diff --git a/README.md b/README.md
index b006fa9987f6cf98c74782bd58e8cbf7fedc1844..fbab509548e98ec2c2accb93a54d5a5f62c3ceac 100644
--- a/README.md
+++ b/README.md
@@ -167,7 +167,7 @@ Note: Upstart/SysV init based OS types are not supported.
   - [cri-o](http://cri-o.io/) v1.30.3 (experimental: see [CRI-O Note](docs/CRI/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) v1.2.0
-  - [calico](https://github.com/projectcalico/calico) v3.27.3
+  - [calico](https://github.com/projectcalico/calico) v3.28.1
   - [cilium](https://github.com/cilium/cilium) v1.15.4
   - [flannel](https://github.com/flannel-io/flannel) v0.22.0
   - [kube-ovn](https://github.com/alauda/kube-ovn) v1.12.21
diff --git a/roles/kubespray-defaults/defaults/main/checksums.yml b/roles/kubespray-defaults/defaults/main/checksums.yml
index f96d8e7b9e725c87c5d9a858fc7ba181fd3b8f39..517f654df5a3b53cdd0f2a497d5cca44148fa48a 100644
--- a/roles/kubespray-defaults/defaults/main/checksums.yml
+++ b/roles/kubespray-defaults/defaults/main/checksums.yml
@@ -466,6 +466,8 @@ cni_binary_checksums:
     v1.0.0: 1a055924b1b859c54a97dc14894ecaa9b81d6d949530b9544f0af4173f5a8f2a
 calicoctl_binary_checksums:
   arm:
+    v3.28.1: 0
+    v3.28.0: 0
     v3.27.3: 0
     v3.27.2: 0
     v3.27.1: 0
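Review bot: The `0` values added for `arm` (v3.28.1 and v3.28.0) are not digests, and the same value appears in the later hunks for v3.27.1 on arm64, amd64 and ppc64le, so from this file alone `0` can mean either "no upstream binary for this arch" or "digest never recorded". The code that consumes this table is not visible in the diff; it presumably treats `0` as unsupported, but that is worth confirming so that a `0` entry makes the download fail and never falls through to an unverified fetch. A comment above `calicoctl_binary_checksums` would make the contract explicit, for example `# 0 = no verified sha256 for this arch/version; download must fail, not skip the check`. The mapping starts before this hunk and continues past it.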
@@ -488,6 +490,8 @@ calicoctl_binary_checksums:
     v3.23.5: 0
     v3.23.4: 0
   arm64:
+    v3.28.1: c062d13534498a427c793a4a9190be4df3cf796a3feb29e4a501e1d6f48daa7c
+    v3.28.0: c4ca8563d2a920729116a3a30171c481580c8c447938ce974ce14d7ce25a31bf
     v3.27.3: 1fc5f58a18d8b1c487b4663fc5cbe23b45bd9d31617debd309f6dfac7c11a8ef
     v3.27.2: 0fd1f65a511338cf9940835987d420c94ab95b5386288ba9673b736a4d347463
     v3.27.1: 0
@@ -510,6 +514,8 @@ calicoctl_binary_checksums:
     v3.23.5: 0941ad0deeb03d8fda96340948cdbc15d14062086438150cf3ec5ee2767b22c3
     v3.23.4: c54b7d122d9315bbab1a88707b7168a0934a80c4f2a94c9e871bcc8a8cf11c11
   amd64:
+    v3.28.1: 22ec5727c38dbe19001792b4ca64ac760a6e2985d5c1a231d919dbebe5bca171
+    v3.28.0: 4ea270699e67ca29e5533ddb0a68d370cb0005475796c7e841f83047da6297b6
     v3.27.3: e22b8bb41684f8ffb5143b50bf3b2ab76985604d774d397cfb6fb11d8a19f326
     v3.27.2: 692f69dc656e41cd35e23e24f56c98c4aeeb723fed129985b46f71e6eb5e1594
     v3.27.1: 0
@@ -532,6 +538,8 @@ calicoctl_binary_checksums:
     v3.23.5: 4c777881709ddaabcf4b56dcbe683125d7ed5743c036fee9273c5295e522082f
     v3.23.4: 1ea0d3b6543645612e8239978878b6adefdb7619a16ecbdb8e6dc2687538f689
   ppc64le:
+    v3.28.1: 985caad36fed7b883a2cd4cf91e556974bcca95fe4e6b7ff4cb64d8d8fbe9223
+    v3.28.0: 0789cb0d1478ec3f0a44db265b19042be9dfc18bc1776343c7ea8d246561d12b
     v3.27.3: 5f2ac510c0ec31ec4c02ff2660f2502b68b655616d5b766a51bd99d2e3604fbc
     v3.27.2: f918bb88de1d01de3d143e1e75d0ee1256f247c5cbabec7d665aaf8d1fd3cc6c
     v3.27.1: 0
@@ -599,6 +607,8 @@ ciliumcli_binary_checksums:
     v0.15.16: 0
     v0.15.15: 0
 calico_crds_archive_checksums:
+  v3.28.1: c56f1530e7ded9d5b4afb9d83a7a24da6d2959ef7ad38521813f1c2bf138182d
+  v3.28.0: ee721337db0cd847e91aae1cdfd420596896ebcb865575fd913c2f12ac2cdb76
   v3.27.3: d11a32919bff389f642af5df8180ad3cec586030decd35adb2a7d4a8aa3b298e
   v3.27.2: 8154bb4aad887f2a5500b505fe203a918f72c4e602b04c688c4b94f76a26e925
   v3.27.1: 76abb0db222af279e3514cfae02be9259097b565bbb2ffcb776ca00566480edb
diff --git a/roles/kubespray-defaults/defaults/main/download.yml b/roles/kubespray-defaults/defaults/main/download.yml
index b1003d04ff289a8af2e10c0910d69888fed0938d..2eae9adcc19bba055db9e96c2c14d67733e912d7 100644
--- a/roles/kubespray-defaults/defaults/main/download.yml
+++ b/roles/kubespray-defaults/defaults/main/download.yml
@@ -100,7 +100,7 @@ github_image_repo: "ghcr.io"
 
 # TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults
 # after migration to container download
-calico_version: "v3.27.3"
+calico_version: "v3.28.1"
 calico_ctl_version: "{{ calico_version }}"
 calico_cni_version: "{{ calico_version }}"
 calico_flexvol_version: "{{ calico_version }}"
diff --git a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2 b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
index ca25eeb21be309fef4d778f1f387ff6f44b8a9c3..769c78cff60b43825c5fc619678fc2837c8fe744 100644
--- a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
@@ -72,6 +72,15 @@ spec:
           initialDelaySeconds: 90
           periodSeconds: 10
         name: calico-apiserver
+{% if calico_version is version('v3.28.0', '>=') %}
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 5443
+            scheme: HTTPS
+          timeoutSeconds: 5
+          periodSeconds: 60
+{% else %}
         readinessProbe:
           exec:
             command:
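Review bot: The `readinessProbe` added in the `>= v3.28.0` branch sets only `timeoutSeconds: 5` and `periodSeconds: 60`, so `failureThreshold` falls back to the Kubernetes default of 3 and an apiserver that stops answering `/readyz` can stay in the Service endpoints for up to about three minutes; the exec branch it replaces uses `periodSeconds: 10` with `failureThreshold: 5`, visible in the next hunk. If the 60-second period is deliberate (it may simply follow the upstream manifest), a comment such as `# probe values follow the upstream v3.28 manifest; the slow period is intentional` would record that, otherwise consider `periodSeconds: 10` with an explicit `failureThreshold: 3`. The `{% if %}` opened here is closed by the `{% endif %}` in the following hunk, and the container spec begins outside this hunk.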
@@ -79,6 +88,7 @@ spec:
           failureThreshold: 5
           initialDelaySeconds: 5
           periodSeconds: 10
+{% endif %}
         securityContext:
           privileged: false
           runAsUser: 0
@@ -173,7 +183,16 @@ rules:
   - create
   - update
   - delete
-
+{% if calico_version is version('v3.28.0', '>=') %}
+- apiGroups:
+  - policy
+  resourceNames:
+  - calico-apiserver
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+{% endif %}
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
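Review bot: The rule added under `{% if calico_version is version('v3.28.0', '>=') %}` grants `use` on `podsecuritypolicies`, a resource whose API was removed in Kubernetes 1.25, so on a cluster at or above that release the rule matches nothing and only adds an entry to audit in the role. Gating it on whether PodSecurityPolicy is actually in use, rather than on the Calico version, would keep the role minimal; if it is kept for parity with the upstream manifest, say so with `# PSP was removed in k8s 1.25; rule kept only to match upstream calico-apiserver RBAC`. The `resourceNames` restriction to `calico-apiserver` is the right shape and should stay if the rule does. The `rules:` list and the kind of role it belongs to begin outside this hunk.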
diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2
index 6642ef2f689f51a6e861b8ba37d963c7a7986b26..ff85a5123df5d9f1b090b399b92c32da178dd024 100644
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -411,9 +411,11 @@ spec:
         - name: var-run-calico
           hostPath:
             path: /var/run/calico
+            type: DirectoryOrCreate
         - name: var-lib-calico
           hostPath:
             path: /var/lib/calico
+            type: DirectoryOrCreate
         # Used to install CNI.
         - name: cni-net-dir
           hostPath:
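Review bot: `type: DirectoryOrCreate` on `var-run-calico` and `var-lib-calico` here, and on `cni-bin-dir` (`/opt/cni/bin`) in the next hunk, tells the kubelet to create a missing host path (empty, mode 0755, same ownership as the kubelet) rather than require that it already exists. For `/opt/cni/bin` that matters more than for the state directories, because the container runtime executes the plugin binaries found there with host privileges; if an earlier step of the deployment is expected to have populated that directory, `type: Directory` would fail fast on a node where it did not. If creation on demand is intended, a short comment above `cni-bin-dir` such as `# created on demand; populated by the CNI install step` would record it. The `volumes:` list starts before this hunk, and the `cni-net-dir` entry between the two hunks is only partly visible, so its `type` could not be checked.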
@@ -421,6 +423,7 @@ spec:
         - name: cni-bin-dir
           hostPath:
             path: /opt/cni/bin
+            type: DirectoryOrCreate
 {% if calico_datastore == "etcd" %}
         # Mount in the etcd TLS secrets.
         - name: etcd-certs