Archive

Category Archives for "Tigera.io"

Securing Kubernetes Traffic with Calico Ingress Gateway

If you’ve managed traffic in Kubernetes, you’ve likely navigated the world of Ingress controllers. For years, Ingress has been the standard way of getting our HTTP/S services exposed. But let’s be honest, it often felt like a compromise. We wrestled with controller-specific annotations to unlock critical features, blurred the lines between infrastructure and application concerns, and sometimes wished for richer protocol support or a more standardized approach. This “pile of vendor annotations,” while functional, highlighted the limitations of a standard that struggled to keep pace with the complex demands of modern, multi-team environments and even led to security vulnerabilities.

Wait a second, is this the ‘Ingress vs. Gateway API’ debate?

Yes, and it’s a crucial one. The Kubernetes Gateway API isn’t just an Ingress v2; it’s a fundamental redesign, the “future” of Kubernetes ingress, built by the community to address these very challenges head-on.

What makes Gateway API different?

There are three main points that I came across while evaluating GatewayAPI and Ingress controllers:

  1. Standardization & Portability: It aims to provide a core, standard way to manage ingress, reducing reliance on vendor-specific hacks and making it easier to switch implementations – change the class, and it should “just work.”
  2. Continue reading

Secure and Scalable Kubernetes for Multi-Cluster Management

This story is becoming more and more common in the Kubernetes world. What starts as a manageable cluster or two can quickly balloon into a sprawling, multi-cluster architecture spanning public clouds, private data centers, or a bit of both. And with that growth comes a whole new set of headaches. How do you keep tabs on compliance across wildly different configurations? When a service goes down across multiple clusters, how do you pinpoint the cause amidst the chaos? And what about those hard-to-diagnose latency issues that seem to crop up between regions?

The truth is, achieving secure and scalable multi-cluster Kubernetes isn’t about throwing more tools at the problem. It’s about having the right tools and adopting the right best practices. This is where a solution like Calico Cluster Mesh shines, offering those essential capabilities for a seamless multi-cluster experience without the complexity or overhead that you expect with traditional service meshes.

The Multi-Cluster Challenge: When Complexity Takes Over

So, why are so many organizations finding themselves in this multi-cluster maze? Often, it’s driven by solid business reasons:

  • High Availability and Disaster Recovery: Spreading workloads across multiple regions or clusters means that if one goes down, your users shouldn’t notice.
  • Continue reading

Is It Time to Migrate? A Practical Look at Kubernetes Ingress vs. Gateway API

If you’ve managed traffic in Kubernetes, you’ve likely navigated the world of Ingress controllers. For years, Ingress has been the standard way of getting HTTP/S services exposed. But let’s be honest, it often felt like a compromise. We wrestled with controller-specific annotations to unlock critical features, blurred the lines between infrastructure and application concerns, this complexity didn’t just make portability more difficult, it sometimes led to security vulnerabilities and other complications.

As part of Calico Open Source v3.30, we have released a free and open source Calico Ingress Gateway that implements a custom built Envoy proxy with the Kubernetes Gateway API standard to help you navigate Ingress complexities with style. This blog post is designed to get you up to speed on why such a change might be the missing link in your environment.

The Situation: The Ingress Rut

The challenge with traditional Ingress wasn’t a lack of effort, since the landscape is full of innovative solutions. However, the problem was the lack of a unified, expressive, and role-aware standard. Existing ingress controllers were capable, implemented advanced features, however at the same time tied you to a specific project/vendor.

This meant:

Why we need a unified approach to Kubernetes environments

Today, organizations struggle managing disparate technologies for their Kubernetes networking and network security needs. Leveraging multiple technologies for networking and security for in-cluster, ingress, egress, and traffic across clusters creates challenges, including operational complexities and increased costs. For example, to manage ingress traffic for Kubernetes clusters, users cobble together multiple solutions from different providers such as ingress controllers or gateways and load balancers for routing traffic, as well as Web Application Firewalls (WAFs) for enhanced security.

Despite the challenges it brings, deploying disparate technologies has been a “necessary evil” for organizations to get all the capabilities needed for holistic Kubernetes networking. Here, we’ll explore challenges this proliferation of tooling introduces, and provide actionable tips for today’s platform and security teams to overcome these issues.

Challenges Managing Multiple Technologies

The fragmented approach to networking and network security in Kubernetes leads to challenges and inefficiencies, including:

  • Operational overhead: Each technology comes with its own learning curve, setup, configuration, integration, and maintenance requirements. This leads to a challenging user experience.
  • Increased costs: Licensing and operational costs accumulate as more tools are deployed.
  • Scaling challenges: As clusters grow or spread across diverse environments, ensuring consistent and secure networking becomes harder.
  • Security gaps: Disjointed solutions Continue reading

What’s New in Calico: Spring 2025

Introducing Calico Cloud Free Tier

Calico provides a unified platform for all your Kubernetes networking, network security, and observability requirements. From ingress/egress management and east-west policy enforcement to multi-cluster connectivity, Calico delivers comprehensive capabilities. It is distribution-agnostic, preventing vendor lock-in and offering a consistent experience across popular Kubernetes distributions and managed services. Calico eliminates silos, providing seamless networking and observability for containers, VMs, and bare metal servers, and extends effortlessly to multi-cluster environments, in the cloud, on-premises, and at the edge.

With the recent release of Calico Open Source 3.30, we added:

  • Improved observability to visualize and troubleshoot workload communication with Calico Whisker and the Goldmane API.
  • Kubernetes Network Policies are critical for preventing ransomware, achieving microsegmentation to isolate sensitive assets for compliance, and thwarting attacks from malicious actors. However, implementing them effectively can be challenging due to the complexity of identifying, testing, and rapidly updating policies to meet evolving threats. Calico Open Source 3.30 introduces staged policies to enable teams to audit and validate policies before they are enforced, reducing the risk of misconfigured policies and improving security and compliance.
  • The ability to manage Kubernetes ingress traffic with Calico Ingress Gateway, a 100% upstream, enterprise-ready implementation Continue reading

Recap: KubeCon + CloudNativeCon Europe 2025

When I got the assignment to attend KubeCon 1st of April I thought it was an April prank, but as the date got closer I realized—this is for real and I’ll be on the ground in London at the tenth anniversary of cloud native computing. I’ve seen a lot of tech events during my years in the industry while trying not to get replaced by AI and I have to say this one stands out!

Image source: CNCF YouTube Channel

Here is my recap of KubeCon + CloudNativeCon Europe 2025.

CalicoCon 2025

CalicoCon is an event that happens twice every year, as a co-located event during KubeCon NA and EU. It’s a free event that allows you to learn about Tigera’s vision for the future of networking and security in the cloud. There’s also an after-party to celebrate our community and people like you who are on this journey with us!

This year our main focus was on Calico v3.30, our upcoming release that will add a lot of anticipated features to Calico, unlocking things like observability, staged network policy, and gateway api. CalicoCon brought together cloud-native enthusiasts to explore the latest advancements in Calico and Kubernetes networking.

Continue reading

How to get started with Calico Observability features

Kubernetes, by default, adopts a permissive networking model where all pods can freely communicate unless explicitly restricted using network policies. While this simplifies application deployment, it introduces significant security risks. Unrestricted network traffic allows workloads to interact with unauthorized destinations, increasing the potential for cyberattacks such as Remote Code Execution (RCE), DNS spoofing, and privilege escalation.

To better understand these problems, let’s examine a sample Kubernetes application: ANP Demo App.

This application comprises a deployment that spawns pods and a service that exposes them to external users in a similar situation like any real word workload which you will encounter in your environment.

If you open the application service before implementing any policies, the application reports the following messages:

  1. Container can reach the Internet – Without network policies, an attacker can use our container as an entry point by exploiting it with a vulnerability. This could allow them to exfiltrate data or establish remote control over the workload by leveraging its Internet access.
  2. Container can reach CoreDNS Pods – Kubernetes relies heavily on DNS, with records served using CoreDNS Pods. While communication between your Pods and CoreDNS is essential and not inherently a vulnerability, pairing it with unrestricted access to Continue reading

Calico Open Source 3.30: Exploring the Goldmane API for custom Kubernetes Network Observability

Kubernetes is built on the foundation of APIs and abstraction, and Calico leverages its extensibility to deliver network security and observability in both its commercial and open source versions. APIs are the special sauce that help automate and operationalize your Kubernetes platforms as part of a CI/CD pipeline and other GitOps workflows.

Calico OSS 3.30, introduces numerous battle-tested observability and security tools from our commercial editions. This includes the following key features:

  • Goldmane – A gRPC-based API for accessing and capturing flow logs and policy evaluation metrics
  • Whisker – A web-based tool for viewing and filtering flow logs to troubleshoot connectivity issues and author and maintain Calico network security policies
  • GlobalStagedNetworkPolicy and StagedNetworkPolicy – New custom resources that allow you to audit the behavior of a new policy before you actively enforce it
  • Calico Ingress Gateway – Our 100% upstream, enterprise-ready implementation of the Gateway API that is based on Envoy Gateway
  • Calico Cloud ready – Every OSS cluster includes the required components to connect to a stateless, read-only, and free version of Calico Cloud

You may know about the Calico REST API, which allows you to manage Calico resources, such as Calico network policy, Calico IPAM configurations Continue reading

Calico Whisker, Your New Ally in Network Observability

With the upcoming release of Calico v3.30 on the horizon, we are excited to introduce Calico Whisker, a simple yet powerful User Interface (UI) designed to enhance network observability and policy debugging. If you’ve ever struggled to make sense of network flow logs or troubleshoot policies in a complex Kubernetes cluster, Whisker is your friend!

Whisker is a three part deployment that holds a UI, backend and a gRPC channel to communicate with the Felix brain of Calico to gather live flow information and present it in a human readable, easy to understand way. But before we get started let’s dive into why Whisker is a must-have for your Kubernetes environment, what problems it solves, and how it can streamline your policy management.

Navigating Network Flows is Difficult

In Kubernetes environments, network flows are the backbone of communication between workloads. As clusters scale, so does the complexity of managing these flows and their security. Without clear visibility and effective observability tools, teams often struggle with:

  • Diagnosing unexplained workload behavior and determining why certain applications aren’t working as expected.
  • Identifying the real reason why certain workload communications are permitted or denied, which stems from understanding which policies are affecting specific Continue reading

Introducing Calico 3.30: A New Era of Open Source Network Security and Observability for Kubernetes

When we first launched Project Calico in 2016, we set out to make Kubernetes networking easy, reliable, and scalable for all organizations. Our goal was to abstract away the complexity and performance overheads of other CNI plugins while simultaneously extending Kubernetes network policy to make it easier to secure your Kubernetes workloads.

Over the last 9 years, we’ve seen our community grow alongside Calico Open Source, which has become the most widely adopted Kubernetes networking tool that now powers over 8 million nodes across more than 166 countries. We’ve seen the challenges our community has faced as more organizations adopt Kubernetes, and as the scale and complexity of these Kubernetes deployments has increased. Through our commercial offerings, we’ve helped solve networking and network security challenges for some of the world’s largest Kubernetes deployments, from financial institutions to telcos.

Calico OSS 3.30

With the release of Calico OSS 3.30 in May, we are open sourcing our battle-tested observability and security tools from our commercial editions. This includes the following key features:

  • Goldmane – A gRPC-based API for accessing and capturing flow logs and policy evaluation metrics
  • Whisker – A web-based tool for viewing and filtering flow logs to troubleshoot Continue reading

A Detailed Look at the Calico Ingress Gateway

Managing traffic in Kubernetes environments presents serious security and operational challenges. Traditional ingress solutions lack flexibility, rely on proprietary configurations, and offer limited traffic control, creating security gaps and inefficiencies.

What’s needed is a more flexible, scalable, and policy-driven approach to ingress traffic management. Enter Calico Ingress Gateway—built to eliminate these limitations while enhancing security, visibility, and control over ingress traffic at scale.

So Why an Ingress Gateway?

An ingress gateway serves as the first point of contact for external traffic entering a Kubernetes cluster. For most modern applications, this traffic includes API requests, user connections, or service calls, all of which need to be routed to the appropriate workloads securely and efficiently. Without a robust ingress solution, organizations face a range of challenges:

  • Customization Challenges: Legacy ingress solutions provide limited flexibility, frequently requiring custom annotations to extend functionality, which increases the time and complexity of implementations.
  • Operational Complexity: Traditional ingress controllers often rely on proprietary configurations, making deployments harder to manage and less portable across environments.
  • Limited Traffic Control: Basic ingress controllers lack some of the advanced features needed to manage, shape, and secure traffic effectively.

What is the Calico Ingress Gateway?

The Calico Ingress Gateway is a 100% Continue reading

How Calico Network Security Works

In the rapidly evolving world of Kubernetes, network security remains one of the most challenging aspects for organizations. The shift to dynamic containerized environments brings challenges like inter-cluster communication, rapid scaling, and multi-cloud deployments. These challenges, compounded by tool sprawl and fragmented visibility, leave teams grappling with operational inefficiencies, misaligned priorities, and increasing vulnerabilities. Without a unified solution, organizations risk security breaches and compliance failures.

Calico’s single platform approach to network security.
Calico’s single platform approach to network security.

Calico reimagines Kubernetes security with a holistic, end-to-end approach that simplifies operations while strengthening defenses. By unifying key capabilities like ingress and egress gateways, microsegmentation, and real-time observability, Calico empowers teams to bridge the gaps between security, compliance, and operational efficiency. The result is a scalable, robust platform that addresses the unique demands of containerized environments without introducing unnecessary complexity. Let’s look at how Calico’s key network security capabilities make this possible.

Calico Ingress Gateway

The Calico Ingress Gateway is a Kubernetes-native solution, built on the Envoy Gateway, that serves as a centralized entry point for managing and securing incoming traffic to your clusters. Implementing the Kubernetes Gateway API specification, it replaces traditional ingress controllers with a more robust, scalable, and flexible architecture that is capable of more Continue reading

Calico eBPF Source IP Preservation: The Unexpected Story of High Tail Latency

The Calico eBPF data plane is your choice if latency is your primary concern. It was very disturbing that some benchmarking brought to our attention that eBPF had higher tail latency than iptables. The 99+% percentiles were higher by as much as a few hundred milliseconds. We did a whole bunch of experiments and we could not crack the nut until we observed that there are some occasional and unexpected TCP reset (RST) packets, but no connections were reset.

We noticed that the RST belongs to a connection that was already completed and finished a while ago. That was strange, but it pointed us in the right direction. We also knew that this happens only if the benchmark uses a LoadBalancer and we have connections going through multiple nodes to the same backend pod. That was enough to get to the root cause, but let’s start at the beginning…

External Clients and Kubernetes Services

One of the shortcomings of iptables/nftables based networking in Kubernetes is that if an external client connects to your cluster via a NodePort or a LoadBalancer, you may lose its IP address along the way. The reason for this is that the client may connect to Continue reading

Calico at KubeCon + CloudNativeCon Europe 2025

Tigera is getting ready for KubeCon + CloudNativeCon Europe this year!

Join us for exciting demos, networking opportunities, meaningful community connections, and fun celebrations. We can’t wait to share what’s in store!

This blog post covers all the ways you can engage with us and dive deeper into your favorite tool, Calico, at KubeCon + CloudNativeCon Europe 2025.

CalicoCon 2025

CalicoCon 2025 is your go-to event for the latest in Kubernetes networking, security, and observability. Hosted by the Calico team, it offers an in-depth look at the state of Project Calico.

Attendees will have the chance to connect with Calico engineers and leadership, ask questions, and share their experiences.

Add CalicoCon to your existing KubeCon + CloudNativeCon registration ‌to secure your spot. If you are not attending KubeCon + CloudNativeCon Europe but would still like to attend CalicoCon, please reach out to us ‌on the Calico User Slack.


Event Details

Date: April 1, 2025
Time: 1:00pm – 4:30pm BST
Location: Good Hotel London

<Register Now>

Party with Calico Cool Cats

This is your chance to connect with fellow Kubernetes enthusiasts, Calico users, and the brilliant minds behind Project Calico in a relaxed setting.

Engage in insightful conversations, share your Kubernetes Continue reading

High-Performance Kubernetes Networking with Calico eBPF

Kubernetes has revolutionized cloud-native applications, but networking remains a crucial aspect of ensuring scalability, security, and performance. Default networking approaches, such as iptables-based packet filtering, often introduce performance bottlenecks due to inefficient packet processing and complex rule evaluations. This is where Calico eBPF comes into play, offering a powerful alternative that enhances networking efficiency and security at scale.

Understanding Kubernetes Networking

Kubernetes networking consists of two primary components:

  1. Physical Network Infrastructure – Connects cloud resources to external networks, ensuring communication between nodes and the broader internet.
  2. Cluster Network Infrastructure – Manages internal workload communication within the Kubernetes cluster, including service-to-service traffic and pod-to-pod interactions.

Choosing the right data plane is critical for optimal performance. Factors such as cluster size, throughput, and security requirements should guide this choice. Poor networking choices can lead to congestion, excessive latency, and resource starvation.

Data Plane Options in Kubernetes Networking

Networking in Kubernetes is an abstract idea. While Kubernetes lays the foundation, your Container Networking Interface (CNI) is in charge of the actual networking. To better understand networking, we usually divide it into two sections: a control plane and a data plane.

What’s New in Calico: Winter 2025

As we kick off the new year, we’re excited to introduce the latest updates to Calico, designed to create a single, unified platform for all your Kubernetes networking, security, and observability needs. These new features help organizations reduce tool sprawl, streamline operations, and lower costs, making it more convenient and efficient to manage Kubernetes environments.

In this blog, we’ll highlight some of the most exciting additions that include a major new product capability, an ingress gateway.

Introducing the Calico Ingress Gateway

Managing and securing traffic in Kubernetes environments is one of the most complex and critical challenges organizations face today. With more than 60% of enterprises having adopted Kubernetes, according to an annual CNCF survey, controlling and optimizing how external traffic enters clusters is more important than ever. As applications grow in scale and complexity, legacy ingress solutions often fall short, plagued by operational inefficiencies, reliance on proprietary APIs, limited scalability, and difficulty in customization. These limitations make it difficult for teams to maintain consistent performance and robust security across their environments.

To address these challenges, we’re excited to introduce the Calico Ingress Gateway, an enterprise hardened, 100% upstream distribution of Envoy Gateway that leverages and expands the Continue reading

Ensuring Optimal Kubernetes Cluster Health with Calico Observability

Have you ever wondered how to navigate the complexities of managing Kubernetes clusters effectively? Observability is the key, and Elasticsearch plays a pivotal role in storing and analyzing the critical data that keeps your systems running smoothly.

In this blog post, we will delve into the essential aspects of observability within Kubernetes clusters powered by Calico eBPF data plane, highlighting the significance of Elasticsearch in this ecosystem. We’ll explore how Calico leverages Elasticsearch to enhance both observability and security, providing a comprehensive guide to common issues, best practices, and troubleshooting tips. You will understand the value of observability on a Kubernetes cluster and how to keep Elasticsearch healthy by storing and making observability data available. By the end, you’ll be equipped with the knowledge to maintain a robust and efficient Elasticsearch setup, ensuring optimal performance and security for your Kubernetes cluster powered by Calico eBPF data plane.
We will discuss what Elasticsearch is, why it matters, and how Calico Enterprise utilizes it to provide unparalleled observability. Whether you’re dealing with common issues or looking to implement best practices, this guide will serve as your reference guide to maintain a healthy Elasticsearch setup.

The importance of observability in a Kubernetes cluster

Continue reading

Kubernetes Network Security at Scale: Troubleshooting, Visibility & Compliance with Calico

Kubernetes adoption continues to grow as enterprises increasingly rely on containerized environments to deploy and scale their application. However, the complexity of the Kubernetes environment has evolved dramatically. It ranges from single-cluster setups of workloads to multi-cluster environments spanning hybrid and multi-cloud infrastructure. Kubernetes deployments are now characterized by their scale and diversity. Further multi-tenancy within a single cluster is becoming standard practice, as seen with the accelerated adoption of managed Kubernetes services available with Microsoft AKS, Amazon EKS, and Google GKE, further complicating the tenant and their workload security.

Organizations are leveraging Kubernetes to manage thousands of workloads within a single cluster and distribute them across multiple clusters for redundancy, geographic coverage, and performance optimization. Additionally, hybrid and multi-cloud deployments allow businesses to balance cost, performance, and compliance requirements.

To manage and secure this growth, organizations must ensure robust network security while maintaining visibility and simplifying operations. Addressing these challenges requires a comprehensive understanding of Kubernetes traffic patterns and the solution to observe, aggregate, and correlate traffic data.

Challenges

Kubernetes environments generate various traffic patterns, including:

  • In-cluster traffic: Communication between pods within the same cluster
  • Egress traffic: Outbound traffic to external services or the internet
  • DNS traffic: Application layer Continue reading

Securely Deploying & Running Multiple Tenants on Kubernetes

As Kubernetes becomes the backbone of modern cloud native applications, organizations increasingly seek to consolidate workloads and resources by running multiple tenants within the same Kubernetes infrastructure. These tenants could be:

  • Internal teams: Departments within a company that share a Kubernetes cluster for development and production.
  • External clients: SaaS providers hosting customer workloads on shared infrastructure.

While multitenancy offers cost efficiency and centralized management, it also introduces security and operational challenges:

  • How do you ensure strong isolation between tenants?
  • How do you manage resources and prevent one tenant from affecting another?
  • How do you meet regulatory and compliance requirements?

To address these concerns, practitioners have three primary options for deploying multiple tenants securely on Kubernetes.

How to Deploy Multiple Tenants on Kubernetes

Option 1: Namespace-Based Isolation with Network Policies, RBAC and Security Controls

Namespaces are Kubernetes’ built-in mechanism for logical isolation. This approach uses:

  • Namespaces: Logical boundaries for separating tenant workloads.
  • RBAC (role-based access control): Restricts tenant access to their namespace and resources.
  • Network policies: Controls ingress and egress traffic between pods and namespaces.
  • Resource quotas: Limits CPU, memory and other resources to prevent noisy neighbors.

Advantages:

  • Cost-effective: Tenants share the cluster infrastructure.
  • Simple to manage: Centralized operations within a Continue reading

How Calico Network Threat Detection Works

In today’s cloud-native environments, network security is more complex than ever, with Kubernetes and containerized workloads introducing unique challenges. Traditional tools struggle to monitor and secure these dynamic, interconnected systems, leaving organizations vulnerable to advanced threats, such as lateral movement, zero-day exploits, ransomware, data exfiltration, and more.

Network threat detection identifies malicious or suspicious activity within network traffic by using rules and analyzing patterns, behaviors, and anomalies. It enables organizations to spot attacks early, respond quickly, and mitigate risks before they escalate. Tools like Calico are specifically designed to address these challenges in Kubernetes, offering visibility, detection, and automated responses to protect workloads from known and emerging threats.

Calico delivers advanced network threat detection for Kubernetes environments, leveraging a variety of techniques to ensure comprehensive protection. Here are the key features of Calico’s network threat detection.

Behavior-based detection

Calico uses machine learning algorithms to establish a baseline of normal network behavior and detect anomalies such as port scans, IP (Internet Protocol) sweeps, and domain generation algorithms (DGA), which are commonly used by malware to evade detection and maintain communication with command and control (C2) servers.

Calico’s anomaly detection capability evaluates traffic flows using machine learning to identify the baseline behavior Continue reading

1 2 3 16