
Calico

Pluggable CNI providing networking and network security for Kubernetes, VMs, and bare metal — with eBPF, iptables, nftables, and VPP data planes.

Overview

Calico is a mature, pluggable networking and network security solution by Tigera. It supports multiple data planes (eBPF, iptables, nftables, Windows HNS, VPP), making it the most versatile CNI plugin. It provides the industry's most comprehensive network policy model, extends security to non-K8s workloads (VMs, bare metal), and offers a unified platform spanning open-source, enterprise, and cloud tiers.

Key Facts

| Attribute | Detail |
|---|---|
| Repository | github.com/projectcalico/calico |
| Stars | ~6k+ ⭐ |
| Latest Version | v3.31.4 / v3.30.7 (March 2026) |
| Language | Go |
| License | Apache 2.0 (Open Source), Proprietary (Enterprise/Cloud) |
| Company | Tigera |
| Data Planes | eBPF, iptables, nftables, Windows HNS, VPP |

Evaluation

| Pros | Cons |
|---|---|
| Multiple data planes (most flexible CNI) | Enterprise features require paid license |
| Strongest network policy model in K8s | Complex configuration for advanced use cases |
| Extends to VMs and bare metal | eBPF mode less mature than Cilium's |
| AI Assistant for troubleshooting | UI/observability less integrated than Hubble |
| eBPF load balancer (new, 2026) | Community smaller than Cilium's |
| L2 networking for VM migration | |
| N-2 K8s version compatibility | |

Architecture

```mermaid
flowchart TB
    subgraph Node["Kubernetes Node"]
        Felix["Felix\n(policy enforcement)"]
        BIRD["BIRD\n(BGP daemon)"]
        CNI_C["Calico CNI\n(plugin)"]
        DS["Data Plane\n(eBPF / iptables / nftables)"]
    end

    subgraph CP["Control Plane"]
        Typha["Typha\n(API proxy / fan-out)"]
        APISERVER["calico-apiserver\nor K8s API"]
        ETCD_CAL["etcd or\nK8s CRDs"]
    end

    Felix -->|"watch"| Typha
    Typha -->|"watch"| APISERVER
    Felix -->|"programs"| DS
    BIRD -->|"BGP peers"| Network["Fabric /\nToR switches"]

    style Node fill:#ff6f00,color:#fff
    style CP fill:#1565c0,color:#fff
```

Key Features (Winter 2026)

| Feature | Detail |
|---|---|
| AI Assistant | Natural-language troubleshooting and security audits |
| Calico Load Balancer | eBPF-based software LB, K8s-native |
| L2 Networking | VM-to-K8s migration without IP/VLAN changes |
| Ingress Gateway Dashboard | Traffic volume, latency, request visibility |
| Policy "Last Evaluated" | Identify and decommission stale network policies |
| NetworkPolicy | K8s + Calico extended policies (GlobalNetworkPolicy, tiers) |
| BGP | Native BGP peering for bare-metal and hybrid |
| Encryption | WireGuard encryption between nodes |
| Windows support | HNS data plane for Windows worker nodes |

Notes


Sources


Questions

Open

  • What is the performance delta between Calico eBPF and Cilium eBPF at scale?

Answered

  • Q: Can Calico run without kube-proxy? -- Yes, in eBPF mode it replaces kube-proxy.
  • Q: Does Calico support Windows? -- Yes, via Host Networking Service (HNS).
  • Q: How does Calico's AI Assistant compare to manual policy authoring? -- Tigera's commercial offerings include a "Policy recommendations" feature that automatically generates policies to isolate namespaces based on observed traffic. This is distinct from an AI assistant -- it is a traffic-analysis engine that suggests policies. Manual policy authoring with calicoctl or kubectl gives full control over selectors, tiers, and ordering, which is necessary for complex multi-tenant environments. The recommendation engine is useful for bootstrapping zero-trust policies but does not replace manual authoring for fine-grained L7 rules, tiered policy hierarchies, or host-endpoint policies. Related: security covers policy tiers and RBAC.
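
To make the "selectors, tiers, and ordering" point in the last answer concrete, here is a hand-authored tenant-isolation policy. It is an added example, not taken from the Calico project or from this page's sources; the tier name `security`, the `tenant` namespace label and the policy name are hypothetical.

```yaml
# Added example. Names and labels are hypothetical, not from the original page.
# Apply with calicoctl, or with kubectl where the Calico API server is installed.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100                 # tiers are evaluated in ascending order
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.tenant-a-isolation   # prefixed with the tier name
spec:
  tier: security
  order: 10                  # position of this policy inside the tier
  namespaceSelector: tenant == 'a'    # applies to pods in tenant-a namespaces
  types:
    - Ingress
    - Egress
  ingress:
    # Traffic from the same tenant is handed to the next tier, where
    # per-application policies make the final decision.
    - action: Pass
      source:
        namespaceSelector: tenant == 'a'
    # Everything else is denied here and never reaches later tiers.
    - action: Deny
  egress:
    # Cluster DNS stays reachable (UDP only in this example).
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
        selector: k8s-app == 'kube-dns'
        ports:
          - 53
    - action: Pass
      destination:
        namespaceSelector: tenant == 'a'
    - action: Deny
```

The explicit final `Deny` rules keep the isolation boundary independent of the tier's default action, and `Pass` is what lets a platform-owned tier set the boundary while application teams own the finer rules in a later tier.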