Sponsored"> Project Calico and the Challenge of Cloud Native Networking - The New Stack
Modal Title
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
The Transformative Power of SBOMs and IBOMs for Cloud Apps
Jun 15th 2023 9:20am, by Oren Penso
Pulumi: New Features for Infrastructure as Code Automation
Jun 15th 2023 9:00am, by B. Cameron Gain
A CTO’s Guide to Navigating the Cloud Native Ecosystem
Jun 13th 2023 9:39am, by Jess Lulka
Survey Says: Cloud Maturity Matters
Jun 13th 2023 6:20am, by Fredric Paul
The Rise of the Cloud Native Cloud
Jun 12th 2023 9:38am, by John Dietz
A CTO’s Guide to Navigating the Cloud Native Ecosystem
Jun 13th 2023 9:39am, by Jess Lulka
Deploy a Kubernetes Development Environment with Kind
Jun 10th 2023 7:00am, by Jack Wallen
Chainguard Improves Security for Its Container Image Registry
May 31st 2023 6:30am, by Steven J. Vaughan-Nichols
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
How to Containerize a Python Application with Paketo Buildpacks
May 29th 2023 5:00am, by Sylvain Kalache
Creating an IoT Data Pipeline Using InfluxDB and AWS
Jun 5th 2023 10:25am, by Jason Myers
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by Chris J. Preimesberger
Gothenburg, Sweden Used Open Source IoT to Drastically Cut Water Waste
May 23rd 2023 6:58am, by Alex Handy
Building a Plant Monitoring Tool with IoT
May 8th 2023 9:27am, by Zoe Steinkamp
How to Choose and Model Time Series Databases
Apr 28th 2023 3:00am, by Robert Kimani
In the Great Microservices Debate, Value Eats Size for Lunch
Jun 13th 2023 6:10am, by Anoop Balakuntalam
Amazon Prime Video’s Microservices Move Doesn’t Lead to a Monolith after All
Jun 13th 2023 6:00am, by Scott M. Fulton III
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by Susan Hall
RabbitMQ Is Boring, and I Love It
May 15th 2023 6:30am, by Josh Long
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Red Hat Launches OpenStack Platform 17.1 with Enhanced Security
Jun 14th 2023 10:34am, by Steven J. Vaughan-Nichols
WithSecure Pours Energy into Making Software More Efficient
Jun 1st 2023 7:14am, by Joe Fay
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
How to Decide Between a Layer 2 or Layer 3 Network
Apr 25th 2023 10:00am, by Gino Dion
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by Andrew Brust
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by Loraine Lawson
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
IBM's Quiet Approach to AI, Wasm and Serverless
May 4th 2023 6:00am, by Loraine Lawson
Cloud Control Planes for All: Implement Internal Platforms with Crossplane
Apr 13th 2023 10:00am, by Bassam Tabbara
The Architect’s Guide to Storage for AI
Jun 1st 2023 7:44am, by Keith Pijanowski
8 Real-Time Data Best Practices
Jun 1st 2023 5:00am, by Jennifer Riggins
Raft Native: The Foundation for Streaming Data’s Best Future
May 30th 2023 9:44am, by Doug Flora
Why the Document Model Is More Cost-Efficient Than RDBMS
May 25th 2023 9:24am, by Rick Houlihan
Amazon Aurora vs. Redshift: What You Need to Know
May 25th 2023 6:27am, by Casey Samulski
Frontend Development Software Development Typescript WebAssembly Cloud Services Data Machine Learning Security
Canva Launches Developer Platform, Eyes Generative AI Apps
Jun 14th 2023 11:00am, by
Dev News: Apollo Drama, Monster API and Mobile App Discontent
Jun 10th 2023 6:00am, by
Vision Pro for Devs: Easy to Start, but UI Not Revolutionary
Jun 9th 2023 9:09am, by
Dev News: A New Rust Release and Chrome 114 Updates
Jun 3rd 2023 9:00am, by
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by
An E-tailer’s Journey to Real-Time AI: Recommendations
Jun 15th 2023 10:41am, by
How Dell's Data Science Team Benefits from Agile Practices
Jun 15th 2023 9:38am, by
The Transformative Power of SBOMs and IBOMs for Cloud Apps
Jun 15th 2023 9:20am, by
Apache SeaTunnel Integrates Masses of Divergent Data Faster
Jun 15th 2023 6:58am, by
Can Companies Really Self-Host at Scale?
Jun 14th 2023 7:47am, by
70% of Devs Using or Will Use AI, Says Stack Overflow Survey
Jun 14th 2023 10:45am, by
Dev News: A New Rust Release and Chrome 114 Updates
Jun 3rd 2023 9:00am, by
Dev News: New Microsoft Edge Tools and Goodbye Node.js 16
May 27th 2023 6:00am, by
Dev News: Angular v16, plus Node.js and TypeScript Updates
Apr 22nd 2023 4:00am, by
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by
WebAssembly and Go: A Guide to Getting Started (Part 1)
Jun 12th 2023 5:00am, by
WebAssembly and Go: A Guide to Getting Started (Part 2)
Jun 12th 2023 5:00am, by
How WASM (and Rust) Unlocks the Mysteries of Quantum Computing
Jun 8th 2023 3:00am, by
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by
Python and WebAssembly: Elevating Performance for Web Apps
Jun 5th 2023 3:00am, by
Managing Kubernetes Complexity in Multicloud Environments
Jun 15th 2023 7:48am, by
3 AI Moves Smart Companies Get Right
Jun 14th 2023 8:41am, by
Amazon Prime Video’s Microservices Move Doesn’t Lead to a Monolith after All
Jun 13th 2023 6:00am, by
Open Sourcing AWS Cedar Is a Game Changer for IAM
Jun 12th 2023 10:00am, by
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by
An E-tailer’s Journey to Real-Time AI: Recommendations
Jun 15th 2023 10:41am, by
How Dell's Data Science Team Benefits from Agile Practices
Jun 15th 2023 9:38am, by
Apache SeaTunnel Integrates Masses of Divergent Data Faster
Jun 15th 2023 6:58am, by
Salesforce Officially Launches Einstein AI-Based Data Cloud
Jun 15th 2023 5:00am, by
Can Companies Really Self-Host at Scale?
Jun 14th 2023 7:47am, by
3 AI Moves Smart Companies Get Right
Jun 14th 2023 8:41am, by
Google's DeepMind Extends AI with Faster Sort Algorithms
Jun 13th 2023 12:09pm, by
How to Reduce the Hallucinations from Large Language Models
Jun 9th 2023 7:46am, by
Cybersecurity Pioneer Calls for Regulations to Restrain AI
Jun 9th 2023 5:00am, by
How Apache Airflow Better Manages Machine Learning Pipelines
Jun 8th 2023 3:13pm, by
The Transformative Power of SBOMs and IBOMs for Cloud Apps
Jun 15th 2023 9:20am, by
Salesforce Officially Launches Einstein AI-Based Data Cloud
Jun 15th 2023 5:00am, by
Red Hat Launches OpenStack Platform 17.1 with Enhanced Security
Jun 14th 2023 10:34am, by
Survey Says: Cloud Maturity Matters
Jun 13th 2023 6:20am, by
Open Sourcing AWS Cedar Is a Game Changer for IAM
Jun 12th 2023 10:00am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
At PlatformCon: For Realtor.com, Success Is Driven by Stories
Jun 13th 2023 9:31am, by Jennifer Riggins
‘Running Service’ Blueprint for a Kubernetes Developer Portal
Jun 7th 2023 8:30am, by Zohar Einy
Building GPT Applications on Open Source Stack LangChain
Jun 7th 2023 6:58am, by Akmal Chaudhri
Can DevEx Metrics Drive Developer Productivity?
Jun 7th 2023 3:00am, by Jennifer Riggins
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by Paige Cruz
Pulumi: New Features for Infrastructure as Code Automation
Jun 15th 2023 9:00am, by B. Cameron Gain
Managing Kubernetes Complexity in Multicloud Environments
Jun 15th 2023 7:48am, by Hemanth Kavuluru
The Risks of Decomposing Software Components
Jun 14th 2023 12:47pm, by Alex Williams
No More FOMO: Efficiency in SLO-Driven Monitoring
Jun 14th 2023 10:00am, by Imaya Kumar Jagannathan
Can Companies Really Self-Host at Scale?
Jun 14th 2023 7:47am, by Jessica Wachtel
What’s Up with OpenStack in 2023
Jun 14th 2023 7:00am, by Kristin Barrientos
Kubernetes Operators: The Real Reason Your Boss Is Smiling
Jun 14th 2023 6:30am, by Ryan Wallner
Is DevOps Tool Complexity Slowing Down Developer Velocity?
May 17th 2023 6:29am, by Heather Joslyn and Lawrence E Hecht
AI Has Become Integral to the Software Delivery Lifecycle
May 12th 2023 11:01am, by Richard MacManus
4 Core Principles of GitOps
May 11th 2023 2:17pm, by Alex Williams
Neil deGrasse Tyson on AI Fears and Pluto’s Demotion
Jun 9th 2023 6:00am, by Loraine Lawson
Can DevEx Metrics Drive Developer Productivity?
Jun 7th 2023 3:00am, by Jennifer Riggins
Donald Knuth Asked ChatGPT 20 Questions. What Did We Learn?
Jun 4th 2023 6:00am, by David Cassel
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by David Eastman
Defend Open Source from Trolls: Oppose Patent Rule Changes
Jun 2nd 2023 6:49am, by Michael Dolan
Kubernetes Operators: The Real Reason Your Boss Is Smiling
Jun 14th 2023 6:30am, by Ryan Wallner
At PlatformCon: For Realtor.com, Success Is Driven by Stories
Jun 13th 2023 9:31am, by Jennifer Riggins
How DevSecOps Teams Should Approach API Security
Jun 12th 2023 6:30am, by Gary Archer
GitLab All in on AI: CEO Predicts Increased Demand for Coders
Jun 9th 2023 8:26am, by Loraine Lawson
Unlocking DevSecOps' Potential Challenges, Successes, Future
Jun 9th 2023 7:40am, by Steven J. Vaughan-Nichols
Managing Kubernetes Complexity in Multicloud Environments
Jun 15th 2023 7:48am, by Hemanth Kavuluru
Kubernetes Operators: The Real Reason Your Boss Is Smiling
Jun 14th 2023 6:30am, by Ryan Wallner
The First Kubernetes Bill of Materials Standard Arrives
Jun 13th 2023 10:48am, by Steven J. Vaughan-Nichols
The Rise of the Cloud Native Cloud
Jun 12th 2023 9:38am, by John Dietz
Deploy a Kubernetes Development Environment with Kind
Jun 10th 2023 7:00am, by Jack Wallen
No More FOMO: Efficiency in SLO-Driven Monitoring
Jun 14th 2023 10:00am, by Imaya Kumar Jagannathan
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by Susan Hall
Red Hat Ansible Gets Event-Triggered Automation, AI Assist on Playbooks
May 24th 2023 6:22am, by Joab Jackson
Observability: Working with Metrics, Logs and Traces
May 22nd 2023 8:23am, by Jessica Wachtel
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Service Mesh Demand for Kubernetes Shifts to Security
Oct 27th 2022 11:04am, by B. Cameron Gain
Networking / Service Mesh

Project Calico and the Challenge of Cloud Native Networking

KubeCon + CloudNativeCon will feature key maintainers behind popular projects like Kubernetes, Prometheus, gRPC, Envoy, OpenTracing and other domain experts, adopters, and end users to further the education and advancement of cloud native computing.
Apr 25th, 2019 5:00pm by
Featued image for: Project Calico and the Challenge of Cloud Native Networking

This podcast is sponsored by InfluxData and KubeCon+CloudNativeCon. Tigera is a sponsor of The New Stack.


Project Calico and the Challenge of Cloud Native Networking

Listen to all TNS podcasts on Simplecast.

Christopher Liljenstolpe is the founder and chief technology officer of Tigera, a provider of cloud native security and networking software. He formed Tigera to offer commercial support for Project Calico, a control plane he created for cloud native applications.  In this episode of The New Stack Analysts podcast, TNS Managing Editor Joab Jackson and TNS contributing analyst Janakiram MSV talk with Liljenstolpe about Calico’s creation, overlay networks, service meshes and IPv6.

Key Takeaways

  • Originally created for OpenStack, Calico was designed to make it easy to get data packets from one part of the network to another, using the Internet technologies like IP routing, rather than switching, virtual networks, overlay networks or other complex approaches.
  • This form of networking offers only a coarse-grained isolation across nodes, so Calico uses real-time distributed filtering engines to control which nodes can communicate with one another, in effect acting as a network policy enforcement tool.
  • Anticipating containers, Calico was designed for very dynamic environments, and can manage hundreds of thousands of end-points that can change location at any time.
  • Each host makes filtering decisions, allowing the system as a whole to easily scale. The filters can be located on the underlying hosts, and also can be installed in the pod itself to manage higher-level policies, working with data from services meshes and Kubernetes.
  • To get the higher level data, Calico listens to events from the Kubernetes API Server, for metadata changes and policy additions from the Container Networking Interface (CNI) and the Kubernetes Policy API.
  • Calico is not dependent on an orchestrator. It can also run on bare metal. It can also support and track non-Kubernetes legacy applications and cloud services.
  • Calico meshes very well with Google’s Zero Trust Security model, which assume networks and hosts will be breached, and so limits the amount of damage that can be done. “We not only protect the rest of the workloads from the rest of the workload, we also protect the rest of the world from the workload,” Liljenstolpe said, talking about multiple authentication checks on both inbound and outbound traffic on a per-object basis.
  • Although Calico superficially resembles a sort of SE Linux for networking, it is a lot easier to deploy and manage. “We tried to make this very easy to understand,” Liljenstolpe said.
    • On Calico vs. Flannel: Flannel doesn’t have to be integrated with the underlying infrastructure. Calico can also operate in this “overlay network” mode, but can also integrate with the infrastructure for greater ease-of-use: no onloading and offloading of the overlay network, less address spaces are required. Tigera also contributes to the Flannel project.
    • Calico and the Zero Trust model, in general, simplifies a lot of the overhead dealing with traditional security measures, such as making changes in the firewall rules, which typically involve submitting requests to the security team and waiting for a review against all the other policies. Calico’s tiered policy model streamlines this process by ensuring broad compliance policies (i.e. no PCI compliant component can communicate with a non-PCI components) are enforced while giving the freedom to developers to make the local changes alone.
    • Tigera offers a number of visualization tools to understand where traffic flows. IP addresses, which change rapidly for sources, are annotated by the metadata from the orchestrator. Real-time compliance reports can be easily generated, or the data can be easily shipped off to a search engine, such as Elastic.

In this Edition:

1:43: What is Calico?
11:25: How does Calico get this information from Kubernetes, and how does this look for the Kubernetes administrator?
21:02: What is the difference between Flannel and Calico, and when should developers choose one over the other?
27:15: Why firewall changes take so long, and how Tigera aims to solve that problem
35:15: Moving into multi-cloud operations
37:36: Where do you see the Calico network stopping Istio from taking over, and where do you see these lines getting blurred and converging?

The OpenStack Foundation is a sponsor of The New Stack.

Feature Image by sweetmeatone from Pixabay.

Group Created with Sketch.
Joab Jackson is Editor-in-Chief for The New Stack, assuring that the TNS website gets a fresh batch of cloud native news, tutorials and perspectives each day. He has reported on infrastructure IT for over 25 years, including stints at IDG...
Read more from Joab Jackson
SHARE THIS STORY
RELATED STORIES
Can Companies Really Self-Host at Scale? Creating an IoT Data Pipeline Using InfluxDB and AWS Observability: Working with Metrics, Logs and Traces Building a Plant Monitoring Tool with IoT Perform Distributed Tracing with Zipkin
TNS owner Insight Partners is an investor in: The New Stack, Tigera, Real.
RELATED STORIES
Can Companies Really Self-Host at Scale? Creating an IoT Data Pipeline Using InfluxDB and AWS Observability: Working with Metrics, Logs and Traces Building a Plant Monitoring Tool with IoT Perform Distributed Tracing with Zipkin
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.