As our enterprise customers build out large, multi-cluster Kubernetes environments, they are encountering an entirely new set of complex security, observability, and networking challenges, requiring solutions that operate at scale and can be deployed both on-premises and across multiple clouds. New features in our latest release add to the already formidable capabilities of Calico Enterprise.
New feature: High-availability connectivity for Kubernetes with dual ToR
Many platform operators who run Kubernetes on-premises want to leverage Border Gateway Protocol (BGP) to peer with other infrastructure. Calico uses BGP to peer with infrastructure within the cluster as well as outside of the cluster, and integrates with top-of-rack (ToR) switches to provide that connectivity.
Calico ToR connectivity has existed for some time now. However, for cluster operators using BGP who need reliable, consistent connectivity to resources outside of the cluster as well as cluster nodes on different racks, Calico Enterprise dual ToR connectivity ensures high availability with active-active redundant connectivity planes between cluster nodes and ToR switches. A cluster that is peered to two ToR switches will still have an active link, even if one switch becomes unavailable, thus ensuring the cluster always has a network connection. Kubernetes cannot do this on its own.
Calico Enterprise dual ToR peering provides a redundant path for customers with cluster applications that cannot tolerate service downtime or failure, and require a high-availability solution. Calico:
- Enables cluster operators to connect with, and take advantage of, dual ToR switches
- Provides two active, independent planes of connectivity between cluster nodes when a dual plane cluster is connected to a dual ToR switch
- Automates the process of bootstrapping and configuring BGP peering between cluster nodes and ToR switches before Kubernetes networking is started and the Calico BGP daemon (BIRD) takes over
For Calico customers, the operational benefits are many.
- Ensures high availability with active-active redundant connectivity planes between cluster nodes and ToR switches
- Prevents service downtime so that, if a link or software component breaks somewhere in one of the planes, cluster nodes can still communicate over the other plane, and the cluster as a whole continues to operate normally
- Eliminates the complex, time-consuming manual process of bootstrapping and configuring BGP peering
For more details, check out these resources:
- Deploy a Dual ToR Cluster provides detailed instructions on how to deploy a dual plane cluster to provide redundant connectivity between your workloads for on-premises deployments
New feature: eBPF data plane
Calico was designed from the ground up with a pluggable data plane architecture. Now the new eBPF (extended Berkeley Packet Filter) data plane is available in Calico Enterprise.
When compared with the standard Linux data plane (based on iptables), the eBPF data plane:
- Scales to higher throughput, using less CPU per Gbit
- Natively supports Kubernetes services (without kube-proxy) in a way that:
  - Reduces latency
  - Preserves external client source IP addresses
  - Supports direct server return (DSR) for reduced latency and CPU usage
  - Uses less CPU than kube-proxy to keep the data plane in sync
The following diagrams illustrate the relative performance and latency of eBPF vs. the standard Linux data plane.
Support for host protection
Calico has extended its eBPF data plane to offer support for host protection. When combined with Calico’s automatic host endpoints feature, this offers a way to secure Kubernetes pods and hosts together using a unified policy model. By deploying Calico for host protection as well as for pod security, your host protection policy becomes just as dynamic as your workload policy, and matches the identity of the workload (carried in its metadata labels).
With the addition of eBPF, Calico Enterprise now includes three data planes:
- Standard Linux
- Windows HNS
- eBPF
The eBPF data plane also:
- Preserves the source IP of external connections by using Calico’s eBPF data plane as a replacement for kube-proxy
- Scales to higher throughput versus the standard Linux data plane
- Reduces latency by using DSR and eliminating the need for source network address translation (SNAT)
- Makes it easier to write security policy
For a deeper dive into the eBPF data plane, check out:
- Our Calico Enterprise eBPF data plane documentation, which includes a detailed comparison of eBPF versus the standard Linux data plane, as well as an architectural overview.
- This blog post, which provides an easy-to-digest summary of eBPF benefits and features.
New feature: Flow logs for host endpoints
Calico now offers a single framework to define policies across hosts, VMs, containers, and Kubernetes. You can now generate flow logs for traffic at the host level (i.e., host endpoints in Calico) between Kubernetes nodes and external hosts or VMs. This simplifies the process of creating host-level policies: you can view the traffic between host endpoints and determine the appropriate rules to accept or deny connections.
- Facilitates policy creation – Observe and review host endpoint traffic to create security policies
- Enables rapid troubleshooting – Review flow log data to troubleshoot issues related to host endpoints
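As an added example of the workflow described above (and of the unified host-and-pod policy model from the host protection section), here is a small script, not part of Calico or this post, that groups host endpoint flow log records by destination host, protocol, port and action, and drafts a GlobalNetworkPolicy that allows only the flows the host already accepted while listing the denied ones for review. The sample records are constructed; the flow log field names (`dest_type`, `reporter`, `dest_name`, `proto`, `action`, …) follow the Calico Enterprise flow log schema as I understand it, and the `kubernetes.io/hostname` selector assumes automatic host endpoints carry the node's hostname label.

```python
import json
from collections import defaultdict

# Constructed sample flow log records (one JSON object per line), not from a real
# cluster. Field names follow the Calico Enterprise flow log schema as I understand
# it (assumption); dest_type "hep" means the destination is a host endpoint.
SAMPLE_FLOW_LOGS = "\n".join(json.dumps(r) for r in [
    {"source_type": "net", "source_ip": "10.10.1.25", "dest_type": "hep", "dest_name": "node-1",
     "dest_port": 22, "proto": "tcp", "action": "allow", "reporter": "dst", "num_flows": 4},
    {"source_type": "net", "source_ip": "10.10.1.26", "dest_type": "hep", "dest_name": "node-1",
     "dest_port": 22, "proto": "tcp", "action": "allow", "reporter": "dst", "num_flows": 1},
    {"source_type": "net", "source_ip": "203.0.113.9", "dest_type": "hep", "dest_name": "node-1",
     "dest_port": 10250, "proto": "tcp", "action": "deny", "reporter": "dst", "num_flows": 37},
    {"source_type": "wep", "source_name_aggr": "web-*", "dest_type": "wep", "dest_name_aggr": "api-*",
     "dest_port": 8080, "proto": "tcp", "action": "allow", "reporter": "dst", "num_flows": 12},
])  # last record is pod-to-pod and must be ignored


def summarize_hep_flows(text):
    """Group inbound host-endpoint flows by (host, proto, port, action) -> source IPs."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = json.loads(line)
        # Keep only flows to a host endpoint, as reported by the receiving host.
        if rec.get("dest_type") != "hep" or rec.get("reporter") != "dst":
            continue
        key = (rec["dest_name"], rec["proto"], rec["dest_port"], rec["action"])
        summary[key].add(rec.get("source_ip"))
    return summary


def draft_host_policy(summary, host):
    """Draft a GlobalNetworkPolicy that allows only the observed, already-allowed
    inbound flows to `host`; observed denies are returned separately for review."""
    ingress, denied = [], []
    for (h, proto, port, action), sources in sorted(summary.items()):
        if h != host:
            continue
        nets = sorted(f"{ip}/32" for ip in sources if ip)  # aggregated flows may lack an IP
        if action == "allow":
            ingress.append({"action": "Allow", "protocol": proto.upper(),
                            "source": {"nets": nets}, "destination": {"ports": [port]}})
        else:
            denied.append({"protocol": proto, "port": port, "sources": nets})
    # Selector assumes automatic host endpoints carry the node's hostname label (assumption).
    return {"apiVersion": "projectcalico.org/v3", "kind": "GlobalNetworkPolicy",
            "metadata": {"name": f"observed-ingress-{host}"},
            "spec": {"selector": f"kubernetes.io/hostname == '{host}'",
                     "types": ["Ingress"], "ingress": ingress}}, denied
```

The drafted policy is a starting point only: review the allowed sources before applying it, and treat the returned denies as the list of connections to investigate.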
New feature: Elastic and Fluentd monitoring and alerting
Calico Enterprise 3.7 introduces new ways for administrators to monitor Fluentd and Elastic, both of which are key components of Calico Enterprise. Calico Enterprise administrators can now monitor the health of the overall platform and the components it relies on.
Administrators can access the following metrics for Elastic and Fluentd:
- Elastic cluster health (up or down)
- Low storage
- High CPU usage
- High JVM memory usage
- Slow queries
- Fluentd buffer utilization
These additional metrics can assist in monitoring and improving the health and uptime of Calico Enterprise.
New feature: Additional data sources in Dynamic Service Graph
Calico Enterprise 3.7 introduces an improved version of Dynamic Service Graph that includes improved performance and integrates several new data sources for application-level visibility, process information, and socket stats.
A summary of Layer 7/HTTP traffic is now included directly on the details panel when selecting a node or edge on the graph, and an additional tab provides direct access to application-level flows for troubleshooting scenarios where additional metadata may be required.
DevOps teams, site reliability engineers (SREs), and platform architects don’t need to pull this information from different silos and then stitch it together to understand the performance of their applications. Calico provides correlated information including HTTP, process info, and socket stats to enable live troubleshooting.
- Enables faster detection and resolution of performance bottlenecks
- Enables live troubleshooting of connectivity issues across the Kubernetes environment
- Enables high-fidelity visualization of communication between Kubernetes cluster components