tigera · ctauchen · Feb 12, 2025 · Feb 6, 2025 · Feb 6, 2025 · Feb 10, 2025
@@ -31,23 +31,23 @@
 
 | $[prodname] version    | $[prodname] support                                                                                                                        |
 | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
-| 3.18 to current release | - $[prodname] CNI with network policy<br />- Azure CNI with $[prodname] network policy <br />- Azure CNI with $[prodname] network policy |
+| 3.19 to current release | - $[prodname] CNI with network policy<br />- Azure CNI with $[prodname] network policy <br />- Azure CNI with $[prodname] network policy |
 
 ## EKS
 
 Kubernetes version support aligns with [upstream Kubernetes](#kubernetes-kubeadm) to the latest version if available.
 
 | $[prodname] version    | $[prodname] support                                                                   |
 | ----------------------- | -------------------------------------------------------------------------------------- |
-| 3.18 to current release | - $[prodname] CNI with network policy<br />- AWS CNI with $[prodname] network policy |
+| 3.19 to current release | - $[prodname] CNI with network policy<br />- AWS CNI with $[prodname] network policy |
 
 ## GKE
 
 Kubernetes version support aligns with [upstream Kubernetes](#kubernetes-kubeadm) to the latest version if available.
 
 | $[prodname] version    | $[prodname] support                       |
 | ----------------------- | ------------------------------------------ |
-| 3.18 to current release | - GKE CNI with $[prodname] network policy |
+| 3.19 to current release | - GKE CNI with $[prodname] network policy |
 
 ## kOps on AWS
 
@@ -56,7 +56,6 @@
 | 3.21                 | 1.29 - 1.31                  | - $[prodname] CNI with network policy<br />- AWS CNI with $[prodname] network policy |
 | 3.20                 | 1.29 - 1.30                  | - $[prodname] CNI with network policy<br />- AWS CNI with $[prodname] network policy |
 | 3.19                 | 1.28 - 1.29                  | - $[prodname] CNI with network policy<br />- AWS CNI with $[prodname] network policy |
-| 3.18                 | 1.26 - 1.28                  | - $[prodname] CNI with network policy<br />- AWS CNI with $[prodname] network policy |
 
 ## Kubernetes-kubeadm
 
@@ -65,7 +64,6 @@
 | 3.21                 | 1.29 - 1.31                 | $[prodname] CNI with network policy |
 | 3.20                 | 1.29 - 1.31                 | $[prodname] CNI with network policy |
 | 3.19                 | 1.28 - 1.30                 | $[prodname] CNI with network policy |
-| 3.18                 | 1.26 - 1.28                 | $[prodname] CNI with network policy |
 
 ## MKE
 
@@ -74,7 +72,6 @@
 | 3.21                 | MKE 3.8     | $[prodname] CNI with network policy | 1.31                |
 | 3.20                 | MKE 3.8     | $[prodname] CNI with network policy | 1.31                |
 | 3.19                 | MKE 3.7     | $[prodname] CNI with network policy | 1.27                |
-| 3.18                 | MKE 3.7     | $[prodname] CNI with network policy | 1.27                |
 
 ## OpenShift
 
@@ -83,7 +80,6 @@
 | 3.21                 | 4.16 - 4.17                       | $[prodname] CNI with network policy |
 | 3.20                 | 4.15 - 4.17                       | $[prodname] CNI with network policy |
 | 3.19                 | 4.14 - 4.15                       | $[prodname] CNI with network policy |
-| 3.18                 | 4.12 - 4.14                       | $[prodname] CNI with network policy |
 
 ## RKE
 
@@ -92,7 +88,6 @@
 | 3.21                 | 1.7         | $[prodname] CNI with network policy | 1.31                |
 | 3.20                 | 1.7         | $[prodname] CNI with network policy | 1.31                |
 | 3.19                 | 1.5         | $[prodname] CNI with network policy | 1.28                |
-| 3.18                 | 1.4         | $[prodname] CNI with network policy | 1.26                |
 
 ## RKE2
 
@@ -101,15 +96,6 @@
 | 3.21                 | $[prodname] CNI with network policy | 1.29 - 1.31         |
 | 3.20                 | $[prodname] CNI with network policy | 1.29 - 1.31         |
 | 3.19                 | $[prodname] CNI with network policy | 1.28 - 1.30         |
-| 3.18                 | $[prodname] CNI with network policy | 1.26 - 1.28         |
-
-## TKG
-
-| $[prodname] version | TKG version | $[prodname] support                 | Kubernetes versions |
-| -------------------- | ----------- | ------------------------------------ | ------------------- |
-| 3.20                 | 2.4         | $[prodname] CNI with network policy | 1.27                |
-| 3.19                 | 2.4         | $[prodname] CNI with network policy | 1.27                |
-| 3.18                 | 2.4         | $[prodname] CNI with network policy | 1.27                |
 
 ## Supported browsers
 

@@ -63,6 +63,9 @@
         "image": "tigera/dex",
         "version": "v3.20.1"
       },
+      "coreos-dex": {
+        "version": "v2.41.1"
+      },
       "fluentd": {
         "image": "tigera/fluentd",
         "version": "v3.20.1"
@@ -71,6 +74,9 @@
         "image": "tigera/fluentd-windows",
         "version": "v3.20.1"
       },
+      "coreos-fluentd": {
+        "version": "1.17.1"
+      },
       "es-proxy": {
         "image": "tigera/es-proxy",
         "version": "v3.20.1"
@@ -1015,4 +1021,4 @@
       }
     }
   }
-]
+]
@@ -31,23 +31,23 @@
 
 | $[prodname] version    | $[prodname] support                                                                                                                        |
 | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
-| 3.18 to current release | - $[prodname] CNI with network policy<br />- Azure CNI with $[prodname] network policy <br />- Azure CNI with $[prodname] network policy |
+| 3.19 to current release | - $[prodname] CNI with network policy<br />- Azure CNI with $[prodname] network policy <br />- Azure CNI with $[prodname] network policy |
 
 ## EKS
 
 Kubernetes version support aligns with [upstream Kubernetes](#kubernetes-kubeadm) to the latest version if available.
 
 | $[prodname] version    | $[prodname] support                                                                   |
 | ----------------------- | -------------------------------------------------------------------------------------- |
-| 3.18 to current release | - $[prodname] CNI with network policy<br />- AWS CNI with $[prodname] network policy |
+| 3.19 to current release | - $[prodname] CNI with network policy<br />- AWS CNI with $[prodname] network policy |
 
 ## GKE
 
 Kubernetes version support aligns with [upstream Kubernetes](#kubernetes-kubeadm) to the latest version if available.
 
 | $[prodname] version    | $[prodname] support                       |
 | ----------------------- | ------------------------------------------ |
-| 3.18 to current release | - GKE CNI with $[prodname] network policy |
+| 3.19 to current release | - GKE CNI with $[prodname] network policy |
 
 ## kOps on AWS
 
@@ -56,7 +56,6 @@
 | 3.21                 | 1.29 - 1.31                  | - $[prodname] CNI with network policy<br />- AWS CNI with $[prodname] network policy |
 | 3.20                 | 1.29 - 1.30                  | - $[prodname] CNI with network policy<br />- AWS CNI with $[prodname] network policy |
 | 3.19                 | 1.28 - 1.29                  | - $[prodname] CNI with network policy<br />- AWS CNI with $[prodname] network policy |
-| 3.18                 | 1.26 - 1.28                  | - $[prodname] CNI with network policy<br />- AWS CNI with $[prodname] network policy |
 
 ## Kubernetes-kubeadm
 
@@ -65,7 +64,6 @@
 | 3.21                 | 1.29 - 1.31                 | $[prodname] CNI with network policy |
 | 3.20                 | 1.29 - 1.31                 | $[prodname] CNI with network policy |
 | 3.19                 | 1.28 - 1.30                 | $[prodname] CNI with network policy |
-| 3.18                 | 1.26 - 1.28                 | $[prodname] CNI with network policy |
 
 ## MKE
 
@@ -74,7 +72,6 @@
 | 3.21                 | MKE 3.8     | $[prodname] CNI with network policy | 1.31                |
 | 3.20                 | MKE 3.8     | $[prodname] CNI with network policy | 1.31                |
 | 3.19                 | MKE 3.7     | $[prodname] CNI with network policy | 1.27                |
-| 3.18                 | MKE 3.7     | $[prodname] CNI with network policy | 1.27                |
 
 ## OpenShift
 
@@ -83,7 +80,6 @@
 | 3.21                 | 4.16 - 4.17                       | $[prodname] CNI with network policy |
 | 3.20                 | 4.15 - 4.17                       | $[prodname] CNI with network policy |
 | 3.19                 | 4.14 - 4.15                       | $[prodname] CNI with network policy |
-| 3.18                 | 4.12 - 4.14                       | $[prodname] CNI with network policy |
 
 ## RKE
 
@@ -92,7 +88,6 @@
 | 3.21                 | 1.7         | $[prodname] CNI with network policy | 1.31                |
 | 3.20                 | 1.7         | $[prodname] CNI with network policy | 1.31                |
 | 3.19                 | 1.5         | $[prodname] CNI with network policy | 1.28                |
-| 3.18                 | 1.4         | $[prodname] CNI with network policy | 1.26                |
 
 ## RKE2
 
@@ -101,15 +96,6 @@
 | 3.21                 | $[prodname] CNI with network policy | 1.29 - 1.31         |
 | 3.20                 | $[prodname] CNI with network policy | 1.29 - 1.31         |
 | 3.19                 | $[prodname] CNI with network policy | 1.28 - 1.30         |
-| 3.18                 | $[prodname] CNI with network policy | 1.26 - 1.28         |
-
-## TKG
-
-| $[prodname] version | TKG version | $[prodname] support                 | Kubernetes versions |
-| -------------------- | ----------- | ------------------------------------ | ------------------- |
-| 3.20                 | 2.4         | $[prodname] CNI with network policy | 1.27                |
-| 3.19                 | 2.4         | $[prodname] CNI with network policy | 1.27                |
-| 3.18                 | 2.4         | $[prodname] CNI with network policy | 1.27                |
 
 ## Supported browsers
 

@@ -2,7 +2,7 @@
 description: Enable support for the Kubernetes Gateway API.
 ---
 
-# Gateway API
+# Configure an ingress gateway
 
 ## Big picture
 

@@ -3,11 +3,11 @@ description: What's new, and why features provide value for upgrading.
 title: Release notes
 ---
 
-# Calico Enterprise 3.19 release notes
+# Calico Enterprise 3.21 release notes
 
 :::info early preview release
 
-Calico Enterprise 3.19 can be used for previewing and testing purposes only.
+Calico Enterprise 3.21 can be used for previewing and testing purposes only.
 It is not supported for use in production.
 
 :::
@@ -16,80 +16,42 @@ Learn about the new features, bug fixes, and other updates in this release of $[
 
 ## New features and enhancements
 
-### Improved flow log filtering for destination domains
+### Introducing Calico Ingress Gateway (tech-preview)
 
-We’ve updated the Felix parameter (`dest_domains`) for DNS policy to make it easy to find only domain names that the deployment actually connected to (not all the domain names that got translated to the same IP address).
-For more information, see [Flow log data types](../visibility/elastic/flow/datatypes.mdx).
+$[prodname] now includes the ability to deploy Calico Ingress Gateway which is an Enterprise hardened, 100% upstream distribution of Envoy Gateway.
+Envoy Gateway is an implementation of the Kubernetes Gateway API with several extensions that provide advanced security and traffic management features.
 
-### New flow logs panel on Endpoints page
+For more information, see [Configure an ingress gateway](../networking/gateway-api.mdx).
 
-We've updated the Endpoints page in the web console with a new flow logs panel so you can view and filter Endpoints associated with denied traffic. Flow log metadata includes the source, destination, ports, protocols, and other key forms. We've also updated the Policy Board to highlight policies with denied traffic.
+### IPAM for load balancers
 
-### Improvements to security events dashboard
+$[prodname] now extends its IPAM capabilities to support service LoadBalancer IP allocation, providing a centralized, automated approach to managing LoadBalancer IPs within Kubernetes clusters.
 
-We've added the following improvements to the [Security events dashboard](../threat/security-event-management.mdx):
+For more information, see [LoadBalancer IP address management](../networking/ipam/service-loadbalancer.mdx)
 
-- Jira and Slack webhook integration for security event alerts
+### Enhancements
 
-   By [configuring webhooks](../threat/configuring-webhooks.mdx), you can now push alerts from the Security Overview dashboard in the web console to Jira and Slack so incident response and security teams can use native tools to respond to security event alerts.
+* **Control-plane label customization for AKS:**
+  We added support for customizing the namespace labels on AKS clusters.
+  By default we apply a `control-plane` label to namespaces so that they are exempt from Azure Policy.
+  If you wish to apply Azure Policy to our namespaces, you can now override this label.
 
-- Added threat feed alerts
+* **Log levels for api-server component:**
+  You can now tune the log level for the API server to better support production deployments and troubleshooting scenarios.
 
-   If you have implemented global threat feeds for suspicious activity (domains or suspicious IPs), alerts are now visible in the Security Overview dashboard. For more information on threatfeeds, see  [Trace and block suspicious IPs](../threat/suspicious-ips).
-
-### Deprecated and removed features
-
-* The anomaly detection feature was removed in v3.18.1 If anomaly detection is enabled and you upgrade to $[prodname] 3.18, you will stop receiving anomaly detection alerts.
-* [Manual install for Windows](../getting-started/install-on-clusters/windows-calico/manual-install/) will be deprecated in a future release. Starting in v3.18.1, the [standard installation is operator-based](../getting-started/install-on-clusters/windows-calico/operator).
-
-## Technology Preview features
-
-- [Web application firewall](../threat/web-application-firewall)
-
-   Protect cloud-native applications from application layer attacks.
-
-- [Security events management](../threat/security-event-management)
-
-   Get alerts on security events that may indicate a threat is present in your Kubernetes cluster.
-
-- [DNS policy for Windows](../getting-started/install-on-clusters/windows-calico/limitations#dns-policy-limitations)
-
-   Use domain names in policies to identify services outside the cluster, which is often operationally simpler and more robust than using IP addresses.
-
-<!-- ## Bug fixes -->
-
-<!-- Follow this template: Problem-Cause-Fix-Result -->
-
-<!--
-* Bug 1.
-* Bug 2.
--->
-<!--
-## Security fixes
-
-* Security fix.
--->
-
-## Known issues
-
-* Flow logs for the Windows workloads currently do not display entries with a Deny action.
-* Before upgrading a $[prodname] cluster on MKE v3.6 to the latest $[prodname] version: 1) upgrade MKE from 3.6 to 3.7, then 2) upgrade $[prodname].
-* L7 logs with source name `pvt` is not visible in Service Graph.
-* *Multi-cluster management users only*. If the `manager-tls` and `internal-manager-tls` secrets have overlapping DNS names, components such as `es-calico-kube-controllers` will log certificate errors. If you have previously installed a version older than v3.13.0 and never changed your manager-tls secret from the tigera-operator namespace, you must delete both of these secrets. This applies to you if the following command prints a certificate: `$ kubectl get secret manager-tls -n tigera-operator -o "jsonpath={.data['cert']}"`.
-* Upgrading to $[prodname] 3.18.0 on Rancher/RKE from $[prodname] 3.13.0 currently requires manually terminating the calico-node container for an upgrade to proceed.
-* Calico panics if kube-proxy or other components are using native `nftables` rules instead of the `iptables-nft` compatibility shim. Until Calico supports native nftables mode, we recommend that you continue to use the iptables-nft compatibility layer for all components. (The compatibility layer was the only option before Kubernetes v1.29 added alpha-level `nftables` support.) Do not run Calico in "legacy" iptables mode on a system that is also using `nftables`. Although this combination does not panic or fail (at least on kernels that support both), the interaction between `iptables` "legacy" mode and `nftables` is confusing: both `iptables` and `nftables` rules can be executed on the same packet, leading to policy verdicts being "overturned".
-* Linseed deployment needs to be manually restarted after an upgrade. Without a restart, Linseed can't ingest data because it can't authenticate with Elastic.
+* **Clusterrolebindings have reduced privileges:**
+  Clusterrolebindings for the `tigera-operator`, `calico-kube-controller`, and `calico-prometheus-operator` components have been changed to improve $[prodname]'s least-privileged security model.
 
 ## Release details
 
-### Calico Enterprise 3.19.0 (early preview)
+### Calico Enterprise 3.21.0-1.0 (early preview)
 
-January xx, 2024
+February 11, 2025
 
-Calico Enterprise 3.19.0 is now available as an early preview release.
+Calico Enterprise 3.21-1.0 is now available as an early preview release.
 This release is for previewing and testing purposes only.
 It is not supported for use in production.
 
-<!--
-To update an existing installation of Calico Enterprise 3.18, see [Install a patch release](../getting-started/manifest-archive.mdx).
--->
+{/*
+To update an existing installation of Calico Enterprise 3.21, see [Install a patch release](../getting-started/manifest-archive.mdx).
+*/}