
Calico (software)

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Calico
Developer: Tigera
Released: 2014
Programming language: Go
Operating system: Linux
License: Apache License 2.0

Calico is an open-source networking and network security solution designed for containerized environments and cloud-native platforms. It provides scalable layer 3 networking, network policy enforcement, and integration with orchestration systems for use with Kubernetes, OpenStack, and other Linux-based platforms. Calico is maintained by Tigera and has been adopted across enterprises, cloud providers, and research organizations for secure, observable network connectivity.

Overview

Calico delivers IP routing and packet forwarding using a pure layer 3 model and implements network policy using a distributed programmable dataplane. It targets orchestrators including Kubernetes, OpenShift, and OpenStack Nova as well as service meshes and virtual machine environments such as KVM and VMware ESXi. The project integrates with cloud providers like Amazon Web Services, Microsoft Azure, and Google Cloud Platform and with ecosystem tools including Prometheus, Envoy, Istio, and Flannel. Calico components are implemented primarily in Go, and the project is released under the Apache License with commercial support from Tigera.

Architecture and Components

Calico's architecture centers on a control plane, data plane, and policy engine. The control plane interacts with orchestrators such as the Kubernetes API and OpenStack Neutron while storing state in backends like etcd and Kubernetes etcd. The dataplane can use Linux kernel routing, eBPF via Linux eBPF, or the BIRD routing daemon for BGP peering with routers such as FRRouting and Quagga. Key components include Felix, Typha, and the Calico CNI plugin: Felix programs dataplane rules on each host; Typha scales control-plane distribution in large clusters; the CNI plugin integrates with Container Network Interface-aware runtimes such as containerd, CRI-O, and Docker Engine. Calico also offers an operator for deployment with controllers modeled after Kubernetes Operator patterns.

Features and Functionality

Calico implements features such as network policy, global network policy, host endpoints, and service connectivity. It supports Kubernetes NetworkPolicy and extended policy APIs inspired by Cilium and integrates with ingress controllers like NGINX and HAProxy. Calico provides IP-in-IP and VXLAN encapsulation options akin to GRE tunnels and supports eBPF acceleration comparable to XDP offloads. Observability is provided via integration with Prometheus metrics, Jaeger tracing, and tools like Grafana dashboards. Calico Enterprise adds features such as workload-aware firewalls, threat defense with Suricata, and compliance reporting aligned with standards such as PCI DSS and SOC 2.

Deployment and Integration

Calico is deployed using manifests, Helm charts, or operators coordinated via Operator Lifecycle Manager. It integrates with CI/CD pipelines that use systems like Jenkins, GitLab CI/CD, and Tekton for continuous delivery into clusters provisioned by Terraform, Ansible, or CloudFormation. Calico can operate alongside service meshes including Istio and Linkerd and is compatible with CNI ecosystems such as Weave Net and Flannel. For multi-cluster networking, it interoperates with solutions like Submariner and federated control planes such as Kubernetes Federation.

Security and Compliance

Calico enforces microsegmentation using network policies and supports identity-aware controls through integration with OpenID Connect providers and LDAP directories like Microsoft Active Directory. It provides auditing hooks that forward logs to SIEMs such as Splunk and Elasticsearch/Logstash stacks, and integrates with policy engines like Open Policy Agent for admission and runtime decisions. Calico Enterprise offers managed threat detection capabilities interoperable with Falco and intrusion detection systems like Snort. The project addresses compliance regimes by enabling policy-driven isolation and tracing required by regulations including HIPAA and GDPR where applicable.
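The microsegmentation described above, shown as an added example that is not part of the original article or of the Calico project's own manifests: a cluster-wide default deny, then the two rules needed to open one flow. The namespace `shop`, the labels `app == "frontend"` and `app == "api"`, port 8080 and the `k8s-app == "kube-dns"` label on the cluster DNS pods are assumptions.

```yaml
# Added example: namespace "shop", the app labels and port 8080 are assumptions.
# 1) Default deny for all non-system namespaces; DNS lookups (UDP/53) stay allowed.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  namespaceSelector: 'has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "calico-apiserver"}'
  types: [Ingress, Egress]
  egress:
  - action: Allow
    protocol: UDP
    destination:
      selector: 'k8s-app == "kube-dns"'   # assumed label on the DNS pods
      ports: [53]
---
# 2) api pods accept TCP/8080 only from frontend pods in the same namespace.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: api-ingress-from-frontend
  namespace: shop
spec:
  selector: 'app == "api"'
  types: [Ingress]
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: 'app == "frontend"'
    destination:
      ports: [8080]
---
# 3) Matching egress rule: policy 1 also blocks outbound traffic from frontend,
#    so the flow stays closed unless the sending side is permitted too.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: frontend-egress-to-api
  namespace: shop
spec:
  selector: 'app == "frontend"'
  types: [Egress]
  egress:
  - action: Allow
    protocol: TCP
    destination:
      selector: 'app == "api"'
      ports: [8080]
```

Resources in the `projectcalico.org/v3` API group are applied with `calicoctl apply -f`, or with `kubectl` where the Calico API server is installed.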

Performance and Scalability

Calico is designed for large-scale clusters and high-throughput workloads found in environments managed by Kubernetes Federation and hyperscalers like Google, Amazon, and Microsoft Azure. Using eBPF and kernel routing, Calico reduces context switches and leverages data plane acceleration similar to technologies used in DPDK workflows. BGP-based routing with the BIRD routing daemon enables efficient east-west traffic handling across thousands of nodes, while Typha distributes control-plane updates to avoid etcd overloads analogous to scaling patterns in etcd clusters. Benchmarks and capacity planning often reference metrics collected with Prometheus and visualized in Grafana to validate throughput, latency, and policy enforcement overhead.

History and Development

Calico originated in 2014 as part of the evolution of container networking concurrent with projects like Kubernetes and Docker, and was initially developed by founders who later formed Tigera. Over time it adopted eBPF support inspired by research in the Linux kernel community and incorporated BGP techniques used in routing projects such as Quagga and FRRouting. The project has engaged with standards bodies and landscape efforts including the Cloud Native Computing Foundation and has influenced networking patterns used by cloud providers and enterprises. Ongoing development is driven through contributions by open-source communities, commercial engineering from Tigera, and collaborations with ecosystem projects including Envoy, Istio, and Prometheus.
