Introducing Calico 3.30: A New Era of Open Source Network Security and Observability for Kubernetes

When we first launched Project Calico in 2016, we set out to make Kubernetes networking easy, reliable, and scalable for all organizations. Our goal was to abstract away the complexity and performance overheads of other CNI plugins while simultaneously extending Kubernetes network policy to make it easier to secure your Kubernetes workloads.

Over the last 9 years, we’ve seen our community grow alongside Calico Open Source, which has become the most widely adopted Kubernetes networking tool that now powers over 8 million nodes across more than 166 countries. We’ve seen the challenges our community has faced as more organizations adopt Kubernetes, and as the scale and complexity of these Kubernetes deployments has increased. Through our commercial offerings, we’ve helped solve networking and network security challenges for some of the world’s largest Kubernetes deployments, from financial institutions to telcos.

Calico OSS 3.30

With the release of Calico OSS 3.30 in May, we are open sourcing our battle-tested observability and security tools from our commercial editions. This includes the following key features:

  • Goldmane – A gRPC-based API for accessing and capturing flow logs and policy evaluation metrics
  • Whisker – A web-based tool for viewing and filtering flow logs to troubleshoot connectivity issues and author and maintain Calico network security policies
  • GlobalStagedNetworkPolicy and StagedNetworkPolicy – New custom resources that allow you to audit the behavior of a new policy before you actively enforce it
  • Calico Ingress Gateway – Our 100% upstream, enterprise-ready implementation of the Gateway API that is based on Envoy Gateway
  • Calico Cloud ready – Every OSS cluster includes the required components to connect to a stateless, read-only, and free version of Calico Cloud

With these new features, it is easier than ever for all organizations to get visibility into and secure their service-to-service communications and extend Calico deployments to manage ingress for their clusters

We truly mean every organization: it doesn’t matter if you are running ten or ten thousand nodes, we are the only solution to offer data plane support for eBPF, iptables, nftables, Windows, or VPP. Calico provides unparalleled flexibility across three critical dimensions:

  • Multi-Distribution Compatibility – Supports any Kubernetes distribution including upstream Kubernetes, Red Hat OpenShift, SUSE Rancher, Mirantis, AKS, EKS, GKE & many more
  • Choice of infrastructure – Deploy efficiently across diverse environments—from data centers to public clouds and edge locations
  • Pluggable Data Plane Support – Leverage your choice of networking technologies including eBPF, nftables, iptables, Windows, VPP, and future innovations

By decoupling networking from infrastructure constraints, Calico enables enterprise teams to design more resilient, future-proof Kubernetes architectures. Our approach avoids vendor lock-in, minimizes migration complexity, and maximizes architectural choice, ensuring your networking strategy remains as dynamic as your business.

We celebrate the diversity of our community and their Kubernetes deployments, and we are committed to providing you with the same reliability and scalability regardless of your size or technology stack.

Visibility into workload communications with Calico’s flow logs, metrics, and Whisker

Troubleshooting applications running in Kubernetes is a major pain for DevOps teams and developers. Because of the dynamic and ephemeral nature of Kubernetes workloads, it is extremely difficult to make sense of network traffic inside the cluster as well as to resources outside the cluster.

Goldmane is a new gRPC-based API endpoint that can be used to access Calico’s flow logs and metrics. This makes it easier and more efficient for DevOps teams to troubleshoot their clusters by providing increased visibility into service-to-service communications alongside workload-specific context. Further, flow logs and metrics makes it easier for DevOps teams to collaborate with developers and security teams to share logs and visibility into application traffic flows.

When used alongside Calico network sets, flow logs become a powerful tool for getting visibility into where traffic is going across public and private IP spaces. The user-defined network sets appear as additional metadata in flow logs, cutting down the time spent troubleshooting during an incident from days to minutes.

Calico also includes Whisker, a simple web-based tool that connects to Goldmane so you can get immediate access to the flow logs generated by Calico. It includes filtering capabilities and the ability to view all flow log metadata so you can easily troubleshoot connectivity issues and author new policies.

We’ve spent years iterating and improving upon flow logs in real-world, large-scale deployments. Starting today, OSS users can benefit from the same visibility that the world’s largest banks and telcos rely on to troubleshoot their Kubernetes deployments. You can check out the Calico documentation to learn more about flow logs and how to get started with them.

Microsegmentation made easier with staged policies

We’ve seen some of the largest Kubernetes deployments in the world use Calico to improve the security posture of their clusters by explicitly authorizing workload communication with network policies. However, it can be a challenging process to get started given the power of these policies—one misstep and you could easily break your cluster.

Calico now includes support for GlobalStagedNetworkPolicy and StagedNetworkPolicy, two APIs from our commercial editions that have been invaluable tools to aid the process of implementing namespace isolation and other forms of microsegmentation. Staged policies enable you to test and audit the behavior of a Calico policy before you actively enforce it. They appear in flow logs and generate metrics just like any other policy, and can easily be converted to a CalicoNetworkPolicy by simply changing the resource type.

Calico UI showing StagedGlobalNetworkPolicy configuration, highlighting microsegmentation capabilities

Calico and the Kubernetes Gateway API

Last but not least, Calico OSS 3.30 includes Calico Ingress Gateway, our 100% upstream, enterprise-ready implementation of the Kubernetes Gateway API based on Envoy Gateway, an open source project that uses the Envoy Proxy for flexible, high-performance ingress control.

Calico Ingress Gateway handling an HTTP request.
Calico Ingress Gateway handling an HTTP request

The Kubernetes Gateway API has generated a lot of excitement in the Kubernetes community for providing a comprehensive set of APIs that establishes a portable solution to manage ingress for your cluster, for everything from load balancing, failover strategies, to rate limiting. Its hierarchical and role-oriented set of resources also enables teams to delegate the management of routes to development teams and reduce the operational overhead of managing ingress.

Calico Cloud Free Tier for Calico OSS 3.30 users

Not only are we including these new features in Calico, but we’re launching a new free service so you can get value from them immediately. With the release of Calico 3.30, an open-source cluster can connect to our free-forever edition of Calico Cloud without having to install any additional components.

Calico Cloud Free Tier provides read-only, stateless access to your cluster to manage policy tiers and polices, visualize workload communication with Service Graph and dashboards, and automatically generate recommended policies for namespace isolation.

Calico Cloud Service Graph showing workload communication between 'storefront' and 'twilio-api', highlighting policy insights

The Free Tier expands on Calico Open Source to tackle key challenges faced by Kubernetes operators and platform engineers. It aims to resolve issues such as limited observability of workload communication, the complexity and risks associated with deploying network policies for microsegmentation, and the difficulty in crafting effective network security policies.

To address these challenges, Calico Cloud Free Tier offers several enhanced capabilities:

  • Improved Observability: Provides the Calico Dynamic Service Graph, a visual tool for viewing dynamic workload communication, with quick access to logs for faster analysis and troubleshooting, moving beyond the basic visibility of Calico Open Source.
  • Simplified Microsegmentation: Includes tools like Policy Board for viewing enforced and staged policies, and policy tiers that enable multiple teams to collaborate on policy creation and deployment without conflict.
  • Intuitive Dashboards: Offers Calico Dashboards for straightforward cluster health monitoring, traffic volume analysis, and troubleshooting.
  • Simplified Network Policy Management: Streamlines workflows with Calico Policy Board, making it easier to view, manage tiered policies, and stage and preview policy behavior.
  • Seamless Upgrade to Calico Cloud: Allows access to advanced networking, security, and observability features, including firewall integration, multi-cluster networking, and automated namespace isolation.

Compared to Calico Open Source 3.30+, Calico Cloud Free Tier adds key features such as a view-only Policy Board, Dynamic Service Graph, and Dashboards, while both include Policy Tiers and Flow logs. It is important to note that the Calico Cloud Free Tier is limited to a single user and a single Kubernetes cluster. Future enhancements are planned to further improve usability, add more observability features, and simplify policy management.

How Calico Cloud Free Tier Enhances Calico Open Source

Feature Comparison: Calico Open Source and Calico Cloud Free Tier

Feature Calico Open Source 3.30+ Calico Cloud Free Tier
Policy Tiers Y Y
Policy Board N View only
Dynamic Service Graph N Y
Dashboards N Y
Flow logs Y Y

Note: Calico Cloud Free Tier is limited to a single user and a single Kubernetes cluster. See a full feature comparison.

Summary

We’re excited to share this landmark release of Calico and we’re looking forward to seeing how our community leverages these new capabilities to improve the network security and observability of their Kubernetes environments. You can learn more about these features in our docs and release notes once the release comes out in May, along with other capabilities such as more granular controls for defining automatic HostEndpoints, quality-of-service (QoS) policies, and IP Address Management (IPAM) for load balancers.

Looking for more information on Calico features and capabilities? Check out the Calico documentation to learn more.

Upgrade to Calico 3.30 now

Join our mailing list

Get updates on blog posts, workshops, certification programs, new releases, and more!

X