Calico

Pluggable CNI providing networking and network security for Kubernetes, VMs, and bare metal — with eBPF, iptables, nftables, and VPP data planes.

Overview

Calico is a mature, pluggable networking and network security solution by Tigera. It supports multiple data planes (eBPF, iptables, nftables, Windows HNS, VPP), making it the most versatile CNI plugin. It provides the industry's most comprehensive network policy model, extends security to non-K8s workloads (VMs, bare metal), and offers a unified platform spanning open-source, enterprise, and cloud tiers.

Key Facts

| Attribute | Detail |
|---|---|
| Repository | github.com/projectcalico/calico |
| Stars | ~6k+ ⭐ |
| Latest Version | v3.31.4 / v3.30.7 (March 2026) |
| Language | Go |
| License | Apache 2.0 (Open Source), Proprietary (Enterprise/Cloud) |
| Company | Tigera |
| Data Planes | eBPF, iptables, nftables, Windows HNS, VPP |

Evaluation

| Pros | Cons |
|---|---|
| Multiple data planes (most flexible CNI) | Enterprise features require paid license |
| Strongest network policy model in K8s | Complex configuration for advanced use cases |
| Extends to VMs and bare metal | eBPF mode less mature than Cilium's |
| AI Assistant for troubleshooting | UI/observability less integrated than Hubble |
| eBPF load balancer (new, 2026) | Community smaller than Cilium's |
| L2 networking for VM migration | |
| N-2 K8s version compatibility | |

Architecture

```mermaid
flowchart TB
    subgraph Node["Kubernetes Node"]
        Felix["Felix\n(policy enforcement)"]
        BIRD["BIRD\n(BGP daemon)"]
        CNI_C["Calico CNI\n(plugin)"]
        DS["Data Plane\n(eBPF / iptables / nftables)"]
    end

    subgraph CP["Control Plane"]
        Typha["Typha\n(API proxy / fan-out)"]
        APISERVER["calico-apiserver\nor K8s API"]
        ETCD_CAL["etcd or\nK8s CRDs"]
    end

    Felix -->|"watch"| Typha
    Typha -->|"watch"| APISERVER
    Felix -->|"programs"| DS
    BIRD -->|"BGP peers"| Network["Fabric /\nToR switches"]

    style Node fill:#ff6f00,color:#fff
    style CP fill:#1565c0,color:#fff
```

Key Features (Winter 2026)

| Feature | Detail |
|---|---|
| AI Assistant | Natural-language troubleshooting and security audits |
| Calico Load Balancer | eBPF-based software LB, K8s-native |
| L2 Networking | VM-to-K8s migration without IP/VLAN changes |
| Ingress Gateway Dashboard | Traffic volume, latency, request visibility |
| Policy "Last Evaluated" | Identify and decommission stale network policies |
| NetworkPolicy | K8s + Calico extended policies (GlobalNetworkPolicy, tiers) |
| BGP | Native BGP peering for bare-metal and hybrid |
| Encryption | WireGuard encryption between nodes |
| Windows support | HNS data plane for Windows worker nodes |

Sources