How has the recent turmoil within the OpenAI offices changed your plans to use GPT in a business process or product in 2024?
Increased uncertainty means we are more likely to evaluate alternative AI chatbots and LLMs.
No change in plans, though we will keep an eye on the situation.
With Sam Altman back in charge, we are more likely to go all-in with GPT and LLMs.
What recent turmoil?
Networking / Service Mesh

Project Calico and the Challenge of Cloud Native Networking

KubeCon + CloudNativeCon will feature key maintainers behind popular projects like Kubernetes, Prometheus, gRPC, Envoy, OpenTracing and other domain experts, adopters, and end users to further the education and advancement of cloud native computing.
Apr 25th, 2019 5:00pm by
Featued image for: Project Calico and the Challenge of Cloud Native Networking

This podcast is sponsored by InfluxData and KubeCon+CloudNativeCon. Tigera is a sponsor of The New Stack.

Project Calico and the Challenge of Cloud Native Networking

Christopher Liljenstolpe is the founder and chief technology officer of Tigera, a provider of cloud native security and networking software. He formed Tigera to offer commercial support for Project Calico, a control plane he created for cloud native applications.  In this episode of The New Stack Analysts podcast, TNS Managing Editor Joab Jackson and TNS contributing analyst Janakiram MSV talk with Liljenstolpe about Calico’s creation, overlay networks, service meshes and IPv6.

Key Takeaways

  • Originally created for OpenStack, Calico was designed to make it easy to get data packets from one part of the network to another, using the Internet technologies like IP routing, rather than switching, virtual networks, overlay networks or other complex approaches.
  • This form of networking offers only a coarse-grained isolation across nodes, so Calico uses real-time distributed filtering engines to control which nodes can communicate with one another, in effect acting as a network policy enforcement tool.
  • Anticipating containers, Calico was designed for very dynamic environments, and can manage hundreds of thousands of end-points that can change location at any time.
  • Each host makes filtering decisions, allowing the system as a whole to easily scale. The filters can be located on the underlying hosts, and also can be installed in the pod itself to manage higher-level policies, working with data from services meshes and Kubernetes.
  • To get the higher level data, Calico listens to events from the Kubernetes API Server, for metadata changes and policy additions from the Container Networking Interface (CNI) and the Kubernetes Policy API.
  • Calico is not dependent on an orchestrator. It can also run on bare metal. It can also support and track non-Kubernetes legacy applications and cloud services.
  • Calico meshes very well with Google’s Zero Trust Security model, which assume networks and hosts will be breached, and so limits the amount of damage that can be done. “We not only protect the rest of the workloads from the rest of the workload, we also protect the rest of the world from the workload,” Liljenstolpe said, talking about multiple authentication checks on both inbound and outbound traffic on a per-object basis.
  • Although Calico superficially resembles a sort of SE Linux for networking, it is a lot easier to deploy and manage. “We tried to make this very easy to understand,” Liljenstolpe said.
    • On Calico vs. Flannel: Flannel doesn’t have to be integrated with the underlying infrastructure. Calico can also operate in this “overlay network” mode, but can also integrate with the infrastructure for greater ease-of-use: no onloading and offloading of the overlay network, less address spaces are required. Tigera also contributes to the Flannel project.
    • Calico and the Zero Trust model, in general, simplifies a lot of the overhead dealing with traditional security measures, such as making changes in the firewall rules, which typically involve submitting requests to the security team and waiting for a review against all the other policies. Calico’s tiered policy model streamlines this process by ensuring broad compliance policies (i.e. no PCI compliant component can communicate with a non-PCI components) are enforced while giving the freedom to developers to make the local changes alone.
    • Tigera offers a number of visualization tools to understand where traffic flows. IP addresses, which change rapidly for sources, are annotated by the metadata from the orchestrator. Real-time compliance reports can be easily generated, or the data can be easily shipped off to a search engine, such as Elastic.

In this Edition:

1:43: What is Calico?
11:25: How does Calico get this information from Kubernetes, and how does this look for the Kubernetes administrator?
21:02: What is the difference between Flannel and Calico, and when should developers choose one over the other?
27:15: Why firewall changes take so long, and how Tigera aims to solve that problem
35:15: Moving into multi-cloud operations
37:36: Where do you see the Calico network stopping Istio from taking over, and where do you see these lines getting blurred and converging?

The OpenStack Foundation is a sponsor of The New Stack.

Feature Image by sweetmeatone from Pixabay.

Group Created with Sketch.
TNS owner Insight Partners is an investor in: The New Stack, Real, Tigera.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.