Calico CNI 1.0: Network Policy Comes to Kubernetes

K8s Guru

Introduction

Calico CNI 1.0 brings policy‑driven networking to Kubernetes. It focuses on pure L3 routing with iptables‑based policy enforcement—no overlays required—keeping things simple and fast.

Born in the early days of Project Calico at Metaswitch (now part of Tigera), this 1.0 release capped several years of work on applying proven BGP routing concepts to container fabrics. When Calico was donated to the CNCF as a Sandbox project shortly after, it cemented itself as one of the go-to Kubernetes networking stacks.

Capabilities

  • Kubernetes NetworkPolicy primitives for micro‑segmentation.
  • BGP/Route Distribution to integrate with existing networks.
  • No Encapsulation by default—good for performance and troubleshooting.

Calico vs. Overlay Alternatives

  • Flannel & Weave Net rely on VXLAN or other encapsulations; Calico sticks to routed packets, simplifying MTU and tooling.
  • Performance: No overlay tax means lower CPU usage and clearer packet paths for debugging.
  • Operational Fit: Existing network teams understand BGP and route tables, reducing the learning curve compared to overlay-specific tooling.
  • Tradeoffs: When you need encrypted pod-to-pod traffic, you introduce WireGuard/IPsec yourself; overlays can bundle that in.

Typical Uses in 2016

  • Secure namespaces with a default‑deny policy, then allowlist only the specific service traffic each workload needs.
  • Connect clusters to data‑center networks using BGP peering.

Operational Notes

  • Plan CIDR allocation early to avoid renumbering.
  • Policy order and namespace labeling strategy are key for clarity.
  • Treat etcd (Calico’s data store in 2016) as a first-class dependency with backups and quorum monitoring.
  • Start with a default-deny namespace policy and explicitly allow ingress/egress to critical services (e.g., DNS).
  • Use namespace and pod labels consistently to simplify spec.ingress[].from and spec.egress[].to selectors.

Conclusion

Calico’s 1.0 release makes Kubernetes networking feel production‑grade with enforceable, understandable policies and solid performance.