Calico Update overview.md #262
added bulletin for Calico mirroring
Learn Build status updates of commit 69ad706: ✅ Validation status: passed
For more details, please refer to the build report.
**Published Date**: June 25, 2025 | ||
|
||
### Description | ||
This bulletin provides an update on the security patching model for Calico in Azure Kubernetes Service (AKS). AKS-managed Calico is now fully aligned with upstream [Calico releases](https://github.com/projectcalico/calico/releases). This means that AKS will no longer independently patch Calico images but will instead mirror upstream Calico builds directly. |
Technically these releases as well: https://github.com/tigera/operator/releases
### Description | ||
This bulletin provides an update on the security patching model for Calico in Azure Kubernetes Service (AKS). AKS-managed Calico is now fully aligned with upstream [Calico releases](https://github.com/projectcalico/calico/releases). This means that AKS will no longer independently patch Calico images but will instead mirror upstream Calico builds directly. | ||
|
||
As a result, CVEs affecting Calico will remain unpatched in AKS until a fix is available upstream. This change ensures consistency with upstream behavior and improves transparency in patch timelines. |
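Review bot: "until a fix is available upstream" in the second Description paragraph leaves open how long AKS takes to mirror an upstream build once the fix ships. Since the same paragraph claims improved transparency in patch timelines, state the expected lag between an upstream Calico release and its availability in AKS, or say explicitly that no lag is committed to.
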
Should we also point out that upstream might choose not to fix a CVE if they deem it as not affecting their product?
#### [**AKS Cluster**](#tab/aks-cluster) | ||
|
||
**Affected Versions** | ||
- All AKS supported versions using AKS managed Calico |
Mention Calico was never supported for LTS?
- All AKS supported versions using AKS managed Calico | ||
|
||
**Resolutions** | ||
No immediate action is required. Customers are encouraged to monitor upstream Calico releases and the [AKS CVE Status Tracker](https://releases.aks.azure.com/webpage/index.html) for updates. |
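Review bot: The Resolutions text asks customers to monitor upstream Calico releases but does not say how they find out which Calico version their cluster is running, so a reader cannot tell whether a given upstream fix has reached them. Add a sentence pointing to where the mirrored Calico version for each AKS release is published, for example the tracker already linked in this line if it carries that information.
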
Add this? If this creates an unreasonable security burden, customers may remove Calico by setting network policy to none: https://learn.microsoft.com/en-us/azure/aks/use-network-policies#uninstall-azure-network-policy-manager-or-calico
|
||
As a result, CVEs affecting Calico will remain unpatched in AKS until a fix is available upstream. This change ensures consistency with upstream behavior and improves transparency in patch timelines. | ||
|
||
### References |
Assume it's not worth it/bad to mention we don't do this because of the complexity of some of calico node's image builds. I've been pretty transparent with Tigera about this, so I don't think they would take offense, but assume we don't normally give reasons.
@bcho - Can you review the proposed changes? IMPORTANT: When the changes are ready for publication, adding a #label:"aq-pr-triaged"
This pull request has been inactive for at least 14 days. If you are finished with your changes, don't forget to sign off. See the contributor guide for instructions.
added bulletin for Calico mirroring