deployed alongside every pod in the service mesh. +At scale, running these sidecar proxies can be difficult to manage and a drain on resources. + +Istio Ambient Mode is a simplified service mesh architecture that removes the need for a sidecar proxy next to every pod. +Instead, it uses node-level components for shared security and a layered approach for advanced traffic management. +This design saves on computing resources and simplifies operations. + +## About Istio Ambient Mode on Calico + +$[prodname] provides a bundled version of Istio that can be installed and managed by the Tigera Operator. + +This integration automates the lifecycle of the Istio components to reduce manual configuration overhead. +CVEs are addressed as part of the regular $[prodname] patch release cadence. +Administrators provision the Istio service mesh by defining a standard `Istio` custom resource. + +### The enhanced zTunnel proxy + +The zTunnel component in Istio Ambient Mode is a lightweight proxy that runs on every node. + +Its main job is to handle encryption, authentication, and policy enforcement for traffic at Layer 4. + +A challenge in the original Istio Ambient Mode is that when traffic is routed through the zTunnel, it gets placed into a tunnel on a specific port (15008). +This change makes it impossible for existing Layer 3 or Layer 4 network policies (like those from Calico) to see the original destination port of the traffic. 
+ +Calico addresses this by using an enhanced zTunnel that is modified to preserve the original destination port. +This modification allows existing Calico and Kubernetes network policies to continue functioning exactly as they did before, without needing any rewrites, even though the traffic is now encrypted with mTLS. + +These zTunnel enhancements are not compatible with Istio's application-layer Waypoint proxy. +If you deploy Waypoint, the reported destination ports will follow the original behavior. +Existing network policies need to be adapted to allow communication to port 15008. + +## Additional resources +* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). +* [Ambient and Kubernetes NetworkPolicy](https://istio.io/latest/docs/ambient/usage/networkpolicy/) diff --git a/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx b/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx new file mode 100644 index 0000000000..4f3c7c2b3f --- /dev/null +++ b/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx 
@@ -0,0 +1,154 @@ +--- +description: This page explains how to deploy Calico's bundled version of Istio in ambient mode. +--- + +# Deploy Istio Ambient Mode on your cluster + +You can deploy Calico's bundled version of Istio in ambient mode to provide mTLS encryption to your workloads. + +## Limitations + +* [Application layer network policies](../../network-policy/application-layer-policies/alp.mdx) are not compatible with the Istio service mesh. +* Istio Ambient Mode does not work together with [workload-based web application firewalls](../../threat/web-application-firewall.mdx). +* The service mesh is not supported for use on clusters that are also part of a [cluster mesh](../../multicluster/index.mdx). +* Destination ports are preserved only when Istio is deployed without Waypoint. + If you deploy Waypoint, all traffic through Waypoint will show port 15008 as its destination port. +* Connect-time load balancing with the eBPF data plane is not compatible with Waypoint. + +## Prerequisites + +* $[prodname] is installed and managed by the Tigera Operator. + +## Install Istio in ambient mode on your cluster + +You can create an Istio service mesh in ambient mode by creating the `Istio` custom resource. + +* To install Istio in ambient mode, apply the `Istio` custom resource to your cluster: + + ```bash + cat < istio.io/dataplane-mode=ambient + ``` + Replace `` with the namespace you want to include in the mesh. + + ```bash title='Adding a service to the Istio service mesh' + kubectl label service --namespace= istio.io/dataplane-mode=ambient + ``` + Replace the following: + * ``: The name of the service you want to include in the mesh. + * ``: The namespace your service is in. + +## Removing Istio + +If you want to remove Istio, first remove the labels you applied to services and namespaces. +When that's done, you can delete the `Istio` custom resource. + +1. 
Remove the label from namespaces and services by running the following commands: + + ```bash + kubectl label namespaces --all istio.io/dataplane-mode=ambient- + kubectl label services --all --all-namespaces istio.io/dataplane-mode=ambient- + ``` +1. Remove the `Istio` custom resource: + + ```bash + kubectl delete istio.operator.tigera.io default + ``` + +## Troubleshooting commands + +Check whether Istio pods are deployed: + +```bash +kubectl get pods -n calico-system | grep 'istio\|ztunnel' +``` + +Check whether Istio CRDs are deployed: + +```bash +kubectl get crd | grep istio +``` + +Check which services and namespaces are in the mesh: + +* Requires [istioctl](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/). + +```bash +istioctl ztunnel-config workloads -n calico-system +``` + +Check for errors logged by the zTunnel component: + +```bash +ZTUNNEL_PODS=$(kubectl get pod -n calico-system \ + -l app.kubernetes.io/name=ztunnel \ + -o jsonpath='{.items[*].metadata.name}') + +for P in $ZTUNNEL_PODS; do + echo "--- Checking logs for pod: $P ---" + kubectl logs $P -n calico-system 2>/dev/null | \ + grep -i error | \ + grep -i app1 +done +``` + +## Additional resources + +* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). +* [Configuration options](../../reference/installation/api). \ No newline at end of file diff --git a/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx new file mode 100644 index 0000000000..1487b9aa2f --- /dev/null +++ b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx 
@@ -0,0 +1,46 @@ +--- +description: An overview of Calico's bundled version of Istio Ambient Mode +--- + +# Istio Ambient Mode + +You can use $[prodname] to deploy and manage an Istio service mesh on your cluster. +$[prodname] installs Istio in ambient mode, which conserves resources while providing the same robust mTLS encryption for your services. + +## About Istio Ambient Mode + +Istio is a service mesh that manages and secures communication between microservices. +Typically, Istio uses sidecar proxies that are deployed alongside every pod in the service mesh. +At scale, running these sidecar proxies can be difficult to manage and a drain on resources. + +Istio Ambient Mode is a simplified service mesh architecture that removes the need for a sidecar proxy next to every pod. +Instead, it uses node-level components for shared security and a layered approach for advanced traffic management. +This design saves on computing resources and simplifies operations. + +## About Istio Ambient Mode on Calico + +$[prodname] provides a bundled version of Istio that can be installed and managed by the Tigera Operator. + +This integration automates the lifecycle of the Istio components to reduce manual configuration overhead. +CVEs are addressed as part of the regular $[prodname] patch release cadence. +Administrators provision the Istio service mesh by defining a standard `Istio` custom resource. + +### The enhanced zTunnel proxy + +The zTunnel component in Istio Ambient Mode is a lightweight proxy that runs on every node. + +Its main job is to handle encryption, authentication, and policy enforcement for traffic at Layer 4. + +A challenge in the original Istio Ambient Mode is that when traffic is routed through the zTunnel, it gets placed into a tunnel on a specific port (15008). +This change makes it impossible for existing Layer 3 or Layer 4 network policies (like those from Calico) to see the original destination port of the traffic. 
+ +Calico addresses this by using an enhanced zTunnel that is modified to preserve the original destination port. +This modification allows existing Calico and Kubernetes network policies to continue functioning exactly as they did before, without needing any rewrites, even though the traffic is now encrypted with mTLS. + +These zTunnel enhancements are not compatible with Istio's application-layer Waypoint proxy. +If you deploy Waypoint, the reported destination ports will follow the original behavior. +Existing network policies need to be adapted to allow communication to port 15008. + +## Additional resources +* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). +* [Ambient and Kubernetes NetworkPolicy](https://istio.io/latest/docs/ambient/usage/networkpolicy/) \ No newline at end of file diff --git a/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx new file mode 100644 index 0000000000..4f3c7c2b3f --- /dev/null +++ b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx 
@@ -0,0 +1,154 @@ +--- +description: This page explains how to deploy Calico's bundled version of Istio in ambient mode. +--- + +# Deploy Istio Ambient Mode on your cluster + +You can deploy Calico's bundled version of Istio in ambient mode to provide mTLS encryption to your workloads. + +## Limitations + +* [Application layer network policies](../../network-policy/application-layer-policies/alp.mdx) are not compatible with the Istio service mesh. +* Istio Ambient Mode does not work together with [workload-based web application firewalls](../../threat/web-application-firewall.mdx). +* The service mesh is not supported for use on clusters that are also part of a [cluster mesh](../../multicluster/index.mdx). +* Destination ports are preserved only when Istio is deployed without Waypoint. + If you deploy Waypoint, all traffic through Waypoint will show port 15008 as its destination port. +* Connect-time load balancing with the eBPF data plane is not compatible with Waypoint. + +## Prerequisites + +* $[prodname] is installed and managed by the Tigera Operator. + +## Install Istio in ambient mode on your cluster + +You can create an Istio service mesh in ambient mode by creating the `Istio` custom resource. + +* To install Istio in ambient mode, apply the `Istio` custom resource to your cluster: + + ```bash + cat < istio.io/dataplane-mode=ambient + ``` + Replace `` with the namespace you want to include in the mesh. + + ```bash title='Adding a service to the Istio service mesh' + kubectl label service --namespace= istio.io/dataplane-mode=ambient + ``` + Replace the following: + * ``: The name of the service you want to include in the mesh. + * ``: The namespace your service is in. + +## Removing Istio + +If you want to remove Istio, first remove the labels you applied to services and namespaces. +When that's done, you can delete the `Istio` custom resource. + +1. 
Remove the label from namespaces and services by running the following commands: + + ```bash + kubectl label namespaces --all istio.io/dataplane-mode=ambient- + kubectl label services --all --all-namespaces istio.io/dataplane-mode=ambient- + ``` +1. Remove the `Istio` custom resource: + + ```bash + kubectl delete istio.operator.tigera.io default + ``` + +## Troubleshooting commands + +Check whether Istio pods are deployed: + +```bash +kubectl get pods -n calico-system | grep 'istio\|ztunnel' +``` + +Check whether Istio CRDs are deployed: + +```bash +kubectl get crd | grep istio +``` + +Check which services and namespaces are in the mesh: + +* Requires [istioctl](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/). + +```bash +istioctl ztunnel-config workloads -n calico-system +``` + +Check for errors logged by the zTunnel component: + +```bash +ZTUNNEL_PODS=$(kubectl get pod -n calico-system \ + -l app.kubernetes.io/name=ztunnel \ + -o jsonpath='{.items[*].metadata.name}') + +for P in $ZTUNNEL_PODS; do + echo "--- Checking logs for pod: $P ---" + kubectl logs $P -n calico-system 2>/dev/null | \ + grep -i error | \ + grep -i app1 +done +``` + +## Additional resources + +* [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). +* [Configuration options](../../reference/installation/api). \ No newline at end of file diff --git a/calico-enterprise_versioned_sidebars/version-3.22-2-sidebars.json b/calico-enterprise_versioned_sidebars/version-3.22-2-sidebars.json index 7a5181f6fc..fe3ae3c444 100644 --- a/calico-enterprise_versioned_sidebars/version-3.22-2-sidebars.json +++ b/calico-enterprise_versioned_sidebars/version-3.22-2-sidebars.json 
@@ -589,6 +589,15 @@ "id": "compliance/index" }, "items": [ + { + "type": "category", + "label": "Istio Ambient Mode", + "link": null, + "items": [ + "compliance/istio/about-istio-ambient", + "compliance/istio/deploy-istio-ambient" + ] + }, "compliance/enable-compliance", "compliance/overview", "compliance/compliance-reports-cis", diff --git a/sidebars-calico-cloud.js b/sidebars-calico-cloud.js index a04a34fea4..d57e0e6adb 100644 --- a/sidebars-calico-cloud.js +++ b/sidebars-calico-cloud.js @@ -306,6 +306,15 @@ module.exports = { label: 'Compliance and security', link: {type: 'doc', id: 'compliance/index'}, items: [ + { + type: 'category', + label: 'Istio Ambient Mode', + link: null, + items: [ + 'compliance/istio/about-istio-ambient', + 'compliance/istio/deploy-istio-ambient', + ], + }, 'compliance/enable-compliance', 'compliance/overview', 'compliance/compliance-reports-cis', diff --git a/sidebars-calico-enterprise.js b/sidebars-calico-enterprise.js index e05498a0e2..f4b0683cb9 100644 --- a/sidebars-calico-enterprise.js +++ b/sidebars-calico-enterprise.js @@ -464,6 +464,15 @@ module.exports = { label: 'Compliance and security', link: { type: 'doc', id: 'compliance/index' }, items: [ + { + type: 'category', + label: 'Istio Ambient Mode', + link: null, + items: [ + 'compliance/istio/about-istio-ambient', + 'compliance/istio/deploy-istio-ambient', + ], + }, 'compliance/enable-compliance', 'compliance/overview', 'compliance/compliance-reports-cis', From 95a593fc62d4a4fd19fe94180637b07de3377620 Mon Sep 17 00:00:00 2001 From: Christopher Tauchen Date: Mon, 22 Dec 2025 19:11:27 +0000 Subject: [PATCH 03/10] Prepare for CE release 3.22 EP3 --- .../version-3.22-2/release-notes/index.mdx | 20 + .../version-3.22-2/releases.json | 538 ++++++++++++++++++ .../version-3.22-2/variables.js | 8 +- 3 files changed, 562 insertions(+), 4 deletions(-) 
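Review bot: In the `calico-cloud/compliance/istio/about-istio-ambient.mdx` hunk, the last paragraph of "The enhanced zTunnel proxy" tells readers that with Waypoint deployed "existing network policies need to be adapted to allow communication to port 15008" without saying what that costs: the preceding paragraph explains that policies then cannot see the original destination port, so a policy that allows 15008 allows every port behind the Waypoint and the port-level granularity of Calico and Kubernetes L4 policy is lost for that traffic. Suggest stating that explicitly, for example "Because the original destination port is no longer visible, a policy that allows port 15008 can no longer restrict Waypoint traffic by destination port." Style: the two "Additional resources" bullets are inconsistent (the first ends with a period, the second does not). The same applies to the calico-enterprise and version-3.22-2 copies of this file.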
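Review bot: In the `calico-cloud/compliance/istio/deploy-istio-ambient.mdx` hunk, the "Check for errors logged by the zTunnel component" script ends its pipeline with `grep -i app1`, which looks like a leftover from a test workload: as published it drops every error line that does not mention `app1`, so readers will see no errors at all for their own workloads. Suggest removing that final `grep`, or replacing `app1` with a documented placeholder for the workload name and explaining it under the block the way the page explains its other placeholders. Two smaller points in the same block: `2>/dev/null` on `kubectl logs` hides kubectl's own failures (an RBAC denial, for instance), which is the wrong default for a troubleshooting command, and `$P` should be quoted as `"$P"`. Also, the last "Additional resources" link `../../reference/installation/api` lacks the `.mdx` suffix that the other relative links on the page use (e.g. `../../threat/web-application-firewall.mdx`). The same applies to the calico-enterprise and version-3.22-2 copies.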
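Review bot: In the `calico-enterprise/compliance/istio/deploy-istio-ambient.mdx` hunk, the "Removing Istio" section has readers strip `istio.io/dataplane-mode=ambient` from all namespaces and services before deleting the `Istio` resource, but does not say what that does to traffic: the page says earlier that the label is what puts a workload in the mesh and that the mesh is what provides mTLS, so step 1 is the point at which workload traffic stops being encrypted, before the resource is deleted. Suggest adding one sentence to that effect above the numbered steps so an operator plans the window accordingly. The identical calico-cloud and version-3.22-2 hunks have the same gap.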
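Review bot: The `calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx` hunk differs from the calico-cloud and calico-enterprise copies only by the missing trailing newline (it ends with `\ No newline at end of file` and its blob index is `1487b9aa2f` rather than `bd2f8328dd`); suggest adding the newline so the three copies stay byte-identical and a diff between them is empty. The three `deploy-istio-ambient.mdx` copies also lack a trailing newline (all `4f3c7c2b3f`), which is at least consistent, but worth fixing in the same pass.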
diff --git a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx index 93db8e18df..a1b544c9b7 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx @@ -167,3 +167,23 @@ This Calico Enterprise release is based on [Calico Open Source 3.31](https://doc #### Upgrading To update an existing installation of Calico Enterprise 3.22, see [Install a patch release](../getting-started/manifest-archive.mdx). + +### Calico Enterprise 3.22.0-3.0 (early preview) + +December 23, 2025 + +Calico Enterprise 3.22.0-3.0 is now available as an early preview release. +This release is for previewing and testing purposes only. +It is not supported for use in production. + +#### Enhancements + +* TBD + +#### Bug fixes + +* TBD + +#### Upgrading +To update an existing installation of Calico Enterprise 3.22, see [Install a patch release](../getting-started/manifest-archive.mdx). + diff --git a/calico-enterprise_versioned_docs/version-3.22-2/releases.json b/calico-enterprise_versioned_docs/version-3.22-2/releases.json index 02bdec714b..b9c99d62e2 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/releases.json +++ b/calico-enterprise_versioned_docs/version-3.22-2/releases.json 
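Review bot: In the `version-3.22-2/release-notes/index.mdx` hunk, both the "Enhancements" and "Bug fixes" subsections of the new "Calico Enterprise 3.22.0-3.0 (early preview)" entry contain only `* TBD`; if this merges as-is, the placeholder is published under the December 23, 2025 date. Suggest either filling the lists before merging or, if the notes are intentionally staged ahead of the content, opening a follow-up and saying so in the PR description. Minor: the hunk also adds a trailing empty line after the "Upgrading" paragraph at the end of the file.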
@@ -1,4 +1,273 @@ [ + { + "title": "v3.22.0-3.0", + "tigera-operator": { + "version": "v1.40.1", + "image": "tigera/operator", + "registry": "quay.io" + }, + "calico": { + "minor_version": "v3.31", + "archive_path": "archive" + }, + "components": { + "alertmanager": { + "version": "v3.22.0-3.0", + "image": "tigera/alertmanager" + }, + "calicoctl": { + "version": "v3.22.0-3.0", + "image": "tigera/calicoctl" + }, + "calicoq": { + "version": "v3.22.0-3.0", + "image": "tigera/calicoq" + }, + "apiserver": { + "version": "v3.22.0-3.0", + "image": "tigera/apiserver" + }, + "kube-controllers": { + "version": "v3.22.0-3.0", + "image": "tigera/kube-controllers" + }, + "manager": { + "version": "v3.22.0-3.0", + "image": "tigera/manager" + }, + "manager-proxy": { + "version": "v3.22.0-3.0", + "image": "tigera/manager-proxy" + }, + "node": { + "version": "v3.22.0-3.0", + "image": "tigera/node" + }, + "node-windows": { + "version": "v3.22.0-3.0", + "image": "tigera/node-windows" + }, + "queryserver": { + "version": "v3.22.0-3.0", + "image": "tigera/queryserver" + }, + "compliance-benchmarker": { + "version": "v3.22.0-3.0", + "image": "tigera/compliance-benchmarker" + }, + "compliance-controller": { + "version": "v3.22.0-3.0", + "image": "tigera/compliance-controller" + }, + "compliance-reporter": { + "version": "v3.22.0-3.0", + "image": "tigera/compliance-reporter" + }, + "compliance-server": { + "version": "v3.22.0-3.0", + "image": "tigera/compliance-server" + }, + "compliance-snapshotter": { + "version": "v3.22.0-3.0", + "image": "tigera/compliance-snapshotter" + }, + "coreos-alertmanager": { + "version": "v0.28.1" + }, + "coreos-config-reloader": { + "version": "v0.84.0" + }, + "coreos-dex": { + "version": "v2.41.1" + }, + "coreos-fluentd": { + "version": "1.18.0" + }, + "coreos-prometheus": { + "version": "v3.4.1" + }, + "coreos-prometheus-operator": { + "version": "v0.84.0" + }, + "csi": { + "version": "v3.22.0-3.0", + "image": "tigera/csi" + }, + 
"csi-node-driver-registrar": { + "version": "v3.22.0-3.0", + "image": "tigera/node-driver-registrar" + }, + "deep-packet-inspection": { + "version": "v3.22.0-3.0", + "image": "tigera/deep-packet-inspection" + }, + "dex": { + "version": "v3.22.0-3.0", + "image": "tigera/dex" + }, + "dikastes": { + "version": "v3.22.0-3.0", + "image": "tigera/dikastes" + }, + "eck-elasticsearch": { + "version": "8.18.4" + }, + "eck-elasticsearch-operator": { + "version": "2.16.1" + }, + "eck-kibana": { + "version": "8.18.4" + }, + "egress-gateway": { + "version": "v3.22.0-3.0", + "image": "tigera/egress-gateway" + }, + "elastic-tsee-installer": { + "version": "v3.22.0-3.0", + "image": "tigera/intrusion-detection-job-installer" + }, + "elasticsearch": { + "version": "v3.22.0-3.0", + "image": "tigera/elasticsearch" + }, + "elasticsearch-metrics": { + "version": "v3.22.0-3.0", + "image": "tigera/elasticsearch-metrics" + }, + "elasticsearch-operator": { + "version": "v3.22.0-3.0", + "image": "tigera/eck-operator" + }, + "envoy": { + "version": "v3.22.0-3.0", + "image": "tigera/envoy" + }, + "envoy-init": { + "version": "v3.22.0-3.0", + "image": "tigera/envoy-init" + }, + "es-gateway": { + "version": "v3.22.0-3.0", + "image": "tigera/es-gateway" + }, + "firewall-integration": { + "version": "v3.22.0-3.0", + "image": "tigera/firewall-integration" + }, + "flexvol": { + "version": "v3.22.0-3.0", + "image": "tigera/pod2daemon-flexvol" + }, + "fluentd": { + "version": "v3.22.0-3.0", + "image": "tigera/fluentd" + }, + "fluentd-windows": { + "version": "v3.22.0-3.0", + "image": "tigera/fluentd-windows" + }, + "gateway-api-envoy-gateway": { + "version": "v3.22.0-3.0", + "image": "tigera/envoy-gateway" + }, + "gateway-api-envoy-proxy": { + "version": "v3.22.0-3.0", + "image": "tigera/envoy-proxy" + }, + "gateway-api-envoy-ratelimit": { + "version": "v3.22.0-3.0", + "image": "tigera/envoy-ratelimit" + }, + "guardian": { + "version": "v3.22.0-3.0", + "image": "tigera/guardian" + }, + 
"ingress-collector": { + "version": "v3.22.0-3.0", + "image": "tigera/ingress-collector" + }, + "intrusion-detection-controller": { + "version": "v3.22.0-3.0", + "image": "tigera/intrusion-detection-controller" + }, + "key-cert-provisioner": { + "version": "v3.22.0-3.0", + "image": "tigera/key-cert-provisioner" + }, + "kibana": { + "version": "v3.22.0-3.0", + "image": "tigera/kibana" + }, + "l7-admission-controller": { + "version": "v3.22.0-3.0", + "image": "tigera/l7-admission-controller" + }, + "l7-collector": { + "version": "v3.22.0-3.0", + "image": "tigera/l7-collector" + }, + "license-agent": { + "version": "v3.22.0-3.0", + "image": "tigera/license-agent" + }, + "linseed": { + "version": "v3.22.0-3.0", + "image": "tigera/linseed" + }, + "packetcapture": { + "version": "v3.22.0-3.0", + "image": "tigera/packetcapture" + }, + "policy-recommendation": { + "version": "v3.22.0-3.0", + "image": "tigera/policy-recommendation" + }, + "prometheus": { + "version": "v3.22.0-3.0", + "image": "tigera/prometheus" + }, + "prometheus-config-reloader": { + "version": "v3.22.0-3.0", + "image": "tigera/prometheus-config-reloader" + }, + "prometheus-operator": { + "version": "v3.22.0-3.0", + "image": "tigera/prometheus-operator" + }, + "tigera-cni": { + "version": "v3.22.0-3.0", + "image": "tigera/cni" + }, + "tigera-cni-windows": { + "version": "v3.22.0-3.0", + "image": "tigera/cni-windows" + }, + "tigera-prometheus-service": { + "version": "v3.22.0-3.0", + "image": "tigera/prometheus-service" + }, + "typha": { + "version": "v3.22.0-3.0", + "image": "tigera/typha" + }, + "ui-apis": { + "version": "v3.22.0-3.0", + "image": "tigera/ui-apis" + }, + "voltron": { + "version": "v3.22.0-3.0", + "image": "tigera/voltron" + }, + "waf-http-filter": { + "version": "v3.22.0-3.0", + "image": "tigera/waf-http-filter" + }, + "webhooks-processor": { + "version": "v3.22.0-3.0", + "image": "tigera/webhooks-processor" + } + } + }, { "title": "v3.22.0-2.0", "tigera-operator": { 
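Review bot: the `tigera-operator` version `v1.40.1` and the `eck-elasticsearch` / `eck-kibana` version `8.18.4` in the new `v3.22.0-3.0` entry are both overwritten later in this series (patches 07 and 08 change them to `v1.40.4` and `8.19.8`). Because `variables.js` derives `tigeraOperator`, `dikastesVersion` and `rpmsUrl` from `releases[0]`, the intermediate commit would generate install instructions for an operator build that was never shipped with 3.22.0-3.0; squash the bumps into this commit. All image references here are tag-only (an `"image"` plus a `"version"`); if the schema allows it, recording the digest next to the tag would let readers pin exactly the images that were tested for this preview.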
@@ -267,5 +536,274 @@ "image": "tigera/webhooks-processor" } } + }, + { + "title": "v3.22.0-1.0", + "tigera-operator": { + "version": "v1.39.0", + "image": "tigera/operator", + "registry": "quay.io" + }, + "calico": { + "minor_version": "v3.30", + "archive_path": "archive" + }, + "components": { + "alertmanager": { + "version": "v3.22.0-1.0", + "image": "tigera/alertmanager" + }, + "calicoctl": { + "version": "v3.22.0-1.0", + "image": "tigera/calicoctl" + }, + "calicoq": { + "version": "v3.22.0-1.0", + "image": "tigera/calicoq" + }, + "cnx-apiserver": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-apiserver" + }, + "cnx-kube-controllers": { + "version": "v3.22.0-1.0", + "image": "tigera/kube-controllers" + }, + "cnx-manager": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-manager" + }, + "cnx-manager-proxy": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-manager-proxy" + }, + "cnx-node": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-node" + }, + "cnx-node-windows": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-node-windows" + }, + "cnx-queryserver": { + "version": "v3.22.0-1.0", + "image": "tigera/cnx-queryserver" + }, + "compliance-benchmarker": { + "version": "v3.22.0-1.0", + "image": "tigera/compliance-benchmarker" + }, + "compliance-controller": { + "version": "v3.22.0-1.0", + "image": "tigera/compliance-controller" + }, + "compliance-reporter": { + "version": "v3.22.0-1.0", + "image": "tigera/compliance-reporter" + }, + "compliance-server": { + "version": "v3.22.0-1.0", + "image": "tigera/compliance-server" + }, + "compliance-snapshotter": { + "version": "v3.22.0-1.0", + "image": "tigera/compliance-snapshotter" + }, + "coreos-alertmanager": { + "version": "v0.28.1" + }, + "coreos-config-reloader": { + "version": "v0.84.0" + }, + "coreos-dex": { + "version": "v2.41.1" + }, + "coreos-fluentd": { + "version": "1.18.0" + }, + "coreos-prometheus": { + "version": "v3.4.1" + }, + "coreos-prometheus-operator": { + "version": "v0.84.0" + 
}, + "csi": { + "version": "v3.22.0-1.0", + "image": "tigera/csi" + }, + "csi-node-driver-registrar": { + "version": "v3.22.0-1.0", + "image": "tigera/node-driver-registrar" + }, + "deep-packet-inspection": { + "version": "v3.22.0-1.0", + "image": "tigera/deep-packet-inspection" + }, + "dex": { + "version": "v3.22.0-1.0", + "image": "tigera/dex" + }, + "dikastes": { + "version": "v3.22.0-1.0", + "image": "tigera/dikastes" + }, + "eck-elasticsearch": { + "version": "8.18.4" + }, + "eck-elasticsearch-operator": { + "version": "2.16.1" + }, + "eck-kibana": { + "version": "8.18.4" + }, + "egress-gateway": { + "version": "v3.22.0-1.0", + "image": "tigera/egress-gateway" + }, + "elastic-tsee-installer": { + "version": "v3.22.0-1.0", + "image": "tigera/intrusion-detection-job-installer" + }, + "elasticsearch": { + "version": "v3.22.0-1.0", + "image": "tigera/elasticsearch" + }, + "elasticsearch-metrics": { + "version": "v3.22.0-1.0", + "image": "tigera/elasticsearch-metrics" + }, + "elasticsearch-operator": { + "version": "v3.22.0-1.0", + "image": "tigera/eck-operator" + }, + "envoy": { + "version": "v3.22.0-1.0", + "image": "tigera/envoy" + }, + "envoy-init": { + "version": "v3.22.0-1.0", + "image": "tigera/envoy-init" + }, + "es-gateway": { + "version": "v3.22.0-1.0", + "image": "tigera/es-gateway" + }, + "firewall-integration": { + "version": "v3.22.0-1.0", + "image": "tigera/firewall-integration" + }, + "flexvol": { + "version": "v3.22.0-1.0", + "image": "tigera/pod2daemon-flexvol" + }, + "fluentd": { + "version": "v3.22.0-1.0", + "image": "tigera/fluentd" + }, + "fluentd-windows": { + "version": "v3.22.0-1.0", + "image": "tigera/fluentd-windows" + }, + "gateway-api-envoy-gateway": { + "version": "v3.22.0-1.0", + "image": "tigera/envoy-gateway" + }, + "gateway-api-envoy-proxy": { + "version": "v3.22.0-1.0", + "image": "tigera/envoy-proxy" + }, + "gateway-api-envoy-ratelimit": { + "version": "v3.22.0-1.0", + "image": "tigera/envoy-ratelimit" + }, + "guardian": { + 
"version": "v3.22.0-1.0", + "image": "tigera/guardian" + }, + "ingress-collector": { + "version": "v3.22.0-1.0", + "image": "tigera/ingress-collector" + }, + "intrusion-detection-controller": { + "version": "v3.22.0-1.0", + "image": "tigera/intrusion-detection-controller" + }, + "key-cert-provisioner": { + "version": "v3.22.0-1.0", + "image": "tigera/key-cert-provisioner" + }, + "kibana": { + "version": "v3.22.0-1.0", + "image": "tigera/kibana" + }, + "l7-admission-controller": { + "version": "v3.22.0-1.0", + "image": "tigera/l7-admission-controller" + }, + "l7-collector": { + "version": "v3.22.0-1.0", + "image": "tigera/l7-collector" + }, + "license-agent": { + "version": "v3.22.0-1.0", + "image": "tigera/license-agent" + }, + "linseed": { + "version": "v3.22.0-1.0", + "image": "tigera/linseed" + }, + "packetcapture": { + "version": "v3.22.0-1.0", + "image": "tigera/packetcapture" + }, + "policy-recommendation": { + "version": "v3.22.0-1.0", + "image": "tigera/policy-recommendation" + }, + "prometheus": { + "version": "v3.22.0-1.0", + "image": "tigera/prometheus" + }, + "prometheus-config-reloader": { + "version": "v3.22.0-1.0", + "image": "tigera/prometheus-config-reloader" + }, + "prometheus-operator": { + "version": "v3.22.0-1.0", + "image": "tigera/prometheus-operator" + }, + "tigera-cni": { + "version": "v3.22.0-1.0", + "image": "tigera/cni" + }, + "tigera-cni-windows": { + "version": "v3.22.0-1.0", + "image": "tigera/cni-windows" + }, + "tigera-prometheus-service": { + "version": "v3.22.0-1.0", + "image": "tigera/prometheus-service" + }, + "typha": { + "version": "v3.22.0-1.0", + "image": "tigera/typha" + }, + "ui-apis": { + "version": "v3.22.0-1.0", + "image": "tigera/ui-apis" + }, + "voltron": { + "version": "v3.22.0-1.0", + "image": "tigera/voltron" + }, + "waf-http-filter": { + "version": "v3.22.0-1.0", + "image": "tigera/waf-http-filter" + }, + "webhooks-processor": { + "version": "v3.22.0-1.0", + "image": "tigera/webhooks-processor" + } + } } ] 
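Review bot: this second hunk appends a `v3.22.0-1.0` entry at the end of the array, which is unrelated to adding 3.22.0-3.0 and needs an explanation in the commit message (was the entry missing from this versioned copy, or is it being restored from another branch?). The appended entry also uses a different component schema from the `v3.22.0-3.0` entry above it: `cnx-apiserver`, `cnx-node`, `cnx-manager` and similar keys with `tigera/cnx-*` images, and `calico.minor_version` `v3.30` rather than `v3.31`. Confirm that `componentImage` (required by `variables.js`) handles both key sets, since a lookup by the newer names against this entry would come back empty.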
diff --git a/calico-enterprise_versioned_docs/version-3.22-2/variables.js b/calico-enterprise_versioned_docs/version-3.22-2/variables.js index c97bef1f14..0b41aabdbe 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/variables.js +++ b/calico-enterprise_versioned_docs/version-3.22-2/variables.js @@ -2,13 +2,13 @@ const releases = require('./releases.json'); const componentImage = require('../../src/components/utils/componentImage'); const variables = { - releaseTitle: 'v3.22.0-2.0', + releaseTitle: 'v3.22.0-3.0', prodname: 'Calico Enterprise', prodnamedash: 'calico-enterprise', version: 'v3.22', openSourceVersion: releases[0].calico.minor_version.slice(1), - baseUrl: '/calico-enterprise/3.22', - filesUrl: 'https://downloads.tigera.io/ee/v3.22.0-2.0', + baseUrl: '/calico-enterprise/latest', + filesUrl: 'https://downloads.tigera.io/ee/v3.22.0-3.0', rpmsUrl: 'https://downloads.tigera.io/ee/rpms/' + releases[0].title.slice(0, 5), tutorialFilesURL: 'https://docs.tigera.io/files', tmpScriptsURL: 'https://docs.tigera.io/calico-enterprise/3.22', @@ -20,7 +20,7 @@ const variables = { rootDirWindows: 'C:\\TigeraCalico', registry: 'quay.io/', envoyVersion: '1.5.0', - chart_version_name: 'v3.22.0-2.0-0', + chart_version_name: 'v3.22.0-3.0-0', tigeraOperator: releases[0]['tigera-operator'], dikastesVersion: releases[0].components.dikastes.version, releases, From c2ca27d5102464172733b5837cd637b6a9946e82 Mon Sep 17 00:00:00 2001 
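Review bot: the `baseUrl` change from `'/calico-enterprise/3.22'` to `'/calico-enterprise/latest'` in the first `variables.js` hunk looks accidental. This is the `version-3.22-2` versioned directory, `tmpScriptsURL` a few lines below still points at `https://docs.tigera.io/calico-enterprise/3.22`, and patch 04 in this series reverts the line without mentioning it. Drop the `baseUrl` line from this commit so that the `releaseTitle`, `filesUrl` and `chart_version_name` bumps to `v3.22.0-3.0` stand alone and no commit in history rewrites a pinned version's cross-links to `latest`.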
From: Christopher Tauchen Date: Mon, 22 Dec 2025 15:15:00 +0000 Subject: [PATCH 04/10] Add tech preview status for Istio Ambient Mode --- calico-cloud/compliance/istio/about-istio-ambient.mdx | 7 +++++++ calico-cloud/compliance/istio/deploy-istio-ambient.mdx | 7 +++++++ .../compliance/istio/about-istio-ambient.mdx | 7 +++++++ .../compliance/istio/deploy-istio-ambient.mdx | 7 +++++++ .../compliance/istio/about-istio-ambient.mdx | 9 ++++++++- .../compliance/istio/deploy-istio-ambient.mdx | 7 +++++++ .../version-3.22-2/release-notes/index.mdx | 7 +++++++ .../version-3.22-2/variables.js | 2 +- 8 files changed, 51 insertions(+), 2 deletions(-) diff --git a/calico-cloud/compliance/istio/about-istio-ambient.mdx b/calico-cloud/compliance/istio/about-istio-ambient.mdx index bd2f8328dd..67d3c6587f 100644 --- a/calico-cloud/compliance/istio/about-istio-ambient.mdx +++ b/calico-cloud/compliance/istio/about-istio-ambient.mdx @@ -7,6 +7,13 @@ description: An overview of Calico's bundled version of Istio Ambient Mode You can use $[prodname] to deploy and manage an Istio service mesh on your cluster. $[prodname] installs Istio in ambient mode, which conserves resources while providing the same robust mTLS encryption for your services. +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + ## About Istio Ambient Mode Istio is a service mesh that manages and secures communication between microservices. diff --git a/calico-cloud/compliance/istio/deploy-istio-ambient.mdx b/calico-cloud/compliance/istio/deploy-istio-ambient.mdx index 4f3c7c2b3f..a2f650eb59 100644 --- a/calico-cloud/compliance/istio/deploy-istio-ambient.mdx +++ b/calico-cloud/compliance/istio/deploy-istio-ambient.mdx 
@@ -6,6 +6,13 @@ description: This page explains how to deploy Calico's bundled version of Istio You can deploy Calico's bundled version of Istio in ambient mode to provide mTLS encryption to your workloads. +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + ## Limitations * [Application layer network policies](../../network-policy/application-layer-policies/alp.mdx) are not compatible with the Istio service mesh. diff --git a/calico-enterprise/compliance/istio/about-istio-ambient.mdx b/calico-enterprise/compliance/istio/about-istio-ambient.mdx index bd2f8328dd..67d3c6587f 100644 --- a/calico-enterprise/compliance/istio/about-istio-ambient.mdx +++ b/calico-enterprise/compliance/istio/about-istio-ambient.mdx @@ -7,6 +7,13 @@ description: An overview of Calico's bundled version of Istio Ambient Mode You can use $[prodname] to deploy and manage an Istio service mesh on your cluster. $[prodname] installs Istio in ambient mode, which conserves resources while providing the same robust mTLS encryption for your services. +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + ## About Istio Ambient Mode Istio is a service mesh that manages and secures communication between microservices. diff --git a/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx b/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx index 4f3c7c2b3f..a2f650eb59 100644 --- a/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx +++ b/calico-enterprise/compliance/istio/deploy-istio-ambient.mdx 
@@ -6,6 +6,13 @@ description: This page explains how to deploy Calico's bundled version of Istio You can deploy Calico's bundled version of Istio in ambient mode to provide mTLS encryption to your workloads. +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + ## Limitations * [Application layer network policies](../../network-policy/application-layer-policies/alp.mdx) are not compatible with the Istio service mesh. diff --git a/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx index 1487b9aa2f..67d3c6587f 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/about-istio-ambient.mdx @@ -7,6 +7,13 @@ description: An overview of Calico's bundled version of Istio Ambient Mode You can use $[prodname] to deploy and manage an Istio service mesh on your cluster. $[prodname] installs Istio in ambient mode, which conserves resources while providing the same robust mTLS encryption for your services. +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + ## About Istio Ambient Mode Istio is a service mesh that manages and secures communication between microservices. @@ -43,4 +50,4 @@ Existing network policies need to be adapted to allow communication to port 1500 ## Additional resources * [Overview of Istio ambient mode](https://istio.io/latest/docs/ambient/overview/). -* [Ambient and Kubernetes NetworkPolicy](https://istio.io/latest/docs/ambient/usage/networkpolicy/) \ No newline at end of file +* [Ambient and Kubernetes NetworkPolicy](https://istio.io/latest/docs/ambient/usage/networkpolicy/) 
diff --git a/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx index 4f3c7c2b3f..a2f650eb59 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/compliance/istio/deploy-istio-ambient.mdx @@ -6,6 +6,13 @@ description: This page explains how to deploy Calico's bundled version of Istio You can deploy Calico's bundled version of Istio in ambient mode to provide mTLS encryption to your workloads. +:::note + +Istio Ambient Mode is a tech preview feature. +Tech preview features are subject to significant changes before they become GA. + +::: + ## Limitations * [Application layer network policies](../../network-policy/application-layer-policies/alp.mdx) are not compatible with the Istio service mesh. diff --git a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx index a1b544c9b7..59b6534fa4 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx 
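Review bot: the same seven-line `:::note` tech-preview block is pasted verbatim into six files in this patch (the `calico-cloud`, `calico-enterprise` and `version-3.22-2` copies of `about-istio-ambient.mdx` and `deploy-istio-ambient.mdx`). When the feature goes GA every copy has to be found and removed, and one forgotten copy will keep telling readers that a supported feature is a preview. A shared MDX partial, or at least a single variable for the boilerplate sentence in the same style as `$[prodname]`, would keep the six in step. The extra hunk that adds the missing trailing newline to the versioned `about-istio-ambient.mdx` is fine but unrelated; mention it in the commit message.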
@@ -30,6 +30,10 @@ This release adds customization options for specifying external load balancers f For more information, see [Customize gateway deployment and features](../networking/ingress-gateway/customize-ingress-gateway.mdx#customize-gateway-deployment-and-features). +### Istio Ambient Mode (tech preview) +Calico now provides a bundled version of Istio in ambient mode, a sidecarless architecture that delivers robust mTLS encryption and service mesh security while significantly reducing resource consumption and operational overhead. This implementation, managed by the Tigera Operator, features an enhanced zTunnel proxy that preserves original destination ports to ensure existing Calico and Kubernetes network policies continue to function seamlessly without requiring rewrites. + +For more information, see [Istio Ambient Mode](../compliance/istio/about-istio-ambient.mdx). ### HTTP header-based matching for application layer policies This release includes support for HTTP header-based matching for application layer policies. @@ -176,6 +180,9 @@ Calico Enterprise 3.22.0-3.0 is now available as an early preview release. This release is for previewing and testing purposes only. It is not supported for use in production. +This release adds the following features: +* [Istio Ambient Mode](#istio-ambient-mode-tech-preview) + #### Enhancements * TBD diff --git a/calico-enterprise_versioned_docs/version-3.22-2/variables.js b/calico-enterprise_versioned_docs/version-3.22-2/variables.js index 0b41aabdbe..d77de0df27 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/variables.js +++ b/calico-enterprise_versioned_docs/version-3.22-2/variables.js 
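Review bot: the new `### Istio Ambient Mode (tech preview)` section says the zTunnel proxy `preserves original destination ports to ensure existing Calico and Kubernetes network policies continue to function seamlessly without requiring rewrites`, but the `about-istio-ambient.mdx` hunk earlier in this same patch shows the page's own context line `Existing network policies need to be adapted to allow communication to port 1500` (cut off in the diff). One of the two statements is wrong, and the difference matters to anyone auditing policy after enabling the mesh: either destination ports are preserved and no policy change is needed, or an extra allow rule for the ztunnel port is required and the release note has to say so. Also, there is no blank line between `For more information, see [Istio Ambient Mode](...)` and `### HTTP header-based matching for application layer policies`, which patch 05 fixes; squash that fix here.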
@@ -7,7 +7,7 @@ const variables = { prodnamedash: 'calico-enterprise', version: 'v3.22', openSourceVersion: releases[0].calico.minor_version.slice(1), - baseUrl: '/calico-enterprise/latest', + baseUrl: '/calico-enterprise/3.22', filesUrl: 'https://downloads.tigera.io/ee/v3.22.0-3.0', rpmsUrl: 'https://downloads.tigera.io/ee/rpms/' + releases[0].title.slice(0, 5), tutorialFilesURL: 'https://docs.tigera.io/files', From d1f50c4c22cefdcd972788ef8f614c09c0abe9e0 Mon Sep 17 00:00:00 2001 From: Christopher Tauchen Date: Mon, 22 Dec 2025 15:28:37 +0000 Subject: [PATCH 05/10] Update release date and add known issue --- .../version-3.22-2/release-notes/index.mdx | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx index 59b6534fa4..ce2eed34db 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx 
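Review bot: the `variables.js` hunk that restores `baseUrl: '/calico-enterprise/3.22'` reverts the earlier commit in this series and has nothing to do with the `Add tech preview status for Istio Ambient Mode` subject. Squash it into the commit that introduced `'/calico-enterprise/latest'` so that no commit leaves the versioned docs cross-linking to `latest` and a bisect over these docs never lands on the broken state.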
@@ -31,9 +31,12 @@ This release adds customization options for specifying external load balancers f For more information, see [Customize gateway deployment and features](../networking/ingress-gateway/customize-ingress-gateway.mdx#customize-gateway-deployment-and-features). ### Istio Ambient Mode (tech preview) -Calico now provides a bundled version of Istio in ambient mode, a sidecarless architecture that delivers robust mTLS encryption and service mesh security while significantly reducing resource consumption and operational overhead. This implementation, managed by the Tigera Operator, features an enhanced zTunnel proxy that preserves original destination ports to ensure existing Calico and Kubernetes network policies continue to function seamlessly without requiring rewrites. + +Calico now provides a bundled version of Istio in ambient mode, a sidecarless architecture that delivers robust mTLS encryption and service mesh security while significantly reducing resource consumption and operational overhead. +This implementation, managed by the Tigera Operator, features an enhanced zTunnel proxy that preserves original destination ports to ensure existing Calico and Kubernetes network policies continue to function seamlessly without requiring rewrites. For more information, see [Istio Ambient Mode](../compliance/istio/about-istio-ambient.mdx). + ### HTTP header-based matching for application layer policies This release includes support for HTTP header-based matching for application layer policies. 
@@ -187,6 +190,12 @@ This release adds the following features: * TBD +#### Known issues + +* If you use the nftables data plane with L7 features (WAF or L7 logging) on a platform without legacy iptables support, such as OpenShift 4.20, these capabilities will fail to initialize. + This occurs because some Calico images are missing the required nftables binaries and incorrectly rely on legacy iptables modules that have been removed from newer operating systems. + As a workaround, ensure your host platform has legacy iptables kernel modules installed and loaded until a full fix is delivered in an upcoming patch release. + #### Bug fixes * TBD From 8d827fe936bbd7900aaa83ba176bc1b24406c17f Mon Sep 17 00:00:00 2001 From: Rene Dekker Date: Mon, 22 Dec 2025 16:05:15 -0800 Subject: [PATCH 06/10] docs: Added release notes for v3.22.0-3.0 --- .../version-3.21-2/release-notes/index.mdx | 2 +- .../version-3.22-2/release-notes/index.mdx | 9 ++++----- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/calico-enterprise_versioned_docs/version-3.21-2/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.21-2/release-notes/index.mdx index ef9773e7bf..fb250e9773 100644 --- a/calico-enterprise_versioned_docs/version-3.21-2/release-notes/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.21-2/release-notes/index.mdx 
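Review bot: the new known issue about the nftables data plane with L7 features needs to state the failure mode precisely, because it decides whether the WAF is fail-open. `these capabilities will fail to initialize` does not say whether traffic to the affected workloads is still forwarded without WAF inspection or L7 logging, which pod or container reports the error, or what log line an operator should search for. The workaround `ensure your host platform has legacy iptables kernel modules installed and loaded` is also not actionable on the one platform the text names, OpenShift 4.20, which it describes as having removed those modules; say explicitly that there is no workaround there and that the L7 features should stay disabled until the fix ships. Finally, the commit subject says `Update release date`, but no date change is visible in either hunk; check that the intended edit was included.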
@@ -152,7 +152,7 @@ November 05, 2025 ##### Service Graph Enhancements -We've improved the Service Graph for clusters which have a very high volume of flows. When a high volume of flows is detected for a time range, a new namespaced-focused experience provides quicker access to insights from the graph. +We've improved the Service Graph for clusters that have a very high volume of flows. When a high volume of flows is detected for a time range, a new namespaced-focused experience provides quicker access to insights from the graph. We've also added more feedback into the UI to keep you informed on the progress of graph computation. ##### Additional Enhancements diff --git a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx index ce2eed34db..637abc479f 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx 
@@ -188,17 +188,16 @@ This release adds the following features: #### Enhancements -* TBD +* We've improved the Service Graph for clusters that have a very high volume of flows. When a high volume of flows is detected for a time range, a new namespaced-focused experience provides quicker access to insights from the graph. +We've also added more feedback into the UI to keep you informed on the progress of graph computation. +* The namespace-focused experience will now also highlight namespaces that are estimated to take a long time to load with an orange indicator. #### Known issues * If you use the nftables data plane with L7 features (WAF or L7 logging) on a platform without legacy iptables support, such as OpenShift 4.20, these capabilities will fail to initialize. This occurs because some Calico images are missing the required nftables binaries and incorrectly rely on legacy iptables modules that have been removed from newer operating systems. As a workaround, ensure your host platform has legacy iptables kernel modules installed and loaded until a full fix is delivered in an upcoming patch release. - -#### Bug fixes - -* TBD +* Kibana attempts external API calls that are blocked by network policies related to Elastic Fleet. Errors will show in the logs. There is no further impact. #### Upgrading To update an existing installation of Calico Enterprise 3.22, see [Install a patch release](../getting-started/manifest-archive.mdx). From ad04bdec91df34b5396527995f664613d99c89ff Mon Sep 17 00:00:00 2001 From: Daniel Fox Date: Mon, 22 Dec 2025 18:43:41 -0800 Subject: [PATCH 07/10] Update operator version --- calico-enterprise_versioned_docs/version-3.22-2/releases.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/calico-enterprise_versioned_docs/version-3.22-2/releases.json b/calico-enterprise_versioned_docs/version-3.22-2/releases.json index b9c99d62e2..9440859e11 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/releases.json 
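Review bot: this hunk deletes the `#### Bug fixes` heading together with its `* TBD` bullet, and patch 10 later re-adds the heading; keep the heading with real content in one commit rather than removing and restoring it. The two Service Graph bullets are copied word for word from the `version-3.21-2` hunk in this same patch (`We've improved the Service Graph for clusters that have a very high volume of flows...`), so make clear whether this is new in 3.22.0-3.0 or a backport already shipped in 3.21, or readers will think the feature landed twice. For the Kibana known issue, name the log message and the destination of the blocked calls; `Errors will show in the logs. There is no further impact.` invites operators to silence the noise by loosening the Elastic Fleet network policy, so state that the denial is expected and that the policy should not be relaxed.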
+++ b/calico-enterprise_versioned_docs/version-3.22-2/releases.json @@ -2,7 +2,7 @@ { "title": "v3.22.0-3.0", "tigera-operator": { - "version": "v1.40.1", + "version": "v1.40.4", "image": "tigera/operator", "registry": "quay.io" }, From c2faf7a20418df0e77bef34e49289f1c285e927f Mon Sep 17 00:00:00 2001 From: Daniel Fox Date: Mon, 22 Dec 2025 18:44:11 -0800 Subject: [PATCH 08/10] Bump eck-* versions --- calico-enterprise_versioned_docs/version-3.22-2/releases.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/calico-enterprise_versioned_docs/version-3.22-2/releases.json b/calico-enterprise_versioned_docs/version-3.22-2/releases.json index 9440859e11..2fec3a9f20 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/releases.json +++ b/calico-enterprise_versioned_docs/version-3.22-2/releases.json @@ -110,13 +110,13 @@ "image": "tigera/dikastes" }, "eck-elasticsearch": { - "version": "8.18.4" + "version": "8.19.8" }, "eck-elasticsearch-operator": { "version": "2.16.1" }, "eck-kibana": { - "version": "8.18.4" + "version": "8.19.8" }, "egress-gateway": { "version": "v3.22.0-3.0", From e8870f6e56242ae9823e0f426689a1269291d4ce Mon Sep 17 00:00:00 2001 From: Saba Date: Tue, 23 Dec 2025 00:45:38 -0800 Subject: [PATCH 09/10] Add release note for support of MKE4k with Calico Enterprise --- .../version-3.22-2/release-notes/index.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx index 637abc479f..9aca24a409 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx 
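Review bot: patches 07 and 08 are one-line corrections to values introduced earlier in this series and should be squashed into the commit that added the `v3.22.0-3.0` entry, so that no commit advertises `tigera-operator` `v1.40.1` or Elasticsearch `8.18.4` for a release that ships `v1.40.4` and `8.19.8`. In the ECK hunk, `eck-elasticsearch` and `eck-kibana` move to `8.19.8` while `eck-elasticsearch-operator` stays at `2.16.1`; confirm that operator version supports the 8.19 stack. A minor-version jump of Elasticsearch and Kibana is also the kind of component update that usually carries CVE fixes, and it appears nowhere in the 3.22.0-3.0 release notes; add a line under Enhancements or Bug fixes so users tracking the log store's exposure can see it.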
@@ -191,6 +191,7 @@ This release adds the following features: * We've improved the Service Graph for clusters that have a very high volume of flows. When a high volume of flows is detected for a time range, a new namespaced-focused experience provides quicker access to insights from the graph. We've also added more feedback into the UI to keep you informed on the progress of graph computation. * The namespace-focused experience will now also highlight namespaces that are estimated to take a long time to load with an orange indicator. +* We now support installation of $[prodname] on MKE 4k. #### Known issues From 1e39265c0d9eb7f49a5a5096fca3b70ba49fc3af Mon Sep 17 00:00:00 2001 From: Saba Date: Tue, 23 Dec 2025 01:03:48 -0800 Subject: [PATCH 10/10] Add bug fixes information --- .../version-3.22-2/release-notes/index.mdx | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx index 9aca24a409..d1ec5cfffb 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/release-notes/index.mdx @@ -192,6 +192,11 @@ This release adds the following features: We've also added more feedback into the UI to keep you informed on the progress of graph computation. * The namespace-focused experience will now also highlight namespaces that are estimated to take a long time to load with an orange indicator. * We now support installation of $[prodname] on MKE 4k. +* ebpf: Added a new Felix configuration option `CgroupV2Path` to set a custom cgroupV2 mount path, improving compatibility with immutable OSes like Talos Linux. + +#### Bug fixes + +* eBPF - Fixed an issue with map operations for older kernels. #### Known issues
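Review bot: the new bullet `eBPF - Fixed an issue with map operations for older kernels` is too vague to act on; name the affected kernel versions and the symptom (policy not programmed, node restart loop, or similar), since a failed map operation in the data plane can affect what is enforced and operators need to know whether they were exposed. The prefix style also differs between `ebpf:` in the Enhancements bullet and `eBPF -` in the Bug fixes bullet; pick one. The `CgroupV2Path` bullet should link to the Felix configuration reference so readers can find the option, and `We now support installation of $[prodname] on MKE 4k.` should link to the install page for that platform and state which MKE 4k versions were tested.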