Release notes

The following table shows component versioning for Calico v3.9.

Use the version selector at the top-right of this page to view a different release.


Release archive with Kubernetes manifests, Docker images and binaries.

06 Nov 2019

Bug fixes

  • Make sure we include latest packages node #352 (@caseydavenport)
  • Fix issue where IPAM block affinity was not properly calculated libcalico-go #1157 (@beautytiger)
Component Version
calico/typha v3.9.3
calico/ctl v3.9.3
calico/node v3.9.3
calico/cni v3.9.3
calico/kube-controllers v3.9.3
networking-calico 3.9.2 v0.11.0
calico/dikastes v3.9.3
calico/pod2daemon-flexvol v3.9.3


Release archive with Kubernetes manifests, Docker images and binaries.

15 Oct 2019

Bug fixes

  • Support for BoundServiceAccountTokenVolumes in Kubernetes.
    • calico/node updates CNI kubeconfig when credentials change node #350 (@caseydavenport)
    • Update client-go to support BoundServiceAccountTokenVolumes node #350 (@caseydavenport)
    • Update client-go to support BoundServiceAccountTokenVolumes typha #322 (@caseydavenport)
    • Update client-go to support BoundServiceAccountTokenVolumes libcalico-go #1140 (@caseydavenport)
Component Version
calico/typha v3.9.2
calico/ctl v3.9.2
calico/node v3.9.2
calico/cni v3.9.2
calico/kube-controllers v3.9.2
networking-calico 3.9.2 v0.11.0
calico/dikastes v3.9.2
calico/pod2daemon-flexvol v3.9.2


Release archive with Kubernetes manifests, Docker images and binaries.

26 Sep 2019

Bug fixes

  • Fix that an incorrectly formatted error message from Calico’s FlexVolume driver could cause a flood of log entries that would lead to unnecessary use of storage space. pod2daemon #28 (@rafaelvanoni)
  • Ignore windows reserved IP addresses when deciding whether or not to release a block libcalico-go #1130 (@caseydavenport)
  • Use CNI spec version 0.3.1 calico #2882 (@caseydavenport)
Component Version
calico/typha v3.9.1
calico/ctl v3.9.1
calico/node v3.9.1
calico/cni v3.9.1
calico/kube-controllers v3.9.1
networking-calico 3.9.1 v0.11.0
calico/dikastes v3.9.1
calico/pod2daemon-flexvol v3.9.1


Release archive with Kubernetes manifests, Docker images and binaries.

11 Sep 2019

Support live migration from flannel to Calico

Calico now supports migration of existing flannel and canal cluster to use Calico VXLAN networking and network policy enforcement. See the getting started documentation for more information.

Cross-subnet VXLAN encapsulation

Calico can now selectively perform VXLAN encapsulation only for traffic which crosses a subnet boundary. This is similar to the existing functionality when using IP-in-IP encapsulation. This feature is useful in situations where encapsulation is not required within an L2 domain (for example, and AWS subnet) but is required for crossing a subnet boundary. For more information, see the documentation.

  • Add ability to configure VXLAN in cross-subnet mode libcalico-go #1114 (@Brian-McM)
  • Add VXLANMode CrossSubnet so routes use the VXLAN interface only when the destination is on a node in a different subnet felix #2101 (@Brian-McM)
  • Enable writing Felix routes with a dedicated route protocol set to differentiate routes originated by Felix. felix #2118 (@Marlinc)
  • Add Felix configuration option to ignore external routes on Calico-owned interfaces. libcalico-go #1119 (@Marlinc)
  • Add Felix configuration option to set custom routing protocol on Calico-owned routes. libcalico-go #1119 (@Marlinc)

Bug fixes

  • Fix that enabling VXLAN required restarting the calico/node pod confd #256 (@rene-dekker)
  • Remove tunnel address even if no other BGP configuration exists node #257 (@caseydavenport)
  • Fix issues where tunnel ip been reused incorrectly in kdd mode. node #254 (@song-jiang)
  • Fix Felix readiness checks when using non-default port node #241 (@jadech32)
  • Fix race condition where a non-Calico rule may be deleted. felix #2088 (@lmm)
  • Fix that tunnel addresses were not released on node deletion when using etcd data store. libcalico-go #1111 (@caseydavenport)
  • Fix missing calicoctl RBAC for viewing network policies calico #2750 (@fpicot)

Other changes

  • Respect etcd configuration options when datastore type is implicitly determined to be etcdv3. felix #2085 (@Brian-McM)
  • Support configuring Felix’s Prometheus metrics bind address felix #2081 (@rene-dekker)
  • Support configurable port for Felix readiness and liveness probes calico #2634 (@jadech32)
  • Felix now supports iptables 1.8 in nftables mode. The correct mode must be selected through configuration. felix #2070 (@fasaxc)
  • Add config option for iptables backend libcalico-go #1102 (@tmjd)
  • Add support for setting the source hint on routes programmed by Felix using the DeviceRouteSourceAddress configuration parameter. felix #2037 (@maxstr)
  • Add DeviceRouteSourceAddress option to FelixConfig libcalico-go #1097 (@maxstr)
  • Fix that kube-controllers would reconcile policies unnecessarily. libcalico-go #1107 (@rikatz)
  • Dikastes runs as a nonroot user by default for improved security app-policy #96 (@spikecurtis)
  • Retry on node update conflict in IPAM upgrade script cni-plugin #760 (@sbueringer)
  • Dikastes runs as non-root user for improved security. calico #2765 (@spikecurtis)
  • Prometheus host is now configurable calico #2728 (@rene-dekker)
Component Version
calico/typha v3.9.0
calico/ctl v3.9.0
calico/node v3.9.0
calico/cni v3.9.0
calico/kube-controllers v3.9.0
networking-calico 3.9.0 v0.11.0
calico/dikastes v3.9.0
calico/pod2daemon-flexvol v3.9.0