Calico
Calico is a popular CNI plugin that provides networking and network policy enforcement for Kubernetes. It’s known for its robust Network Policy support, BGP routing capabilities, and flexibility in deployment models. Calico is widely used in production environments that need advanced networking features and security policies.
What is Calico?
Calico provides:
- Pod networking - IP address assignment and routing
- Network Policies - Full Network Policy support
- BGP routing - Direct routing with BGP (optional)
- IP-in-IP or VXLAN - Encapsulation options
- Cross-cluster networking - Connect multiple clusters
Calico Architecture
Calico consists of several components:
Calico Node
Runs on each Kubernetes node:
- Felix - Policy enforcement agent
- BIRD - BGP routing daemon (if BGP enabled)
- CNI plugin - Network interface configuration
Calico API Server
Manages Calico resources (Network Policies, IP pools, etc.)
etcd or Kubernetes API
Stores Calico configuration and state
Key Features
Network Policies
Calico provides full Network Policy support:
- Ingress rules - Control incoming traffic
- Egress rules - Control outgoing traffic
- Advanced selectors - Complex matching rules
- Performance - Efficient policy enforcement
BGP Routing
Calico can use BGP for routing:
- Direct routing - No encapsulation overhead
- BGP peering - Integrate with network infrastructure
- Route distribution - Share routes via BGP
- Optional - Can use overlay instead
Encapsulation Options
Calico supports multiple encapsulation methods:
IP-in-IP:
- Lower overhead
- Requires IP-in-IP support in network
- Better performance
VXLAN:
- Works in more environments
- Higher overhead
- More compatible
No encapsulation (BGP):
- Best performance
- Requires BGP support
- Direct routing
Installation
Quick Install
# Install Calico operator
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.1/manifests/tigera-operator.yaml
# Install Calico
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.1/manifests/custom-resources.yaml
Configuration
Calico can be configured via CustomResourceDefinitions:
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  calicoNetwork:
    ipPools:
    - cidr: 192.168.0.0/16
      encapsulation: VXLAN
      # the operator API takes Enabled/Disabled here, not a boolean
      natOutgoing: Enabled
IP Pool Configuration
Calico uses IP pools for pod IP assignment:
apiVersion: crd.projectcalico.org/v1
kind: IPPool
metadata:
  name: default-ipv4-ippool
spec:
  cidr: 192.168.0.0/16
  blockSize: 26
  ipipMode: Never
  vxlanMode: Always
  natOutgoing: true
Key settings:
- cidr - IP range for pods
- blockSize - Size (prefix length) of the IP blocks handed to each node
- ipipMode - IP-in-IP encapsulation
- vxlanMode - VXLAN encapsulation
- natOutgoing - NAT for traffic leaving the pool
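As an added illustration (not part of this page or of Calico itself), the following Python works out what cidr and blockSize mean for capacity: how many per-node blocks a pool holds and how many nodes it can serve at a given pod density. The function names and the sample values are assumptions.

```python
import ipaddress

def ippool_capacity(cidr: str, block_size: int) -> dict:
    """Describe how an IPPool cidr is carved into per-node blocks.

    Calico assigns pod IPs to a node in blocks of 2**(maxprefix - blockSize)
    addresses (Calico's defaults are /26 for IPv4 and /122 for IPv6); a node
    takes a second block only once its first one is full. The block count
    therefore bounds how many nodes the pool can serve, and
    blocks * ips_per_block bounds the total number of pod IPs.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if not net.prefixlen <= block_size <= net.max_prefixlen:
        raise ValueError(f"blockSize {block_size} is outside {cidr}")
    ips_per_block = 2 ** (net.max_prefixlen - block_size)
    blocks = 2 ** (block_size - net.prefixlen)
    return {"blocks": blocks, "ips_per_block": ips_per_block,
            "total_ips": blocks * ips_per_block}

def blocks_per_node(pods_per_node: int, ips_per_block: int) -> int:
    """Whole blocks a node needs to host pods_per_node pods (ceiling division)."""
    if pods_per_node < 1:
        raise ValueError("pods_per_node must be at least 1")
    return -(-pods_per_node // ips_per_block)

def max_nodes(cidr: str, block_size: int, pods_per_node: int) -> int:
    """Planning bound on the node count: every node consumes whole blocks.

    Calico can also borrow single IPs from other nodes' blocks when a pool
    is nearly exhausted, so treat this as the figure to plan for rather
    than a hard limit.
    """
    cap = ippool_capacity(cidr, block_size)
    return cap["blocks"] // blocks_per_node(pods_per_node, cap["ips_per_block"])

if __name__ == "__main__":
    # Constructed inputs: the page's default pool and the kubelet default of 110 pods/node
    print(ippool_capacity("192.168.0.0/16", 26))   # 1024 blocks of 64 IPs, 65536 IPs
    print(max_nodes("192.168.0.0/16", 26, 110))    # 512 nodes (each needs 2 blocks)
    print(max_nodes("10.0.0.0/24", 26, 30))        # a /24 pool serves only 4 nodes
```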
Network Policies
Calico supports standard Kubernetes Network Policies plus Calico-specific policies:
Kubernetes Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-policy
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 80
Calico Network Policy
Calico also supports extended Network Policies with additional features:
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: calico-policy
spec:
  selector: app == 'web'
  ingress:
  - action: Allow
    # Calico rejects a rule that lists ports without a protocol
    protocol: TCP
    source:
      selector: app == 'api'
    destination:
      ports:
      - 80
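Calico's selector language is richer than the matchLabels map of a Kubernetes NetworkPolicy. The following added example (not part of this page or of Calico's code base) evaluates a subset of that grammar (==, !=, has(), all(), !, &&, || and parentheses) against an endpoint's labels, so you can check which workloads a selector such as app == 'web' actually captures; the supported subset and the function names are assumptions.

```python
import re

# Token pattern for a subset of Calico's selector grammar: ==, !=, has(), all(),
# !, &&, || and parentheses. Keys may contain / . - _ as Kubernetes labels do.
_TOK = r"\s*(?:(==|!=|&&|\|\||all\(\)|[()!])|has\(\s*([\w./-]+)\s*\)|'([^']*)'|([\w./-]+))"

def _tokenize(expr):
    if not re.fullmatch(f"(?:{_TOK})+\\s*", expr):
        raise ValueError(f"bad selector: {expr!r}")
    return [("op", op) if op else ("has", k) if k else ("str", s) if s is not None
            else ("ident", ident)
            for op, k, s, ident in (m.groups() for m in re.finditer(_TOK, expr))]

def matches(selector, labels):
    """True if an endpoint with `labels` is selected. Precedence as in Calico:
    ! binds tightest, then &&, then ||; k != 'v' also matches when k is absent."""
    toks, i = _tokenize(selector) + [("end", "end of selector")], 0
    def take():
        nonlocal i
        i += 1
        return toks[i - 1]
    def parse_or():
        v = parse_and()
        while toks[i] == ("op", "||"):
            take(); rhs = parse_and(); v = v or rhs  # always consume the rhs
        return v
    def parse_and():
        v = parse_not()
        while toks[i] == ("op", "&&"):
            take(); rhs = parse_not(); v = v and rhs
        return v
    def parse_not():
        if toks[i] == ("op", "!"):
            take(); return not parse_not()
        kind, val = take()
        if (kind, val) == ("op", "("):
            v = parse_or()
            if take() != ("op", ")"): raise ValueError("expected ')'")
            return v
        if (kind, val) == ("op", "all()"): return True
        if kind == "has":
            return val in labels
        if kind != "ident": raise ValueError(f"unexpected {val!r}")
        (_, op), (vkind, value) = take(), take()
        if op not in ("==", "!=") or vkind != "str":
            raise ValueError(f"expected {val} == 'value' or {val} != 'value'")
        return (labels.get(val) == value) == (op == "==")
    result = parse_or()
    if i != len(toks) - 1: raise ValueError("trailing tokens in selector")
    return result
```

Run it with constructed label sets, for example matches("app == 'web' && !has(debug)", {"app": "web"}), to confirm a policy selects what you intended before applying it.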
BGP Configuration
Enable BGP for direct routing:
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  logSeverityScreen: Info
  nodeToNodeMeshEnabled: true
  asNumber: 64512
BGP modes:
- Node-to-node mesh - All nodes peer with each other
- Route reflectors - Centralized route distribution
- External BGP - Peer with external routers
Use Cases
Production Clusters
Calico is ideal for production:
- Robust Network Policy support
- High performance
- Enterprise features
- Active development
Multi-Cluster
Calico can connect multiple clusters:
- Cross-cluster networking
- Shared network policies
- Unified management
BGP Integration
When you need BGP:
- Integration with network infrastructure
- Direct routing without encapsulation
- Route distribution
Best Practices
- Plan IP pools - Ensure IP pool size is adequate
- Choose encapsulation - Select IP-in-IP or VXLAN based on network
- Enable BGP if needed - Use BGP for better performance
- Monitor Calico - Monitor Calico component health
- Keep updated - Update Calico regularly
- Test Network Policies - Verify Network Policy enforcement
- Document configuration - Document Calico configuration
- Use IP pools wisely - Plan IP pool allocation
- Monitor performance - Track network performance
- Backup configuration - Backup Calico resources
Troubleshooting
Pods Not Getting IPs
- Check Calico pods: kubectl get pods -n calico-system
- Verify IP pools: calicoctl get ippools
- Check node status: calicoctl node status
- Review logs: kubectl logs -n calico-system -l k8s-app=calico-node
- Verify CNI config: Check /etc/cni/net.d/ and /opt/cni/bin/
Network Policies Not Working
- Verify Calico version: Ensure the version supports Network Policies
- Check Felix logs: kubectl logs -n calico-system -l k8s-app=calico-node | grep felix
- Test simple policy: Create a basic policy to test
- Check policy status: calicoctl get networkpolicies
- Review configuration: Verify Calico is configured correctly
BGP Issues
- Check BGP status: calicoctl node status
- Verify BGP config: calicoctl get bgpconfig
- Check BIRD logs: Review BIRD daemon logs
- Test BGP peers: Verify BGP peering is working
- Review network: Ensure the network supports BGP
See Also
- CNI Plugins Overview - CNI plugin comparison
- Network Policies - Network isolation
- CNI Basics - Understanding CNI