What’s new in Calico v3.27

Calico v3.27 is out 🎉 and there are a lot of new features, updates, and improvements that are packed into this release. Here is a breakdown of the most important changes:

  • Significant performance improvements, especially for extremely large clusters
  • Calico VPP dataplane is now GA
  • Calico eBPF dataplane now supports IPv6 (Tech preview)
  • Easier Windows cluster operations managed by the Tigera operator (Windows HostProcess Container support)

Calico community support and impact

Before we jump into the exciting updates, it is important to highlight the role of our Slack community. Our community is inclusive and its sole purpose is to help you in your Kubernetes, eBPF and networking journey.

Join the Calico users Slack group for support and discussions with other Calico users and developers. Similar to our other releases, a big shoutout to our incredible community members who’ve been instrumental in shaping this release. Let’s take a moment to express our gratitude for their valuable contributions. Also, let’s celebrate the achievements of those community members who have successfully merged their first pull request into the Project Calico GitHub repo.

Community shout-out

A huge shout-out goes to sknat, AloysAugustin, hedibouattour, fgschwan, zvfvrv, onong, hexotic, MathiasRaoul, ondrej-fabry, chinthagovardhan, and haiyuewa who contributed to the Calico VPP dataplane and shared it with the community!

Another shout-out goes to rodrigorfk, alex-matei, and JuoCode for improving Project Calico and contributing the changes to the community. Their changes allow Typha to better handle malicious connections, make interface migration even faster, and improve IPAM garbage collection.

Another shout-out goes to SonalDeshmukh1, davidgiga1993, pepesi, oxr463, MiladYarmohammadi, nimimeht, Rajalakshmi-Girish for making Calico even more compatible with different architectures.

Another round of applause goes to rposts, skmatti, Juneezee, si458, wedaly, zhangguanzhang, 2rs2ts, testwill, and krnowak, who spotted pain points in our README and Makefiles and took the opportunity to contribute their fixes, making it even easier for everyone to use Project Calico.

Significant performance improvements, especially for extremely large clusters

On the back of feedback from an enterprise customer that is running 15,000+ nodes with thousands of network policies (in total) and over 750 policies active on each node, we’ve made some big performance improvements to Felix and we’ve put them all into v3.27! The changes touch several areas:

  • In the calculation engine, we replaced a couple of O(n^2) algorithms and made lots of minor tuning improvements. These improvements give the biggest “win” and they apply to all dataplanes.
  • In the iptables dataplane, we refactored IP set programming for faster sync after a restart and to rate limit deletions of IP sets to avoid blocking the main loop. Deleting IP sets that are no longer needed was a surprising bottleneck that impacted very large rule sets.
  • In the kernel driver layer, we fine-tuned how iptables rules are maintained to avoid back-to-back rescans; this reduces CPU usage at high numbers of rules.

What can you expect from these improvements? If you’re at large scale, the wins are game changing; we measured a 50x reduction in CPU usage and policy processing time for that customer’s policy set (reducing overall cold start time from an unacceptable 60s to a little over 3s). At small to medium scale the wins are a bit smaller but you should still see a significant reduction in CPU usage, especially if you use a lot of policies and selectors, or if you have heavy workload churn.

Calico VPP dataplane is now GA

The Calico VPP data plane is the fourth addition to the pluggable data plane arsenal, and it enables transparent user-space packet processing for the Kubernetes environment as a whole, i.e. service load balancing, encapsulation, policy enforcement, and encryption. In the 3.27 release, it is now Generally Available to users of the Calico CNI.

The Calico VPP data plane brings the performance, flexibility, and observability of VPP to Kubernetes networking. It comes with the standard Calico features, and also many additions leveraging its userspace nature that enable whole new classes of workloads to run on Kubernetes.

Learn more about Calico VPP in our docs: Calico VPP dataplane

Calico eBPF dataplane IPv6 (tech preview)

During our KubeCon NA Chicago event, we saw a lot of desire for IPv6 support for the Calico eBPF dataplane, mostly because of cloud-provider incentives that could lower the cost of day-to-day maintenance. The Calico 3.27 release adds support for IPv6 within the Calico eBPF dataplane, which allows users to enjoy the throughput of our eBPF dataplane with the scalability of IPv6 addressing to build extremely large clusters.

After a significant refactoring of the codebase, Calico’s eBPF dataplane now has support for IPv6. In this first iteration, only single stack mode is supported so we’re marking it as “tech preview”.

Learn more about the Calico eBPF dataplane in our docs: Enabling Calico eBPF

Tigera Operator: The key to hassle-free Windows node maintenance

Thanks to HostProcess Containers (HPC), Calico for Windows is now fully supported by the Tigera operator. Operator support marks a significant milestone: HPC addresses a common challenge that DevOps and platform engineers face when setting up a hybrid environment, by streamlining access to the root silo from within a containerized environment. With this enhancement, installing the essential requirements for running a hybrid environment is as easy as updating a Kubernetes custom resource.

This streamlined approach underscores Calico’s commitment to simplifying and enhancing the management of containerized environments, offering a more efficient and user-friendly experience for developers and platform engineers.

But wait, there is more!!!

As always, you can find the full list of changes in our release notes.

If you would like to work on the next anticipated Calico Open Source feature, join our contributors’ Slack channel. Feel free to tell us about your vision and the community will help you achieve it.

You’re also welcome to take part in our next virtual community meeting event, where we discuss the future of Calico Open Source and spotlight community members who might have made some of the favorite features you are currently using.

Did you know we have an ambassador program? Join Calico Big Cats today and help us grow our Calico Open Source community.
