From 865f1763658ae6c3717c99dee5b0e9ec9de85d7c Mon Sep 17 00:00:00 2001 From: Tomas Hruby Date: Wed, 11 Mar 2026 13:07:50 -0700 Subject: [PATCH 1/3] Raise eBPF dataplane minimum kernel to v5.10 Drop support for kernels older than 5.10 for the eBPF dataplane. Update minimum to v5.10 (RHEL 8.4 / v4.18.0-305), Ubuntu 22.04, remove XDP row from feature table (v4.16 is below new minimum), and simplify CO-RE warning since v5.10 already includes CO-RE. Co-Authored-By: Claude Opus 4.6 --- calico-cloud/operations/ebpf/enabling-ebpf.mdx | 17 ++++++++--------- .../operations/ebpf/enabling-ebpf.mdx | 17 ++++++++--------- calico-enterprise/operations/ebpf/install.mdx | 17 ++++++++--------- .../version-3.23-1/operations/ebpf/install.mdx | 17 ++++++++--------- calico/operations/ebpf/enabling-ebpf.mdx | 6 +++--- calico/operations/ebpf/install.mdx | 15 +++++++-------- .../operations/ebpf/enabling-ebpf.mdx | 6 +++--- .../version-3.31/operations/ebpf/install.mdx | 15 +++++++-------- 8 files changed, 52 insertions(+), 58 deletions(-) diff --git a/calico-cloud/operations/ebpf/enabling-ebpf.mdx b/calico-cloud/operations/ebpf/enabling-ebpf.mdx index d9df4a1b91..a03be50b01 100644 --- a/calico-cloud/operations/ebpf/enabling-ebpf.mdx +++ b/calico-cloud/operations/ebpf/enabling-ebpf.mdx 
@@ -28,9 +28,9 @@ eBPF (or "extended Berkeley Packet Filter"), is a technology that allows safe mi - arm64 (little-endian) - Linux distribution/kernel: - - Ubuntu 20.04 or above. - - Red Hat v8.2 with Linux kernel v4.18.0-193 or above (Red Hat have backported the required features to that build). - - Another supported distribution with Linux kernel v5.3 or above. {/*TODO-XREFS-CC */} + - Ubuntu 22.04 or above. + - Red Hat v8.4 with Linux kernel v4.18.0-305 or above (Red Hat have backported the required features to that build). + - Another supported distribution with Linux kernel v5.10 or above. {/*TODO-XREFS-CC */} - Immutable operating systems (e.g., Talos Linux): Ensure the `CgroupV2Path` in the `FelixConfiguration` CRD is set to a writable path. #### Kernel version requirements for eBPF features 
@@ -39,15 +39,14 @@ Some eBPF features require a higher kernel version than the base eBPF data plane | Feature | Minimum kernel version | Details | |---|---|---| -| Base eBPF data plane | v5.3 (RHEL: v4.18.0-193) | v5.8+ with CO-RE recommended for better performance | -| [XDP acceleration](../../network-policy/extreme-traffic/defend-dos-attack.mdx) | v4.16 | Used for DoS mitigation; when `bpfEnabled` is `true`, policy is always accelerated using best available BPF technology | +| Base eBPF data plane | v5.10 (RHEL: v4.18.0-305) | CO-RE supported at this version for better performance | | Log rules in eBPF mode | v5.16 | Logs sent to trace pipe via `bpftool prog tracelog` | | [QoS bandwidth controls](../../networking/configuring/qos-controls.mdx) | v6.6 | Requires `tcx` support. Established connection limits not supported with eBPF | | [DNS policy inline mode](../../network-policy/domain-based-policy.mdx) | v5.17 (RHEL: v5.14) | `BPFDNSPolicyMode: Inline` parses DNS responses in eBPF before they reach the application. Only wildcard prefixes (`*.x.y.z`) supported. Falls back to `NoDelay` on older kernels | :::warning -While v5.3 is the minimum kernel version required for the eBPF data plane, we strongly recommend using kernel v5.8 or above, which adds support for [CO-RE (Compile Once - Run Everywhere)](https://docs.ebpf.io/concepts/core/). CO-RE significantly improves compatibility and performance across kernel versions. For access to all eBPF features, we recommend kernel v6.6 or above. +The minimum kernel version required for the eBPF data plane is v5.10, which includes support for [CO-RE (Compile Once - Run Everywhere)](https://docs.ebpf.io/concepts/core/). CO-RE significantly improves compatibility and performance across kernel versions. For access to all eBPF features, we recommend kernel v6.6 or above. ::: 
@@ -113,15 +112,15 @@ The output should look like this: 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 ``` -In this case the kernel version is v5.4, which is suitable. +In this case the kernel version is v5.4, which is not suitable (minimum is v5.10). On Red Hat-derived distributions, you may see something like this: ``` -4.18.0-193.el8.x86_64 (mockbuild@x86-vm-08.build.eng.bos.redhat.com) +4.18.0-305.el8.x86_64 (mockbuild@x86-vm-08.build.eng.bos.redhat.com) ``` -Since the Red Hat kernel is v4.18 with at least build number 193, this kernel is suitable. +Since the Red Hat kernel is v4.18 with at least build number 305 (RHEL 8.4), this kernel is suitable. ### Configure $[prodname] to talk directly to the API server diff --git a/calico-cloud_versioned_docs/version-22-2/operations/ebpf/enabling-ebpf.mdx b/calico-cloud_versioned_docs/version-22-2/operations/ebpf/enabling-ebpf.mdx index a47a466d0d..14575b9a18 100644 --- a/calico-cloud_versioned_docs/version-22-2/operations/ebpf/enabling-ebpf.mdx +++ b/calico-cloud_versioned_docs/version-22-2/operations/ebpf/enabling-ebpf.mdx @@ -28,9 +28,9 @@ eBPF (or "extended Berkeley Packet Filter"), is a technology that allows safe mi - arm64 (little-endian) - Linux distribution/kernel: - - Ubuntu 20.04 or above. - - Red Hat v8.2 with Linux kernel v4.18.0-193 or above (Red Hat have backported the required features to that build). - - Another supported distribution with Linux kernel v5.3 or above. {/*TODO-XREFS-CC */} + - Ubuntu 22.04 or above. + - Red Hat v8.4 with Linux kernel v4.18.0-305 or above (Red Hat have backported the required features to that build). + - Another supported distribution with Linux kernel v5.10 or above. {/*TODO-XREFS-CC */} - Immutable operating systems (e.g., Talos Linux): Ensure the `CgroupV2Path` in the `FelixConfiguration` CRD is set to a writable path. #### Kernel version requirements for eBPF features 
@@ -39,15 +39,14 @@ Some eBPF features require a higher kernel version than the base eBPF data plane | Feature | Minimum kernel version | Details | |---|---|---| -| Base eBPF data plane | v5.3 (RHEL: v4.18.0-193) | v5.8+ with CO-RE recommended for better performance | -| [XDP acceleration](../../network-policy/extreme-traffic/defend-dos-attack.mdx) | v4.16 | Used for DoS mitigation; when `bpfEnabled` is `true`, policy is always accelerated using best available BPF technology | +| Base eBPF data plane | v5.10 (RHEL: v4.18.0-305) | CO-RE supported at this version for better performance | | Log rules in eBPF mode | v5.16 | Logs sent to trace pipe via `bpftool prog tracelog` | | [QoS bandwidth controls](../../networking/configuring/qos-controls.mdx) | v6.6 | Requires `tcx` support. Established connection limits not supported with eBPF | | [DNS policy inline mode](../../network-policy/domain-based-policy.mdx) | v5.17 (RHEL: v5.14) | `BPFDNSPolicyMode: Inline` parses DNS responses in eBPF before they reach the application. Only wildcard prefixes (`*.x.y.z`) supported. Falls back to `NoDelay` on older kernels | :::warning -While v5.3 is the minimum kernel version required for the eBPF data plane, we strongly recommend using kernel v5.8 or above, which adds support for [CO-RE (Compile Once - Run Everywhere)](https://docs.ebpf.io/concepts/core/). CO-RE significantly improves compatibility and performance across kernel versions. For access to all eBPF features, we recommend kernel v6.6 or above. +The minimum kernel version required for the eBPF data plane is v5.10, which includes support for [CO-RE (Compile Once - Run Everywhere)](https://docs.ebpf.io/concepts/core/). CO-RE significantly improves compatibility and performance across kernel versions. For access to all eBPF features, we recommend kernel v6.6 or above. ::: 
@@ -113,15 +112,15 @@ The output should look like this: 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 ``` -In this case the kernel version is v5.4, which is suitable. +In this case the kernel version is v5.4, which is not suitable (minimum is v5.10). On Red Hat-derived distributions, you may see something like this: ``` -4.18.0-193.el8.x86_64 (mockbuild@x86-vm-08.build.eng.bos.redhat.com) +4.18.0-305.el8.x86_64 (mockbuild@x86-vm-08.build.eng.bos.redhat.com) ``` -Since the Red Hat kernel is v4.18 with at least build number 193, this kernel is suitable. +Since the Red Hat kernel is v4.18 with at least build number 305 (RHEL 8.4), this kernel is suitable. ### Configure $[prodname] to talk directly to the API server diff --git a/calico-enterprise/operations/ebpf/install.mdx b/calico-enterprise/operations/ebpf/install.mdx index bc4fa4f34e..f80b043b8e 100644 --- a/calico-enterprise/operations/ebpf/install.mdx +++ b/calico-enterprise/operations/ebpf/install.mdx @@ -35,9 +35,9 @@ and in particular, pushing the networking capabilities of the latest Linux kerne - Linux distribution/kernel: - - Ubuntu 20.04 or above. - - Red Hat v8.2 with Linux kernel v4.18.0-193 or above (Red Hat have backported the required features to that build). - - Another [supported distribution](../../getting-started/install-on-clusters/requirements.mdx) with Linux kernel v5.3 or above. + - Ubuntu 22.04 or above. + - Red Hat v8.4 with Linux kernel v4.18.0-305 or above (Red Hat have backported the required features to that build). + - Another [supported distribution](../../getting-started/install-on-clusters/requirements.mdx) with Linux kernel v5.10 or above. - Immutable operating systems (e.g., Talos Linux): Ensure the `CgroupV2Path` in the `FelixConfiguration` CRD is set to a writable path. #### Kernel version requirements for eBPF features 
@@ -46,15 +46,14 @@ Some eBPF features require a higher kernel version than the base eBPF data plane | Feature | Minimum kernel version | Details | |---|---|---| -| Base eBPF data plane | v5.3 (RHEL: v4.18.0-193) | v5.8+ with CO-RE recommended for better performance | -| [XDP acceleration](../../network-policy/extreme-traffic/defend-dos-attack.mdx) | v4.16 | Used for DoS mitigation; when `bpfEnabled` is `true`, policy is always accelerated using best available BPF technology | +| Base eBPF data plane | v5.10 (RHEL: v4.18.0-305) | CO-RE supported at this version for better performance | | Log rules in eBPF mode | v5.16 | Logs sent to trace pipe via `bpftool prog tracelog` | | [QoS bandwidth controls](../../networking/configuring/qos-controls.mdx) | v6.6 | Requires `tcx` support. Established connection limits not supported with eBPF | | [DNS policy inline mode](../../network-policy/domain-based-policy.mdx) | v5.17 (RHEL: v5.14) | `BPFDNSPolicyMode: Inline` parses DNS responses in eBPF before they reach the application. Only wildcard prefixes (`*.x.y.z`) supported. Falls back to `NoDelay` on older kernels | :::warning -While v5.3 is the minimum kernel version required for the eBPF data plane, we strongly recommend using kernel v5.8 or above, which adds support for [CO-RE (Compile Once - Run Everywhere)](https://docs.ebpf.io/concepts/core/). CO-RE significantly improves compatibility and performance across kernel versions. For access to all eBPF features, we recommend kernel v6.6 or above. +The minimum kernel version required for the eBPF data plane is v5.10, which includes support for [CO-RE (Compile Once - Run Everywhere)](https://docs.ebpf.io/concepts/core/). CO-RE significantly improves compatibility and performance across kernel versions. For access to all eBPF features, we recommend kernel v6.6 or above. ::: 
@@ -124,7 +123,7 @@ Select the appropriate tab below for distribution-specific instructions: -`kubeadm` supports a number of base OSes; as long as the base OS chosen (such as Ubuntu 20.04) meets the kernel +`kubeadm` supports a number of base OSes; as long as the base OS chosen (such as Ubuntu 22.04) meets the kernel requirements, `kubeadm`-provisioned clusters are supported. Since `kube-proxy` is not required in eBPF mode, you must disable `kube-proxy` at install time. With `kubeadm` @@ -137,7 +136,7 @@ kubeadm init --skip-phases=addon/kube-proxy -`kops` supports a number of base OSes; as long as the base OS chosen (such as Ubuntu 20.04 or RHEL 8.2) meets the kernel +`kops` supports a number of base OSes; as long as the base OS chosen (such as Ubuntu 22.04 or RHEL 8.4) meets the kernel requirements, `kops`-provisioned clusters are supported. Since `kube-proxy` is not required in eBPF mode, you must disable `kube-proxy` at install time. With `kops` you @@ -153,7 +152,7 @@ kubeProxy: OpenShift supports a number of base OSes; as long as the base OS chosen has a recent enough kernel, OpenShift clusters are fully supported. Since Red Hat have backported the eBPF features required by $[prodname] the Red Hat kernel -version required is lower than the mainline: v4.18.0-193 or above. +version required is lower than the mainline: v4.18.0-305 or above. diff --git a/calico-enterprise_versioned_docs/version-3.23-1/operations/ebpf/install.mdx b/calico-enterprise_versioned_docs/version-3.23-1/operations/ebpf/install.mdx index 9935457e1e..cdfac82ab7 100644 --- a/calico-enterprise_versioned_docs/version-3.23-1/operations/ebpf/install.mdx +++ b/calico-enterprise_versioned_docs/version-3.23-1/operations/ebpf/install.mdx 
@@ -35,9 +35,9 @@ and in particular, pushing the networking capabilities of the latest Linux kerne - Linux distribution/kernel: - - Ubuntu 20.04 or above. - - Red Hat v8.2 with Linux kernel v4.18.0-193 or above (Red Hat have backported the required features to that build). - - Another [supported distribution](../../getting-started/install-on-clusters/requirements.mdx) with Linux kernel v5.3 or above. + - Ubuntu 22.04 or above. + - Red Hat v8.4 with Linux kernel v4.18.0-305 or above (Red Hat have backported the required features to that build). + - Another [supported distribution](../../getting-started/install-on-clusters/requirements.mdx) with Linux kernel v5.10 or above. - Immutable operating systems (e.g., Talos Linux): Ensure the `CgroupV2Path` in the `FelixConfiguration` CRD is set to a writable path. #### Kernel version requirements for eBPF features 
@@ -46,15 +46,14 @@ Some eBPF features require a higher kernel version than the base eBPF data plane | Feature | Minimum kernel version | Details | |---|---|---| -| Base eBPF data plane | v5.3 (RHEL: v4.18.0-193) | v5.8+ with CO-RE recommended for better performance | -| [XDP acceleration](../../network-policy/extreme-traffic/defend-dos-attack.mdx) | v4.16 | Used for DoS mitigation; when `bpfEnabled` is `true`, policy is always accelerated using best available BPF technology | +| Base eBPF data plane | v5.10 (RHEL: v4.18.0-305) | CO-RE supported at this version for better performance | | Log rules in eBPF mode | v5.16 | Logs sent to trace pipe via `bpftool prog tracelog` | | [QoS bandwidth controls](../../networking/configuring/qos-controls.mdx) | v6.6 | Requires `tcx` support. Established connection limits not supported with eBPF | | [DNS policy inline mode](../../network-policy/domain-based-policy.mdx) | v5.17 (RHEL: v5.14) | `BPFDNSPolicyMode: Inline` parses DNS responses in eBPF before they reach the application. Only wildcard prefixes (`*.x.y.z`) supported. Falls back to `NoDelay` on older kernels | :::warning -While v5.3 is the minimum kernel version required for the eBPF data plane, we strongly recommend using kernel v5.8 or above, which adds support for [CO-RE (Compile Once - Run Everywhere)](https://docs.ebpf.io/concepts/core/). CO-RE significantly improves compatibility and performance across kernel versions. For access to all eBPF features, we recommend kernel v6.6 or above. +The minimum kernel version required for the eBPF data plane is v5.10, which includes support for [CO-RE (Compile Once - Run Everywhere)](https://docs.ebpf.io/concepts/core/). CO-RE significantly improves compatibility and performance across kernel versions. For access to all eBPF features, we recommend kernel v6.6 or above. ::: 
@@ -124,7 +123,7 @@ Select the appropriate tab below for distribution-specific instructions: -`kubeadm` supports a number of base OSes; as long as the base OS chosen (such as Ubuntu 20.04) meets the kernel +`kubeadm` supports a number of base OSes; as long as the base OS chosen (such as Ubuntu 22.04) meets the kernel requirements, `kubeadm`-provisioned clusters are supported. Since `kube-proxy` is not required in eBPF mode, you must disable `kube-proxy` at install time. With `kubeadm` @@ -137,7 +136,7 @@ kubeadm init --skip-phases=addon/kube-proxy -`kops` supports a number of base OSes; as long as the base OS chosen (such as Ubuntu 20.04 or RHEL 8.2) meets the kernel +`kops` supports a number of base OSes; as long as the base OS chosen (such as Ubuntu 22.04 or RHEL 8.4) meets the kernel requirements, `kops`-provisioned clusters are supported. Since `kube-proxy` is not required in eBPF mode, you must disable `kube-proxy` at install time. With `kops` you @@ -153,7 +152,7 @@ kubeProxy: OpenShift supports a number of base OSes; as long as the base OS chosen has a recent enough kernel, OpenShift clusters are fully supported. Since Red Hat have backported the eBPF features required by $[prodname] the Red Hat kernel -version required is lower than the mainline: v4.18.0-193 or above. +version required is lower than the mainline: v4.18.0-305 or above. diff --git a/calico/operations/ebpf/enabling-ebpf.mdx b/calico/operations/ebpf/enabling-ebpf.mdx index 6a1701f721..4ba5714e60 100644 --- a/calico/operations/ebpf/enabling-ebpf.mdx +++ b/calico/operations/ebpf/enabling-ebpf.mdx 
@@ -69,9 +69,9 @@ This section explains how to enable the eBPF data plane on all compatible cluste - RKE (RKE2 recommended because it supports disabling `kube-proxy`) - MKE - Linux distribution/kernel: - - Ubuntu 20.04. - - Red Hat v8.2 with Linux kernel v4.18.0-193 or above (Red Hat have backported the required features to that build). - - Another [supported distribution](../../getting-started/kubernetes/requirements.mdx) with Linux kernel v5.3 or above. Kernel v5.8 or above with CO-RE enabled is recommended for better performance. + - Ubuntu 22.04. + - Red Hat v8.4 with Linux kernel v4.18.0-305 or above (Red Hat have backported the required features to that build). + - Another [supported distribution](../../getting-started/kubernetes/requirements.mdx) with Linux kernel v5.10 or above. - An underlying network fabric that allows VXLAN traffic between hosts. In eBPF mode, VXLAN is used to forward Kubernetes NodePort traffic. - IPv6 diff --git a/calico/operations/ebpf/install.mdx b/calico/operations/ebpf/install.mdx index e6736c2917..4e722423b2 100644 --- a/calico/operations/ebpf/install.mdx +++ b/calico/operations/ebpf/install.mdx @@ -52,9 +52,9 @@ and in particular, pushing the networking capabilities of the latest Linux kerne - Linux distribution/kernel: - - Ubuntu 20.04 or above. - - Red Hat v8.2 with Linux kernel v4.18.0-193 or above (Red Hat have backported the required features to that build). - - Another [supported distribution](../../getting-started/kubernetes/requirements.mdx) with Linux kernel v5.3 or above. + - Ubuntu 22.04 or above. + - Red Hat v8.4 with Linux kernel v4.18.0-305 or above (Red Hat have backported the required features to that build). + - Another [supported distribution](../../getting-started/kubernetes/requirements.mdx) with Linux kernel v5.10 or above. - Immutable operating systems (e.g., Talos Linux): Ensure the `CgroupV2Path` in the `FelixConfiguration` CRD is set to a writable path. #### Kernel version requirements for eBPF features 
@@ -63,14 +63,13 @@ Some eBPF features require a higher kernel version than the base eBPF data plane | Feature | Minimum kernel version | Details | |---|---|---| -| Base eBPF data plane | v5.3 (RHEL: v4.18.0-193) | v5.8+ with CO-RE recommended for better performance | -| [XDP acceleration](../../network-policy/extreme-traffic/defend-dos-attack.mdx) | v4.16 | Used for DoS mitigation; when `bpfEnabled` is `true`, policy is always accelerated using best available BPF technology | +| Base eBPF data plane | v5.10 (RHEL: v4.18.0-305) | CO-RE supported at this version for better performance | | [Log rules in eBPF mode](../../network-policy/policy-rules/log-rules.mdx) | v5.16 | Logs sent to trace pipe via `bpftool prog tracelog` | | [QoS bandwidth controls](../../networking/configuring/qos-controls.mdx) | v6.6 | Requires `tcx` support. Established connection limits not supported with eBPF | :::warning -While v5.3 is the minimum kernel version required for the eBPF data plane, we strongly recommend using kernel v5.8 or above, which adds support for [CO-RE (Compile Once - Run Everywhere)](https://docs.ebpf.io/concepts/core/). CO-RE significantly improves compatibility and performance across kernel versions. For access to all eBPF features, we recommend kernel v6.6 or above. +The minimum kernel version required for the eBPF data plane is v5.10, which includes support for [CO-RE (Compile Once - Run Everywhere)](https://docs.ebpf.io/concepts/core/). CO-RE significantly improves compatibility and performance across kernel versions. For access to all eBPF features, we recommend kernel v6.6 or above. ::: 
@@ -153,7 +152,7 @@ Select the appropriate tab below for distribution-specific instructions: If you're installing $[prodname] on a self-managed kubeadm cluster, you can enable eBPF mode automatically following the operator installation method in [Install Calico for on-premises deployments](../../getting-started/kubernetes/self-managed-onprem/onpremises.mdx). For this category of clusters, eBPF mode is the default data plane, and you don't need to follow the steps in this guide. ::: -`kubeadm` supports a number of base OSes; as long as the base OS chosen (such as Ubuntu 20.04) meets the kernel +`kubeadm` supports a number of base OSes; as long as the base OS chosen (such as Ubuntu 22.04) meets the kernel requirements, `kubeadm`-provisioned clusters are supported. Since `kube-proxy` is not required in eBPF mode, you must disable `kube-proxy` at install time. With `kubeadm` @@ -167,7 +166,7 @@ kubeadm init --skip-phases=addon/kube-proxy -`kops` supports a number of base OSes; as long as the base OS chosen (such as Ubuntu 20.04 or RHEL 8.2) meets the kernel +`kops` supports a number of base OSes; as long as the base OS chosen (such as Ubuntu 22.04 or RHEL 8.4) meets the kernel requirements, `kops`-provisioned clusters are supported. Since `kube-proxy` is not required in eBPF mode, you must disable `kube-proxy` at install time. With `kops` you diff --git a/calico_versioned_docs/version-3.31/operations/ebpf/enabling-ebpf.mdx b/calico_versioned_docs/version-3.31/operations/ebpf/enabling-ebpf.mdx index 936f522ad1..3528a02967 100644 --- a/calico_versioned_docs/version-3.31/operations/ebpf/enabling-ebpf.mdx +++ b/calico_versioned_docs/version-3.31/operations/ebpf/enabling-ebpf.mdx 
@@ -69,9 +69,9 @@ This section explains how to enable the eBPF data plane on all compatible cluste - RKE (RKE2 recommended because it supports disabling `kube-proxy`) - MKE - Linux distribution/kernel: - - Ubuntu 20.04. - - Red Hat v8.2 with Linux kernel v4.18.0-193 or above (Red Hat have backported the required features to that build). - - Another [supported distribution](../../getting-started/kubernetes/requirements.mdx) with Linux kernel v5.3 or above. Kernel v5.8 or above with CO-RE enabled is recommended for better performance. + - Ubuntu 22.04. + - Red Hat v8.4 with Linux kernel v4.18.0-305 or above (Red Hat have backported the required features to that build). + - Another [supported distribution](../../getting-started/kubernetes/requirements.mdx) with Linux kernel v5.10 or above. - An underlying network fabric that allows VXLAN traffic between hosts. In eBPF mode, VXLAN is used to forward Kubernetes NodePort traffic. - IPv6 diff --git a/calico_versioned_docs/version-3.31/operations/ebpf/install.mdx b/calico_versioned_docs/version-3.31/operations/ebpf/install.mdx index ce15834f0c..6e279c2e97 100644 --- a/calico_versioned_docs/version-3.31/operations/ebpf/install.mdx +++ b/calico_versioned_docs/version-3.31/operations/ebpf/install.mdx 
@@ -52,9 +52,9 @@ and in particular, pushing the networking capabilities of the latest Linux kerne - Linux distribution/kernel: - - Ubuntu 20.04 or above. - - Red Hat v8.2 with Linux kernel v4.18.0-193 or above (Red Hat have backported the required features to that build). - - Another [supported distribution](../../getting-started/kubernetes/requirements.mdx) with Linux kernel v5.3 or above. + - Ubuntu 22.04 or above. + - Red Hat v8.4 with Linux kernel v4.18.0-305 or above (Red Hat have backported the required features to that build). + - Another [supported distribution](../../getting-started/kubernetes/requirements.mdx) with Linux kernel v5.10 or above. - Immutable operating systems (e.g., Talos Linux): Ensure the `CgroupV2Path` in the `FelixConfiguration` CRD is set to a writable path. #### Kernel version requirements for eBPF features 
@@ -63,14 +63,13 @@ Some eBPF features require a higher kernel version than the base eBPF data plane | Feature | Minimum kernel version | Details | |---|---|---| -| Base eBPF data plane | v5.3 (RHEL: v4.18.0-193) | v5.8+ with CO-RE recommended for better performance | -| [XDP acceleration](../../network-policy/extreme-traffic/defend-dos-attack.mdx) | v4.16 | Used for DoS mitigation; when `bpfEnabled` is `true`, policy is always accelerated using best available BPF technology | +| Base eBPF data plane | v5.10 (RHEL: v4.18.0-305) | CO-RE supported at this version for better performance | | [Log rules in eBPF mode](../../network-policy/policy-rules/log-rules.mdx) | v5.16 | Logs sent to trace pipe via `bpftool prog tracelog` | | [QoS bandwidth controls](../../networking/configuring/qos-controls.mdx) | v6.6 | Requires `tcx` support. Established connection limits not supported with eBPF | :::warning -While v5.3 is the minimum kernel version required for the eBPF data plane, we strongly recommend using kernel v5.8 or above, which adds support for [CO-RE (Compile Once - Run Everywhere)](https://docs.ebpf.io/concepts/core/). CO-RE significantly improves compatibility and performance across kernel versions. For access to all eBPF features, we recommend kernel v6.6 or above. +The minimum kernel version required for the eBPF data plane is v5.10, which includes support for [CO-RE (Compile Once - Run Everywhere)](https://docs.ebpf.io/concepts/core/). CO-RE significantly improves compatibility and performance across kernel versions. For access to all eBPF features, we recommend kernel v6.6 or above. ::: 
@@ -153,7 +152,7 @@ Select the appropriate tab below for distribution-specific instructions: If you're installing $[prodname] on a self-managed kubeadm cluster, you can enable eBPF mode automatically following the operator installation method in [Install Calico for on-premises deployments](../../getting-started/kubernetes/self-managed-onprem/onpremises.mdx). For this category of clusters, eBPF mode is the default data plane, and you don't need to follow the steps in this guide. ::: -`kubeadm` supports a number of base OSes; as long as the base OS chosen (such as Ubuntu 20.04) meets the kernel +`kubeadm` supports a number of base OSes; as long as the base OS chosen (such as Ubuntu 22.04) meets the kernel requirements, `kubeadm`-provisioned clusters are supported. Since `kube-proxy` is not required in eBPF mode, you must disable `kube-proxy` at install time. With `kubeadm` @@ -167,7 +166,7 @@ kubeadm init --skip-phases=addon/kube-proxy -`kops` supports a number of base OSes; as long as the base OS chosen (such as Ubuntu 20.04 or RHEL 8.2) meets the kernel +`kops` supports a number of base OSes; as long as the base OS chosen (such as Ubuntu 22.04 or RHEL 8.4) meets the kernel requirements, `kops`-provisioned clusters are supported. Since `kube-proxy` is not required in eBPF mode, you must disable `kube-proxy` at install time. With `kops` you From b49f4bf6058dfc40983da753c9ba7844cf668c4f Mon Sep 17 00:00:00 2001 
From: Tomas Hruby Date: Wed, 11 Mar 2026 13:32:25 -0700 Subject: [PATCH 2/3] Address PR review: fix uname examples and Felix config reference - Update uname example to show v5.10 kernel as suitable output instead of showing v5.4 as not suitable (per reviewer feedback) - Update Felix configuration reference to require v5.10 kernel for eBPF dataplane Co-Authored-By: Claude Opus 4.6 --- calico-cloud/operations/ebpf/enabling-ebpf.mdx | 4 ++-- .../component-resources/node/felix/configuration.mdx | 2 +- .../version-22-2/operations/ebpf/enabling-ebpf.mdx | 4 ++-- .../component-resources/node/felix/configuration.mdx | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/calico-cloud/operations/ebpf/enabling-ebpf.mdx b/calico-cloud/operations/ebpf/enabling-ebpf.mdx index a03be50b01..2c720f4f64 100644 --- a/calico-cloud/operations/ebpf/enabling-ebpf.mdx +++ b/calico-cloud/operations/ebpf/enabling-ebpf.mdx @@ -109,10 +109,10 @@ uname -rv The output should look like this: ``` -5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 +5.10.0-26-generic #28~20.04.1-Ubuntu SMP Fri Jan 27 14:30:10 UTC 2023 ``` -In this case the kernel version is v5.4, which is not suitable (minimum is v5.10). +In this case the kernel version is v5.10, which is suitable. On Red Hat-derived distributions, you may see something like this: diff --git a/calico-cloud/reference/component-resources/node/felix/configuration.mdx b/calico-cloud/reference/component-resources/node/felix/configuration.mdx index 9d2df35fca..4e58b33903 100644 --- a/calico-cloud/reference/component-resources/node/felix/configuration.mdx +++ b/calico-cloud/reference/component-resources/node/felix/configuration.mdx 
@@ -148,7 +148,7 @@ The Kubernetes API datastore driver reads its configuration from Kubernetes-prov eBPF data plane mode uses the Linux Kernel's eBPF virtual machine to implement networking and policy instead of iptables. When BPFEnabled is set to `true`, Felix will: -- Require a v5.3 Linux kernel. +- Require a v5.10 Linux kernel. - Implement policy with eBPF programs instead of iptables. - Activate its embedded implementation of `kube-proxy` to implement Kubernetes service load balancing. - Disable support for IPv6. diff --git a/calico-cloud_versioned_docs/version-22-2/operations/ebpf/enabling-ebpf.mdx b/calico-cloud_versioned_docs/version-22-2/operations/ebpf/enabling-ebpf.mdx index 14575b9a18..0914416fe7 100644 --- a/calico-cloud_versioned_docs/version-22-2/operations/ebpf/enabling-ebpf.mdx +++ b/calico-cloud_versioned_docs/version-22-2/operations/ebpf/enabling-ebpf.mdx @@ -109,10 +109,10 @@ uname -rv The output should look like this: ``` -5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 +5.10.0-26-generic #28~20.04.1-Ubuntu SMP Fri Jan 27 14:30:10 UTC 2023 ``` -In this case the kernel version is v5.4, which is not suitable (minimum is v5.10). +In this case the kernel version is v5.10, which is suitable. On Red Hat-derived distributions, you may see something like this: diff --git a/calico-cloud_versioned_docs/version-22-2/reference/component-resources/node/felix/configuration.mdx b/calico-cloud_versioned_docs/version-22-2/reference/component-resources/node/felix/configuration.mdx index 9d2df35fca..4e58b33903 100644 --- a/calico-cloud_versioned_docs/version-22-2/reference/component-resources/node/felix/configuration.mdx +++ b/calico-cloud_versioned_docs/version-22-2/reference/component-resources/node/felix/configuration.mdx 
@@ -148,7 +148,7 @@ The Kubernetes API datastore driver reads its configuration from Kubernetes-prov eBPF data plane mode uses the Linux Kernel's eBPF virtual machine to implement networking and policy instead of iptables. When BPFEnabled is set to `true`, Felix will: -- Require a v5.3 Linux kernel. +- Require a v5.10 Linux kernel. - Implement policy with eBPF programs instead of iptables. - Activate its embedded implementation of `kube-proxy` to implement Kubernetes service load balancing. - Disable support for IPv6. From 332e1d268113e03afbf3970c68233a32d614b2b6 Mon Sep 17 00:00:00 2001 From: Tomas Hruby Date: Wed, 11 Mar 2026 13:35:17 -0700 Subject: [PATCH 3/3] Update TCP socket stats minimum kernel to v5.10.0/v4.18.0-305 Co-Authored-By: Claude Opus 4.6 --- calico-cloud/observability/elastic/flow/tcpstats.mdx | 4 ++-- .../version-22-2/observability/elastic/flow/tcpstats.mdx | 4 ++-- calico-enterprise/observability/elastic/flow/tcpstats.mdx | 4 ++-- .../version-3.23-1/observability/elastic/flow/tcpstats.mdx | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/calico-cloud/observability/elastic/flow/tcpstats.mdx b/calico-cloud/observability/elastic/flow/tcpstats.mdx index 48faa1936b..6b6830675b 100644 --- a/calico-cloud/observability/elastic/flow/tcpstats.mdx +++ b/calico-cloud/observability/elastic/flow/tcpstats.mdx @@ -6,7 +6,7 @@ description: Enabling TCP socket stats information in flow logs ## Big picture -Configure $[prodname] to collect additional TCP socket statistics. While this feature is available in both iptables and eBPF data plane modes, it uses eBPF to collect the statistics. Therefore it requires a recent Linux kernel (at least v5.3.0/v4.18.0-193 for RHEL). +Configure $[prodname] to collect additional TCP socket statistics. While this feature is available in both iptables and eBPF data plane modes, it uses eBPF to collect the statistics. Therefore it requires a recent Linux kernel (at least v5.10.0/v4.18.0-305 for RHEL). ## Value 
@@ -21,7 +21,7 @@ eBPF is a Linux kernel technology that allows safe mini-programs to be attached ## Before you begin Ensure that your kernel contains support for eBPF that $[prodname] uses. The minimum supported -kernel for tcp socket stats is: `v5.3.0`. For distros based on RHEL, the minimum kernel version is `v4.18.0-193`. +kernel for tcp socket stats is: `v5.10.0`. For distros based on RHEL, the minimum kernel version is `v4.18.0-305`. # How to diff --git a/calico-cloud_versioned_docs/version-22-2/observability/elastic/flow/tcpstats.mdx b/calico-cloud_versioned_docs/version-22-2/observability/elastic/flow/tcpstats.mdx index 48faa1936b..6b6830675b 100644 --- a/calico-cloud_versioned_docs/version-22-2/observability/elastic/flow/tcpstats.mdx +++ b/calico-cloud_versioned_docs/version-22-2/observability/elastic/flow/tcpstats.mdx @@ -6,7 +6,7 @@ description: Enabling TCP socket stats information in flow logs ## Big picture -Configure $[prodname] to collect additional TCP socket statistics. While this feature is available in both iptables and eBPF data plane modes, it uses eBPF to collect the statistics. Therefore it requires a recent Linux kernel (at least v5.3.0/v4.18.0-193 for RHEL). +Configure $[prodname] to collect additional TCP socket statistics. While this feature is available in both iptables and eBPF data plane modes, it uses eBPF to collect the statistics. Therefore it requires a recent Linux kernel (at least v5.10.0/v4.18.0-305 for RHEL). ## Value @@ -21,7 +21,7 @@ eBPF is a Linux kernel technology that allows safe mini-programs to be attached ## Before you begin Ensure that your kernel contains support for eBPF that $[prodname] uses. The minimum supported -kernel for tcp socket stats is: `v5.3.0`. For distros based on RHEL, the minimum kernel version is `v4.18.0-193`. +kernel for tcp socket stats is: `v5.10.0`. For distros based on RHEL, the minimum kernel version is `v4.18.0-305`. # How to 
diff --git a/calico-enterprise/observability/elastic/flow/tcpstats.mdx b/calico-enterprise/observability/elastic/flow/tcpstats.mdx index 48faa1936b..6b6830675b 100644 --- a/calico-enterprise/observability/elastic/flow/tcpstats.mdx +++ b/calico-enterprise/observability/elastic/flow/tcpstats.mdx @@ -6,7 +6,7 @@ description: Enabling TCP socket stats information in flow logs ## Big picture -Configure $[prodname] to collect additional TCP socket statistics. While this feature is available in both iptables and eBPF data plane modes, it uses eBPF to collect the statistics. Therefore it requires a recent Linux kernel (at least v5.3.0/v4.18.0-193 for RHEL). +Configure $[prodname] to collect additional TCP socket statistics. While this feature is available in both iptables and eBPF data plane modes, it uses eBPF to collect the statistics. Therefore it requires a recent Linux kernel (at least v5.10.0/v4.18.0-305 for RHEL). ## Value @@ -21,7 +21,7 @@ eBPF is a Linux kernel technology that allows safe mini-programs to be attached ## Before you begin Ensure that your kernel contains support for eBPF that $[prodname] uses. The minimum supported -kernel for tcp socket stats is: `v5.3.0`. For distros based on RHEL, the minimum kernel version is `v4.18.0-193`. +kernel for tcp socket stats is: `v5.10.0`. For distros based on RHEL, the minimum kernel version is `v4.18.0-305`. # How to diff --git a/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/flow/tcpstats.mdx b/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/flow/tcpstats.mdx index 48faa1936b..6b6830675b 100644 --- a/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/flow/tcpstats.mdx +++ b/calico-enterprise_versioned_docs/version-3.23-1/observability/elastic/flow/tcpstats.mdx 
@@ -6,7 +6,7 @@ description: Enabling TCP socket stats information in flow logs ## Big picture -Configure $[prodname] to collect additional TCP socket statistics. While this feature is available in both iptables and eBPF data plane modes, it uses eBPF to collect the statistics. Therefore it requires a recent Linux kernel (at least v5.3.0/v4.18.0-193 for RHEL). +Configure $[prodname] to collect additional TCP socket statistics. While this feature is available in both iptables and eBPF data plane modes, it uses eBPF to collect the statistics. Therefore it requires a recent Linux kernel (at least v5.10.0/v4.18.0-305 for RHEL). ## Value @@ -21,7 +21,7 @@ eBPF is a Linux kernel technology that allows safe mini-programs to be attached ## Before you begin Ensure that your kernel contains support for eBPF that $[prodname] uses. The minimum supported -kernel for tcp socket stats is: `v5.3.0`. For distros based on RHEL, the minimum kernel version is `v4.18.0-193`. +kernel for tcp socket stats is: `v5.10.0`. For distros based on RHEL, the minimum kernel version is `v4.18.0-305`. # How to
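Review bot: In the `@@ -109,10 +109,10 @@` hunk of `calico-cloud_versioned_docs/version-22-2/operations/ebpf/enabling-ebpf.mdx`, the new sample `uname -rv` output carries the build tag `#28~20.04.1-Ubuntu`, which identifies an Ubuntu 20.04 build, while patch 1/3 of this series changes the distribution list to "Ubuntu 22.04 or above". A reader who matches their host against the example will take 20.04 to be a supported configuration. Please replace the sample with output captured from a real 22.04 host, or add a sentence saying that only the kernel version is being checked in this step. The paragraph also used to show what a failing result looks like ("which is not suitable (minimum is v5.10)"); with the example now passing, consider keeping one sentence that tells the reader what to do when the reported version is below v5.10.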
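Review bot: The new bullet `- Require a v5.10 Linux kernel.` in both `configuration.mdx` hunks (`@@ -148,7 +148,7 @@`) omits the Red Hat backport that the rest of the series documents (v4.18.0-305 on Red Hat v8.4), so read on its own it tells a RHEL operator that a kernel listed as supported elsewhere does not meet the requirement. Suggest "Require a v5.10 Linux kernel or above (v4.18.0-305 or above on RHEL)". Separately, one of these hunks and several others in the series edit pages under `version-22-2` and `version-3.23-1`; please confirm that those released versions actually require the new minimum, since otherwise the versioned pages will state a requirement the shipped release does not have.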
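Review bot: The four `tcpstats.mdx` `@@ -6,7 +6,7 @@` hunks keep the sentence "this feature is available in both iptables and eBPF data plane modes", so the new minimum of v5.10.0/v4.18.0-305 also changes the stated requirement for clusters running the iptables data plane, and the 3/3 commit message gives only the new numbers. Please say in the commit message whether the statistics collector itself needs v5.10 or whether this is alignment with the data plane minimum raised in 1/3, so operators on iptables mode know whether the feature stops working for them on older kernels. On wording, "(at least v5.10.0/v4.18.0-305 for RHEL)" can be read as both versions applying to RHEL; "at least v5.10.0, or v4.18.0-305 on RHEL" is unambiguous.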
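Review bot: In the `tcpstats.mdx` `@@ -21,7 +21,7 @@` hunks, the "Before you begin" text restates the same two version numbers that the "Big picture" paragraph of the same file already gives, which is why this patch has to touch each file twice and why the two places can drift apart on the next bump. Suggest stating the minimum once and referring to it from the other place. While the line is being edited, "tcp socket stats is: `v5.10.0`" would read better as "TCP socket stats is `v5.10.0`", matching the capitalisation used in the page description ("Enabling TCP socket stats information in flow logs").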