We are currently running calico version 2.2.0. While up to now, it's been sufficient, things have progressed on the calico field as well as the kubernetes front. NetworkPolicy API is marked GA since 1.8 and calico has moved on to that and uses a different pattern in 2.4.
From https://github.com/projectcalico/calico/releases/tag/v2.4.0
#105: Calico now implements the networking.k8s.io/NetworkPolicy API semantics as defined by Kubernetes when using the etcd datastore Note: This represents a change in how existing Kubernetes NetworkPolicies are enforced by Calico. To maintain existing behavior when upgrading, follow these steps: * In Namespaces that previously did not have the “DefaultDeny” annotation, you should delete any existing NetworkPolicy objects. * In Namespaces that previously did have the “DefaultDeny” annotation, you can create the equivalent semantics by creating a NetworkPolicy that selects all pods but does not allow any traffic. (@caseydavenport)
So this means we need to do a careful migration of the policies beforehand