We’re very excited to announce Calico v3.14.0, which includes several new features, including automatic host endpoint management and a tech preview of WireGuard encryption. Thank you to all of the contributors to this release! For detailed release notes please go here. Below are some highlights from the release.
Automatic host endpoint management
Calico v3.14 provides a new controller for automatically managing HostEndpoints for your Kubernetes nodes. This makes it easy to use Calico’s host policy enforcement features in dynamic environments where cluster nodes may come and go – for example, AWS instance auto scaling groups.
To try it out, take a look at the new how-to guide.
Even more host endpoint policy
In addition to the automatic provisioning of host endpoints discussed above, we’ve enhanced support for protecting both Kubernetes pods and hosts using Calico’s unified policy model. Calico host endpoints come in two flavors: interface-specific host endpoints, which represent a single interface on a node, and wildcard host endpoints, which represent all interfaces on the node. To date, wildcard host endpoints have supported only pre-DNAT global network policies. In Calico v3.14, we’ve extended support to include the other policy types as well, so you can more easily apply network policy to your hosts.
Note that this feature includes a change to the default behavior for wildcard host endpoints – make sure to read the upgrade documentation if you are currently using wildcard host endpoints in your cluster.
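As an added example (not from this post or the Calico docs), here is a wildcard HostEndpoint for one node together with a normal GlobalNetworkPolicy that selects it; the node name, label and management CIDR are placeholders. Because a host endpoint selected by policy denies any inbound traffic no rule allows, the rules below keep only SSH from the management network open.

```yaml
# Added example: a wildcard host endpoint plus a normal (non-pre-DNAT)
# global network policy, as Calico v3.14 now allows. "node-1", the
# "role: worker" label and 10.0.100.0/24 are placeholders.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node-1-all-interfaces
  labels:
    role: worker
spec:
  node: node-1
  interfaceName: "*"          # wildcard: covers every interface on node-1
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: worker-host-ingress
spec:
  selector: role == 'worker'  # matches the host endpoint above
  order: 100
  types:
    - Ingress
  ingress:
    # Allow SSH only from the management network.
    - action: Allow
      protocol: TCP
      source:
        nets:
          - 10.0.100.0/24
      destination:
        ports:
          - 22
    # Everything else inbound to the host is logged and dropped.
    - action: Log
    - action: Deny
```

Felix's failsafe inbound host ports (configured in FelixConfiguration) are still honored ahead of this policy, which is what keeps kubelet and BGP reachable while you test it.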
Encryption using WireGuard (technology preview)
In a zero-trust network, encrypting data on the wire provides a fundamental layer of security for your cluster. However, the difficulty of managing and configuring encryption for containers at scale means it is often out of reach for Kubernetes users. We’re really excited to share that Calico v3.14 includes the ability to enable host-to-host encryption for pod traffic using WireGuard. While it’s not yet ready for production due to a few gaps and limited testing, it’s a great preview of what’s to come, and we’ll be working hard to promote this feature to GA in future releases.
To give it a spin, head on over to the encryption how-to guide.
Configure and monitor IP borrowing
Calico dynamically borrows addresses from other nodes in order to maximize usage of the IP address space. However, there are times when this behavior is not desirable, for example when your network infrastructure does not allow advertisement of the resulting /32 routes.
In Calico v3.14, you can now disable IP borrowing by enabling strict IP affinity using calicoctl. You can also use calicoctl to see what, if any, addresses have been borrowed from other nodes.
If you like Calico, you’ll love Calico Enterprise. Calico v3.14 will be available in the next release of Calico Enterprise. Read more about Calico Enterprise and sign up for a trial on Tigera’s website: https://www.tigera.io/tigera-products/calico-enterprise/