Calico — Commands & Recipes
Installation
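# Install calicoctl
# Pin the client to the release used for the manifests on this page (v3.31.4)
# rather than "latest": the download is reproducible and client and cluster
# versions stay in step.
CALICO_VERSION=v3.31.4
CALICO_RELEASE="https://github.com/projectcalico/calico/releases/download/${CALICO_VERSION}"
# -f makes curl exit non-zero on an HTTP error instead of saving the error page
# as the "binary". SHA256SUMS is the checksum list attached to the release
# (confirm the asset name for your version).
# The checksum comes from the same origin as the binary, so it catches a
# corrupted or truncated download, not a tampered release.
# install(1) writes a root-owned 0755 copy; `sudo mv` would leave the file owned
# by the downloading user, who could later rewrite a binary on root's PATH.
curl -fL "${CALICO_RELEASE}/calicoctl-linux-amd64" -o calicoctl-linux-amd64 &&
  curl -fL "${CALICO_RELEASE}/SHA256SUMS" -o SHA256SUMS &&
  sha256sum --ignore-missing -c SHA256SUMS &&
  sudo install -o root -g root -m 0755 calicoctl-linux-amd64 /usr/local/bin/calicoctl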
# Install Calico on K8s (Operator)
# Both manifests are read from the same pinned release tag, operator first and
# then the custom resources it reconciles.
# They are applied straight from the network with the caller's cluster
# credentials; in a controlled environment, fetch and review them first.
CALICO_MANIFESTS=https://raw.githubusercontent.com/projectcalico/calico/v3.31.4/manifests
for manifest in tigera-operator.yaml custom-resources.yaml; do
  kubectl create -f "${CALICO_MANIFESTS}/${manifest}"
done
# Verify
# Operator-managed Calico components run in the calico-system namespace.
kubectl --namespace calico-system get pods
# Reports the local node's Calico/BGP state.
# NOTE(review): expected to be run on a Calico node, usually as root (confirm for your setup).
calicoctl node status
Network Policies
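# Calico GlobalNetworkPolicy — deny all ingress by default
# Nesting restored: with every key at column 0, `name`, `selector` and `types`
# parse as top-level keys and the manifest is not a valid policy.
#
# Scope: `all()` selects every endpoint Calico manages, in every namespace.
# The policy has no rules, so selected endpoints accept no ingress unless
# another policy allows it. That includes system workloads such as cluster DNS,
# so create the allow rules first or narrow the scope, for example:
#   namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "calico-apiserver"}
# (adjust the namespace list to your cluster).
# Only Ingress is listed under `types`; egress is not restricted by this policy.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  selector: all()
  types:
    - Ingress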
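# Allow specific traffic with tiered policy
# Nesting restored: flattened to column 0, the rule's fields are not children of
# `spec`/`ingress` and the manifest does not describe a policy.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-frontend
  namespace: default
spec:
  # NOTE(review): the `application` tier is not defined on this page; it has to
  # exist before this policy can be created. Confirm it against your cluster.
  tier: application
  # Applies to the backend pods in the `default` namespace.
  selector: app == 'backend'
  ingress:
    - action: Allow
      # Calico rejects a rule that matches ports without naming a protocol.
      # TCP is assumed for 8080; change it if the backend uses something else.
      protocol: TCP
      source:
        # With no namespaceSelector, this matches frontend pods in the policy's
        # own namespace only.
        selector: app == 'frontend'
      destination:
        ports:
          - 8080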
Diagnostics
# Node state and BGP peering as seen from the local node
calicoctl node status
# Policies: namespaced ones across every namespace, then the cluster-wide ones in full
calicoctl get networkpolicy --all-namespaces --output wide
calicoctl get globalnetworkpolicy --output yaml
# Workload endpoints in every namespace
calicoctl get workloadendpoint --all-namespaces
# IP pools
calicoctl get ippool --output wide
# Connectivity debugging: collect a diagnostics bundle.
# The bundle describes the node's network configuration and logs; treat it as
# sensitive and check its contents before sharing it outside the team.
calicoctl node diags
Enable eBPF Mode
# Switch from iptables to eBPF data plane
# Merge-patches the operator's `default` Installation resource so that
# spec.calicoNetwork.linuxDataplane is set to BPF.
# NOTE(review): with kube-proxy gone, Calico has to reach the Kubernetes API
# server without the service VIP; check the eBPF prerequisites for your Calico
# version (API server endpoint configuration, kernel support) before running this.
# NOTE(review): after the switch, re-test that existing policies (e.g. a
# default-deny) still block the traffic they are meant to block.
kubectl patch installation default --type merge --patch='{"spec":{"calicoNetwork":{"linuxDataplane":"BPF"}}}'
# Disable kube-proxy (Calico replaces it in eBPF mode)
# The DaemonSet is kept but given a nodeSelector (non-calico=true) that no node
# is expected to carry, so its pods are descheduled; removing the selector restores it.
# NOTE(review): kube-proxy and the eBPF data plane both run between these two
# commands; confirm the recommended ordering for your version.
kubectl patch ds -n kube-system kube-proxy -p '{"spec":{"template":{"spec":{"nodeSelector":{"non-calico":"true"}}}}}'
Sources