Tigera Arms Calico With WAF, Smarter Policy Recommendations, and VM Visibility in Kubernetes Security Push
- Cyber Jill
When Kubernetes is the foundation of your digital infrastructure, the attack surface is as wide as the cloud. Tigera—the company behind the widely used Project Calico networking and security platform—wants to narrow that gap with a wave of enhancements aimed at simplifying protection in sprawling, multi-cluster environments.
The new release introduces four major additions: an integrated web application firewall (WAF) for ingress gateways, policy recommendation capabilities in the Calico Cloud Free Tier, centralized log forwarding for non-Kubernetes workloads, and richer visualization inside its service graph. Together, these features reinforce Tigera’s pitch that Calico can be the one-stop platform for networking and security in cloud-native ecosystems.
WAF at the Gate
Ingress traffic is one of the most common routes into a Kubernetes cluster, and it’s increasingly the first target adversaries probe. Tigera is now embedding WAF technology directly into Calico’s Ingress Gateway, giving teams runtime inspection of HTTP and gRPC protocols without bolting on yet another standalone tool. By integrating at the gateway layer, Calico can enforce deep inspection rules and block malicious payloads before they ever reach the workloads.
The move addresses a pain point for many Kubernetes operators: fragmented stacks that require juggling multiple vendors for traffic inspection, policy management, and enforcement. With the WAF embedded, Tigera claims organizations can unify ingress protection with the same policies that govern internal services, trimming operational complexity.
Policy Guidance Without the Guesswork
For developers and platform engineers, writing Kubernetes network policies often feels like trying to sketch a map in the dark. Too restrictive, and services break; too permissive, and risk skyrockets. Calico Cloud Free Tier now comes with policy recommendation capabilities that automatically analyze flow logs and suggest staged policies per namespace.
The intent is to give teams—especially those newer to Kubernetes—an assistive framework for segmenting services safely. Automated suggestions can be reviewed and refined, lowering the learning curve and reducing reliance on security specialists to write rules from scratch.
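To make the "analyze flow logs, suggest staged policies per namespace" idea concrete, here is an added worked example of the basic recommendation logic. It is not Tigera's or Calico's code and does not use their flow-log format; the flow records, their field names, the `example.io/*` annotations and the observation threshold are all constructed for this illustration. The generator counts allowed flows per destination workload, turns well-attested peers into Kubernetes NetworkPolicy ingress rules, and parks rarely seen peers in a review annotation instead of allowing them, which is the step a human reviewer would want before the policy is enforced:

```python
import json
from collections import defaultdict

# Constructed sample flow records (not real Calico flow-log output; the field
# names are an assumption for this example). Each entry is one observed
# connection between two labelled workloads.
SAMPLE_FLOWS = [
    {"src_ns": "frontend", "src_app": "web", "dst_ns": "backend", "dst_app": "api", "proto": "TCP", "port": 8080, "action": "allow"},
    {"src_ns": "frontend", "src_app": "web", "dst_ns": "backend", "dst_app": "api", "proto": "TCP", "port": 8080, "action": "allow"},
    {"src_ns": "frontend", "src_app": "web", "dst_ns": "backend", "dst_app": "api", "proto": "TCP", "port": 8080, "action": "allow"},
    {"src_ns": "backend", "src_app": "api", "dst_ns": "backend", "dst_app": "db", "proto": "TCP", "port": 5432, "action": "allow"},
    {"src_ns": "backend", "src_app": "api", "dst_ns": "backend", "dst_app": "db", "proto": "TCP", "port": 5432, "action": "allow"},
    {"src_ns": "monitoring", "src_app": "prom", "dst_ns": "backend", "dst_app": "api", "proto": "TCP", "port": 9090, "action": "allow"},
    # A one-off connection from an unexpected source: seen once, so it is
    # flagged for review rather than silently baked into the allow list.
    {"src_ns": "default", "src_app": "debug-shell", "dst_ns": "backend", "dst_app": "db", "proto": "TCP", "port": 5432, "action": "allow"},
    # Denied flows carry no evidence that the connection is needed.
    {"src_ns": "default", "src_app": "scanner", "dst_ns": "backend", "dst_app": "api", "proto": "TCP", "port": 22, "action": "deny"},
]

# Peers seen fewer times than this are recommended for review, not allowed.
MIN_OBSERVATIONS = 2


def aggregate_flows(flows):
    """Count allowed flows per (dst_ns, dst_app, src_ns, src_app, proto, port)."""
    counts = defaultdict(int)
    for f in flows:
        if f["action"] != "allow":
            continue
        key = (f["dst_ns"], f["dst_app"], f["src_ns"], f["src_app"], f["proto"], f["port"])
        counts[key] += 1
    return counts


def recommend_policies(flows, min_observations=MIN_OBSERVATIONS):
    """Return {namespace: [policy, ...]}: one ingress NetworkPolicy per destination
    workload. Peers seen at least min_observations times become allow rules;
    rarer peers are listed in a review annotation instead."""
    counts = aggregate_flows(flows)
    # dst_ns -> dst_app -> (src_ns, src_app) -> {"ports": set, "count": int}
    per_target = defaultdict(lambda: defaultdict(
        lambda: defaultdict(lambda: {"ports": set(), "count": 0})))
    for (dst_ns, dst_app, src_ns, src_app, proto, port), n in counts.items():
        peer = per_target[dst_ns][dst_app][(src_ns, src_app)]
        peer["ports"].add((proto, port))
        peer["count"] += n

    policies = {}
    for dst_ns, targets in sorted(per_target.items()):
        policies[dst_ns] = []
        for dst_app, peers in sorted(targets.items()):
            ingress, review = [], []
            for (src_ns, src_app), info in sorted(peers.items()):
                rule = {
                    # kubernetes.io/metadata.name is the label Kubernetes sets on every namespace.
                    "from": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": src_ns}},
                              "podSelector": {"matchLabels": {"app": src_app}}}],
                    "ports": [{"protocol": proto, "port": port} for proto, port in sorted(info["ports"])],
                }
                if info["count"] >= min_observations:
                    ingress.append(rule)
                else:
                    review.append(f"{src_ns}/{src_app} seen {info['count']}x")
            policies[dst_ns].append({
                "apiVersion": "networking.k8s.io/v1",
                "kind": "NetworkPolicy",
                "metadata": {
                    "name": f"recommended-{dst_app}",
                    "namespace": dst_ns,
                    # Hypothetical annotations driving a review-before-enforce workflow.
                    "annotations": {"example.io/stage": "staged",
                                    "example.io/needs-review": "; ".join(review) or "none"},
                },
                # Selecting the target pods with policyTypes=[Ingress] means any
                # source not listed under ingress is denied once this is enforced.
                "spec": {"podSelector": {"matchLabels": {"app": dst_app}},
                         "policyTypes": ["Ingress"], "ingress": ingress},
            })
    return policies


if __name__ == "__main__":
    print(json.dumps(recommend_policies(SAMPLE_FLOWS), indent=2))
```

Running the script prints two staged policies for the `backend` namespace: `recommended-api` allows only `frontend/web` on 8080 and flags the single `monitoring/prom` flow for review, while `recommended-db` allows `backend/api` on 5432 and flags the one-off `default/debug-shell` connection. The denied scan on port 22 never becomes a rule. The threshold is the design choice worth tuning: too low and transient or hostile connections get enshrined as allowed traffic; too high and legitimate but infrequent flows (batch jobs, health checks) break once the policy moves from staged to enforced.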
Bringing VMs and Bare Metal Into the Fold
Not every workload lives inside a container. Many enterprises still rely heavily on bare metal and virtual machines. To bridge that reality, Tigera is adding centralized log forwarding for non-Kubernetes hosts running Calico. Instead of configuring forwarding on each individual machine, organizations can now collect logs centrally at a management cluster and stream them into external analytics tools.
The benefit is both scalability and consistency—large environments no longer need to handle log pipelines piecemeal, which often leads to blind spots or ballooning costs.
Seeing the Big Picture
Visualization matters when you’re untangling thousands of microservices, and Calico’s Service Graph has been updated to make that easier. The platform now clearly distinguishes between Kubernetes cluster nodes and external VM or bare-metal nodes. With improved iconography and filtering, teams can track communications and flow logs across all workloads, regardless of where they run.
Aiming for a Unified Front
“As organizations scale their Kubernetes environments, many struggle to ensure security due to the siloed, disparate solutions used for Kubernetes security,” said Phil DiCorpo, Senior Director of Product Management at Tigera. “Calico’s new capabilities are a testament to our ongoing commitment to delivering a single, comprehensive platform that enables security across every aspect of the customer's Kubernetes journey.”
For Tigera, the strategy is clear: collapse the patchwork of cloud-native security into a unified plane that travels with workloads, whether they live in containers, VMs, or legacy servers. With Kubernetes continuing to expand as the default infrastructure fabric for modern apps, the company is betting that convergence—not fragmentation—will be the winning formula for securing the next decade of cloud-native computing.