As our enterprise customers build out large, multi-cluster Kubernetes environments, they are encountering an entirely new set of complex security, observability, and networking challenges, requiring solutions that operate at scale and can be deployed both on-premises and across multiple clouds. New features in our latest release add to the already formidable capabilities of Calico Enterprise.
Many platform operators who run Kubernetes on-premises want to leverage Border Gateway Protocol (BGP) to peer with other infrastructure. Calico uses BGP to peer with infrastructure within the cluster as well as outside of the cluster, and integrates with top-of-rack (ToR) switches to provide that connectivity.
Calico ToR connectivity has existed for some time now. However, for cluster operators using BGP who need reliable, consistent connectivity to resources outside of the cluster as well as cluster nodes on different racks, Calico Enterprise dual ToR connectivity ensures high availability with active-active redundant connectivity planes between cluster nodes and ToR switches. A cluster that is peered to two ToR switches will still have an active link, even if one switch becomes unavailable, thus ensuring the cluster always has a network connection. Kubernetes cannot do this on its own.
Calico Enterprise dual ToR peering provides a redundant path for customers with cluster applications that cannot tolerate service downtime or failure, and require a high-availability solution. Calico:
For Calico customers, the operational benefits are many.
For more details, check out these resources:
Calico was designed from the ground up with a pluggable data plane architecture. Now the new eBPF (extended Berkeley Packet Filter) data plane is available in Calico Enterprise.
When compared with the standard Linux data plane (based on iptables), the eBPF data plane:
The following diagrams illustrate the relative performance and latency of eBPF vs. the standard Linux data plane.
Calico has extended its eBPF data plane to offer support for host protection. When combined with Calico’s automatic host endpoints feature, this offers a way to secure Kubernetes pods and hosts together using a unified policy model. By deploying Calico for host protection as well as for pod security, your host protection policy becomes just as dynamic as your workload policy, and matches the identity of the workload (carried in its metadata labels).
For a deeper dive into the eBPF data plane, check out:
Calico now offers a single framework to define policies across hosts, VMs, containers, and Kubernetes. You can now generate flow logs for traffic at the host levels (i.e. host endpoints in Calico) between Kubernetes nodes and external hosts or VMs. This simplifies the process of creating host-level policies by viewing the traffic between host endpoints and determining the appropriate rules to accept or decline connection.
Calico Enterprise 3.7 introduces new ways for administrators to monitor Fluentd and Elastic, both of which are key components of Calico Enterprise. Calico Enterprise administrators can now monitor the health of the overall platform and the components it relies on.
Administrators can access the following metrics for Elastic and Fluentd:
These additional metrics can assist in monitoring and improving the health and uptime of Calico Enterprise.
Calico Enterprise 3.7 introduces an improved version of Dynamic Service Graph that includes improved performance and integrates several new data sources for application-level visibility, process information, and socket stats.
A summary of Layer 7/HTTP traffic is now included directly on the details panel when selecting a node or edge on the graph, and an additional tab provides direct access to application-level flows for troubleshooting scenarios where additional metadata may be required.
DevOps teams, site reliability engineers (SREs), and platform architects don’t need to pull this information from different silos and then stitch it together to understand the performance of their applications. Calico provides correlated information including HTTP, process info, and socket stats to enable live troubleshooting.
Get updates on blog posts, new releases and more!