Open-source Calico 3.30 introduces staged policies that let administrators test network policy changes before enforcing them, along with flow logging capabilities that were previously available only in Tigera's commercial offerings.

Tigera is set to bring a host of new capabilities to cloud-native networking with the debut of the open-source Calico 3.30 release.

Calico got its start in 2016 as a networking technology for cloud-native environments, serving as a Container Network Interface (CNI) plug-in for Kubernetes. Over the last decade, the technology has continued to expand, supporting more use cases and evolving network requirements.

The open-source Calico 3.30 update pushes the project further with multiple technical advancements, including flow logging, enhanced observability and visualization, staged network policies for testing before enforcement, and hierarchical policy management with tiers. The overall goal is to expand the scope and capabilities of Calico for open-source users, providing more visibility into and control over networking. The open-source release is freely available and is complemented by Tigera's Calico Enterprise and Calico Cloud offerings, which provide additional support for commercial deployments.

“We still absolutely operate in that space for core networking in Kubernetes. And also, beyond Kubernetes, we support VMs [virtual machines] and we have OpenStack support,” Peter Kelly, vice president of engineering at Tigera, told Network World. “We’ve moved into network security, where we provide microsegmentation and advanced network policy, beyond standard Kubernetes network policy.”

Flow logging and visualization enhance troubleshooting

One of the primary technical advancements in open-source Calico 3.30 is the introduction of flow logging capabilities that were previously available only in Tigera's commercial offerings.
“For the first time, we’ve added flow logs to open source,” Kelly explained. “These capture all of the flows that are going between your applications or services running inside Kubernetes, and it captures all the metadata of those flows, like what source pod the flow came from, destination pod and namespace it connected to, the bytes in and bytes out and what policy affected that flow.”

This logging capability is exposed through two new components:

Goldmane: a gRPC-based API endpoint that aggregates flow logs from Calico's Felix component, which runs on each node.

Whisker: a web-based visualization tool, built with React and TypeScript, that connects to the Goldmane API.

The combination of these components provides detailed visibility into network traffic patterns within Kubernetes clusters, addressing a common pain point for Kubernetes administrators who need to troubleshoot connectivity issues or verify that security policies behave as intended.

Staged policies enable safer network policy implementation

Network policies in Kubernetes are powerful but potentially disruptive if misconfigured. Calico 3.30 introduces staged policies that allow administrators to test policy changes before enforcement. Kelly explained that a staged policy lets network administrators do a dry run of what would happen if a particular policy were applied in a Kubernetes cluster. A staged policy is evaluated against live traffic but never enforced: the flow logs record the verdict (allow or deny) the policy would have produced for each flow, so its impact on the cluster can be reviewed before it is converted into an enforced policy. This significantly reduces the risk of service disruptions when rolling out network policies, because administrators can validate policy behavior on real traffic before committing to enforcement.

Hierarchical policy management with tiers

Beyond validating policies before enforcement, Calico 3.30 also brings policy tiers to the open-source edition, adding a further layer of granularity and enabling more sophisticated policy management.
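As an added example that is not code from the article or from the Calico project's own documentation, the following objects show what the staged policy described above and the tiers introduced here look like as Calico API resources (projectcalico.org/v3): a security-owned tier, a policy staged inside it for a dry run, and an enforced catch-all in the same tier that hands unmatched traffic down to the next tier. The tier name, namespace, pod labels and port are assumptions chosen for illustration, and applying them with kubectl assumes the Calico API server is installed so that projectcalico.org/v3 kinds are accepted.

```yaml
# Added example, not from the article or the Calico project. Namespace,
# labels, tier name and port are illustrative assumptions.

# A tier owned by the security team. Tiers are evaluated in ascending
# order; policies that name no tier land in the implicit "default" tier,
# which is evaluated after all explicitly created tiers.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100
---
# Staged policy: same schema as NetworkPolicy plus stagedAction. Calico
# evaluates it against live traffic and records in the flow logs what it
# WOULD have done to each flow, but never enforces it. Policies in a tier
# carry the tier name as a prefix of the object name.
apiVersion: projectcalico.org/v3
kind: StagedNetworkPolicy
metadata:
  name: security.restrict-db-ingress
  namespace: production
spec:
  tier: security
  stagedAction: Set
  order: 10
  selector: role == 'database'
  types:
    - Ingress
  ingress:
    # Only backend pods may reach the database port. Any other ingress to
    # a selected pod matches no rule; because a policy in this tier selected
    # the endpoint, the flow would be denied at the end of the tier, and the
    # flow log shows that verdict as the staged result.
    - action: Allow
      protocol: TCP
      source:
        selector: role == 'backend'
      destination:
        ports:
          - 5432
---
# Enforced catch-all for the security tier. Without it, any endpoint that a
# security-tier policy selects but no rule allows is denied at the end of the
# tier. "Pass" instead hands the flow to the next tier, so application teams'
# policies still apply to whatever the security tier did not decide.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.pass-to-next-tier
spec:
  tier: security
  order: 1000
  selector: all()
  types:
    - Ingress
    - Egress
  ingress:
    - action: Pass
  egress:
    - action: Pass
```

After `kubectl apply -f` on these, flows into `role == 'database'` pods from anything other than `role == 'backend'` pods continue to be allowed by the enforced policies, while the flow logs (viewed through Whisker) show the staged policy's deny verdict alongside the enforced outcome. Once the recorded verdicts match expectations, the same spec is enforced by changing the kind to NetworkPolicy and dropping the stagedAction field; the Pass catch-all stays so that the tier never silently drops traffic it was not meant to decide on.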
The tier system allows organizations to implement defense-in-depth strategies and maintain a clear separation between security policies and application-specific network rules. Tiers are evaluated in order of precedence, and a policy in a higher-precedence tier can explicitly pass a flow down to the next tier, so application teams' policies only see traffic the security tier has not already decided on. The tier system also underpins Calico's implementation of the Kubernetes AdminNetworkPolicy API, which is currently in alpha in the Kubernetes project.

“Tiers allows you to create a hierarchical set of policies, and you can have different RBAC [Role Based Access Control] controls for those policies,” Kelly said. “You could have a security team having a certain set of policies and that can have precedence over all the other policies that application developers apply into a cluster.”

How Calico supports eBPF as one of multiple data plane options

In recent years, cloud-native networking has increasingly relied on eBPF (extended Berkeley Packet Filter) as a foundational technology. The open-source Cilium project, led by Isovalent, a company recently acquired by Cisco, is one of the leading eBPF networking efforts. Like Cilium, Calico has an eBPF data plane for processing and managing networking. However, Calico takes a slightly different technical approach from Cilium: its architecture supports multiple data plane implementations, offering flexibility for different environments. Calico has a pluggable data plane system, so eBPF is one option alongside iptables, nftables and the Microsoft Windows data plane. Kelly also noted that Calico has a Vector Packet Processing (VPP) data plane, which Cisco contributed to the open-source project. This pluggable approach allows Calico to operate effectively across different environments, from standard Linux clusters to Windows nodes.

Next up for Calico: AI?

Just like at every other technology vendor, AI is a topic of discussion at Tigera. So far, the approach to using AI with Calico is mostly exploratory.
“We’ve definitely been experimenting with AI inside the company like everyone has,” Kelly said.

That experimentation has included internal uses in coding, design and code reviews. For products, Kelly explained that Tigera is not developing a specific AI solution, but instead focusing on supporting AI workloads. Calico users are increasingly running AI workloads across the network, and there is a growing need to help enable that in cloud-native networks.

“Fundamentally, Calico is there to shuffle packets around the network and to help you manage networking and network security in your cluster,” Kelly said. “That’s what we’re focusing on, is helping customers identify how Calico can support AI workloads better.”