What is Calico?
Calico is a networking and security solution that enables Kubernetes workloads and non-Kubernetes/legacy workloads to communicate seamlessly and securely.
Components and features
In Kubernetes, the default for networking traffic to/from pods is default-allow. If you do not lock down network connectivity using network policy, then all pods can communicate freely with other pods.
Calico consists of networking to secure network communication, and advanced network policy to secure cloud-native microservices/applications at scale.
|Calico CNI for networking||Calico CNI is a control plane that programs several dataplanes. It is an L3/L4 networking solution that secure containers, Kubernetes clusters, virtual machines, and native host-based workloads.||• Built-in data encryption|
• Advanced IPAM management
• Overlay and non-overlay networking options
• Choice of dataplanes: iptables, eBPF, Windows HNS, or VPP
|Calico network policy suite for network policy||Calico network policy suite is an interface to the Calico CNI that contains rules for the dataplane to execute. |
Calico network policy:
• Is designed with a zero-trust security model (deny-all, allow only where needed)
• Integrates with the Kubernetes API server (so you can still use Kubernetes network policy) • Supports legacy systems (bare metal, non-cluster hosts) using the same network policy model.
|• Namespace and global policy to allow/deny traffic within a cluster, between pods and the outside world, and for non-cluster hosts.|
• Network sets (an arbitrary set of IP subnetworks, CIDRs, or domains) to limit IP ranges for egress and ingress traffic to workloads.
• Application layer (L7) policy to enforce traffic using attributes like HTTP methods, paths, and cryptographically-secure identities.
Calico deployment options
Calico networking and network policy are most powerful when used together, but they are both offered separately for the widest adoption across platforms. Here are common Calico deployments.
|Self-managed Kubernetes, on-premises||Kubernetes/kubeadm cluster|
|Managed Kubernetes on public cloud||EKS, GKE, IKS, AKS|
|Self-managed Kubernetes on public cloud||AWS, GCE, Azure, Digital Ocean|
|Self-managed Kubernetes distributions||OpenShift, AKS on Azure stack, Mirantis (MKE), RKE, VMware|
|Bare metal, non-cluster hosts|
|Windows Kubernetes clusters|
For a list of platforms used by Calico community members, see Community-tested Kubernetes versions.
The following table summarizes the main Calico features. To search for specific features, see Product comparison.
|Dataplanes||eBPF, standard Linux iptables, Windows HNS, VPP.|
|Networking||• Scalable pod networking using BPG or overlay networking|
• Advanced IP address management that is customizable
|Security||• Network policy enforcement for workload and host endpoints|
• Data-in-transit encryption using WireGuard
|Monitor Calico components||Uses Prometheus to monitor Calico component metrics.|
|User interfaces||CLIs: |
|APIs||• Calico API for Calico resources <br /• Installation API for operator installation and configuration|
|Support and maintenance||Community-driven. Calico powers 2M+ nodes daily across 166 countries.|
You can install Calico using a single operator/Helm chart or manifests.
To get start with Calico in 15 minutes: