Calico at KubeCon + CloudNativeCon Europe 2025
Tigera is getting ready for KubeCon + CloudNativeCon Europe this year!
Join us for exciting demos, networking opportunities, meaningful community connections, and fun celebrations. We can’t wait to share what’s in store!
This blog post covers all the ways you can engage with us and dive deeper into your favorite tool, Calico, at KubeCon + CloudNativeCon Europe 2025.
CalicoCon 2025
CalicoCon 2025 is your go-to event for the latest in Kubernetes networking, security, and observability. Hosted by the Calico team, it offers an in-depth look at the state of Project Calico.
Attendees will have the chance to connect with Calico engineers and leadership, ask questions, and share their experiences.
Add CalicoCon to your existing KubeCon + CloudNativeCon registration to secure your spot. If you are not attending KubeCon + CloudNativeCon Europe but would still like to attend CalicoCon, please reach out to us on the Calico User Slack.
Event Details
Date: April 1, 2025
Time: 1:00pm – 4:30pm BST
Location: Good Hotel London
Party with Calico Cool Cats
This is your chance to connect with fellow Kubernetes enthusiasts, Calico users, and the brilliant minds behind Project Calico in a relaxed setting.
Engage in insightful conversations, share your Kubernetes Continue reading
High-Performance Kubernetes Networking with Calico eBPF
Kubernetes has revolutionized cloud-native applications, but networking remains a crucial aspect of ensuring scalability, security, and performance. Default networking approaches, such as iptables-based packet filtering, often introduce performance bottlenecks due to inefficient packet processing and complex rule evaluations. This is where Calico eBPF comes into play, offering a powerful alternative that enhances networking efficiency and security at scale.
Understanding Kubernetes Networking
Kubernetes networking consists of two primary components:
- Physical Network Infrastructure – Connects cloud resources to external networks, ensuring communication between nodes and the broader internet.
- Cluster Network Infrastructure – Manages internal workload communication within the Kubernetes cluster, including service-to-service traffic and pod-to-pod interactions.
Choosing the right data plane is critical for optimal performance. Factors such as cluster size, throughput, and security requirements should guide this choice. Poor networking choices can lead to congestion, excessive latency, and resource starvation.
Data Plane Options in Kubernetes Networking
Networking in Kubernetes is an abstract idea. While Kubernetes lays the foundation, your Container Networking Interface (CNI) is in charge of the actual networking. To better understand networking, we usually divide it into two sections: a control plane and a data plane.
- Control Plane – Control plane is the part that manages how Continue reading
What’s New in Calico: Winter 2025
As we kick off the new year, we’re excited to introduce the latest updates to Calico, designed to create a single, unified platform for all your Kubernetes networking, security, and observability needs. These new features help organizations reduce tool sprawl, streamline operations, and lower costs, making it more convenient and efficient to manage Kubernetes environments.
In this blog, we’ll highlight some of the most exciting additions that include a major new product capability, an ingress gateway.
Introducing the Calico Ingress Gateway
Managing and securing traffic in Kubernetes environments is one of the most complex and critical challenges organizations face today. With more than 60% of enterprises having adopted Kubernetes, according to an annual CNCF survey, controlling and optimizing how external traffic enters clusters is more important than ever. As applications grow in scale and complexity, legacy ingress solutions often fall short, plagued by operational inefficiencies, reliance on proprietary APIs, limited scalability, and difficulty in customization. These limitations make it difficult for teams to maintain consistent performance and robust security across their environments.
To address these challenges, we’re excited to introduce the Calico Ingress Gateway, an enterprise hardened, 100% upstream distribution of Envoy Gateway that leverages and expands the Continue reading
Ensuring Optimal Kubernetes Cluster Health with Calico Observability
Have you ever wondered how to navigate the complexities of managing Kubernetes clusters effectively? Observability is the key, and Elasticsearch plays a pivotal role in storing and analyzing the critical data that keeps your systems running smoothly.
In this blog post, we will delve into the essential aspects of observability within Kubernetes clusters powered by Calico eBPF data plane, highlighting the significance of Elasticsearch in this ecosystem. We’ll explore how Calico leverages Elasticsearch to enhance both observability and security, providing a comprehensive guide to common issues, best practices, and troubleshooting tips. You will understand the value of observability on a Kubernetes cluster and how to keep Elasticsearch healthy by storing and making observability data available. By the end, you’ll be equipped with the knowledge to maintain a robust and efficient Elasticsearch setup, ensuring optimal performance and security for your Kubernetes cluster powered by Calico eBPF data plane.
We will discuss what Elasticsearch is, why it matters, and how Calico Enterprise utilizes it to provide unparalleled observability. Whether you’re dealing with common issues or looking to implement best practices, this guide will serve as your reference guide to maintain a healthy Elasticsearch setup.
The importance of observability in a Kubernetes cluster
Kubernetes Network Security at Scale: Troubleshooting, Visibility & Compliance with Calico
Kubernetes adoption continues to grow as enterprises increasingly rely on containerized environments to deploy and scale their application. However, the complexity of the Kubernetes environment has evolved dramatically. It ranges from single-cluster setups of workloads to multi-cluster environments spanning hybrid and multi-cloud infrastructure. Kubernetes deployments are now characterized by their scale and diversity. Further multi-tenancy within a single cluster is becoming standard practice, as seen with the accelerated adoption of managed Kubernetes services available with Microsoft AKS, Amazon EKS, and Google GKE, further complicating the tenant and their workload security.
Organizations are leveraging Kubernetes to manage thousands of workloads within a single cluster and distribute them across multiple clusters for redundancy, geographic coverage, and performance optimization. Additionally, hybrid and multi-cloud deployments allow businesses to balance cost, performance, and compliance requirements.
To manage and secure this growth, organizations must ensure robust network security while maintaining visibility and simplifying operations. Addressing these challenges requires a comprehensive understanding of Kubernetes traffic patterns and the solution to observe, aggregate, and correlate traffic data.
Challenges
Kubernetes environments generate various traffic patterns, including:
- In-cluster traffic: Communication between pods within the same cluster
- Egress traffic: Outbound traffic to external services or the internet
- DNS traffic: Application layer Continue reading
Securely Deploying & Running Multiple Tenants on Kubernetes
As Kubernetes becomes the backbone of modern cloud native applications, organizations increasingly seek to consolidate workloads and resources by running multiple tenants within the same Kubernetes infrastructure. These tenants could be:
- Internal teams: Departments within a company that share a Kubernetes cluster for development and production.
- External clients: SaaS providers hosting customer workloads on shared infrastructure.
While multitenancy offers cost efficiency and centralized management, it also introduces security and operational challenges:
- How do you ensure strong isolation between tenants?
- How do you manage resources and prevent one tenant from affecting another?
- How do you meet regulatory and compliance requirements?
To address these concerns, practitioners have three primary options for deploying multiple tenants securely on Kubernetes.
How to Deploy Multiple Tenants on Kubernetes
Option 1: Namespace-Based Isolation with Network Policies, RBAC and Security Controls
Namespaces are Kubernetes’ built-in mechanism for logical isolation. This approach uses:
- Namespaces: Logical boundaries for separating tenant workloads.
- RBAC (role-based access control): Restricts tenant access to their namespace and resources.
- Network policies: Controls ingress and egress traffic between pods and namespaces.
- Resource quotas: Limits CPU, memory and other resources to prevent noisy neighbors.
Advantages:
- Cost-effective: Tenants share the cluster infrastructure.
- Simple to manage: Centralized operations within a Continue reading
How Calico Network Threat Detection Works
In today’s cloud-native environments, network security is more complex than ever, with Kubernetes and containerized workloads introducing unique challenges. Traditional tools struggle to monitor and secure these dynamic, interconnected systems, leaving organizations vulnerable to advanced threats, such as lateral movement, zero-day exploits, ransomware, data exfiltration, and more.
Network threat detection identifies malicious or suspicious activity within network traffic by using rules and analyzing patterns, behaviors, and anomalies. It enables organizations to spot attacks early, respond quickly, and mitigate risks before they escalate. Tools like Calico are specifically designed to address these challenges in Kubernetes, offering visibility, detection, and automated responses to protect workloads from known and emerging threats.
Calico delivers advanced network threat detection for Kubernetes environments, leveraging a variety of techniques to ensure comprehensive protection. Here are the key features of Calico’s network threat detection.
Behavior-based detection
Calico uses machine learning algorithms to establish a baseline of normal network behavior and detect anomalies such as port scans, IP (Internet Protocol) sweeps, and domain generation algorithms (DGA), which are commonly used by malware to evade detection and maintain communication with command and control (C2) servers.
Calico’s anomaly detection capability evaluates traffic flows using machine learning to identify the baseline behavior Continue reading
Kubernetes Security in 2025: The De Facto Platform of GenAI Applications
Over the past year, there has been a culmination of hype and excitement around Generative AI (GenAI). Most organizations initiated proof-of-concept projects for GenAI, eager to reap the technology’s benefits, which range from improved operational efficiency to cost reductions. According to recent research, 88% of organizations are in the midst of actively investigating GenAI, transcending other AI applications. However, the vast majority of organizations have yet to surpass this initial proof-of-concept stage and graduate GenAI applications into production. As we move into 2025, more organizations will begin to formalize their GenAI strategies, creating and deploying a host of new GenAI applications across their infrastructure.
Creating GenAI Applications with Kubernetes
As organizations build out GenAI applications, they will leverage many different GenAI models. To optimize, and derive the most value and accuracy from their GenAI applications, enterprises will utilize proprietary data to create these models, primarily through a Retrieval-Augmented Generation (RAG) architecture. A RAG architecture enables organizations to customize models based on company data, so that GenAI applications are personalized to an enterprise and their specific use cases. Most GenAI applications will contain proprietary company data as a result of this approach, creating many security concerns for organizations.
Consequently, some Continue reading
Introducing Low-Latency DNS Policy with eBPF in Calico Enterprise
In Kubernetes, pods often need to securely communicate with external resources, such as internet services or APIs. Traditional Kubernetes network policies use IP addresses to identify these external resources. However, managing policies with IP addresses can be challenging because IPs often change, especially when dealing with dynamic websites or APIs.
Calico Enterprise addresses this challenge by extending Kubernetes network policies to support Fully Qualified Domain Names (FQDNs). This allows users to define policies using domain names instead of IP addresses, making it easier to manage and secure egress traffic. By dynamically mapping domain names to IPs, Calico ensures that policies remain up-to-date, enabling seamless and secure connectivity to external resources.
While this approach is conceptually simple, practical implementation is tricky. DNS mappings are dynamic: domain names often resolve to different IPs with each query, and wildcard support (e.g., *.example.com) adds complexity. To address this, Calico monitors DNS traffic to create and manage domain-to-IP mappings dynamically, translating high-level DNS-based rules into efficient low-level constructs like iptables, nftables, or eBPF.
Evolution of Calico DNS policy implementation
The DNS policy implementation significantly impacts performance and reliability. Currently, Calico offers three different modes to operate the DNS Continue reading
How Kubernetes Simplifies Configuration Security
This is the second blog post in a series exploring how Kubernetes, despite its inherent complexity, provides features that simplify security efforts.
Kubernetes presents an interesting paradox: while it is complex, it simplifies many aspects of deploying and managing containerized applications, including configuration security. Once you navigate its learning curve, Kubernetes unlocks powerful capabilities and tool support that make managing configuration security significantly easier.
In this blog post, we’ll dive into how Kubernetes enhances configuration security and outline its key advantages.
How Kubernetes Can Help Improve and Simplify Configuration Security
Despite its complexity, Kubernetes offers a range of features that simplify configuration security. These include enhanced visibility, streamlined access to log data, robust RBAC (Role-Based Access Control) capabilities, security policy as code, a layered network policy model, and more. Many of these capabilities also improve the efficiency and effectiveness of mitigation and remediation workflows for configuration security. Below, we highlight key features that should be considered when developing a configuration security strategy.
100% Inventory
Maintaining a complete inventory of workloads can be challenging in non-Kubernetes environments. However, Kubernetes provides complete visibility into every containerized workload running in the system. This eliminates concerns about shadow systems or overlooked resources that could Continue reading
Calico monthly roundup: July 2024
Welcome to the Calico monthly roundup: July edition! From open source news to live events, we have exciting updates to share—let’s get into it!
Exclusive: Cloud and container security leaders round table and dinner
An exclusive, invite-only round table and dinner designed specifically for cloud and container security leaders. This intimate gathering will discuss today’s most pressing issues facing cloud and container security. |
Your Guide to Observability
This guide explains what observability is and shows you how to use Calico’s observability tools. With these tools, you can find and troubleshoot issues with workload communications, performance, and operations in a Kubernetes cluster. |
Customer case study: Playtech
Calico seamlessly integrated with Amazon EKS GitOps model to enhance Playtech’s application security. Read the case study to learn more. |
Open source news
Calico Live stream: Mitigating RCE zero-day attacks with Calico security policies – This live session on July 31, 2024 will examine the capabilities of Calico security policies to mitigate RCE attacks in a cloud-native environment. You can watch the live session on YouTube or LinkedIn.
Calico enhancements
- Calico v3.27.4 is out and here is why you should install or update your Calico instance:
Native Kubernetes cluster mesh with Calico
workloads from remote clusters
As Kubernetes continues to gain traction in the cloud-native ecosystem, the need for robust, scalable, and highly available cluster deployments has become more noticeable.
While a Kubernetes cluster can easily expand via additional nodes, the downside of such an approach is that you might have to spend a lot of time troubleshooting the underlying networking or managing and updating resources between clusters. On top of that, a multi-regional scenario or hyper-cloud environment might be off the limits depending on the limitations that a cloud provider or your Kubernetes distro might impose on your environment.
Calico Enterprise cluster mesh is a suite of features native to Kubernetes with a multi-layer design that connects two or more Kubernetes clusters and seamlessly shares resources between them. This post will explore cluster mesh, its benefits, and how it can enhance your Kubernetes environment.
Projects that provide cluster mesh
Multiple projects offer cluster mesh, and while they are all similar in basic principles, each has a different take on implementing this solution in an environment.
The following table is a brief overview of notable projects that offer cluster mesh:
| Calico Open Source | Calico Enterprise | Cilium | Calico Enterprise | Submariner | |
| Encapsulation | IPIP | Direct Continue reading |
eBPF: Enabling Security and Performance to Co-Exist
Today, most organizations and individuals use Linux and the Linux kernel with a “one-size-fits-all” approach. This differs from how Linux was used in the past–for example, 20 years ago, many users would compile their kernel and modify it to fit their specific needs, architectures and use cases. This is no longer the case, as one-size-fits-all has become good enough. But, like anything in life, “good enough” is not the best you can get.
Enter: Extended Berkeley Packet Filter (eBPF). eBPF allows users to modify one-size-fits-all to fit their specific needs. While this was not impossible before, it was cumbersome and often unsecure.
eBPF is a feature available in Linux kernels that allows users to safely load programs into the kernel, to customize its operation. With eBPF, the kernel and its behavior become highly customizable, instead of being fixed.
Utilizing eBPF, users can load a program into the kernel and instruct the kernel to execute their program if, for example, a certain packet is seen or another event occurs. eBPF lets programs run without needing to add additional modules or modify the kernel source code. Users can think of it as a lightweight, sandboxed virtual machine (VM) within the Linux kernel Continue reading
Embracing Modern Virtualization with Calico’s Microsegmentation
In the rapidly evolving landscape of IT infrastructure, enterprises are increasingly moving away from traditional virtualization platforms due to rising licensing costs and the limitations these older systems impose on modern cloud-native application needs. The shift towards Kubernetes, which can manage diverse workloads such as containers, virtual machines (VMs), and bare metal environments, accelerates the migration from traditional virtualization platforms.
The Limitations of Traditional Network Segmentation
Traditionally, enterprises have segmented their virtualized environments using VLANs and logical switches to create distinct virtual networks and security zones. This segmentation was primarily static VM environments. However, this traditional approach to network segmentation is ill-equipped to handle the dynamic nature of Kubernetes environments, where workloads are frequently created and destroyed, leading to rapidly changing network configurations and policies.
Calico’s Solution: Dynamic and Unified Microsegmentation
Calico is designed to address the shortcomings of traditional network segmentation in the age of Kubernetes and container-based architectures. Calico provides a robust, dynamic, and high-performance network policy engine that supports a diverse range of workloads and scales across environments.
Key Features of Calico’s Microsegmentation:
- Unified Security Model: Calico offers a consistent security model across various environments, whether you are managing VMs, containers, or bare metal. This unified approach Continue reading
Embracing Modern Virtualization with Calico’s Microsegmentation
In the rapidly evolving landscape of IT infrastructure, enterprises are increasingly moving away from traditional virtualization platforms due to rising licensing costs and the limitations these older systems impose on modern cloud-native application needs. The shift towards Kubernetes, which can manage diverse workloads such as containers, virtual machines (VMs), and bare metal environments, accelerates the migration from traditional virtualization platforms.
The Limitations of Traditional Network Segmentation
Traditionally, enterprises have segmented their virtualized environments using VLANs and logical switches to create distinct virtual networks and security zones. This segmentation was primarily static VM environments. However, this traditional approach to network segmentation is ill-equipped to handle the dynamic nature of Kubernetes environments, where workloads are frequently created and destroyed, leading to rapidly changing network configurations and policies.
Calico’s Solution: Dynamic and Unified Microsegmentation
Calico’s microsegmentation capabilities are designed to address the shortcomings of traditional network segmentation in the age of Kubernetes and container-based architectures. Calico provides a robust, dynamic, and high-performance network policy engine that supports a diverse range of workloads and scales across environments.
Key Features of Calico’s Microsegmentation:
- Unified Security Model: Calico offers a consistent security model across various environments, whether you are managing VMs, containers, or bare metal. This Continue reading
Calico monthly roundup: June 2024
Welcome to the Calico monthly roundup: June edition! From open source news to live events, we have exciting updates to share—let’s get into it!
S&P Global 451 Market Insight: Tigera Provides Most Comprehensive CNAPP
Learn how Tigera differentiates itself from competitors by focusing on runtime security, aligning with the rapidly growing market category and how it is one of the strong players in this segment. |
| Your Guide to Observability
This guide explains what observability is and shows you how to use Calico’s observability tools. With these tools, you can find and troubleshoot issues with workload communications, performance, and operations in a Kubernetes cluster.Read case study. |
Customer case study: eHealth
Calico helped eHealth gain visibility and implement zero-trust security controls on Amazon EKS. Read the case study to learn more. |
Open source news
Kubernetes network policies: 4 pain points and how to address them – Learn about the challenges of implementing Kubernetes network policies and how to simplify their management and enhance security using Calico. Read blog post.
The power of Kubevirt and Calico – Unlock the combined power of Kubevirt and Calico for your Kubernetes environments. Learn how to streamline VM management, Continue reading
Kubernetes network policies: 4 pain points and how to address them
Kubernetes is used everywhere, from test environments to the most critical production foundations that we use daily, making it undoubtedly a de facto in cloud computing. While this is great news for everyone who works with, administers, and expands Kubernetes, the downside is that it makes Kubernetes a favorable target for malicious actors.
Malicious actors typically exploit flaws in the system to gain access to a portion of the environment. They then chain these flaws together to move laterally within the environment, ultimately seeking root access or access to critical information.
While the best way to fix security flaws in any software is to patch it with appropriate fixes that the project maintainers publish, there are certain security practices that you can adopt to fortify your environment, like using network policies. However, most people find network policies complex and overwhelming, which discourages them from implementing policies in their environment.
In this blog post, we will examine four pain points that people face when they want to implement network policies and provide solutions to help you effectively secure your Kubernetes environment.
What is a network policy and why should I use it?
In Kubernetes, a network policy (KNP) resource is the Continue reading
How to Address Kubernetes Risks and Vulnerabilities Head-on
Misconfigurations and container image vulnerabilities are major causes of Kubernetes threats and risks. According to Gartner, more than 90% of global organizations will be running containerized applications in production by 2027. This is a significant increase from fewer than 40% in 2021. As container adoption soars, Kubernetes remains the dominant container orchestration platform.
Realizing the full benefits of Kubernetes requires implementing processes and solutions to fight vulnerabilities, threats and risks, including issues stemming from human error such as misconfigurations, and inherent vulnerabilities like those from container images. DevOps and security teams need the right solutions to mitigate the risks and enjoy the full benefits of Kubernetes.
Mitigating the Impact of Misconfigurations
While container adoption has taken off, the industry still lacks skilled Kubernetes experts. Kubernetes is a complex platform, and personnel without the right skillset inadvertently — and frequently—make mistakes that create misconfigurations.
In the Red Hat State of Kubernetes Security Report 2023, more than 50% of respondents said they were concerned about misconfigurations and vulnerabilities. And with good reason: The simplest way for attackers to get to a company’s data, applications or code is through a misconfigured Kubernetes cluster. A bad actor needs just one small misconfiguration Continue reading
Calico monthly roundup: May 2024
Welcome to the Calico monthly roundup: May edition! From open source news to live events, we have exciting updates to share—let’s get into it!
What’s new in Calico
Discover the latest enhancements in Calico for Spring 2024, featuring new security capabilities, improved visualization tools, and an advanced workload-centric WAF to streamline and secure your Kubernetes operations. |
Customer case study: NuraLogix
AI-driven healthtech company, NuraLogix, improves security and compliance on Amazon EKS using Calico Cloud. |
Join us at CloudNative SecurityCon 2024 in Seattle We’re gearing up for CloudNative SecurityCon 2024, on June 26 and 27 in Seattle. Be sure to swing by our booth and learn about exciting container networking updates. Plus, pick up some cool new Calico swag! Stay tuned for details.
|
|
S&P Global 451 Market Insight: Tigera Provides Most Comprehensive CNAPP Learn how Tigera differentiates itself from competitors by focusing on runtime security, aligning with the rapidly growing market category and how it is one of the strong players in this segment. |
Open source news
What’s new in 3.28 – Explore the new features in Calico 3.28, including a Grafana dashboard for Typha performance monitoring, Continue reading
Network observability in Kubernetes clusters for better security and faster troubleshooting
For DevOps and platform teams working with containers and Kubernetes, reducing downtime and improving security posture is crucial. A clear understanding of network topology, service interactions, and workload dependencies is required in cloud-native applications. This is essential for securing and optimizing the Kubernetes deployment and minimizing response time in the event of failure.
Network observability can highlight gaps in network policies for applications that require network policy controls to reduce the risk of attack from unsecured egress access or lateral movement of threats within the Kubernetes cluster. However, visualizing workload communication, service dependencies, and active and inactive network security policies presents significant challenges due to the distributed and dynamic nature of Kubernetes workloads.
Why is network observability difficult with Kubernetes workloads?
Kubernetes scales up and scales out pods and creates and destroys services depending on real-time business requirements, resulting in dynamic network connections for each workload instance. Network access policies defined for each workload further impact these connections.
In such a scenario, capturing an accurate and up-to-date representation of network traffic, service dependencies, and network policies is difficult. The default Kubernetes implementation provides limited network traffic visibility and policy information, making it challenging for teams to troubleshoot connectivity issues, improve Continue reading