We’re pleased to announce Calico v3.0!
Calico v3.0 introduces namespaces. Policy can now be defined either per-namespace or at a global scope. Per-namespace network policies apply only to endpoints in the same namespace, while global network policies apply to all endpoints in the cluster.
Network policy rules can also now select entire namespaces using a native namespace selector, making it easier to define coarse-grained policy between multiple namespaces.
Namespaces provide a useful mechanism to help organize your network policy based on user, team, application, development stage, or other criteria.
Calico endpoints now support named ports, which can be referenced in Calico policy rules. This provides an abstraction above port numbers, allowing users to write policies that don’t depend on port numbers, which may vary across application deployments.
Kubernetes API datastore improvements
You can now create, read, update, and delete Calico policies stored in the Kubernetes API datastore using calicoctl. For users who have deployed using the Kubernetes API data store, this means access to a richer set of policy semantics than offered by the Kubernetes NetworkPolicy API.
Support for the etcd v3 API
In v3.0, Calico begins to use the etcd v3 API and removes support for the etcd v2 API. This aligns with Kubernetes, helping to simplify etcd operational considerations like backup and restore. The etcd v3 API also provides significant performance improvements over the v2 API.
Existing Calico users must perform a one-time migration to move their data from the etcd v2 data model to the etcd v3 data model. Refer to the upgrade documentation for step-by-step instructions.
Application layer policies
Calico v3.0 includes a tech preview of layer 5-7 policy enforcement. With this, Calico can enforce policy based on Kubernetes service accounts and HTTP request types, right alongside existing layer 3-4 policy. There’s plenty more to come in this area, so stay tuned! In the meantime, you can try it out today by following the getting started documentation.
This release supports Kubernetes, OpenShift, and host endpoints only. Users of OpenStack, Mesos, and Docker libnetwork should continue to use 2.x versions of Calico for now. We plan to add support for the full range of orchestrators in a future 3.x release.