Mirror Calico OSS 3.32 features into CC next #2755
Open
ctauchen wants to merge 7 commits into
Calico OSS 3.32 adds Kubernetes 1.36 support; mirror the version bump into CC next system-requirements. Upstream: calico/calico OSS 3.32 release notes Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mirror the OSS 3.32 selector-scoped FelixConfiguration support into CC next reference docs. Adds a "Selector-scoped configuration" section covering the example, precedence rules, overlapping-selector behavior, and restrictions. Upstream: calico/calico#11977, calico/calico#12497 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
CE next already documents the validating admission webhook that enforces tier-based RBAC on (Global)NetworkPolicy and staged-policy CRUD when using native v3 CRDs. Mirror the same wording into CC next so both products describe the admission-webhook enforcement and its known read-side limitation (GET/LIST/WATCH not enforced). The link to ../../operations/native-v3-crds.mdx in CC is added in a later commit in this PR. Upstream: calico/calico#11803 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…iteria and route ops Mirror the OSS 3.32 BGPFilter additions into CC next reference docs to match CE. Adds peerType / priority / communities match criteria and the operations list (addCommunity / prependASPath / setPriority) on both v4 and v6 rule schemas. Adds the new sub-resource sections (Community Match, Operation, AddCommunity, PrependASPath, SetPriority) and the previously missing Prefix Length section that the v4/v6 rules already linked to. Also corrects a typo where the v4 rule cidr field described an IPv6 range. CE was already at this content level (came in via tigera#2612); no CE change in this commit. Upstream: calico/calico#12002 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
This PR syncs Calico Cloud “next” documentation with headline Calico OSS 3.32 documentation updates, including new/updated resource fields, tier naming changes, and new operational workflows.
Changes:
- Updates CC docs for the `allow-tigera` → `calico-system` tier rename (content updates, sidebar/nav updates, and a Netlify redirect).
- Mirrors OSS 3.32 reference updates for FelixConfiguration selector-scoped configuration and BGPFilter new match/operation fields.
- Adds CC operations docs for “native v3 CRDs” enablement and datastore migration, and updates tier/RBAC guidance accordingly.
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| static/_redirects | Adds redirect from old allow-tigera doc path to calico-system. |
| sidebars-calico-cloud.js | Updates sidebar entries for calico-system and adds new operations docs. |
| calico-cloud/reference/resources/felixconfig.mdx | Documents selector-scoped FelixConfiguration via nodeSelector. |
| calico-cloud/reference/resources/bgpfilter.mdx | Documents new BGPFilter match criteria and route modification operations. |
| calico-cloud/operations/native-v3-crds.mdx | New guide for enabling native projectcalico.org/v3 CRDs (tech preview). |
| calico-cloud/operations/crd-migration.mdx | New guide for migrating from API server mode to native CRDs. |
| calico-cloud/operations/monitor/metrics/recommended-metrics.mdx | Updates example metric labels to calico-system tier. |
| calico-cloud/operations/disconnect.mdx | Updates disconnect guidance to reference calico-system tier. |
| calico-cloud/network-policy/policy-tiers/tiered-policy.mdx | Updates tier docs (incl. kube-admin/kube-baseline) and references calico-system. |
| calico-cloud/network-policy/policy-tiers/rbac-tiered-policies.mdx | Adds native-CRD-mode RBAC behavior note and links to new ops doc. |
| calico-cloud/network-policy/policy-tiers/calico-system.mdx | New replacement doc for “Change calico-system tier behavior”. |
| calico-cloud/network-policy/policy-tiers/allow-tigera.mdx | Removes old “allow-tigera tier behavior” doc page. |
| calico-cloud/network-policy/index.mdx | Updates doc card link to point to calico-system. |
| calico-cloud/get-started/system-requirements.mdx | Adds Kubernetes 1.36 and 1.35 to supported versions list. |
| calico-cloud/compliance/configure-http-proxy.mdx | Updates text to reference calico-system tier. |
| #### Restrictions | ||
|
|
||
| - The `nodeSelector` field cannot be set on the `default` resource or on `node.<nodename>` resources. These names have fixed scoping semantics. | ||
| - The `nodeSelector` field uses the same [selector syntax](../resources/networkpolicy.mdx#selectors) as other Calico resources. |
|
|
||
| ### Validation and defaulting | ||
|
|
||
| When using native `projectcalico.org/v3` CRDs, resource validation and defaulting are handled by native CRD validation and defaulting, as well as ValidatingAdmissionPolicies and MutatingAdmissionPolicies. $[prodname] uses [MutatingAdmissionPolicies](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) for defaulting, which are currently a **beta** Kubernetes feature. You must ensure that the `MutatingAdmissionPolicy` feature gate is enabled on your Kubernetes API server before using native `projectcalico.org/v3` CRDs. |
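Review bot: the link in the "Validation and defaulting" paragraph is mislabelled: the text reads `[MutatingAdmissionPolicies](...)` but the URL points at the ValidatingAdmissionPolicy reference (`.../validating-admission-policy/`). Point it at the MutatingAdmissionPolicy reference page instead (presumably `https://kubernetes.io/docs/reference/access-authn-authz/mutating-admission-policy/`), since that is where the feature-gate guidance the paragraph tells the reader to follow actually lives. While here, the Restrictions list above says `nodeSelector` cannot be set on `default` or `node.<nodename>` but not what happens when someone tries; one clause stating whether the object is rejected at admission would save readers a test cycle.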
Comment on lines
+38
to
+42
| If you want to change the way traffic is enforced by the `calico-system` tier, you must create policy in an adjacent tier to meet your needs. For example, if a policy in the `calico-system` tier allows or denies traffic, and you want to change how that traffic is enforced, you can create a policy in a tier before `calico-system` that selects the same traffic to make your desired changes. Similarly, if a policy in the `calico-system` tier passes or does not select traffic that you want to enforce, you can create a policy in a tier after `calico-system` to select this traffic to meet the desired behavior. | ||
|
|
||
| ### Example: use preceding tier to tighten security | ||
|
|
||
| Let's say an `calico-system` policy allows ingress traffic from a $[prodname] component that you do not use, and you want to tighten enforcement to not allow this traffic. |
| - action: Pass | ||
| ``` | ||
|
|
||
| This example shows how you can change the impact of the `calico-system` tier on traffic without modifying the tier itself. This makes your changes more maintainable, and allows the calico-system tier to continue to receive updates as $[prodname] evolves without you needing to reconcile your changes each release. |
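Review bot: grammar in the example intro: "Let's say an `calico-system` policy" should be "a `calico-system` policy", and "you must create policy in an adjacent tier" reads better as "a policy". The closing paragraph also writes "the calico-system tier" without the backticks used for the tier name everywhere else in this section; format it as `calico-system` for consistency.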
Comment on lines
+55
to
+59
| spec: | ||
| # Place in a tier prior to calico-system. | ||
| tier: preceding-tier | ||
|
|
||
| # Select the same endpoint as the original policy. |
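Review bot: the snippet relies on `tier: preceding-tier` with the comment "Place in a tier prior to calico-system", but nothing shown creates that tier or states that its `order` must be lower than the `calico-system` tier's order for the policy to be evaluated first. Either include the `Tier` manifest with an explicit `order` or say so in the surrounding text; otherwise a reader who creates the tier with a higher (or unset) order ends up with a policy that is evaluated after `calico-system` and never tightens anything.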
Mirror the OSS 3.32 tier rename into CC next: - Rename network-policy/policy-tiers/allow-tigera.mdx -> calico-system.mdx - Replace 'allow-tigera' -> 'calico-system' throughout the page body, the tiered-policy / network-policy index / configure-http-proxy / recommended-metrics / operations/disconnect cross-references, and the sidebar entry Versioned trees (calico-cloud_versioned_docs) are intentionally left untouched. Note on applicability: the OSS rename is operator-driven (release notes say it only requires manual policy updates 'If your Calico installation does not use the Tigera Operator, or if you have created custom Network Policies within this Tier'). CC always runs the Tigera Operator, so the operator should rename the tier automatically. Upstream: calico/calico#11842 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Port the CE next operations/native-v3-crds.mdx and operations/crd-migration.mdx pages to CC next and wire them into sidebars-calico-cloud.js mirroring the CE position (after the eBPF group, before component-logs). The only edits versus CE are the frontmatter description product-name swaps. The body uses $[prodname] substitution so it renders correctly in CC; helm chart / manifest URLs use $[manifestsUrl] and $[releaseTitle] which are CC-product-aware. Open question for @caseydavenport: Calico Cloud is a SaaS control plane that manages CRDs server-side, so it is unclear how much of the native v3 CRDs install / migration flow applies cleanly to CC-connected clusters. Verification ping on this commit asks whether this content belongs in CC as written, needs a SaaS-specific caveat, or should be dropped entirely. Upstream: calico/calico#10447 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replace the AdminNetworkPolicy / BaselineAdminNetworkPolicy tier sections in CC next tiered-policy.mdx with the new ClusterNetworkPolicy story from OSS 3.32: - kube-admin tier (auto-created, order 1,000) holds ClusterNetworkPolicy resources with spec.tier: Admin. Sample YAML included. - kube-baseline tier (auto-created, order 10,000,000) holds ClusterNetworkPolicy resources with spec.tier: Baseline. Sample YAML included. - Each section ends with a deprecation note pointing users from the old adminnetworkpolicy / baselineadminnetworkpolicy tier names to the new kube-admin / kube-baseline tier names, and noting that the upstream AdminNetworkPolicy / BaselineAdminNetworkPolicy resources are no longer enforced and must be migrated to ClusterNetworkPolicy before upgrade. Mirrors the OSS 3.32 tiered-policy.mdx content verbatim (s/Calico Open Source/$[prodname]/) so the products stay aligned on the new policy API. Upstream: calico/calico#10810, calico/calico#11144, calico/calico#12227 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Summary
Calico Enterprise 3.23 EP2 picks up the Calico OSS 3.32 stream (confirmed via three Confluence pages: PM/3565355009, ENG/3605364738, ENG/3650289665). This PR mirrors the headline OSS 3.32 reference / how-to content into CC next (`/calico-cloud/`) so CC stays in sync on the new resources, fields, and tiers introduced upstream. CE-side changes are in a separate PR.
No release-notes content is in this PR. Release-notes lines are drafted in a side document and will be incorporated into the CC release-notes page in a separate PR.
Commits
- `nodeSelector` (tech preview)
- `allow-tigera` tier → `calico-system`

OSS 3.32 items intentionally not in this PR (CC-side):

- `calicoctl` docs at all; the `kubeVirtVMAddressPersistence` field is already in `calico-cloud/reference/resources/ipamconfig.mdx`.

Open questions for reviewers
Test plan
- `make start-next`)
- Pages checked: `get-started/system-requirements`, `reference/resources/felixconfig`, `reference/resources/bgpfilter`, `network-policy/policy-tiers/rbac-tiered-policies`, `network-policy/policy-tiers/calico-system`, `network-policy/policy-tiers/tiered-policy`, `operations/native-v3-crds`, `operations/crd-migration`
- `grep -rn "allow-tigera" calico-cloud/` returns no hits (versioned tree untouched)
- `grep -rn "kube-admin\|kube-baseline\|ClusterNetworkPolicy" calico-cloud/` returns hits in tiered-policy.mdx

🤖 Generated with Claude Code