Calico 2.2: Network Policy GA and Kubernetes IPAM

K8s Guru

Introduction

On April 25, 2017, Tigera released Calico 2.2, the update that brought Kubernetes NetworkPolicy support to General Availability while keeping Calico's pure L3 networking model. With managed and DIY clusters converging on policy enforcement as the baseline for workload isolation, Calico 2.2 became the go-to CNI for secure multi-tenant Kubernetes.


Release Highlights

  • NetworkPolicy GA: Full support for the Kubernetes NetworkPolicy API, including ingress/egress rules, namespace selectors and pod selectors.
  • Kubernetes IPAM: A new IP Address Management mode allocates pod IPs from the address ranges Kubernetes manages (the per-node podCIDRs), simplifying integration with kubeadm clusters.
  • Host Protection: Calico policy extends to Kubernetes nodes themselves, letting operators lock down SSH, etcd and control-plane ports with the same policy language used for pods.
  • Policy Datastore Choices: etcd v3 support and early Kubernetes API datastore integration reduce the etcd maintenance overhead of running Calico.
  • Felix Performance Improvements: Faster rule programming and reduced conntrack churn on high-density nodes.

Deploying Calico 2.2

  1. Apply the Tigera manifest tailored for your cluster:

    kubectl apply -f \
      https://docs.projectcalico.org/v2.2/getting-started/kubernetes/installation/hosted/calico.yaml
    
  2. Configure IP pools to match your cluster's pod CIDR (the hosted manifest defaults to 192.168.0.0/16); a mismatch between the Calico pool and the CIDR handed to kube-controller-manager leads to unroutable pods.

  3. Select the IPAM plugin in the CNI config: the ipam.type field chooses between calico-ipam (Calico-managed pools) and host-local (the Kubernetes-managed node podCIDR). Note that CALICO_IPV4POOL_IPIP controls IP-in-IP encapsulation for the pool (Always, CrossSubnet or Off), not IPAM.

  4. Apply NetworkPolicy objects to restrict traffic between namespaces and workloads; until a policy selects a pod, that pod accepts all traffic.


Sample NetworkPolicy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          team: payments
    ports:
    - protocol: TCP
      port: 443

This policy isolates pods labelled app=frontend in the production namespace for ingress and admits only TCP port 443 from pods in namespaces labelled team=payments. Two details matter in practice: the namespaceSelector is not combined with a podSelector, so every pod in a matching namespace is admitted, and "443" is a port match, not a protocol check, so the CNI cannot verify that the traffic is actually TLS. All other inbound traffic to the selected pods is dropped, including traffic from other pods in production, while their egress and any pod not selected by a policy remain unrestricted.
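The rules above are easier to trust once you can predict them. The following is an added example, not code from the page or from the Calico project: a small offline evaluator of Kubernetes NetworkPolicy ingress semantics (isolation once any policy selects a pod, union of allow rules across policies, namespaceSelector versus podSelector peers). The policies, pod names and namespace labels are constructed for the demonstration; ipBlock peers and egress are deliberately left out.

```python
"""Offline evaluator for Kubernetes NetworkPolicy ingress semantics.

Added example (not Calico or Kubernetes project code). It models how a CNI
such as Calico decides whether a connection is admitted: a pod is isolated
for ingress once any policy with policyTypes Ingress selects it, and is then
reachable only by traffic matching at least one ingress rule of at least one
selecting policy. ipBlock peers and egress are not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Pod:
    name: str
    namespace: str
    labels: Dict[str, str]
    ns_labels: Dict[str, str]  # labels on the Namespace object (namespaceSelector target)


def selector_matches(selector: Optional[dict], labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every key/value must be present; {} matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def policy_types(policy: dict) -> List[str]:
    """policyTypes defaults to Ingress, plus Egress when egress rules are present."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return spec["policyTypes"]
    return ["Ingress"] + (["Egress"] if "egress" in spec else [])


def peer_matches(peer: dict, policy_ns: str, src: Pod) -> bool:
    """One entry of a rule's `from` list:
    - podSelector only: pods in the policy's own namespace
    - namespaceSelector only: every pod in any matching namespace
    - both: pods matching podSelector inside matching namespaces (AND)"""
    if "ipBlock" in peer:
        return False  # not modelled here
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], src.ns_labels):
            return False
    elif src.namespace != policy_ns:
        return False
    if "podSelector" in peer:
        return selector_matches(peer["podSelector"], src.labels)
    return True


def rule_matches(rule: dict, policy_ns: str, src: Pod, protocol: str, port: int) -> bool:
    """A rule admits traffic when both its lists match; an absent or empty
    `from` means any source and an absent or empty `ports` means any port."""
    peers = rule.get("from") or []
    ports = rule.get("ports") or []
    peer_ok = not peers or any(peer_matches(p, policy_ns, src) for p in peers)
    port_ok = not ports or any(
        p.get("protocol", "TCP") == protocol and ("port" not in p or p["port"] == port)
        for p in ports
    )
    return peer_ok and port_ok


def ingress_allowed(policies: List[dict], src: Pod, dst: Pod, protocol: str, port: int) -> bool:
    """Kubernetes semantics: no selecting policy -> not isolated -> allowed;
    otherwise allowed iff some rule of some selecting policy matches."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst.namespace
        and "Ingress" in policy_types(p)
        and selector_matches(p["spec"].get("podSelector"), dst.labels)
    ]
    if not selecting:
        return True
    return any(
        rule_matches(rule, p["metadata"]["namespace"], src, protocol, port)
        for p in selecting
        for rule in (p["spec"].get("ingress") or [])
    )


ALLOW_FRONTEND = {  # the page's sample policy, expressed as a dict
    "metadata": {"name": "allow-frontend", "namespace": "production"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "frontend"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {"team": "payments"}}}],
            "ports": [{"protocol": "TCP", "port": 443}],
        }],
    },
}
DEFAULT_DENY = {  # constructed: isolates every pod in production, no allow rules
    "metadata": {"name": "default-deny", "namespace": "production"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}

# Constructed pods and namespace labels for the demonstration.
FRONTEND = Pod("frontend", "production", {"app": "frontend"}, {"env": "prod"})
API = Pod("api", "production", {"app": "api"}, {"env": "prod"})
CHECKOUT = Pod("checkout", "payments", {"app": "checkout"}, {"team": "payments"})
CRAWLER = Pod("crawler", "marketing", {"app": "crawler"}, {"team": "marketing"})


def demo() -> Dict[str, bool]:
    only_allow = [ALLOW_FRONTEND]
    with_deny = [ALLOW_FRONTEND, DEFAULT_DENY]
    return {
        "payments->frontend:443": ingress_allowed(only_allow, CHECKOUT, FRONTEND, "TCP", 443),
        "payments->frontend:80": ingress_allowed(only_allow, CHECKOUT, FRONTEND, "TCP", 80),
        "marketing->frontend:443": ingress_allowed(only_allow, CRAWLER, FRONTEND, "TCP", 443),
        "api->frontend:443 (same namespace)": ingress_allowed(only_allow, API, FRONTEND, "TCP", 443),
        "payments->api:80 (no default deny)": ingress_allowed(only_allow, CHECKOUT, API, "TCP", 80),
        "payments->api:80 (default deny)": ingress_allowed(with_deny, CHECKOUT, API, "TCP", 80),
        "payments->frontend:443 (default deny)": ingress_allowed(with_deny, CHECKOUT, FRONTEND, "TCP", 443),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:45} {'ALLOW' if allowed else 'DENY'}")
```

Running it shows the two traps the prose warns about: the api pod in the same namespace is denied because production carries no team=payments label, and the api pod itself accepts port 80 from anywhere until the default-deny policy selects it, after which the allow-frontend rule still admits port 443 because allows are unioned across policies.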


Operational Tips

  • Use calicoctl to inspect BGP peers, route tables and policy status; it is the quickest way to confirm that a policy you applied is actually programmed on the node.
  • Calico 2.2 focuses on pure routing + policy and relies on kube-proxy for Service load balancing. If you need a different service proxy or an eBPF datapath, evaluate kube-router or Cilium, but do not run two CNI plugins that both program pod networking on the same nodes.
  • Monitor Felix health via its Prometheus metrics (for example felix_active_local_endpoints and felix_ipset_errors_total); a rising error counter means policy is not being enforced as written.
  • When running in cloud environments, disable IP-in-IP if VPC routing already carries the pod CIDRs natively; encapsulation there costs throughput without adding reachability.

Looking Forward

Calico’s roadmap post-2.2 targeted:

  • Calico Enterprise features (flow logs, tiered policies).
  • Kubernetes datastore general availability to remove the need for standalone etcd clusters.
  • BGP enhancements including route reflector automation and IPv6 dual-stack.

Calico 2.2 solidified policy, security and IPAM foundations, making it easier to operate production Kubernetes clusters without sacrificing network performance.


Summary

Aspect           Details
Release Date     April 25, 2017
Key Innovations  NetworkPolicy GA, Kubernetes IPAM, host protection, Felix performance
Significance     Elevated Calico as the de facto policy engine for secure, multi-tenant Kubernetes clusters