Introduction
Calico is the most widely adopted CNI plugin for Kubernetes, powering networking and security in clusters ranging from single-node labs to 5,000-node production environments. It enforces Kubernetes NetworkPolicy natively and extends it with its own richer policy model for fine-grained microsegmentation.
What Calico Does
- Provides pod-to-pod networking using BGP, VXLAN, or IP-in-IP encapsulation
- Enforces Kubernetes NetworkPolicy and Calico-specific GlobalNetworkPolicy
- Offers an eBPF data plane as an alternative to iptables for higher throughput
- Enables workload-level encryption with WireGuard without application changes
- Supports hybrid deployments spanning Kubernetes, VMs, and bare-metal hosts
Architecture Overview
Calico runs a per-node agent (calico-node) that programs the Linux networking stack. Felix, the policy engine, translates network policies into iptables or eBPF rules. BIRD handles BGP peering for routing pod CIDRs across nodes. The Typha component fans out datastore updates to reduce API server load in large clusters.
Self-Hosting & Configuration
- Install via manifest YAML, Helm chart, or the Calico operator
- Choose the data plane: standard Linux (iptables), eBPF, or Windows HNS
- Configure IP pools, encapsulation mode, and MTU in the Installation CR
- Enable WireGuard encryption with a single toggle in the FelixConfiguration
- Integrate with external BGP routers by configuring BIRD peering sessions
Key Features
- Scales to thousands of nodes in proven production deployments
- eBPF data plane eliminates iptables overhead and enables native service handling
- WireGuard encryption secures pod traffic with no app-level TLS changes
- GlobalNetworkPolicy applies cluster-wide rules outside any single namespace
- DNS-based and service-account-based policies for identity-aware security
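As an added example, not taken from this page or from the Calico project's own manifests, the following two resources show the WireGuard toggle in FelixConfiguration (Self-Hosting & Configuration above) together with a cluster-wide default-deny GlobalNetworkPolicy that still permits DNS egress (Key Features above). The policy names, the excluded system namespaces, and the assumption that cluster DNS runs in kube-system with the label k8s-app=kube-dns are assumptions for illustration.

```yaml
# Assumed example, not a Calico-supplied manifest. Apply with calicoctl or kubectl
# (when the Calico API server is installed): kubectl apply -f this-file.yaml
---
# Turn on WireGuard node-to-node encryption for all pod traffic. The resource
# must be named "default"; Felix picks the change up without a restart.
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  wireguardEnabled: true
---
# Explicitly allow pod egress to cluster DNS. Order 100 is evaluated before the
# default-deny policy below, which carries no order and therefore runs last.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-dns-egress   # assumed name
spec:
  order: 100
  selector: all()
  types:
    - Egress
  egress:
    - action: Allow
      protocol: UDP
      destination:
        # Assumed: CoreDNS/kube-dns pods carry k8s-app=kube-dns in kube-system.
        namespaceSelector: kubernetes.io/metadata.name == "kube-system"
        selector: k8s-app == "kube-dns"
        ports:
          - 53
---
# Cluster-wide default deny for every workload outside the system namespaces.
# A policy that selects a pod and declares types but lists no rules drops the
# traffic, so no explicit Deny action is needed. Unlike a namespaced
# NetworkPolicy, this one is applied once and covers every namespace.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny   # assumed name
spec:
  # Assumed exclusion list; leaving Calico's own namespaces unmanaged avoids
  # cutting off the control plane while the allow-list is still being built.
  selector: projectcalico.org/namespace not in {"kube-system", "calico-system", "calico-apiserver"}
  types:
    - Ingress
    - Egress
```

Apply the allow-dns-egress policy first and confirm name resolution from a test pod before applying default-deny, since the deny takes effect for all selected workloads at once.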
Comparison with Similar Tools
- Cilium — eBPF-first CNI with L7 visibility; Calico offers eBPF as an option alongside iptables
- Flannel — simple overlay networking only, no network policy enforcement
- Weave Net — mesh overlay with encryption, but less scalable at large clusters
- Canal — combines Flannel networking with Calico policy, a subset of full Calico
- Antrea — OVS-based CNI by VMware, smaller community and ecosystem
FAQ
Q: Can I switch from Flannel to Calico? A: Yes. Calico provides a migration path where it takes over networking and policy from Flannel with minimal disruption using the canal compatibility mode.
Q: Does Calico work with managed Kubernetes services? A: Yes. Calico runs on EKS, GKE, AKS, and other managed platforms. Some providers pre-install Calico for network policy enforcement.
Q: How does the eBPF data plane compare to iptables? A: The eBPF data plane provides higher throughput, lower latency, and native kube-proxy replacement, eliminating the need for thousands of iptables rules in large clusters.
Q: Is Calico free? A: Calico Open Source is Apache 2.0 licensed. Tigera offers a commercial Calico Enterprise edition with additional UI, compliance, and threat detection features.