Calico 3.0: Enterprise-Grade Network Policy and BGP Control

Introduction

On January 31, 2018, Project Calico 3.0 shipped with its largest architectural change since the project’s inception. The release replaces the etcd data model with Kubernetes Custom Resource Definitions (CRDs), introduces Windows node support, and refreshes the routing stack for large-scale production clusters.
Official Highlights

1. CRD-Backed Calico Resources

  • Calico policies, IP pools, and host endpoints now live as Kubernetes-native CRDs.
  • Eliminates the etcd management tax for Kubernetes-only installs.
  • Enables RBAC, audit trails, and GitOps workflows against Calico resources.

2. Expanded Platform Support

  • Windows Server 2016 support arrives via VXLAN overlay with enforced Kubernetes NetworkPolicy.
  • Container orchestrators (Kubernetes, OpenShift, Mesos) all share the same v3 API surface.

3. BGP and IP-in-IP Enhancements

  • The automatic node-to-node BGP mesh now detects each node's IP families and updates its peerings automatically.
  • Improved IP-in-IP encapsulation reduces MTU pain and supports selective disable per pool.
  • BGP communities, filters, and route reflectors get new configuration guardrails.

Implementation Tips

  • Migrate to CRDs: run the provided calico-upgrade utility and store manifests in Git for version control.
  • Review RBAC: leverage Kubernetes RBAC to scope Calico API access per platform team.
  • Windows onboarding: deploy Calico for Windows alongside the standard CNI binaries; confirm VXLAN port 4789 is reachable cluster-wide.
  • BGP tuning: adopt route reflectors for clusters beyond ~100 nodes to avoid full-mesh complexity.
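As an added example of the RBAC tip above (not from the Calico project or docs), the manifests below let one platform team manage namespaced Calico policy in its own namespace while leaving cluster-scoped resources read-only; the namespace "payments" and the group "team-payments" are placeholders, and the API group crd.projectcalico.org is the one Calico registers for its CRD-backed resources.

```yaml
# Added example, not Calico project code. Placeholders: namespace
# "payments", group "team-payments"; API group is crd.projectcalico.org.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: calico-policy-editor
  namespace: payments
rules:
  # Namespaced policy only: nothing here can affect other tenants.
  - apiGroups: ["crd.projectcalico.org"]
    resources: ["networkpolicies"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-payments-calico-policy
  namespace: payments
subjects:
  - kind: Group
    name: team-payments
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: calico-policy-editor
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-scoped resources stay read-only; writes are for cluster admins.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: calico-cluster-viewer
rules:
  - apiGroups: ["crd.projectcalico.org"]
    resources: ["globalnetworkpolicies", "ippools", "hostendpoints", "bgppeers"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: team-payments-calico-view
subjects:
  - kind: Group
    name: team-payments
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: calico-cluster-viewer
  apiGroup: rbac.authorization.k8s.io
```

Check the result with kubectl auth can-i (for example, create networkpolicies.crd.projectcalico.org in the payments namespace should be allowed for the group, and create globalnetworkpolicies.crd.projectcalico.org should be denied). Keep in mind that this scopes who can write the CRDs, not what they may write; calicoctl validates resources on the way in, but a direct kubectl write of a CRD object does not get that validation.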

Upgrade Checklist

  1. Snapshot existing Calico v2 datastore.
  2. Deploy Calico v3 components (Felix, Typha, CNI) in a canary node pool.
  3. Execute the datastore migration and validate that the migrated resources appear in calicoctl get output.
  4. Roll out the upgrade pool-by-pool, watching Felix metrics and kube-proxy logs.
  5. Update monitoring dashboards for the new felix_active_local_endpoints and BGP counters.

Integration Notes

  • Works with Kubernetes 1.7–1.9; ensure kube-proxy and kubelet MTU values align with Calico encapsulation.
  • Compatible with Istio, Linkerd, and Envoy service meshes—Calico policies now recognize service accounts and namespaces natively.
  • Plays well with Prometheus 2.x via the refreshed /metrics endpoint.

Summary

Aspect           Details
Release Date     January 31, 2018
Key Gains        CRD datastore, Windows support, BGP/IP-in-IP rework
Why it Matters   Simplifies operations and scales policy enforcement for hybrid Kubernetes fleets

Calico 3.0 marks the moment the project became a first-class Kubernetes citizen. By ditching its bespoke datastore and embracing CRDs, Calico aligns with GitOps pipelines, simplifies HA management, and unlocks cross-platform parity. Operators planning multi-cloud Kubernetes or hybrid Windows/Linux workloads can now run a single policy engine across the fleet.