Calico

Purpose: Container networking and network policy

Version: v3.28.0

Namespace: calico-system

Description

CNI plugin providing networking and network policy enforcement. Replaced Flannel for better policy support and enhanced security.

Installation

Installed as CNI during cluster setup with kubeadm.

Features

Network Policies: Kubernetes NetworkPolicy support
IP Address Management (IPAM): Automatic IP allocation
Network Visualization: View network connections
Cross-node Communication: Pod-to-Pod communication

Components

Component	Purpose
calico-node	DaemonSet on each node for networking
calico-kube-controllers	Policy and IPAM controllers
calico-typha	Scale extension for etcd

Network Policy Example

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: my-app
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: allowed-app

Default Deny

Apply default deny policy for namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
    - Ingress

Why Calico?

Network policies for pod isolation
Better security than Flannel
Supports NetworkSets for complex policies
Integration with Istio service mesh

Description​

Installation​

Features​

Components​

Network Policy Example​

Default Deny​

Why Calico?​