explaingit

projectcalico/calico

7,199 · Go · Audience · ops devops · Complexity · 4/5 · License · Setup · hard

TLDR

Calico is an open-source networking and security layer for Kubernetes clusters, handling traffic routing between containers and enforcing access control policies that control which services can talk to each other.

Mindmap

mindmap
  root((repo))
    What it does
      Kubernetes networking
      Security policy enforcement
    Traffic routing options
      eBPF mode
      Standard Linux networking
      VXLAN and BGP
    Security features
      Access control policies
      WireGuard encryption
    Compatibility
      Multiple K8s distros
      Cloud providers
      Bare metal and VMs
    Community
      Apache license
      Slack community
      Commercial version


Things people build with this

USE CASE 1

Add network security policies to a Kubernetes cluster to control which services can communicate with each other.

USE CASE 2

Enable WireGuard encryption for all traffic between cluster nodes to secure inter-node communication.

USE CASE 3

Switch your Kubernetes cluster networking to eBPF mode for higher performance without rewriting security policies.

Tech stack

Go · eBPF · WireGuard · BGP · VXLAN

Getting it running

Difficulty · hard Time to first run · 1h+

Requires an existing Kubernetes cluster. Setup complexity varies significantly by chosen networking backend and cloud environment.

Apache 2.0, use freely for any purpose, including commercial, as long as you keep the copyright notice.

In plain English

Calico is an open-source networking and security tool for Kubernetes clusters. Kubernetes is software used to run and manage containerized applications across groups of servers. When you run applications in containers on Kubernetes, those containers need to communicate with each other and with the outside world, and someone has to decide which traffic is allowed and which is blocked. Calico handles both of those jobs: it provides the networking layer that moves traffic between containers, and it enforces security policies that control what can connect to what.

Calico is created and maintained by a company called Tigera. It describes itself as the most widely used container networking solution, reportedly running on over 8 million nodes across more than 160 countries. A node in this context is a single server in a Kubernetes cluster.

One of Calico's distinguishing characteristics is that it supports multiple ways of actually moving network traffic. You can use eBPF, a newer Linux kernel technology, for higher performance, or standard Linux networking, or Windows networking, or VPP, another high-performance option. This gives operators flexibility to choose what works best for their infrastructure without changing the security policies they have written.

Security features include fine-grained access controls that restrict which services can talk to which other services, and optional WireGuard encryption for traffic between nodes. WireGuard is a modern encryption protocol for securing network connections. Calico works across different Kubernetes distributions, bare metal servers, virtual machines, and multiple cloud providers. It supports networking technologies like BGP and VXLAN, which are methods for routing traffic across different networks.

The project is open source under the Apache license and accepts contributions. Documentation, a Slack community, and regular community meetings are available for users and developers. A commercial version with additional enterprise features is offered by Tigera.

Copy-paste prompts

Prompt 1
Walk me through installing Calico on an existing Kubernetes cluster and creating a basic network policy.
Prompt 2
How do I enable WireGuard encryption for node-to-node traffic in Calico?
Prompt 3
Show me a Calico network policy that blocks all ingress traffic to a namespace except from one specific service.
Prompt 4
How do I switch Calico from standard Linux networking to eBPF mode and what are the performance benefits?

Verify against the repo before relying on details.