AI Powered Intelligence, Unified Traffic Observability and Scalable Infrastructure Management
As anyone managing one or more Kubernetes clusters knows by now, scaling can introduce an exponentially growing number of problems. The sheer volume of metrics, logs and other data can become an obstacle, rather than an asset, to effective troubleshooting and overall cluster management. Fragmented tools and manual troubleshooting processes introduce operational complexity, leading to security gaps and extended downtime. As the number of clusters grows, it becomes more important than ever to find ways of reducing the observability noise, decluttering the monitoring stack and eliminating the bottlenecks that get in the way of keeping your clusters stable and secure.
The Winter 2026 release of Calico Enterprise and Calico Cloud addresses the pain points of scaling clusters with three key enhancements:
1. AI-Powered Intelligence
AI Assistant for Calico: Efficiently navigate disparate data sources to quickly get answers through natural language, or proactively identify problems before they arise.
2. Unified Traffic Observability
- Unified Ingress Gateway Dashboard: Monitor gateway traffic volume, latency, and request behavior alongside east-west traffic observability.
- Last Evaluated Policy Metrics: Identify and decommission unused security policies to maintain a lean, least-privileged posture.
3. Scalable Infrastructure and Expanded Ecosystem Support
- Deterministic NetworkSet Matching: Ensure stable policy enforcement in large environments with predictable, namespace-aware lookups.
- Projects Hierarchy: Connect and organize an unlimited number of clusters with self-service grouping and regional data residency compliance.
- Expanded OS Support: Extend unified security policies to traditional workloads with official support for Debian and Ubuntu on VMs.
AI-Powered Intelligence
AI-Powered Intelligence and Enhanced Observability
AI Assistant for Calico: Natural Language Insights for Faster Troubleshooting
Understanding what is going on in a Kubernetes cluster is a challenge for most, if not all, platform and DevOps teams. Calico Cloud provides an abundance of networking and security telemetry from flow logs, metrics, service connectivity, and policy evaluation events across workloads, namespaces, and clusters. However, making good use of this data to properly secure a cluster and efficiently troubleshoot issues becomes next to impossible when it involves manually searching across multiple sources to find that connecting thread. Debugging and resolving an issue can take hours and sometimes days, causing frustration not only for platform and DevOps engineers but for customers too, ultimately costing the organization revenue.
To accelerate troubleshooting and reduce operational complexity, the Winter 2026 release of Calico Cloud introduces AI Assistant. This AI-powered, context-aware intelligence layer replaces cumbersome queries and time-consuming log analysis with the ability to resolve issues through natural language.
How it Works: Instead of creating complex filters to sift through pages of log entries, teams will simply ask questions such as “Why is traffic between service A and service B blocked?” or “What are the policies applied to the production-frontend namespace?”
Key Benefits of AI Assistant for Calico:
- Accelerated Troubleshooting: Reduce MTTR (Mean Time To Resolution) by asking concise and pertinent questions instead of manually creating queries and filters to retrieve the troubleshooting data you need.
- Natural Language Interaction: Interact with cluster data using plain English, without needing the specialized expertise required for complex debugging.
- Proactive Security Insights: Identify security gaps, egress exposure risks, and misconfigurations that might otherwise go unnoticed.
- Policy Optimization: Use AI Assistant’s recommendations to clean up unused objects and improve overall cluster stability.

AI Assistant for Calico can quickly get you the information you need.
Scenario: Rapidly Resolving a Blocked Service Connection
The Situation: Imagine a platform engineer receiving an urgent alert that a critical production service is unable to communicate with its database. Traditionally, the engineer would spend 30-60 minutes checking network policies, flow logs, and namespace labels across multiple clusters to find the culprit.
The AI Assistant for Calico Solution: Instead of manual investigation, the engineer asks the AI Assistant: “Why is the frontend-service in the production namespace unable to reach the db-service?” The AI Assistant instantly analyzes the environment and identifies that a recent policy update lacks the necessary egress rule for the specific database port. It provides a summary of the issue and a recommended policy snippet to fix it, reducing the resolution time from an hour to minutes.
Unified Traffic Observability
Dashboard for the Calico Ingress Gateway
The recent release of Calico Ingress Gateway created a need for observability into this new component. Users need to be able to access metrics and troubleshooting insight in the same Calico in-product dashboards they use to view the rest of their cluster traffic. Not being able to easily troubleshoot their gateways could slow adoption and make it difficult to migrate to Gateway API. It also adds unnecessary administrative overhead and makes a critical component of cluster security opaque.
To bridge this visibility gap and simplify cluster management, the Calico Winter 2026 release adds the Calico Ingress Gateway dashboard to Calico UI. Users now have out-of-the-box access to traffic volume, latency, and request data across all gateways and routes in the same place they see their east-west traffic.
Key Benefits of Ingress Gateway Dashboards:
- Unified Observability: Easily view ingress, egress, and east-west traffic data using the same in-product UI.
- Real-Time Performance Tracking: Track live metrics such as requests per minute, duration, and latency at the namespace, service, and route levels.
- Gateway Health Monitoring: Get a clear view of Gateway Classes, hosts, instances, and listener status to verify and maintain your cluster’s stability and availability.
- No extra tools or collectors are required: Get access to gateway metrics without having to install additional components.
- Rapid Error Detection: Drill down into individual requests for detailed troubleshooting of gateway-managed APIs.

See metrics across all gateways, namespaces and routes with the Ingress Gateway Dashboard.
Scenario: Isolating Latency in a High-Traffic Application
The Situation: A DevOps engineer notices a spike in user reports regarding slow response times for a specific web application. Using traditional tools, they would have to check the external load balancer, then the ingress controller logs, and finally the backend application metrics to find the bottleneck.
The Calico Solution: The engineer opens the Calico Ingress Gateway dashboard and immediately sees a “Request Latency per Minute” chart. They filter by route and notice that while the gateway itself is healthy, one specific route is showing high latency samples. By looking at the “Traffic Performance” list, they confirm the delay is occurring at the backend service destination rather than the gateway layer, allowing them to escalate the issue to the correct application team in seconds.
Unified Traffic Observability
Identifying and Cleaning Up Unused Policies with “Last Evaluated” Metrics
As Kubernetes environments grow, clusters can accumulate hundreds of network policies. Over time, changes in application architecture or service decommissions leave many of these policies active but no longer utilized. Maintaining a “least-privileged” security posture becomes nearly impossible when the environment is cluttered with stale rules. These unused policies not only create operational noise but can also lead to accidental security gaps and performance overhead as the CNI continues to process redundant logic.
To eliminate this operational noise and strengthen security posture, the Winter 2026 release introduces visibility into policy evaluation. The ‘Last evaluated’ metric has been added to policy data to provide visibility into which policies and rules have not seen traffic in a while. Platform engineers can investigate unused policies and confidently decommission them, ensuring the cluster remains lean and secure. By identifying and removing “dead” rules, teams improve the overall performance of the policy engine and strictly adhere to micro-segmentation best practices.
Key Benefits of Last Evaluated Metrics:
- Confident Policy Decommissioning: Clearly identify policies that have not seen traffic for a specific number of days.
- Maintain Least Privilege: Ensure your micro-segmentation strategy remains effective by removing obsolete permissions.
- Improved UI Visibility: See the “Last Evaluated” date and time displayed directly on your Policy and View Boards.
Scenario: Automating a “Zero-Trust” Monthly Audit
The Situation: A security engineer at a healthcare company is tasked with a monthly audit to ensure no unnecessary network paths are open. Previously, this meant manually comparing flow logs against the entire policy set—a process that took days and was prone to human error.
The Calico Solution: Using the new “Last Evaluated” metric, the engineer creates a report for all policies that haven’t been evaluated in the last 30 days. He quickly identifies five policies belonging to a decommissioned billing service. After discussion with his team, he is able to decommission the policies before they can become vulnerabilities.
Scalable Infrastructure
Deterministic Matching for Overlapping NetworkSets
In large-scale enterprise environments, organizations often manage a high volume of NetworkSets. As these environments grow, it is common for different teams to define overlapping CIDR ranges across multiple NetworkSet objects. When CIDRs overlap, it becomes difficult for platform engineers to identify exactly which NetworkSet is being applied to a specific traffic flow. This ambiguity can lead to unpredictable policy enforcement, making it harder to troubleshoot connectivity issues or ensure that security rules are hitting the intended targets.
To resolve these policy conflicts and ensure predictable enforcement, Calico now introduces namespace awareness and a deterministic tie-breaker for NetworkSet lookups.
The lookup process follows a strict priority: first, it checks for a NetworkSet in the workload’s own namespace; second, it evaluates GlobalNetworkSets; and finally, it considers NetworkSets in other namespaces. If an overlap still exists, a lexicographic ordering tie-breaker is used so that the result is always reproducible, removing the “guesswork” from policy matching in complex environments. By providing a predictable, hierarchical lookup, Calico ensures that the most relevant security context is applied to every flow. This results in more stable policy enforcement and significantly simplifies auditing and troubleshooting for large organizations.
Key Benefits of Improved NetworkSet Matching:
- Namespace-First Priority: Preference is now given to NetworkSets in the same namespace as the connection-initiating workload.
- Deterministic Results: Get the same results each time with lexicographic ordering acting as a tie-breaker.
- Scalable Policy Management: Allow multiple teams to define NetworkSets without worrying about unpredictable global side effects.
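The lookup order described above can be modeled in a few lines to check which of several overlapping NetworkSets a flow would resolve to. This is an added illustration, not Calico's code: the `NetSet` type, the sample sets, and the tie-break key (`namespace/name` compared as strings) are assumptions, and prefix length is ignored because the text does not mention it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NetSet:                      # hypothetical model of a (Global)NetworkSet
    name: str
    namespace: Optional[str]       # None models a GlobalNetworkSet
    cidrs: tuple

def tier(s: NetSet, workload_ns: str) -> int:
    """Priority from the text: 0 = workload's namespace, 1 = global, 2 = other."""
    if s.namespace == workload_ns:
        return 0
    return 1 if s.namespace is None else 2

def ranked(ip: str, workload_ns: str, sets):
    """All sets whose CIDRs contain ip, best match first."""
    addr = ipaddress.ip_address(ip)
    hits = [s for s in sets
            if any(addr in ipaddress.ip_network(c) for c in s.cidrs)]
    # Assumption: the lexicographic tie-break compares namespace, then name.
    return sorted(hits, key=lambda s: (tier(s, workload_ns),
                                       s.namespace or "", s.name))

def resolve(ip: str, workload_ns: str, sets) -> Optional[NetSet]:
    """The single set applied to the flow, or None if no set contains ip."""
    order = ranked(ip, workload_ns, sets)
    return order[0] if order else None

# Constructed sample data: four sets with overlapping ranges.
SETS = [
    NetSet("partner-apis", "payments", ("10.20.0.0/16",)),
    NetSet("corp-ranges", None, ("10.0.0.0/8",)),
    NetSet("db-subnet", "billing", ("10.20.30.0/24",)),
    NetSet("archive", "billing", ("10.20.30.0/24",)),
]

if __name__ == "__main__":
    for ns in ("payments", "frontend"):
        names = [f"{s.namespace or 'global'}/{s.name}"
                 for s in ranked("10.20.30.5", ns, SETS)]
        print(ns, "->", names)
```

The full list from `ranked` is useful in an audit because every entry after the first is a set that overlaps the chosen one for that address.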
Scalable Infrastructure
Streamlining Multi-Cluster Management with Projects Hierarchy
As organizations grow, they need to manage an increasing number of clusters across different teams and geographical regions. Previously, Calico Cloud users were limited to a set number of clusters per tenant and had to rely on manual support requests to create projects and organize their environments into logical groupings. A hard limit on cluster count and the lack of self-service organization tools created operational bottlenecks for large-scale deployments. Furthermore, without the ability to strictly assign clusters to specific regions, meeting stringent data residency and compliance requirements was a complex, manual task.
To remove these scaling bottlenecks and simplify global infrastructure management, Calico Cloud now introduces Projects.
With the Calico Winter 2026 release, Calico Cloud introduces “Projects,” a grouping mechanism that allows users to organize an unlimited number of managed clusters into meaningful logical structures. This feature is entirely self-service, enabling platform teams to create projects, group clusters by department or environment, and assign projects to specific geographic regions. It significantly improves operational efficiency by allowing platform engineers to manage vast, global infrastructures with ease. By enabling regional assignments for projects, organizations can more easily meet compliance and data residency requirements. Additionally, the removal of cluster limits ensures that Calico Cloud can scale alongside your business without friction.
Key Benefits of Projects Hierarchy:
- Self-Service Organization: Empower teams to manage their own groupings without external support.
- Unlimited Scalability: Connect an unlimited number of clusters to Calico Cloud.
- Simplified Compliance: Assign projects to specific regions to ensure data residency requirements are met.
- Improved Management: Organize clusters by environment (e.g., Prod, Staging, Dev) or business unit.
Expanded Ecosystem Support
Expanding Hybrid Cloud Reach with New OS Support for VMs
Many enterprises operate in hybrid environments where critical workloads run on a mix of Kubernetes clusters and traditional virtual machines (VMs). To maintain a unified security posture, these organizations need to run the Calico agent directly on their VM hosts. Previously, Calico’s support for non-Kubernetes hosts was limited primarily to RHEL 8 and 9. This restricted customers who preferred or already standardized on other popular Linux distributions, forcing them to either maintain inconsistent security stacks or manage multiple OS versions just to support Calico.
To extend consistent security policies across the hybrid cloud and support broader infrastructure requirements, the Winter 2026 release adds official support for Debian and Ubuntu.
This allows customers to extend Calico’s unified networking and security policies to these popular distributions, ensuring consistent protection across their entire infrastructure. By supporting a broader range of operating systems, Calico provides customers with the flexibility to choose the VM host OS that best fits their operational needs. This expansion simplifies management by allowing a single, unified security and networking platform to govern both modern Kubernetes clusters and traditional VM-based applications.
Get Started with Calico
The Winter 2026 release of Calico Enterprise and Calico Cloud introduces powerful new capabilities designed to simplify, secure, and scale your infrastructure. By integrating AI Assistant into Calico Cloud, we are helping platform teams cut through the noise with natural language troubleshooting and proactive insights that reduce MTTR and identify security gaps before they become incidents. Together, these enhancements give platform engineers the confidence to manage complex, high-performance environments with greater efficiency and less manual intervention.
| Environment | Action Required | Documentation Link |
|---|---|---|
| Calico Enterprise | Upgrade to the latest Enterprise version. | Upgrade Calico Enterprise documentation |
| Calico Cloud | Follow instructions to update your connected clusters. | Upgrade Calico Cloud instructions |
Ready to see the Winter 2026 release in action? Reach out for a live demo or sign up for a Calico Cloud trial to experience the new AI Assistant firsthand.
The post What’s New in Calico: Winter 2026 Release appeared first on Tigera - Creator of Calico.