What’s New in Calico – Summer 2025

As Kubernetes adoption scales across enterprise architectures, platform architects face mounting pressure to implement consistent security guardrails across distributed, multi-cluster environments while maintaining operational velocity. Modern infrastructure demands a security architecture that can adapt without introducing complexity or performance penalties. Traditional approaches force architects to cobble together separate solutions for ingress protection, network policies, and application-layer security, creating operational friction and increasing attack surface.

Today, we’re announcing significant enhancements to Calico that eliminate this architectural complexity. This release introduces native Web Application Firewall (WAF) capabilities integrated directly into Calico’s Ingress Gateway, enabling platform architects to deploy a single technology stack for both ingress management and HTTP-layer threat protection. Combined with enhanced Role-Based Access Controls (RBAC) controls, and centralized observability across heterogeneous workloads, platform architects can now design and implement comprehensive security all within a unified platform.

The new features in this release can be grouped under two main categories:

  1. Security at Scale with a Unified Platform: This release introduces critical security features that make it easier to secure and scale Kubernetes workloads.
  2. Simplified Operations for Kubernetes, VM, and bare metal workloads: Reducing complexity is key to scaling Kubernetes, VM, and bare metal workloads, and this release introduces features that make security management more automated and scalable.

 

Security at Scale with a Unified Platform

Calico Ingress Gateway with Integrated WAF

Ingress traffic into a Kubernetes cluster is a common entry point for attacks, so it’s critical to inspect and proactively secure it. Since clusters often receive traffic directly from the public internet, analyzing application-layer protocols like HTTP and gRPC for threats is a fundamental security requirement. While there are options to deploy a standalone Web Application Firewall (WAF) with your ingress controller, using an integrated WAF simplifies operations and can reduce both complexity and cost.

Calico Ingress Gateway, our implementation of the Kubernetes Gateway API, now includes a built-in WAF that allows you to inspect, authorize, and secure ingress traffic at runtime. The WAF that is integrated with Ingress Gateway is the same as the one used in Calico’s workload-based WAF, giving you consistent threat detection across both ingress points and internal services. With this built-in WAF, you can define and enforce security rules directly within the Ingress Gateway, enabling deep inspection of HTTP and gRPC traffic and blocking known threats before they reach your workloads.

Using a WAF that is integrated with Calico Ingress Gateway supports a defense-in-depth approach by adding another layer of protection at the cluster boundary. Many customers have emphasized the importance of WAF integration at ingress to help detect and respond to malicious traffic entering Kubernetes environments.

Granular Dashboard access with new RBAC and UI enhancements

Role-Based Access Control (RBAC) is essential for securely managing access in shared Kubernetes environments. It is especially valuable for platform operators who need to provide broader access to observability data to their applications teams. By enforcing strict boundaries between tenants, RBAC ensures that users only see observability data relevant to their own namespaces. This supports secure multi-tenancy, helps meet compliance requirements by limiting exposure to sensitive data, and enables platform and application teams to collaborate safely. With proper RBAC in place, developers can access the insights they need to troubleshoot and monitor their workloads, without risking data leaks across teams or violating access policies.

Calico Cloud now includes enhanced RBAC controls for accessing observability data within Calico Dashboards. This empowers platform operators to confidently provision access to monitoring data, with the assurance that application developers can only view data related to their applications. This helps organizations confidently scale their use of Calico while maintaining strong access boundaries.

This release also includes additional improvements to the Calico Dashboards, such as clearer card labels and the ability to customize which columns are shown. These updates make it easier for users to tailor their views and focus on the data that matters most to them.

Calico Dashboard interface showing options to customize table columns and labels.

Set the labels on dashboard cards for every field, and choose which fields to display.

 

Simplified Operations for Kubernetes, VM, and bare metal workloads

Policy Recommendations Now Available in Calico Cloud Free Tier

One of the biggest challenges Kubernetes DevOps and platform teams face when securing Kubernetes environments is the lack of actionable visibility into-service-to-service communication, without clear insights into how workloads interact or depend on each other. This is especially difficult when platform engineers inherit existing microservices and are not familiar with the dependencies and workflows of the existing applications. These combined factors make it difficult to define effective policies and leads to two major risks: overly permissive policies, that can expose applications to lateral movement and data exfiltration, and overly restrictive policies that can inadvertently block essential communication. Because of these formidable challenges and risks many teams choose to avoid implementing network policies altogether, leaving their application exposed.

To help deal with the difficulty of authoring network policies and these two major policy risks, we are excited to announce that Calico Cloud Free Tier now enables open-source clusters to connect to this free service and use policy recommendations. This means you can generate policy recommendations for the cluster you connect to Calico Cloud Free Tier. The ability to recommend policies at the namespace level and at the pod level makes it easy for Kubernetes platform and security teams to implement namespace isolation without extensive experience in authoring network policies or detailed knowledge of how application workloads are communicating. Calico Cloud analyzes the flow logs that are generated from workloads, and automatically recommends staged policies for each namespace that can be used for isolation.

Recommendations work in very similar way to the Policy Recommendation engine in the commercial versions of Calico, except that the Calico Cloud Free Tier has the following key differences:

  • Calico Cloud Free Tier only has 24 hours of log data compared to the 7 days available in the commercial versions of Calico, so the commercial versions are better suited to observing traffic over longer periods of time.
  • Policy Recommendations in the commercial versions of Calico can generate DNS rules for egress traffic whereas Calico Cloud Free Tier generates rules that specify IP addresses.

Centralized log forwarding for VM and bare metal hosts

Calico Enterprise and Calico Cloud provide robust microsegmentation capabilities not only for containers and Kubernetes workloads, but also for hosts and virtual machines (VMs). This unified, cloud-native segmentation model allows you to define and enforce network security policies across all your environments, including hosts, VMs, containers, and Kubernetes components, ensuring consistent security and simplified management in hybrid and multi-cloud infrastructures.

For organizations running Calico on hosts and VMs outside of Kubernetes, a significant operational challenge has been the distributed nature of log forwarding. Without a centralized log forwarding solution, configuring log forwarding to third-party data stores like Elastic or Splunk requires individual setup and authorization on each host or VM. This node-by-node approach is a large scalability problem, especially for larger deployments with hundreds or thousands of hosts, hindering operational efficiency.

To address this configuration challenge, Calico supports centralized log forwarding for VM and bare metal hosts running outside of Kubernetes. Instead of setting up log forwarding on each individual external host, logs can be collected at a central point, either at the management cluster or a standalone cluster that manages these VM and bare metal hosts. From these centralized points, logs can then be easily forwarded to your preferred external log store, like Splunk or Elastic. Using this method you can also configure log forwarding specifically for VM and bare metal hosts, allowing you to filter out other log sources if you want to reduce data volume and storage costs.

This centralized approach to log forwarding significantly improves scalability and simplifies operations for large environments. Instead of managing log configurations across hundreds or thousands of individual VM and bare metal hosts, you can now control everything from a central point. This reduces operational overhead, minimizes the risk of misconfiguration, and makes it easier to maintain consistent logging across your infrastructure. It’s an extremely efficient and reliable way to configure the forwarding of logs from Calico-enabled hosts running outside of Kubernetes.

Improved visualization of VM and bare metal hosts in Calico Service Graph

Calico’s Dynamic Service Graph now has new improved iconography to clearly differentiate between Kubernetes cluster nodes and standalone VM and bare metal hosts that are running Calico outside of Kubernetes. This enhanced iconography clearly differentiates between these two types of nodes, grouping and displaying them separately with expandable and collapsible sections, similar to how namespaces are handled.

Many of our customers are increasingly using a mixture of workload types, including both VMs and containers. Customers often choose to keep their databases running on VMs because they are highly performance-tuned. And when troubleshooting, it is incredibly helpful for these customers to easily and visually identify each workload type (VM/container/bare metal) and see the traffic flowing between them.

Network diagram showing connections between kube-system, networks, hosts, and cluster nodes.

VM and bare metal hosts are now clearly indicated with a “hosts” icon in Calico Service Graph as shown above. The VM host that is depicted has several cluster nodes and you can click on any of the icons or flow arrows to drill down for more information.

Connections for external VM and bare metal hosts can be selected on the Service Graph in the same way as you can for intracluster Kubernetes traffic, allowing you to automatically filter and view flow logs associated with these connections.

Summary

Calico’s Summer 2025 update introduces major new capabilities to simplify and strengthen Kubernetes security and observability. Highlights include policy recommendations that are now available in Calico Cloud Free Tier, to help teams easily isolate namespaces based on real traffic analysis. The update also introduces a built-in Web Application Firewall (WAF) for the Calico Ingress Gateway, providing an extra layer of protection against application-layer threats. Additional enhancements include advanced RBAC for dashboards, UI improvements for dashboards, centralized log forwarding for VMs and bare-metal hosts, and improved visualization of external VMs and bare-metal nodes in Service Graph. Together, these features make it easier than ever to secure, observe, and manage Kubernetes environments at scale.

To learn more about these new product capabilities and see them in action, schedule a demo.

Join our mailing list

Get updates on blog posts, workshops, certification programs, new releases, and more!

X