Calico
Pluggable CNI providing networking and network security for Kubernetes, VMs, and bare metal — with eBPF, iptables, nftables, and VPP data planes.
Overview
Calico is a mature, pluggable networking and network security solution by Tigera. It supports multiple data planes (eBPF, iptables, nftables, Windows HNS, VPP), making it the most versatile CNI plugin. It provides the industry's most comprehensive network policy model, extends security to non-K8s workloads (VMs, bare metal), and offers a unified platform spanning open-source, enterprise, and cloud tiers.
Key Facts
| Attribute | Detail |
|---|---|
| Repository | github.com/projectcalico/calico |
| Stars | ~6k+ ⭐ |
| Latest Version | v3.31.4 / v3.30.7 (March 2026) |
| Language | Go |
| License | Apache 2.0 (Open Source), Proprietary (Enterprise/Cloud) |
| Company | Tigera |
| Data Planes | eBPF, iptables, nftables, Windows HNS, VPP |
Evaluation
| Pros | Cons |
|---|---|
| Multiple data planes (most flexible CNI) | Enterprise features require paid license |
| Strongest network policy model in K8s | Complex configuration for advanced use cases |
| Extends to VMs and bare metal | eBPF mode less mature than Cilium's |
| AI Assistant for troubleshooting | UI/observability less integrated than Hubble |
| eBPF load balancer (new, 2026) | Community smaller than Cilium's |
| L2 networking for VM migration | |
| N-2 K8s version compatibility | |
Architecture
```mermaid
flowchart TB
    subgraph Node["Kubernetes Node"]
        Felix["Felix\n(policy enforcement)"]
        BIRD["BIRD\n(BGP daemon)"]
        CNI_C["Calico CNI\n(plugin)"]
        DS["Data Plane\n(eBPF / iptables / nftables)"]
    end
    subgraph CP["Control Plane"]
        Typha["Typha\n(API proxy / fan-out)"]
        APISERVER["calico-apiserver\nor K8s API"]
        ETCD_CAL["etcd or\nK8s CRDs"]
    end
    Felix -->|"watch"| Typha
    Typha -->|"watch"| APISERVER
    Felix -->|"programs"| DS
    BIRD -->|"BGP peers"| Network["Fabric /\nToR switches"]
    style Node fill:#ff6f00,color:#fff
    style CP fill:#1565c0,color:#fff
```
Key Features (Winter 2026)
| Feature | Detail |
|---|---|
| AI Assistant | Natural-language troubleshooting and security audits |
| Calico Load Balancer | eBPF-based software LB, K8s-native |
| L2 Networking | VM-to-K8s migration without IP/VLAN changes |
| Ingress Gateway Dashboard | Traffic volume, latency, request visibility |
| Policy "Last Evaluated" | Identify and decommission stale network policies |
| NetworkPolicy | K8s + Calico extended policies (GlobalNetworkPolicy, tiers) |
| BGP | Native BGP peering for bare-metal and hybrid |
| Encryption | WireGuard encryption between nodes |
| Windows support | HNS data plane for Windows worker nodes |