If you’ve managed traffic in Kubernetes, you’ve likely navigated the world of Ingress controllers. For years, Ingress has been the standard way of getting our HTTP/S services exposed. But let’s be honest, it often felt like a compromise. We wrestled with controller-specific annotations to unlock critical features, blurred the lines between infrastructure and application concerns, and sometimes wished for richer protocol support or a more standardized approach. This “pile of vendor annotations,” while functional, highlighted the limitations of a standard that struggled to keep pace with the complex demands of modern, multi-team environments and even led to security vulnerabilities.
Yes, and it’s a crucial one. The Kubernetes Gateway API isn’t just an Ingress v2; it’s a fundamental redesign, the “future” of Kubernetes ingress, built by the community to address these very challenges head-on.
There are three main points that I came across while evaluating GatewayAPI and Ingress controllers:
This story is becoming more and more common in the Kubernetes world. What starts as a manageable cluster or two can quickly balloon into a sprawling, multi-cluster architecture spanning public clouds, private data centers, or a bit of both. And with that growth comes a whole new set of headaches. How do you keep tabs on compliance across wildly different configurations? When a service goes down across multiple clusters, how do you pinpoint the cause amidst the chaos? And what about those hard-to-diagnose latency issues that seem to crop up between regions?
The truth is, achieving secure and scalable multi-cluster Kubernetes isn’t about throwing more tools at the problem. It’s about having the right tools and adopting the right best practices. This is where a solution like Calico Cluster Mesh shines, offering those essential capabilities for a seamless multi-cluster experience without the complexity or overhead that you expect with traditional service meshes.
So, why are so many organizations finding themselves in this multi-cluster maze? Often, it’s driven by solid business reasons:
If you’ve managed traffic in Kubernetes, you’ve likely navigated the world of Ingress controllers. For years, Ingress has been the standard way of getting HTTP/S services exposed. But let’s be honest, it often felt like a compromise. We wrestled with controller-specific annotations to unlock critical features, blurred the lines between infrastructure and application concerns, this complexity didn’t just make portability more difficult, it sometimes led to security vulnerabilities and other complications.
As part of Calico Open Source v3.30, we have released a free and open source Calico Ingress Gateway that implements a custom built Envoy proxy with the Kubernetes Gateway API standard to help you navigate Ingress complexities with style. This blog post is designed to get you up to speed on why such a change might be the missing link in your environment.
The challenge with traditional Ingress wasn’t a lack of effort, since the landscape is full of innovative solutions. However, the problem was the lack of a unified, expressive, and role-aware standard. Existing ingress controllers were capable, implemented advanced features, however at the same time tied you to a specific project/vendor.
This meant:
Today, organizations struggle managing disparate technologies for their Kubernetes networking and network security needs. Leveraging multiple technologies for networking and security for in-cluster, ingress, egress, and traffic across clusters creates challenges, including operational complexities and increased costs. For example, to manage ingress traffic for Kubernetes clusters, users cobble together multiple solutions from different providers such as ingress controllers or gateways and load balancers for routing traffic, as well as Web Application Firewalls (WAFs) for enhanced security.
Despite the challenges it brings, deploying disparate technologies has been a “necessary evil” for organizations to get all the capabilities needed for holistic Kubernetes networking. Here, we’ll explore challenges this proliferation of tooling introduces, and provide actionable tips for today’s platform and security teams to overcome these issues.
The fragmented approach to networking and network security in Kubernetes leads to challenges and inefficiencies, including:
Calico provides a unified platform for all your Kubernetes networking, network security, and observability requirements. From ingress/egress management and east-west policy enforcement to multi-cluster connectivity, Calico delivers comprehensive capabilities. It is distribution-agnostic, preventing vendor lock-in and offering a consistent experience across popular Kubernetes distributions and managed services. Calico eliminates silos, providing seamless networking and observability for containers, VMs, and bare metal servers, and extends effortlessly to multi-cluster environments, in the cloud, on-premises, and at the edge.
With the recent release of Calico Open Source 3.30, we added:
When I got the assignment to attend KubeCon 1st of April I thought it was an April prank, but as the date got closer I realized—this is for real and I’ll be on the ground in London at the tenth anniversary of cloud native computing. I’ve seen a lot of tech events during my years in the industry while trying not to get replaced by AI and I have to say this one stands out!
Image source: CNCF YouTube Channel
Here is my recap of KubeCon + CloudNativeCon Europe 2025.
CalicoCon is an event that happens twice every year, as a co-located event during KubeCon NA and EU. It’s a free event that allows you to learn about Tigera’s vision for the future of networking and security in the cloud. There’s also an after-party to celebrate our community and people like you who are on this journey with us!
This year our main focus was on Calico v3.30, our upcoming release that will add a lot of anticipated features to Calico, unlocking things like observability, staged network policy, and gateway api. CalicoCon brought together cloud-native enthusiasts to explore the latest advancements in Calico and Kubernetes networking.
Kubernetes, by default, adopts a permissive networking model where all pods can freely communicate unless explicitly restricted using network policies. While this simplifies application deployment, it introduces significant security risks. Unrestricted network traffic allows workloads to interact with unauthorized destinations, increasing the potential for cyberattacks such as Remote Code Execution (RCE), DNS spoofing, and privilege escalation.
To better understand these problems, let’s examine a sample Kubernetes application: ANP Demo App.
This application comprises a deployment that spawns pods and a service that exposes them to external users in a similar situation like any real word workload which you will encounter in your environment.
If you open the application service before implementing any policies, the application reports the following messages:
Kubernetes is built on the foundation of APIs and abstraction, and Calico leverages its extensibility to deliver network security and observability in both its commercial and open source versions. APIs are the special sauce that help automate and operationalize your Kubernetes platforms as part of a CI/CD pipeline and other GitOps workflows.
Calico OSS 3.30, introduces numerous battle-tested observability and security tools from our commercial editions. This includes the following key features:
You may know about the Calico REST API, which allows you to manage Calico resources, such as Calico network policy, Calico IPAM configurations Continue reading
With the upcoming release of Calico v3.30 on the horizon, we are excited to introduce Calico Whisker, a simple yet powerful User Interface (UI) designed to enhance network observability and policy debugging. If you’ve ever struggled to make sense of network flow logs or troubleshoot policies in a complex Kubernetes cluster, Whisker is your friend!
Whisker is a three part deployment that holds a UI, backend and a gRPC channel to communicate with the Felix brain of Calico to gather live flow information and present it in a human readable, easy to understand way. But before we get started let’s dive into why Whisker is a must-have for your Kubernetes environment, what problems it solves, and how it can streamline your policy management.
In Kubernetes environments, network flows are the backbone of communication between workloads. As clusters scale, so does the complexity of managing these flows and their security. Without clear visibility and effective observability tools, teams often struggle with:
When we first launched Project Calico in 2016, we set out to make Kubernetes networking easy, reliable, and scalable for all organizations. Our goal was to abstract away the complexity and performance overheads of other CNI plugins while simultaneously extending Kubernetes network policy to make it easier to secure your Kubernetes workloads.
Over the last 9 years, we’ve seen our community grow alongside Calico Open Source, which has become the most widely adopted Kubernetes networking tool that now powers over 8 million nodes across more than 166 countries. We’ve seen the challenges our community has faced as more organizations adopt Kubernetes, and as the scale and complexity of these Kubernetes deployments has increased. Through our commercial offerings, we’ve helped solve networking and network security challenges for some of the world’s largest Kubernetes deployments, from financial institutions to telcos.
With the release of Calico OSS 3.30 in May, we are open sourcing our battle-tested observability and security tools from our commercial editions. This includes the following key features:
Managing traffic in Kubernetes environments presents serious security and operational challenges. Traditional ingress solutions lack flexibility, rely on proprietary configurations, and offer limited traffic control, creating security gaps and inefficiencies.
What’s needed is a more flexible, scalable, and policy-driven approach to ingress traffic management. Enter Calico Ingress Gateway—built to eliminate these limitations while enhancing security, visibility, and control over ingress traffic at scale.
An ingress gateway serves as the first point of contact for external traffic entering a Kubernetes cluster. For most modern applications, this traffic includes API requests, user connections, or service calls, all of which need to be routed to the appropriate workloads securely and efficiently. Without a robust ingress solution, organizations face a range of challenges:
The Calico Ingress Gateway is a 100% Continue reading
In the rapidly evolving world of Kubernetes, network security remains one of the most challenging aspects for organizations. The shift to dynamic containerized environments brings challenges like inter-cluster communication, rapid scaling, and multi-cloud deployments. These challenges, compounded by tool sprawl and fragmented visibility, leave teams grappling with operational inefficiencies, misaligned priorities, and increasing vulnerabilities. Without a unified solution, organizations risk security breaches and compliance failures.
Calico reimagines Kubernetes security with a holistic, end-to-end approach that simplifies operations while strengthening defenses. By unifying key capabilities like ingress and egress gateways, microsegmentation, and real-time observability, Calico empowers teams to bridge the gaps between security, compliance, and operational efficiency. The result is a scalable, robust platform that addresses the unique demands of containerized environments without introducing unnecessary complexity. Let’s look at how Calico’s key network security capabilities make this possible.
The Calico Ingress Gateway is a Kubernetes-native solution, built on the Envoy Gateway, that serves as a centralized entry point for managing and securing incoming traffic to your clusters. Implementing the Kubernetes Gateway API specification, it replaces traditional ingress controllers with a more robust, scalable, and flexible architecture that is capable of more Continue reading
The Calico eBPF data plane is your choice if latency is your primary concern. It was very disturbing that some benchmarking brought to our attention that eBPF had higher tail latency than iptables. The 99+% percentiles were higher by as much as a few hundred milliseconds. We did a whole bunch of experiments and we could not crack the nut until we observed that there are some occasional and unexpected TCP reset (RST) packets, but no connections were reset.
We noticed that the RST belongs to a connection that was already completed and finished a while ago. That was strange, but it pointed us in the right direction. We also knew that this happens only if the benchmark uses a LoadBalancer and we have connections going through multiple nodes to the same backend pod. That was enough to get to the root cause, but let’s start at the beginning…
One of the shortcomings of iptables/nftables based networking in Kubernetes is that if an external client connects to your cluster via a NodePort or a LoadBalancer, you may lose its IP address along the way. The reason for this is that the client may connect to Continue reading
Tigera is getting ready for KubeCon + CloudNativeCon Europe this year!
Join us for exciting demos, networking opportunities, meaningful community connections, and fun celebrations. We can’t wait to share what’s in store!
This blog post covers all the ways you can engage with us and dive deeper into your favorite tool, Calico, at KubeCon + CloudNativeCon Europe 2025.
CalicoCon 2025 is your go-to event for the latest in Kubernetes networking, security, and observability. Hosted by the Calico team, it offers an in-depth look at the state of Project Calico.
Attendees will have the chance to connect with Calico engineers and leadership, ask questions, and share their experiences.
Add CalicoCon to your existing KubeCon + CloudNativeCon registration to secure your spot. If you are not attending KubeCon + CloudNativeCon Europe but would still like to attend CalicoCon, please reach out to us on the Calico User Slack.
Event Details
Date: April 1, 2025
Time: 1:00pm – 4:30pm BST
Location: Good Hotel London
This is your chance to connect with fellow Kubernetes enthusiasts, Calico users, and the brilliant minds behind Project Calico in a relaxed setting.
Engage in insightful conversations, share your Kubernetes Continue reading
Kubernetes has revolutionized cloud-native applications, but networking remains a crucial aspect of ensuring scalability, security, and performance. Default networking approaches, such as iptables-based packet filtering, often introduce performance bottlenecks due to inefficient packet processing and complex rule evaluations. This is where Calico eBPF comes into play, offering a powerful alternative that enhances networking efficiency and security at scale.
Kubernetes networking consists of two primary components:
Choosing the right data plane is critical for optimal performance. Factors such as cluster size, throughput, and security requirements should guide this choice. Poor networking choices can lead to congestion, excessive latency, and resource starvation.
Networking in Kubernetes is an abstract idea. While Kubernetes lays the foundation, your Container Networking Interface (CNI) is in charge of the actual networking. To better understand networking, we usually divide it into two sections: a control plane and a data plane.
As we kick off the new year, we’re excited to introduce the latest updates to Calico, designed to create a single, unified platform for all your Kubernetes networking, security, and observability needs. These new features help organizations reduce tool sprawl, streamline operations, and lower costs, making it more convenient and efficient to manage Kubernetes environments.
In this blog, we’ll highlight some of the most exciting additions that include a major new product capability, an ingress gateway.
Managing and securing traffic in Kubernetes environments is one of the most complex and critical challenges organizations face today. With more than 60% of enterprises having adopted Kubernetes, according to an annual CNCF survey, controlling and optimizing how external traffic enters clusters is more important than ever. As applications grow in scale and complexity, legacy ingress solutions often fall short, plagued by operational inefficiencies, reliance on proprietary APIs, limited scalability, and difficulty in customization. These limitations make it difficult for teams to maintain consistent performance and robust security across their environments.
To address these challenges, we’re excited to introduce the Calico Ingress Gateway, an enterprise hardened, 100% upstream distribution of Envoy Gateway that leverages and expands the Continue reading
Have you ever wondered how to navigate the complexities of managing Kubernetes clusters effectively? Observability is the key, and Elasticsearch plays a pivotal role in storing and analyzing the critical data that keeps your systems running smoothly.
In this blog post, we will delve into the essential aspects of observability within Kubernetes clusters powered by Calico eBPF data plane, highlighting the significance of Elasticsearch in this ecosystem. We’ll explore how Calico leverages Elasticsearch to enhance both observability and security, providing a comprehensive guide to common issues, best practices, and troubleshooting tips. You will understand the value of observability on a Kubernetes cluster and how to keep Elasticsearch healthy by storing and making observability data available. By the end, you’ll be equipped with the knowledge to maintain a robust and efficient Elasticsearch setup, ensuring optimal performance and security for your Kubernetes cluster powered by Calico eBPF data plane.
We will discuss what Elasticsearch is, why it matters, and how Calico Enterprise utilizes it to provide unparalleled observability. Whether you’re dealing with common issues or looking to implement best practices, this guide will serve as your reference guide to maintain a healthy Elasticsearch setup.
Kubernetes adoption continues to grow as enterprises increasingly rely on containerized environments to deploy and scale their application. However, the complexity of the Kubernetes environment has evolved dramatically. It ranges from single-cluster setups of workloads to multi-cluster environments spanning hybrid and multi-cloud infrastructure. Kubernetes deployments are now characterized by their scale and diversity. Further multi-tenancy within a single cluster is becoming standard practice, as seen with the accelerated adoption of managed Kubernetes services available with Microsoft AKS, Amazon EKS, and Google GKE, further complicating the tenant and their workload security.
Organizations are leveraging Kubernetes to manage thousands of workloads within a single cluster and distribute them across multiple clusters for redundancy, geographic coverage, and performance optimization. Additionally, hybrid and multi-cloud deployments allow businesses to balance cost, performance, and compliance requirements.
To manage and secure this growth, organizations must ensure robust network security while maintaining visibility and simplifying operations. Addressing these challenges requires a comprehensive understanding of Kubernetes traffic patterns and the solution to observe, aggregate, and correlate traffic data.
Kubernetes environments generate various traffic patterns, including:
As Kubernetes becomes the backbone of modern cloud native applications, organizations increasingly seek to consolidate workloads and resources by running multiple tenants within the same Kubernetes infrastructure. These tenants could be:
While multitenancy offers cost efficiency and centralized management, it also introduces security and operational challenges:
To address these concerns, practitioners have three primary options for deploying multiple tenants securely on Kubernetes.
Namespaces are Kubernetes’ built-in mechanism for logical isolation. This approach uses:
Advantages:
In today’s cloud-native environments, network security is more complex than ever, with Kubernetes and containerized workloads introducing unique challenges. Traditional tools struggle to monitor and secure these dynamic, interconnected systems, leaving organizations vulnerable to advanced threats, such as lateral movement, zero-day exploits, ransomware, data exfiltration, and more.
Network threat detection identifies malicious or suspicious activity within network traffic by using rules and analyzing patterns, behaviors, and anomalies. It enables organizations to spot attacks early, respond quickly, and mitigate risks before they escalate. Tools like Calico are specifically designed to address these challenges in Kubernetes, offering visibility, detection, and automated responses to protect workloads from known and emerging threats.
Calico delivers advanced network threat detection for Kubernetes environments, leveraging a variety of techniques to ensure comprehensive protection. Here are the key features of Calico’s network threat detection.
Calico uses machine learning algorithms to establish a baseline of normal network behavior and detect anomalies such as port scans, IP (Internet Protocol) sweeps, and domain generation algorithms (DGA), which are commonly used by malware to evade detection and maintain communication with command and control (C2) servers.
Calico’s anomaly detection capability evaluates traffic flows using machine learning to identify the baseline behavior Continue reading