Announcing Calico v3.0

We’re pleased to announce Calico v3.0!

Introducing namespaces

Calico v3.0 introduces namespaces. Policy can now be defined either per-namespace or at a global scope. Per-namespace network policies apply only to endpoints in the same namespace, while global network policies apply to all endpoints in the cluster.

Network policy rules can also now select entire namespaces using a native namespace selector, making it easier to define coarse-grained policy between multiple namespaces.

Namespaces provide a useful mechanism to help organize your network policy based on user, team, application, development stage, or other criteria.

Named ports

Calico endpoints now support named ports, which can be referenced in Calico policy rules. This provides an abstraction above port numbers, allowing users to write policies that don’t depend on port numbers, which may vary across application deployments.
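
As an added illustration (not taken from this post or from the Calico project's own examples), the manifests below combine a per-namespace policy, a namespace selector, and a named port, next to a global default-deny policy. All names, labels, the image, and the namespace are hypothetical, and the field names assume the projectcalico.org/v3 resource format.

```yaml
# Constructed example; every name, label, image and namespace is hypothetical.
# The pod names its port, so policy can say "http-api" instead of 8080.
apiVersion: v1
kind: Pod
metadata:
  name: orders-api
  namespace: prod
  labels:
    app: orders-api
spec:
  containers:
    - name: orders-api
      image: registry.example.com/orders-api:1.0
      ports:
        - name: http-api
          containerPort: 8080
---
# Per-namespace policy: applies only to endpoints in the "prod" namespace.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-orders
  namespace: prod
spec:
  selector: app == 'orders-api'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        # Frontend endpoints in any namespace labelled stage=production.
        namespaceSelector: stage == 'production'
        selector: role == 'frontend'
      destination:
        ports:
          - http-api   # named port; resolved per endpoint, not a fixed number
---
# Global policy: selects every endpoint in the cluster. With no ingress
# rules of its own, ingress that no other policy allows is dropped.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  selector: all()
  types:
    - Ingress
```

The Calico resources can be applied with calicoctl; the pod is an ordinary Kubernetes object.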

Kubernetes API datastore improvements

You can now create, read, update, and delete Calico policies stored in the Kubernetes API datastore using calicoctl. For users who have deployed using the Kubernetes API datastore, this means access to a richer set of policy semantics than offered by the Kubernetes NetworkPolicy API.

Support for the etcd v3 API

In v3.0, Calico begins to use the etcd v3 API and removes support for the etcd v2 API. This aligns with Kubernetes, helping to simplify etcd operational considerations like backup and restore. The etcd v3 API also provides significant performance improvements over the v2 API.

Existing Calico users must perform a one-time migration to move their data from the etcd v2 data model to the etcd v3 data model. Refer to the upgrade documentation for step-by-step instructions.

Application layer policies

Calico v3.0 includes a tech preview of layer 5-7 policy enforcement. With this, Calico can enforce policy based on Kubernetes service accounts and HTTP request types, right alongside existing layer 3-4 policy. There’s plenty more to come in this area, so stay tuned! In the meantime, you can try it out today by following the getting started documentation.

Limitations

This release supports Kubernetes, OpenShift, and host endpoints only. Users of OpenStack, Mesos, and Docker libnetwork should continue to use 2.x versions of Calico for now. We plan to add support for the full range of orchestrators in a future 3.x release.

Learn more

To find out more details about all the features and changes in Calico v3.0, check out the Release Notes! Or, try it out in under 15 minutes by following the Quickstart guide!

Casey is a Core Developer at Project Calico. He has been working on software-defined networking solutions since 2012. Among other things, he enjoys Android development, home-brewed beer, and playing soccer on rollerblades.