What’s new in Calico v3.26

We are excited to announce the release of Calico v3.26! This latest milestone brings a range of enhancements and new features to the Calico ecosystem, delivering an optimized and secure networking solution. This release has a strong emphasis on product performance, with strengthened security measures, expanded compatibility with Windows Server 2022 and OpenStack Yoga, and notable improvements to the Calico eBPF dataplane.

As always, let’s begin by thanking our awesome community members who helped us in this release.

Community shoutout

Big thanks to our GitHub users afshin-deriv, blue-troy, and winstonu for their valuable contributions in enhancing the Kind installation and VXLAN documentation, as well as improving the code comments.

Additionally, we would like to extend our appreciation to laibe and yankay for their efforts in updating the flannel version and improving the iptables detection mechanism. Their contributions have been instrumental in improving the overall functionality and reliability of our project.

Finally, a huge thank-you to dilyevsky, detailyang, mayurjadhavibm, and olljanat for going above and beyond in pushing Calico beyond its original scope and for generously sharing their solutions with the rest of the community.

Community-driven enhancement request: Fine-grained BGP route control

The primary responsibility of a routing protocol is to facilitate the exchange of local route information with remote peers, ensuring an updated and comprehensive route map for efficient traffic management. The BGPFilter resource added in this release lets you limit the route information you share with your BGP peers, and it also lets you block routes that might be harmful or unnecessary for your setup.

The BGPFilter resource has two primary specifications: “import,” which influences routes imported from BGP peers, and “export,” which impacts routes exported to peers. Both specifications cover IPv4 and IPv6 CIDRs, which is why each specification name ends with the IP version it applies to. For instance, “importV4” is the field that holds IPv4 import rules.

kind: BGPFilter
apiVersion: projectcalico.org/v3
metadata:
 name: first-bgp-filter
spec:
 exportV4:
   - action: Accept
     matchOperator: In
     cidr: 77.0.0.0/16
 importV4:
   - action: Accept
     matchOperator: NotIn
     cidr: 44.0.0.0/16

Learn more about BGP filters by reading our docs: Configure a BGP filter
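
To check what a filter does to a set of candidate routes before attaching it to a peering, the following added example (not code from Calico or from this post) evaluates BGPFilter rule lists in Python. It assumes rules are tried in order with the first match deciding, and that “In” means the route is the rule's CIDR or a more specific prefix inside it; STRICT_SPEC and the function names are hypothetical.

```python
import ipaddress

# The sample filter from this post, transcribed as a dict.
SAMPLE_SPEC = {
    "exportV4": [{"action": "Accept", "matchOperator": "In", "cidr": "77.0.0.0/16"}],
    "importV4": [{"action": "Accept", "matchOperator": "NotIn", "cidr": "44.0.0.0/16"}],
}

# Hypothetical stricter variant (constructed for this example): export only
# 77.0.0.0/16 and refuse anything a peer advertises inside 44.0.0.0/16.
STRICT_SPEC = {
    "exportV4": [
        {"action": "Accept", "matchOperator": "In", "cidr": "77.0.0.0/16"},
        {"action": "Reject", "matchOperator": "In", "cidr": "0.0.0.0/0"},
    ],
    "importV4": [{"action": "Reject", "matchOperator": "In", "cidr": "44.0.0.0/16"}],
}


def rule_matches(rule, route):
    """Apply one rule's matchOperator to a route prefix (assumed semantics)."""
    net = ipaddress.ip_network(route)
    cidr = ipaddress.ip_network(rule["cidr"])
    op = rule["matchOperator"]
    if op == "Equal":
        return net == cidr
    if op == "NotEqual":
        return net != cidr
    if op == "In":  # route is the CIDR itself or a more specific prefix
        return net.subnet_of(cidr)
    if op == "NotIn":
        return not net.subnet_of(cidr)
    raise ValueError(f"unknown matchOperator: {op}")


def evaluate(spec, direction, route):
    """Return the first matching rule's action, or None when no rule matches."""
    for rule in spec.get(direction, []):
        if rule_matches(rule, route):
            return rule["action"]
    return None  # the filter is silent; the peering's normal handling applies


def rejected(spec, direction, routes):
    """List the candidate routes that the filter explicitly rejects."""
    return [r for r in routes if evaluate(spec, direction, r) == "Reject"]
```

Under these assumptions the sample filter never returns “Reject” for any route, because it contains only Accept rules; blocking a prefix requires an explicit Reject rule, as in the stricter variant.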

Increased scalability across all data planes

This release also provides a couple of performance improvements for Felix, the brain of Calico. One significant enhancement is the complete offloading of route filtering processes to the Linux kernel, resulting in a remarkable reduction in CPU usage (including garbage collection) on systems that handle numerous interfaces, pods, and routes.

To view the data on these improvements, read this blog: Calico’s 3.26.0 update unlocks high density vertical scaling in Kubernetes. The blog also comes with a step-by-step guide to help you test the improvements in your local environment.

eBPF dataplane improvements

With the goal of improving cloud networking and security for everyone, the Calico v3.26 release brings many improvements and enhancements to our eBPF-based dataplane.

Azure Kubernetes Service

The Calico eBPF dataplane direct service return (DSR) mode is a feature that eliminates the intermediate network hop for external traffic to services such as node ports. DSR reduces latency for forwarded nodeport connections. However, it’s important to note that in public cloud providers, custom configurations are required for DSR to function properly.

For example, in an AKS cluster, load balancer health probes originate from a specific IP address, 168.63.129.16. This can cause a problem in DSR mode. To avoid it, you can set the newly added “BPFDSROptoutCIDRs” value to “168.63.129.16/32” in the Calico-Felix configuration so that DSR mode does not affect the health probe.

Use the following command to prevent the health check from failing in DSR mode:

kubectl patch felixconfiguration default --type merge --patch='{"spec": {"bpfDSROptoutCIDRs": ["168.63.129.16/32"]}}'

Topology-aware hints

Topology Aware Routing is a routing mechanism that intelligently adjusts the behavior of routes to prioritize keeping traffic within the zone it originated from. This approach is beneficial in certain scenarios, as it has the potential to reduce costs and enhance network performance by optimizing traffic flow within specific zones. The Calico eBPF dataplane now supports these hints and can select service backends based on these hints.

As always, you can find the full list of changes in our release notes.

Join our community

If you would like to work on the next anticipated Calico Open Source feature, join our contributor’s Slack channel. Feel free to tell us about your vision and the community will help you achieve it.

You’re also welcome to take part in our next virtual community meeting event, where we discuss the future of Calico Open Source and spotlight community members who might have built some of your favorite features.

Did you know we have an ambassador program? Join Calico Big Cats today and help us grow our Calico Open Source community.
