What’s new in Calico Enterprise 3.9: Live troubleshooting and resource-efficient application-level observability

We are excited to announce Calico Enterprise 3.9, which provides faster and simpler live troubleshooting using Dynamic Packet Capture for organizations while meeting regulatory and compliance requirements to access the underlying data. The release makes application-level observability resource-efficient, less security intrusive, and easier to manage. It also includes pod-to-pod encryption with Microsoft AKS and AWS EKS with AWS CNI.

Live troubleshooting

Enterprises that want to carry out live troubleshooting in their production environments face the following challenges when doing packet capture at an organizational scale:

  • Difficult to limit access to packet capture by organizational roles
  • Takes hours to days to setting up packet capture instead of making part of the code
  • Extremely difficult to capture the right amount of data to lessen storage and compute cost
  • Spend days and weeks to correlate the data collected from different Kubernetes components such as namespaces, workloads, pods, microservices

With Dynamic Packet Capture, organizations can enable DevOps, SREs, service owners to collect the data that they need when they need it. They can filter the data based on protocol and port to fine-tune their capture for faster debugging and subsequent analysis for shorter time-to-resolution. With just-in-time data collection and built-in smart correlation, they get workload and Kubernetes context during data aggregation. DevOps, SREs, and service owners don’t need to spend time collecting massive data and building correlations across different services, namespaces, workloads, and pods. All the information, accompanied by workload and Kubernetes context, is available. This means they can pinpoint the problem and resolve it in minutes.

Dynamic Packet Capture also integrates with Kubernetes role-based access control (RBAC). Teams get live, self-service, on-demand troubleshooting capabilities, according to their roles, that provide visibility into their specific application’s behavior, services, service dependencies, external APIs, and service interactions. Assigning access by role reduces security and compliance risk since teams don’t have unrestricted access to all namespaces within a cluster to initiate packet capture. This eliminates the unintentional HIPAA, PCI, SOC2 compliance violations that may occur on Kubernetes workloads due to incorrect initiation of packet capture.

To summarize, the Dynamic Packet Capture available in 3.9 offers the following observability and troubleshooting benefits:

  • Standardize packet capture for troubleshooting Kubernetes environments
  • Leverage built-in Kubernetes context for workload, microservices, namespaces, and pods for faster analysis
  • Enable self-service, on-demand packet capture for troubleshooting based on role permissions defined with Kubernetes RBAC
  • Troubleshoot your Kubernetes environment faster with less operational overhead
  • Prevent unauthorized access by not circumventing role permissions defined with Kubernetes RBAC
  • Ensure regulatory compliance (e.g. PCI, SOC 2) for troubleshooting when doing packet capture and analysis

Application-level observability

DevOps, SREs, service owners, and platform engineers now have an operationally simpler alternative to service mesh for application-level observability and control. Calico Enterprise 3.9 provides Envoy integration with the data plane as a DaemonSet, making it less invasive to the pods that make up microservices.

Sidecar vs DaemonSet approach to application-level observability

With Calico Enterprise 3.9, operational complexity and performance overhead for application-level observability is reduced due to the following reasons:

  • Users only need to manage and operate one Envoy proxy per node, instead of multiple sidecars for each pod, leading to reduced security risk footprint
  • Application-level information that includes Kubernetes-related context and correlation with other components allows for easier troubleshooting
  • The use of DaemonSet instead of multiple sidecars on a per-node basis leads to less CPU and memory consumption

With 3.9, users also get data-in-transit encryption for node-to-node communication within Microsoft AKS and AWS EKS.


To try these Calico Enterprise features, sign up for a free trial of Calico Cloud.


Next steps:

Join our mailing list

Get updates on blog posts, workshops, certification programs, new releases, and more!