Author Archives: Chris Tomkins
Author Archives: Chris Tomkins
It’s right there on our community page—the statement that “Project Calico is first and foremost a community.”
With that in mind, we wanted to make it easier for new contributors to get involved. It’s a win-win scenario—developers experience less frustration, they can get their work done, and have their contributions considered. Plus, the project can easily benefit from the contributions.
Recently, we have been doing a lot of work to simplify the contribution process, and to encourage, recognize, thank, and reward contributors. For example, earlier this year we announced our Calico Big Cats ambassador program and began using a single monorepo architecture. Read on and we’ll dig into that more.
In my role as Lead Developer Advocate for Project Calico, up until now, when I wanted to make a bug fix or improve something, I needed to feed that back to the development team for them to implement. In this blog post, though, I’m going to test out the new contribution process myself, document it for others, make improvements, and see what I can learn.
The Project Calico home page is a great place to find a contribution to make, so I headed there. Following the “Find a good Continue reading
Project Calico has offered a production-ready data plane based on eBPF since September 2020, and it’s been available for technical evaluation for even longer (since February 2020).
The pre-requisites and limitations are simple to review, it’s easy to enable, and it’s easy to validate your configuration. So, there’s never been a better time to start experiencing the benefits!
You do know what those are, don’t you? Don’t worry if not! That’s what this blog post is about. We’ve reached a point where the journey is easy to make, if you know why you want to get there.
Calico is already the most widely deployed Kubernetes network security solution. What can eBPF do to help our winning formula further? I’ll dive into the details, but let’s look at the highest possible level first.
These three key benefits apply across all supported environments:
Calico’s eBPF data plane achieves high performance in several ways. Firstly, it achieves higher throughput and/or less CPU Continue reading
PlatformCon 2022 is just around the corner and I’m excited to be speaking at the conference alongside other platform practitioners and pioneers. My talk, Using open-source software to secure cloud-native applications, will examine—you guessed it—how to use open-source software like Kubernetes to secure cloud-native applications.
I’m looking forward to giving this talk because I think this topic is extremely relevant to the Platform Engineering community. Cloud-native microservices applications bring so many amazing advantages for many software application needs, but they also bring lots of security challenges, and if those are handled incorrectly it can be a minefield. Ephemeral workloads appear and disappear, workload network addressing is transient, and traditional firewalls can’t police the data path effectively.
Open-source orchestration solutions like Kubernetes define an application-centric component called ‘NetworkPolicy,’ but they do not implement it. In my session I’ll discuss how, with a change of tools and mindset, open-source software can help to implement security for cloud-native applications whilst still allowing the user to benefit from all the advantages. I’m excited to help people understand how to get on the right path and give them enough information to make their own informed decision on how to proceed
Hey everyone. We’re excited to announce the release of Calico v3.23! Thanks to everyone in the community who contributed to the release. We could not have fitted this many improvements in without you. To view the detailed release notes, please visit us here. While we have many improvements in this release, here’s a brief overview of some of the larger features to be aware of.
Calico now supports VXLAN encapsulation for IPv6 networks. This expands our support for any users who have adopted IPv6.
We are ecstatic to announce that the Calico VPP data plane has reached beta status! A huge thanks to the VPP team for working tirelessly over the last few releases to increase stability, performance, and feature compatibility. Try it out by visiting our documentation here.
You can now install Calico networking in your AKS clusters to take advantage of all of the Calico networking features. To try it out, follow the Calico on AKS installation instructions. To learn more about using your own network plugin in AKS, see the AKS documentation here.
We have added new configuration options to allow for Continue reading
In previous blog posts, my colleagues and I have introduced and explored the Calico eBPF data plane in detail, including learning how to validate that it is configured and running correctly. If you have the time, those are still a great read; you could dive in with the Calico eBPF Data Plane Deep-Dive.
However, sometimes a picture paints a thousand words! I was inspired by Daniele Polencic’s wonderful A Visual Guide on Troubleshooting Kubernetes Deployments. With his permission and kind encouragement, I decided to adapt the validation part of my previous deep-dive post to this easy-to-digest flowchart. Feel free to share it far and wide; wherever you think a Calico-learning colleague might benefit! It includes a link back here in case the diagram is updated in the future.
Did you know you can become a certified Calico operator? Learn container and Kubernetes networking and security fundamentals using Calico in this free, self-paced certification course.
There are additional level-two courses as well. One of them specifically addresses eBPF and the Calico eBPF data plane!
The post A visual guide to Calico eBPF data plane validation appeared first on Tigera.
Monitoring is a critical part of any computer system that has been brought in to a production-ready state. No IT system exists in true isolation, and even the simplest systems interact in interesting ways with the systems “surrounding” them. Since compute time, memory, and long-term storage are all finite, it’s necessary at the very least to understand how these things are being allocated.
Perhaps this question seems contrived. However, it’s always worth spending a moment thinking about reasons before adding any technical complexity to a distributed system! After all, they are already quite complicated! So why does the Calico eBPF data plane support metrics through Prometheus and Grafana?
Well, the Calico eBPF data plane is production ready and widely deployed, so a well-configured Kubernetes cluster with the Calico eBPF data plane correctly enabled will be stable and reliable. However, distributed systems are inherently complex and when dealing with them, it is generally good practice to instrument and baseline metrics wherever they are available. Doing so provides many benefits, especially for capacity planning, change management, and as an early-warning or smoke-testing system.
Additionally, seeing a running distributed system fully instrumented can be Continue reading
Yes, you read that right – in the comfort of your own laptop, as in, the entire environment running inside your laptop! Why? Well, read on. It’s a bit of a long one, but there is a lot of my learning that I would like to share.
I often find that Calico Open Source users ask me about BGP, and whether they need to use it, with a little trepidation. BGP carries an air of mystique for many IT engineers, for two reasons. Firstly, before its renaissance as a data center protocol, BGP was seen to be the domain of ISPs and service provider networks. Secondly, many high-profile and high-impact Internet outages have been due to BGP misuse or misconfiguration.
The short answer to the question is that in public cloud Kubernetes deployments, it is almost never necessary to configure or use BGP to make best use of Calico Open Source. Even in on-premise Kubernetes deployments, it is only needed in certain scenarios; you shouldn’t configure BGP unless you know why you need it. It is even less common to require complex BGP setups involving route reflectors and the like.
Calico is the industry standard for Kubernetes networking and security. It offers a proven platform for your workloads across a huge range of environments, including cloud, hybrid, and on-premises.
Calico has had a high-quality, production-ready, performant, eBPF data plane option for some time!
However, although many users are deploying it in production and benefitting, we still sometimes see users who don’t know that Calico has an eBPF data plane or feel confident deploying it, and:
We created the new CCO-L2-EBPF (Certified Calico Operator: eBPF) course specifically to address these points. The course will help you to understand the strengths of eBPF and when it is, or is not, the right choice. It will also help you see how easy it is to deploy the Calico eBPF data plane if you have made the choice that it is right for you and your cluster.
It’s that time again; we’re really happy to announce Calico v3.21! As always, thank you to everyone who contributed to this release! For detailed release notes, please go here. Alongside the usual-but-essential bug fixes and other improvements, there are some big new improvements to be aware of:
Calico supports BGP, which is used within the cluster in some scenarios, and to allow you to integrate cluster routing with your upstream network devices. Now though, you can even view the status of your BGP sessions, including RIB / FIB contents, and agent health via the new CalicoNodeStatus API. See the API documentation for more details.
In addition, you get more granular control; you can control BGP advertisement of certain prefixes using the new disableBGPExport option on each IP pool.
If you aren’t already familiar with them, the egress policy rules that can match on Kubernetes services, introduced in v3.20, are pretty transformative. However we have improved even further upon them in two ways:
This post will highlight and explain the importance of a pluggable data plane. But in order to do so, we first need an analogy. It’s time to talk about a brick garden wall!
Imagine you have been asked to repair a brick garden wall, because one brick has cracked through in the summer sun. You have the equipment you need, so the size of the job will depend to a great extent on how easily the brick can be removed from the wall without interfering with all the ones around it. Good luck.
Now that we have that wonderful imagery in mind, let’s look at how to go about designing walls — and how they can be maintained.
“Coupling” is the term used to describe the interdependence between pieces of software. Closely coupled systems are interdependent and difficult to separate; loosely coupled systems are more like building blocks designed to work together, but they come apart cleanly. So, since the bricks in our garden wall are closely coupled (in this case, by cement), attempting to remove just one creates difficult challenges.
We can think of software as being built in “walls,” Continue reading
Recently, we released our new “Calico Certified Operator: AWS Expert” course. You can read more about why we created this course and how it can benefit your organization in the introductory blog post.
This blog post is different; it’s an opportunity for you, the potential learner, to get a glimpse of just a few interesting parts of the course. You won’t learn all the answers here, but you’ll learn some of the questions!
If you find that you already know the answers, then you’re all set to grab yourself a shiny badge. If not, consider taking some time to invest in your personal development and pick up some new knowledge in AWS and container networking—really current and relevant knowledge.
Let’s take a sneak peek at what the “Calico Certified Operator: AWS Expert” course has to offer.
There are several ways to build a Kubernetes cluster in AWS. There is no single “right” way. What are the considerations your organization should have in mind, and how can you help your organization make an informed choice?
You will review, amongst many other things, how to decide:
Sometimes the best way to understand something is to take it apart and see how it works. This blog post will help you take the lid off your Calico eBPF data plane based Kubernetes cluster and see how the forwarding is actually happening. The bonus is, unlike home repairs, you don’t even have to try to figure out how to put it back together again!
The target audience for this post is users who are already running a cluster with the eBPF data plane, either as a proof-of-concept or in production. Therefore, we will not go through the steps to set up a cluster from scratch. If you would like to learn how to do that, the best starting point is this documentation.
In the best case and likely scenario, you will have no data plane issues in the future and this knowledge will still help you to make informed decisions about the Calico eBPF data plane and your future clusters, and how to get the best from them. Knowledge is power!
If you are unlucky enough to experience future issues, being armed with a good understanding of the underlying technologies will Continue reading
Calico is the industry standard for Kubernetes networking and security. It offers a proven platform for your workloads across a huge range of environments, including cloud, hybrid, and on-premises.
Given this incredibly wide support, why did we decide to create a course specifically about AWS?
Well, our previous online course continues to be a great success (it’s self-paced, so if you haven’t already, we would love for you to take it and become an expert in Kubernetes networking and security). The course covers how Kubernetes networking works, how to configure and manage a Calico network, and how to secure your Kubernetes cluster.
Once you know the underlying concepts, it becomes a more important consideration to identify the nuanced differences between possible implementations. These become even more relevant once you have selected a platform to move forward with.
Amazon’s cloud computing platform, AWS, has played a huge role in changing the landscape around how users consume compute resources and data. As little as ten years ago, it would have been difficult to anticipate the speed with which companies and other organizations would embrace moving their precious compute resources and data out of their Continue reading