Calico — Operations
Scope
CNI deployment, network policy management, BGP peering, eBPF dataplane, and troubleshooting.
Deployment
```bash
# Operator-based install (recommended)
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.29.0/manifests/tigera-operator.yaml
kubectl create -f - <<EOF
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  calicoNetwork:
    ipPools:
      - cidr: 192.168.0.0/16
        encapsulation: VXLANCrossSubnet
        # The operator API takes Enabled/Disabled here, not a boolean
        natOutgoing: Enabled
EOF
```
Network Policy
```bash
# calicoctl operations
calicoctl get networkpolicy -A
calicoctl get globalnetworkpolicy
# Check endpoint status
calicoctl get workloadendpoints -o wide
```
BGP Peering
```yaml
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: rack-peer
spec:
  peerIP: 10.0.0.1
  asNumber: 64512
  nodeSelector: rack == 'rack1'
```
eBPF Dataplane
```bash
# Enable eBPF dataplane (replaces iptables)
calicoctl patch felixconfiguration default \
  --type='merge' -p '{"spec":{"bpfEnabled":true}}'
# Disable kube-proxy (eBPF handles services)
kubectl patch ds -n kube-system kube-proxy -p \
  '{"spec":{"template":{"spec":{"nodeSelector":{"non-calico": "true"}}}}}'
```
Common Issues
| Issue | Diagnosis | Fix |
|---|---|---|
| Pod connectivity fails | `calicoctl node status` | Check Felix, BGP peering |
| Policy not applied | `calicoctl get workloadendpoints` | Verify label selectors |
| IP exhaustion | `calicoctl ipam show` | Expand IP pool CIDR |
| eBPF map full | `tc filter show dev cali*` | Increase BPF map size |
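
For the "Policy not applied" row, the following added example (not from the original page or the Calico project) lists namespaced policies whose selector matches no workload endpoint, which is how a mistyped label silently leaves pods unprotected. It assumes JSON from `calicoctl get ... -A -o json`; the sample data is constructed, the function names are hypothetical, and only a subset of the selector grammar is handled (`==`, `!=`, `has()`, `all()` joined by `&&`).

```python
import json
import re

# Constructed samples, trimmed to the fields used, standing in for:
#   calicoctl get workloadendpoints -A -o json
#   calicoctl get networkpolicy -A -o json
ENDPOINTS = json.loads("""{"items": [
  {"metadata": {"namespace": "shop", "name": "web-0",
                "labels": {"app": "web", "tier": "frontend"}}},
  {"metadata": {"namespace": "shop", "name": "db-0", "labels": {"app": "db"}}}
]}""")
POLICIES = json.loads("""{"items": [
  {"metadata": {"namespace": "shop", "name": "allow-web"},
   "spec": {"selector": "app == 'web' && has(tier)"}},
  {"metadata": {"namespace": "shop", "name": "lock-db"},
   "spec": {"selector": "app == 'database'"}},
  {"metadata": {"namespace": "shop", "name": "default-deny"},
   "spec": {"selector": "all()"}}
]}""")

# One selector term: all(), has(key), or key ==/!= 'value'
TERM = re.compile(
    r"""^\s*(?:(all\(\))|has\(([\w./-]+)\)|"""
    r"""([\w./-]+)\s*(==|!=)\s*['"]([^'"]*)['"])\s*$""")

def term_matches(term, labels):
    m = TERM.match(term)
    if not m:  # ||, !, in {...} etc. are outside this subset
        raise ValueError(f"unsupported selector term: {term!r}")
    if m.group(1):
        return True
    if m.group(2):
        return m.group(2) in labels
    key, op, value = m.group(3), m.group(4), m.group(5)
    # In Calico, k != 'v' also matches endpoints that lack label k
    return labels.get(key) == value if op == "==" else labels.get(key) != value

def selector_matches(selector, labels):
    if not selector.strip():  # an omitted selector defaults to all()
        return True
    return all(term_matches(t, labels) for t in selector.split("&&"))

def unmatched_policies(policies, endpoints):
    """Return 'namespace/name' of each policy that selects no endpoint."""
    dead = []
    for pol in policies["items"]:
        ns, sel = pol["metadata"]["namespace"], pol["spec"].get("selector", "")
        if not any(e["metadata"]["namespace"] == ns and
                   selector_matches(sel, e["metadata"].get("labels", {}))
                   for e in endpoints["items"]):
            dead.append(f"{ns}/{pol['metadata']['name']}")
    return dead
```

A policy reported here is accepted by the API but enforces nothing until its selector or the pod labels are corrected.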