Calico 3.28: eBPF Networking and Enhanced Security Policies

Introduction

In Calico land, the big operational decision is often “which dataplane?”—iptables/IPVS for broad compatibility, or eBPF for performance and kube-proxy replacement. That choice shows up later as CPU burn, tail latency, and how painful it is to troubleshoot policies.

Calico 3.28, released on August 1, 2025, doubles down on eBPF performance, policy ergonomics, and observability—aimed at secure networking at scale where enforcement speed and visibility matter as much as connectivity.

Why this matters in practice

  • Policy at scale: faster evaluation and better reporting reduce the chance of an accidental “deny everything” outage.
  • eBPF operational maturity: the improvements lower the risk of adopting eBPF in production (where your kernel and platform allow it).
  • Troubleshooting: richer flow logs and service graphs are the difference between minutes and hours during an incident.

Advanced eBPF Networking

  • eBPF data plane enhancements provide even higher performance packet processing with reduced CPU overhead through optimized eBPF programs.
  • Direct routing improvements reduce latency for pod-to-pod communication by eliminating unnecessary network hops.
  • Service handling enhancements improve service load balancing performance with better connection tracking and state management.
  • Connection tracking optimizations improve scalability for workloads with millions of concurrent connections.

Network Policy Enhancements

  1. Policy evaluation improvements dramatically reduce latency for policy enforcement decisions through optimized rule matching algorithms.
  2. Complex policy rules support enables more expressive network policies with advanced matching conditions and actions.
  3. Policy reporting provides comprehensive visibility into policy enforcement, violations, and compliance across the cluster.
  4. Policy as code support enables version-controlled policy management with GitOps integration for policy lifecycle management.

Observability Improvements

  • Flow logs provide detailed visibility into network traffic patterns, policy enforcement actions, and security events for compliance and troubleshooting.
  • Metrics expansion exposes detailed network performance, policy enforcement, and resource utilization metrics for Prometheus integration.
  • Service graph visualization shows real-time network topology with service dependencies, traffic flows, and policy overlays.
  • Troubleshooting tools enable faster diagnosis of network connectivity issues and policy misconfigurations with intuitive debugging interfaces.

Performance Optimizations

  • Memory efficiency optimizations reduce resource footprint by up to 30% in large clusters through improved data structure design.
  • CPU optimization reduces overhead for network policy evaluation and packet processing, enabling better resource utilization.
  • Scaling improvements enable reliable operation with 10,000+ nodes and millions of pods while maintaining consistent performance.
  • Connection pooling enhancements improve throughput for service-to-service communication with better connection reuse.

Security Features

  1. Network segmentation improvements enable fine-grained isolation between workloads, namespaces, and tenant environments.
  2. Threat detection capabilities identify and block suspicious network patterns and potential security threats in real-time.
  3. Compliance reporting provides detailed audit trails and compliance reports for regulatory requirements.
  4. Encryption support enables transparent encryption of pod-to-pod traffic with minimal performance impact.

Choosing eBPF vs Standard Dataplane

  • Pick eBPF when you need higher throughput/low latency, kube-proxy replacement, native load balancing, and efficient policy enforcement on modern kernels (5.4+ with BPF enabled).
  • Stay on standard (iptables/IPVS) when running older kernels, mixed Windows nodes, or platforms that restrict BPF helpers/maps.
  • Upgrade note: If you are switching from the standard dataplane, drain nodes first and verify that bpffs is mounted, the BPF/TC kernel modules are available, and cgroup v2 is in use before setting linuxDataplane: BPF.

Minimal install toggle:

apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  calicoNetwork:
    linuxDataplane: BPF   # set to Iptables (the default) to stay on the standard iptables/IPVS dataplane
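Before applying the toggle above, a node-level preflight check is worth running for the prerequisites the upgrade note lists. The script below is an added example, not Calico's own code or tooling: it reads uname -r and /proc/mounts, checks for a kernel of 5.4 or newer, a bpf filesystem at /sys/fs/bpf and a cgroup2 mount, and changes nothing on the node. The bpffs path, the sample /proc/mounts text and the check names are assumptions of this example; the BPF/TC module check is left to the reader.

```python
"""Preflight checks for switching a node to linuxDataplane: BPF.

Added example (not part of Calico). Assumes the prerequisites from the post:
kernel 5.4+, bpffs mounted at /sys/fs/bpf, cgroup v2. Read-only.
"""
import os
import re
from typing import Dict, List, Tuple

MIN_KERNEL = (5, 4)          # minimum stated in the post for the eBPF dataplane
BPFFS_PATH = "/sys/fs/bpf"   # assumed mount point; Calico mounts bpffs here by default

# Constructed sample of /proc/mounts for offline use, labelled as such.
SAMPLE_MOUNTS = (
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "bpffs /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0\n"
    "cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0\n"
)


def parse_kernel_release(release: str) -> Tuple[int, int]:
    """Extract (major, minor) from a uname -r string such as '5.15.0-91-generic'."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))


def kernel_at_least(release: str, minimum: Tuple[int, int] = MIN_KERNEL) -> bool:
    """True when the running kernel is at or above the required version."""
    return parse_kernel_release(release) >= minimum


def parse_mounts(proc_mounts: str) -> List[Tuple[str, str, str]]:
    """Return (device, mountpoint, fstype) triples from /proc/mounts text."""
    triples = []
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            triples.append((parts[0], parts[1], parts[2]))
    return triples


def bpffs_mounted(proc_mounts: str, path: str = BPFFS_PATH) -> bool:
    """True when a filesystem of type 'bpf' is mounted at the expected path."""
    return any(fs == "bpf" and mp == path for _, mp, fs in parse_mounts(proc_mounts))


def cgroup_v2_mounted(proc_mounts: str) -> bool:
    """cgroup v2 appears as fstype 'cgroup2' (normally at /sys/fs/cgroup)."""
    return any(fs == "cgroup2" for _, _, fs in parse_mounts(proc_mounts))


def preflight(release: str, proc_mounts: str) -> Dict[str, bool]:
    """Run every check; all values must be True before enabling BPF on this node."""
    return {
        "kernel_5_4_plus": kernel_at_least(release),
        "bpffs_mounted": bpffs_mounted(proc_mounts),
        "cgroup_v2_mounted": cgroup_v2_mounted(proc_mounts),
    }


if __name__ == "__main__":
    # Use the live node when /proc/mounts exists (Linux); otherwise fall back
    # to the constructed sample so the script still demonstrates the checks.
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as f:
            mounts = f.read()
        release = os.uname().release
    else:
        mounts, release = SAMPLE_MOUNTS, "5.15.0-91-generic"
    results = preflight(release, mounts)
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    raise SystemExit(0 if all(results.values()) else 1)
```

Run it on each node you intend to drain; a non-zero exit means at least one prerequisite is missing and the node should stay on the standard dataplane until it is fixed.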

Policy Examples (HostEndpoint + NetworkPolicy)

Secure a node’s host network and pod traffic together:

apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node1-eth0
  labels:
    node-role.kubernetes.io/worker: "true"
spec:
  interfaceName: eth0
  node: node1
  expectedIPs:
  - 10.0.0.10
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: frontend-to-api
  namespace: production
spec:
  selector: app == "api"
  ingress:
  - action: Allow
    source:
      selector: app == "frontend"
    protocol: TCP
    destination:
      ports: [8080]
  egress:
  - action: Allow
    destination:
      nets:
      - 0.0.0.0/0
      ports: [443]
    protocol: TCP

This combination protects node-level ingress while allowing only the intended service-to-service traffic at the pod layer.
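A small review pass over policies like the one above is a cheap way to catch the mistakes that cause outages or silent over-permissiveness. The linter below is an added example, not Calico's own validation code: it represents a Calico v3 NetworkPolicy as a Python dict mirroring the YAML fields (selector, ingress, egress, action, protocol, source/destination with selector, nets and ports), and flags an empty spec.selector (which applies the policy to every endpoint in the namespace), rules that list ports without a TCP/UDP/SCTP protocol, Allow rules with no source or destination restriction at all, and Allow rules whose nets cover every address. The frontend-to-api policy from this post is transcribed inline as the input; the finding wording and the second, deliberately broken policy are constructed for the example.

```python
"""Lint Calico v3 NetworkPolicy rules for common mistakes.

Added example, not Calico tooling. Policies are plain dicts that mirror the
YAML structure used in the post; the expected values for action and protocol
follow the Calico v3 NetworkPolicy API.
"""
from typing import Any, Dict, List

ANY_NET = {"0.0.0.0/0", "::/0"}              # CIDRs that match every address
PORT_PROTOCOLS = {"TCP", "UDP", "SCTP"}       # ports only make sense with these
VALID_ACTIONS = {"Allow", "Deny", "Log", "Pass"}

# The frontend-to-api policy from the post, transcribed from its YAML.
FRONTEND_TO_API: Dict[str, Any] = {
    "apiVersion": "projectcalico.org/v3",
    "kind": "NetworkPolicy",
    "metadata": {"name": "frontend-to-api", "namespace": "production"},
    "spec": {
        "selector": 'app == "api"',
        "ingress": [
            {
                "action": "Allow",
                "source": {"selector": 'app == "frontend"'},
                "protocol": "TCP",
                "destination": {"ports": [8080]},
            }
        ],
        "egress": [
            {
                "action": "Allow",
                "destination": {"nets": ["0.0.0.0/0"], "ports": [443]},
                "protocol": "TCP",
            }
        ],
    },
}


def lint_rule(direction: str, idx: int, rule: Dict[str, Any]) -> List[str]:
    """Return findings for one ingress or egress rule."""
    findings: List[str] = []
    where = f"{direction}[{idx}]"
    action = rule.get("action")
    if action not in VALID_ACTIONS:
        findings.append(f"{where}: unknown action {action!r}")
    proto = rule.get("protocol")
    has_ports = any((rule.get(side) or {}).get("ports") for side in ("source", "destination"))
    if has_ports and proto not in PORT_PROTOCOLS:
        findings.append(f"{where}: ports given but protocol is {proto!r}; ports need TCP, UDP or SCTP")
    if action == "Allow":
        # The peer side is what limits who may talk: source for ingress, destination for egress.
        peer = "source" if direction == "ingress" else "destination"
        endpoint = rule.get(peer) or {}
        if not endpoint:
            findings.append(f"{where}: Allow with no {peer} restriction")
        wide = set(endpoint.get("nets", [])) & ANY_NET
        if wide:
            findings.append(f"{where}: Allow {peer} covers all addresses ({', '.join(sorted(wide))})")
    return findings


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return every finding for a policy; an empty list means nothing was flagged."""
    spec = policy.get("spec") or {}
    findings: List[str] = []
    if not spec.get("selector"):
        findings.append("spec.selector empty: policy applies to every endpoint in the namespace")
    for direction in ("ingress", "egress"):
        for i, rule in enumerate(spec.get(direction) or []):
            findings.extend(lint_rule(direction, i, rule))
    return findings


if __name__ == "__main__":
    for finding in lint_policy(FRONTEND_TO_API) or ["no findings"]:
        print(f"{FRONTEND_TO_API['metadata']['name']}: {finding}")
```

Run against the post's policy, the only finding is the egress rule to 0.0.0.0/0 on port 443: that is often intentional (outbound HTTPS), but it is exactly the kind of rule a reviewer should see called out rather than discover later in flow logs.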

Getting Started

# Install Calico using the Tigera operator
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.28.0/manifests/tigera-operator.yaml
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.28.0/manifests/custom-resources.yaml

Configure the eBPF data plane in the Installation resource that custom-resources.yaml creates:

apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  calicoNetwork:
    linuxDataplane: BPF
    containerIPForwarding: Enabled

Summary

Release Date: August 1, 2025
Headline Features: Advanced eBPF networking, network policy enhancements, observability improvements, performance optimizations
Why it Matters: Delivers enterprise-grade networking with eBPF performance and comprehensive security policy enforcement for large-scale Kubernetes deployments

Calico 3.28 continues to set the standard for Kubernetes networking, providing teams with high-performance, secure, and observable networking solutions for production workloads.