Calico 3.16: eBPF Dataplane GA for Zero-Trust

K8s Guru

Introduction

Calico 3.16, released on September 1, 2020, brings its high-performance eBPF dataplane to General Availability, pairs it with WireGuard encryption, and improves observability to speed up policy troubleshooting.


eBPF Dataplane GA

  • Drop-in replacement for the standard Linux dataplane, delivering lower-latency service routing and direct packet forwarding.
  • Supports mixed clusters; operators can enable eBPF per node pool while legacy nodes stay on iptables.
  • Maintains compatibility with Kubernetes network policy, Calico custom policies, and global network sets.

WireGuard Encryption GA

  • Manage end-to-end pod encryption seamlessly, with automatic key rotation and multi-cluster awareness.
  • Works with the eBPF dataplane, eliminating the need for overlay tunnels or sidecars.
  • Observability hooks expose encryption status via Prometheus metrics and calicoctl diagnostics.

Visibility & Operations

  1. Service Graph: Calico Enterprise visualizes workload communication with policy verdict overlays.
  2. Flow Logs: Enhanced log outputs include allow/deny verdicts, layer 7 context, and namespace metadata for SIEM pipelines.
  3. Operator Upgrades: The Kubernetes operator now supports zero-downtime upgrades, configuration drift detection, and Helm 3 charts.

Getting Started

calicoctl patch felixconfiguration default --type merge -p '{"spec":{"bpfEnabled":true}}'
calicoctl patch felixconfiguration default --type merge -p '{"spec":{"wireguardEnabled":true}}'

Validate dataplane status:

calicoctl node status
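
In a mixed cluster the two patches above only change the default FelixConfiguration, so a per-node resource can still leave a node on iptables or without WireGuard. The following is an added example, not code from the Calico project: it resolves the effective bpfEnabled and wireguardEnabled values per node from JSON shaped like the output of calicoctl get felixconfiguration -o json. The sample data and node names are constructed, and it assumes the node.<nodename> resource overrides default and that an unset field means disabled; Felix environment variables are not considered.

```python
import json

# Constructed sample shaped like `calicoctl get felixconfiguration -o json`.
# Node names are made up for illustration.
SAMPLE = json.loads("""
{"kind": "FelixConfigurationList", "items": [
  {"metadata": {"name": "default"},
   "spec": {"bpfEnabled": true, "wireguardEnabled": true}},
  {"metadata": {"name": "node.legacy-pool-1"},
   "spec": {"bpfEnabled": false}},
  {"metadata": {"name": "node.edge-pool-1"},
   "spec": {"wireguardEnabled": false}}
]}
""")

SETTINGS = ("bpfEnabled", "wireguardEnabled")


def effective_settings(felix_list, nodes):
    """Resolve each setting per node: node.<name> override, then default, then False."""
    specs = {i["metadata"]["name"]: i.get("spec") or {} for i in felix_list["items"]}
    default = specs.get("default", {})
    result = {}
    for node in nodes:
        # Assumption: a per-node resource wins over the cluster-wide default.
        override = specs.get("node." + node, {})
        result[node] = {
            key: bool(override.get(key, default.get(key, False))) for key in SETTINGS
        }
    return result


def unencrypted_nodes(felix_list, nodes):
    """Return the nodes whose effective configuration leaves WireGuard off."""
    eff = effective_settings(felix_list, nodes)
    return sorted(n for n, s in eff.items() if not s["wireguardEnabled"])


if __name__ == "__main__":
    nodes = ["bpf-pool-1", "legacy-pool-1", "edge-pool-1"]
    for node, s in effective_settings(SAMPLE, nodes).items():
        print(f"{node:15} eBPF={s['bpfEnabled']!s:5} WireGuard={s['wireguardEnabled']}")
    print("WireGuard off on:", unencrypted_nodes(SAMPLE, nodes))
```
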

Summary

Aspect | Details
Release Date | September 1, 2020
Headline Features | eBPF dataplane GA, WireGuard GA, observability upgrades
Why it Matters | Delivers a performant, encrypted, and debuggable zero-trust network fabric for Kubernetes

Calico 3.16 proves teams can secure traffic and gain clarity without sacrificing speed, paving the way for hybrid and multi-cloud adoption.