Calico Enterprise 3.7 adds high availability for Kubernetes clusters

Tigera has released Calico Enterprise 3.7, an update of its security and observability platform for Kubernetes deployments. The update adds high availability through redundant network connection support, plus a new extended Berkeley Packet Filter data plane for higher throughput.

Calico Enterprise is aimed at organisations deploying Kubernetes and containers in a production environment, and targets the complex security, observability and networking challenges this presents, the firm said.

For this reason, the high availability support in this release is designed to ensure reliable and consistent network connectivity to resources located outside of the Kubernetes cluster.

Calico already uses the Border Gateway Protocol (BGP) to peer with infrastructure both within and outside the cluster, and integrates with top-of-rack (ToR) switches to provide that connectivity.

Tigera has added dual ToR connectivity to ensure high availability, providing support for active-active connectivity between the cluster nodes and ToR switches. This simply means that the Kubernetes cluster is peered via two ToR switches and will still have an active link even if one switch becomes unavailable. Kubernetes cannot accomplish this on its own, according to Tigera.

Calico Enterprise automates the process of bootstrapping and configuring BGP peering between cluster nodes and ToR switches before Kubernetes networking is started and the Calico BGP daemon takes over. This removes the need for manual configuration while helping prevent service downtime.

Also in this release is a data plane based on the extended Berkeley Packet Filter (eBPF) technology, taking advantage of the pluggable data plane architecture of Calico Enterprise. According to Tigera, eBPF allows Calico to scale to higher throughput when processing network traffic, requiring less CPU overhead per gigabit compared with the standard Linux data plane, which is based on iptables.

Another advantage of eBPF is that it natively supports Kubernetes services without kube-proxy, which reduces latency and preserves external client source IP addresses.

Tigera said it has also extended the eBPF data plane to offer support for host protection. When combined with Calico’s automatic host endpoints feature, this provides a way to secure both Kubernetes pods and the host systems using a unified policy model, according to the firm, making it easier to create and maintain security policies.

Other new features in Calico Enterprise 3.7 include additional ways for IT teams to monitor Fluentd and Elastic, both key components in Calico Enterprise. Metrics that can now be monitored include Elastic cluster health, Fluentd buffer utilisation, high CPU usage and low available storage.

This release also introduces an improved version of the Dynamic Service Graph, with additional data sources for application-level visibility. According to Tigera, a summary of Layer 7 traffic is now available directly on the details panel when selecting a node or edge on the graph, and users have direct access to application-level flows. This means that IT teams no longer need to pull all the information together from different silos to get an overall picture of the performance of their applications.

For full details of all the new features in Calico Enterprise 3.7, see the Tigera blog on the new release.