Tigera adds eBPF support to Calico
Calico provides users flexibility by detecting and choosing the right tool for the right job.
One of our core values at Tigera is Our customer is the hero of our story. We consider the OpenSource users of Project Calico our customers and we intently listen to their needs to continuously deliver new capabilities and enhanced performance. We believe this works, as evidenced by all four major cloud providers selecting Calico for network security for their Kubernetes services – they selected us because they also listen closely to their customers, and Tigera is committed to advancing Calico to continue to be the best policy engine available to our users.
We have been watching with interest some of the new advances to the Linux kernel, including the latest additions to eBPF (extended Berkeley Packet Filter) that offer some pretty exciting new capabilities. Many enterprise users are not ready to adopt the very latest Linux kernels and will want to wait for these features to mature some more, but we do expect they will become mainstream over the next few years, and some users will be willing to take the plunge well ahead of the masses.
Calico was designed from the start with a fully pluggable data plane. This has allowed us to select the best technologies for the job at hand. We currently use the standard Linux kernel data plane as well as Windows Host Networking Service (HNS). We are now well on our way to adding another full data plane to Calico built on eBPF.
With this announcement, we are future-proofing our customer’s investment in Calico and showing our commitment to continuing to provide the most advanced, scalable, and reliable solutions for Kubernetes network security.
Over the next few Calico releases, you’ll see the results of our work, starting with uses cases that have the most real-world value.
Calico 3.7, announced in May 2019, uses BPF to improve on an existing popular Calico use case for mitigation of Denial of Service (Dos) attacks. Prior to Calico 3.7, Calico used the iptables “raw” table to implement doNotTrack rules achieving impressive performance. With 3.7, we’ve taken this a step further and Calico will automatically offload to the NIC driver or NIC hardware (if supported by the NIC) using XDP to attach a BPF program to process the packets before they even reach the Linux kernel.
Calico 3.8 is planned for release in June 2019 and will include Envoy sidecar acceleration that improves the networking throughput of Istio using eBPF features. Envoy sidecar acceleration uses eBPF sockmap to bypass much of the networking overhead of the sidecar architecture.
Calico is currently running on well over 100,000 Kubernetes clusters worldwide and has provided near bare-metal performance and high scalability for our customers for years. As new Linux kernel features are released that can help make Calico deliver additional functionality or better performance, we are committed to our customers and users to deliver the absolute best policy engine on the market today; keeping up with the pace of technology adoption by our most-advanced users, while committing to serve all users regardless of where they are on their adoption of the latest kernels.