Skip to main content
Version: 3.26 (latest)

About Calico

What is Calico?

Calico is a networking and security solution that enables Kubernetes workloads and non-Kubernetes/legacy workloads to communicate seamlessly and securely.

Components and features

In Kubernetes, the default for networking traffic to/from pods is default-allow. If you do not lock down network connectivity using network policy, then all pods can communicate freely with other pods.

Calico consists of networking to secure network communication, and advanced network policy to secure cloud-native microservices/applications at scale.

ComponentDescriptionMain features
Calico CNI for networkingCalico CNI is a control plane that programs several dataplanes. It is an L3/L4 networking solution that secure containers, Kubernetes clusters, virtual machines, and native host-based workloads. Built-in data encryption
 Advanced IPAM management
 Overlay and non-overlay networking options
 Choice of dataplanes: iptables, eBPF, Windows HNS, or VPP
Calico network policy suite for network policyCalico network policy suite is an interface to the Calico CNI that contains rules for the dataplane to execute.

Calico network policy:
 Is designed with a zero-trust security model (deny-all, allow only where needed)
Integrates with the Kubernetes API server (so you can still use Kubernetes network policy)   Supports legacy systems (bare metal, non-cluster hosts) using the same network policy model.
 Namespace and global policy to allow/deny traffic within a cluster, between pods and the outside world, and for non-cluster hosts.

 Network sets (an arbitrary set of IP subnetworks, CIDRs, or domains) to limit IP ranges for egress and ingress traffic to workloads.

 Application layer (L7) policy to enforce traffic using attributes like HTTP methods, paths, and cryptographically-secure identities.

Calico deployment options

Calico networking and network policy are most powerful when used together, but they are both offered separately for the widest adoption across platforms. Here are common Calico deployments.

Deployment optionsExamples
Self-managed Kubernetes, on-premisesKubernetes/kubeadm cluster
Managed Kubernetes on public cloudEKS, GKE, IKS, AKS
Self-managed Kubernetes on public cloudAWS, GCE, Azure, Digital Ocean
Self-managed Kubernetes distributionsOpenShift, AKS on Azure stack, Mirantis (MKE), RKE, VMware
IntegrationsOpenStack, Flannel
Bare metal, non-cluster hosts
Windows Kubernetes clusters

For a list of platforms used by Calico community members, see Community-tested Kubernetes versions.

Feature summary

The following table summarizes the main Calico features. To search for specific features, see Product comparison.

FeatureDescription
DataplaneseBPF, standard Linux iptables, Windows HNS, VPP.
Networking Scalable pod networking using BPG or overlay networking
Advanced IP address management that is customizable
Security Network policy enforcement for workload and host endpoints
Data-in-transit encryption using WireGuard
Monitor Calico componentsUses Prometheus to monitor Calico component metrics.
User interfacesCLIs: kubectl and calicoctl
APIs Calico API for Calico resources <br / Installation API for operator installation and configuration
Support and maintenanceCommunity-driven. Calico powers 2M+ nodes daily across 166 countries.

Install Calico

You can install Calico using a single operator/Helm chart or manifests.

To get start with Calico in 15 minutes: