Configs · Apr 16, 2026 · 3 min read

Calico — Kubernetes Networking and Network Security

A high-performance networking and network policy engine for Kubernetes that provides pod networking, network policy enforcement, and optional eBPF data plane for zero-overhead observability.

TL;DR
Calico is a high-performance CNI plugin for Kubernetes with network policy, eBPF, and WireGuard encryption.
§01

What it is

Calico is a networking and network security solution for Kubernetes that provides pod-to-pod networking and fine-grained network policy enforcement. It supports multiple data planes including standard Linux networking, eBPF for higher throughput, and WireGuard for workload-level encryption. Calico is maintained by Tigera and is the most widely adopted CNI plugin in the Kubernetes ecosystem.

Calico targets platform engineers and DevOps teams running Kubernetes clusters from single-node labs to large production environments. It handles both Kubernetes-native NetworkPolicy and its own richer GlobalNetworkPolicy for microsegmentation across namespaces and clusters.

§02

How it saves time or tokens

Calico eliminates manual iptables rule management by translating declarative YAML policies into kernel-level enforcement automatically. The eBPF data plane bypasses iptables entirely, reducing per-packet overhead and improving throughput for high-traffic services. WireGuard encryption is enabled with a single configuration flag, removing the need to set up separate VPN tunnels between nodes.

§03

How to use

  1. Install Calico on your cluster by applying the manifest: kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.28.0/manifests/calico.yaml.
  2. Verify that calico-node pods are running: kubectl get pods -n kube-system -l k8s-app=calico-node.
  3. Apply network policies using standard Kubernetes NetworkPolicy resources or Calico-specific GlobalNetworkPolicy CRDs.
§04

Example

# Deny all ingress traffic to pods in the default namespace.
# An empty podSelector matches every pod in the namespace; with policyTypes
# set to Ingress and no ingress rules listed, all inbound traffic is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# Allow only port 80 from frontend pods. A podSelector without a
# namespaceSelector only matches pods in the same namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP   # TCP is also the default when protocol is omitted
      port: 80
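The Calico-specific GlobalNetworkPolicy named in step 3 of "How to use", as an added example that is not part of the original page or the Calico project's own documentation: a cluster-wide default deny that keeps cluster DNS reachable, plus the egress allow that frontend pods need once egress is denied by default (the page's Kubernetes allow-frontend policy only opens the backend ingress side). Policy names are constructed; the namespace label kubernetes.io/metadata.name is assumed to be present, as it is on current Kubernetes releases.

```yaml
# Cluster-wide default deny for every non-system namespace. Constructed
# example, not from the page or the Calico project. Once applied, each
# workload needs an explicit Allow; the egress rule keeps cluster DNS working.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny-except-dns
spec:
  # No "order": the policy is evaluated after all ordered policies, including
  # Kubernetes NetworkPolicies, which Calico converts with order 1000.
  selector: projectcalico.org/namespace not in {"kube-system", "calico-system", "calico-apiserver"}
  types:
  - Ingress
  - Egress
  egress:
  - action: Allow        # DNS to the kube-dns pods in kube-system (add a TCP
    protocol: UDP        # rule as well if your resolver falls back to TCP)
    destination:
      namespaceSelector: kubernetes.io/metadata.name == "kube-system"
      selector: k8s-app == "kube-dns"
      ports:
      - 53
  # No ingress rules: type Ingress with nothing matching means deny.
---
# Egress side of the frontend -> backend flow in the default namespace.
# The Kubernetes allow-frontend policy above only opens backend ingress;
# with the global egress deny in place, frontend pods also need this.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy          # Calico's own kind, not networking.k8s.io/v1
metadata:
  name: frontend-egress-to-backend
  namespace: default
spec:
  order: 100                 # lower order: evaluated before the global deny
  selector: app == "frontend"
  types:
  - Egress
  egress:
  - action: Allow
    protocol: TCP
    destination:
      selector: app == "backend"
      ports:
      - 80
```

Apply with calicoctl or, when the Calico API server is installed, with kubectl; verify with a DNS lookup and a curl to the backend from a frontend pod, then from a pod without the frontend label, which should time out.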
§06

Common pitfalls

  • Calico's BGP mode requires network infrastructure that supports BGP peering; cloud environments often need VXLAN or IP-in-IP encapsulation instead.
  • Enabling the eBPF data plane requires kernel 5.3 or later and disables kube-proxy, which may break existing monitoring that relies on iptables rules.
  • WireGuard encryption adds CPU overhead on nodes without hardware acceleration; benchmark before enabling on latency-sensitive workloads.

Frequently Asked Questions

What is the difference between Calico and Cilium?

Both are Kubernetes CNI plugins with eBPF support. Calico has broader data plane options (iptables, eBPF, Windows) and a longer track record. Cilium is eBPF-native from the start and offers deeper L7 observability. The choice depends on your kernel version requirements and observability needs.

Does Calico work on managed Kubernetes services like EKS and GKE?

Yes. Calico runs on EKS, GKE, AKS, and other managed Kubernetes platforms. Some providers pre-install Calico for network policy enforcement while using their own CNI for pod networking.

How does Calico handle network policy enforcement?

Calico translates Kubernetes NetworkPolicy and its own GlobalNetworkPolicy CRDs into iptables rules or eBPF programs on each node. The calico-node agent watches the API server for policy changes and updates kernel-level rules in real time.

Can I use Calico with WireGuard encryption?

Yes. Enable WireGuard with a single Calico configuration setting. All pod-to-pod traffic between nodes is then encrypted transparently, without application changes. It requires the WireGuard kernel module on each node.

What resources does the Calico agent consume?

The calico-node DaemonSet typically uses 100-200 MB of memory and minimal CPU per node. Resource usage scales with the number of active network policies and endpoints rather than total cluster size.
