Tigera introduces staged network policies in Calico 3.30

Tigera’s Calico 3.30 release delivers a major upgrade to Kubernetes networking and security, with a strong emphasis on operational safety and visibility—especially through the introduction of staged network policies. This feature allows administrators to simulate the effect of policy changes in a non-enforcing mode, effectively providing a “preview” of how network rules will behave without actually applying them. It’s a safeguard that helps avoid misconfigurations, downtime, or unintended service disruptions in complex Kubernetes environments. Teams can validate changes, detect conflicts, and iterate confidently before pushing policies live.

Complementing this, Calico 3.30 enhances network observability with rich flow logging. The system captures detailed metadata on pod-level traffic—such as source/destination, namespaces, data volumes, and policy impact—and channels it through the Goldmane gRPC API for visualization via Whisker, a user-friendly UI built with React and TypeScript. This enables precise troubleshooting and real-time monitoring of traffic patterns.

The release also introduces tiered policy management, allowing security and operations teams to enforce hierarchical controls. Policies at higher tiers (e.g., company-wide security mandates) take precedence over application-level rules, supporting clearer governance and layered defense. Calico maintains its support for multiple data planes, including eBPF, iptables, and Windows, while adding Cisco’s VPP integration for broader compatibility. Tigera is also exploring AI-driven enhancements for future observability and security automation.