Skills · April 16, 2026 · 1 min read

Calico — Kubernetes Networking and Network Security

A high-performance networking and network policy engine for Kubernetes that provides pod networking, network policy enforcement, and an optional eBPF data plane that replaces iptables and kube-proxy for lower per-packet overhead.

Agent ready

Installable by an agent: this asset is installable; the agent first selects the current runtime, checks the install plan, then runs the matching command.

Native · 98/100 · Policy: Allow
Agent entry: any MCP/CLI agent
Type: Skill
Install: Single
Trust level: Established
Entry: Calico K8s Networking
Direct install command:
npx -y tokrepo@latest install 4c5c9177-397e-11f1-9bc6-00163e2b0d79 --target codex

Dry-run first to confirm the install plan, then run this command. Note that npx -y skips the confirmation prompt and executes whatever the current tokrepo@latest package contains, so review the dry-run output and consider pinning a specific version before running it unattended.

TL;DR
Calico is a high-performance CNI plugin for Kubernetes with network policy, eBPF, and WireGuard encryption.
§01

What it is

Calico is a networking and network security solution for Kubernetes that provides pod-to-pod networking and fine-grained network policy enforcement. It supports the standard Linux iptables data plane, an eBPF data plane for higher throughput, and Windows HNS, and on Linux it can encrypt pod traffic between nodes with WireGuard. Calico is maintained by Tigera and is one of the most widely deployed CNI plugins in the Kubernetes ecosystem.

Calico targets platform engineers and DevOps teams running Kubernetes clusters from single-node labs to large production environments. It enforces Kubernetes-native NetworkPolicy and adds its own richer NetworkPolicy and GlobalNetworkPolicy resources, which support explicit Deny rules, policy ordering and cluster-wide (non-namespaced) scope, for microsegmentation across namespaces.

§02

How it saves time or tokens

Calico removes manual iptables rule management by translating declarative YAML policies into kernel-level enforcement on every node. The eBPF data plane bypasses iptables and replaces kube-proxy, reducing per-packet overhead and improving throughput for high-traffic services. WireGuard encryption is enabled with a single FelixConfiguration setting (wireguardEnabled), removing the need to set up separate VPN tunnels between nodes.
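The settings behind those "single flag" claims live in the cluster-wide FelixConfiguration resource that every calico-node reads. The following is an added example, not code from the page or the Calico project; it turns on WireGuard and shows, commented out, the eBPF switch together with the prerequisites that must be in place before it is flipped. Apply it with calicoctl apply -f, or with kubectl once the Calico API server is installed.

```yaml
# Added example (not from the page or the Calico project): the Felix settings
# that enable WireGuard and the eBPF data plane.
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  # WireGuard: encrypts pod traffic between nodes. Each node needs the
  # WireGuard kernel module (built into Linux 5.6 and later). Calico
  # generates the key pair per node and publishes the public key in that
  # node's Node status, so nothing has to be distributed by hand.
  wireguardEnabled: true

  # eBPF data plane: uncomment only after (1) confirming every node runs
  # kernel 5.3 or later, (2) creating the kubernetes-services-endpoint
  # ConfigMap (kube-system namespace for a manifest install) so calico-node
  # can reach the API server without kube-proxy, and (3) disabling the
  # kube-proxy DaemonSet, which eBPF mode replaces.
  # bpfEnabled: true
  # bpfKubeProxyIptablesCleanupEnabled: true
```

To confirm WireGuard is active on a node, run calicoctl get node <node-name> -o yaml and look for wireguardPublicKey under status; a node without the kernel module never gets one, and traffic to and from it falls back to unencrypted.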

§03

How to use

  1. Install Calico on your cluster by applying the manifest: kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.28.0/manifests/calico.yaml.
  2. Verify that the calico-node pods are running: kubectl get pods -n kube-system -l k8s-app=calico-node (with the operator-based install they run in the calico-system namespace instead).
  3. Apply network policies using standard Kubernetes NetworkPolicy resources, or Calico's own NetworkPolicy and GlobalNetworkPolicy resources via calicoctl (or kubectl, once the Calico API server is installed).
§04

Example

# Deny all ingress traffic to pods in the default namespace.
# An empty podSelector matches every pod in the namespace; listing Ingress
# under policyTypes with no ingress rules means nothing is allowed in.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# Allow only TCP port 80 to backend pods, and only from frontend pods in the
# same namespace (a podSelector under "from" with no namespaceSelector matches
# the policy's own namespace). NetworkPolicy is additive: this rule punches a
# hole in the default deny above; it does not restrict the frontend's egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80
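Kubernetes NetworkPolicy is namespaced, has no Deny action and cannot express a cluster-wide default, which is what Calico's own policy types add. The following is an added example, not code from the page or the Calico project: the same frontend/backend setup expressed with Calico resources, plus a cluster-wide default deny that covers egress as well as ingress. The app=frontend and app=backend labels come from the page's example; the policy names, the order values and the DNS exception are my choices, and the exempted namespaces are the ones a manifest- or operator-based Calico install creates.

```yaml
# Added example (not from the page or the Calico project): ordered Calico
# policies around a cluster-wide default deny.
#
# Evaluation order: lower `order` runs first. Kubernetes NetworkPolicy
# resources are converted to Calico policies at order 1000, so allow-dns-egress
# (100) is checked before them and default-deny (2000) only after them.
# A policy that selects a workload but matches no rule passes the packet on
# to the next policy; only default-deny, with no rules at all, drops it.
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-dns-egress
spec:
  order: 100
  selector: all()
  types:
  - Egress
  egress:
  # Every workload may reach cluster DNS. Without this, a default deny on
  # egress breaks service discovery for everything in the cluster.
  - action: Allow
    protocol: UDP
    destination:
      namespaceSelector: projectcalico.org/name == "kube-system"
      selector: k8s-app == "kube-dns"
      ports:
      - 53
  - action: Allow
    protocol: TCP
    destination:
      namespaceSelector: projectcalico.org/name == "kube-system"
      selector: k8s-app == "kube-dns"
      ports:
      - 53
---
# Namespaced Calico policy: the client side that the page's allow-frontend
# ingress rule needs once egress is denied by default. Any other egress from
# the frontend falls through to default-deny.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: frontend-egress-to-backend
  namespace: default
spec:
  order: 500
  selector: app == "frontend"
  types:
  - Egress
  egress:
  - action: Allow
    protocol: TCP
    destination:
      selector: app == "backend"
      ports:
      - 80
---
# Cluster-wide default deny, last in the chain. System namespaces are
# excluded so the control plane, the CNI itself and DNS keep working.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  order: 2000
  selector: projectcalico.org/namespace not in {"kube-system", "calico-system", "tigera-operator", "calico-apiserver"}
  types:
  - Ingress
  - Egress
```

Apply the documents in the order shown (calicoctl apply -f applies a multi-document file top to bottom): on a cluster that already runs workloads, a default deny applied before its exceptions drops real traffic in the gap between the two. After applying, test from a frontend pod with kubectl exec that the backend answers on port 80 and that an unrelated destination times out.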
§05

Common pitfalls

  • Calico's BGP mode without encapsulation needs the underlying network to route pod CIDRs (a node-to-node mesh on a shared L2 segment, or BGP peering with the top-of-rack routers); most cloud VPCs do neither, so use VXLAN or IP-in-IP encapsulation there.
  • The eBPF data plane requires Linux kernel 5.3 or later. It replaces kube-proxy, which you must disable yourself (for example by adding a nodeSelector to the kube-proxy DaemonSet), and it bypasses iptables, so monitoring or tooling that inspects iptables rules stops seeing pod traffic.
  • WireGuard encryption adds CPU overhead on every node for all inter-node pod traffic; benchmark representative workloads before enabling it for latency-sensitive services.

FAQ

What is the difference between Calico and Cilium?

Both are Kubernetes CNI plugins with eBPF support. Calico offers more data plane options (iptables, eBPF, Windows HNS) and has a longer track record; Cilium is eBPF-native and offers deeper L7 observability through Hubble. Choose based on the kernel versions you can run and the observability you need.

Does Calico work on managed Kubernetes services like EKS and GKE?

Yes. Calico runs on EKS, GKE, AKS and other managed Kubernetes platforms. Some providers pair their own CNI for pod networking with Calico for network policy enforcement only (AKS offers Calico as its network policy option alongside Azure CNI, for example), so check which of the two roles Calico plays before assuming it handles routing.

How does Calico handle network policy enforcement?

Calico's Felix agent, which runs inside each calico-node pod, watches the API server for policy and endpoint changes and programs the result into that node's kernel as iptables rules or eBPF programs. Enforcement happens in the kernel on the node where the pod runs, with no proxy in the data path.

Can I use Calico with WireGuard encryption?

Yes. Set wireguardEnabled: true in the default FelixConfiguration and Calico encrypts pod-to-pod traffic between nodes transparently, with no application changes. Each node needs the WireGuard kernel module (built into Linux 5.6 and later; older kernels need the out-of-tree module).

What resources does the Calico agent consume?

The calico-node DaemonSet typically uses on the order of 100-200 MB of memory and little CPU per node. Resource usage scales with the number of active network policies and endpoints on that node rather than with total cluster size.

Sources (3)
  • Calico GitHub: Calico provides pod networking using BGP, VXLAN, or IP-in-IP encapsulation
  • Calico eBPF docs: Calico supports an eBPF data plane as an alternative to iptables
  • Kubernetes docs: Kubernetes NetworkPolicy API specification
