## Operations

**Scope:** CNI deployment, network policy management, BGP peering, eBPF dataplane, and troubleshooting.
### Deployment

```bash
# Operator-based install (recommended)
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.29.0/manifests/tigera-operator.yaml
kubectl create -f - <<EOF
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  calicoNetwork:
    ipPools:
    - cidr: 192.168.0.0/16
      encapsulation: VXLANCrossSubnet
      natOutgoing: true
EOF
```
### Network Policy

```bash
# calicoctl operations
calicoctl get networkpolicy -A
calicoctl get globalnetworkpolicy
# Check endpoint status
calicoctl get workloadendpoints -o wide
```
### BGP Peering

```yaml
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: rack-peer
spec:
  peerIP: 10.0.0.1
  asNumber: 64512
  # Calico node selector: only nodes labelled rack=rack1 peer with 10.0.0.1
  nodeSelector: rack == 'rack1'
```
### eBPF Dataplane

```bash
# Enable eBPF dataplane (replaces iptables)
calicoctl patch felixconfiguration default \
  --type='merge' -p '{"spec":{"bpfEnabled":true}}'
# Disable kube-proxy (eBPF handles services)
kubectl patch ds -n kube-system kube-proxy -p \
  '{"spec":{"template":{"spec":{"nodeSelector":{"non-calico": "true"}}}}}'
```
### Common Issues

| Issue | Diagnosis | Fix |
|---|---|---|
| Pod connectivity fails | `calicoctl node status` | Check Felix, BGP peering |
| Policy not applied | `calicoctl get workloadendpoints` | Verify label selectors |
| IP exhaustion | `calicoctl ipam show` | Expand IP pool CIDR |
| eBPF map full | `tc filter show dev cali*` | Increase BPF map size |
## Commands & Recipes

### Installation

```bash
# Install calicoctl
curl -L https://github.com/projectcalico/calico/releases/latest/download/calicoctl-linux-amd64 -o calicoctl
chmod +x calicoctl && sudo mv calicoctl /usr/local/bin/
# Install Calico on K8s (Operator)
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.31.4/manifests/tigera-operator.yaml
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.31.4/manifests/custom-resources.yaml
# Verify
kubectl get pods -n calico-system
calicoctl node status
```
### Network Policies

```yaml
# Calico GlobalNetworkPolicy — deny all ingress by default
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  selector: all()
  types:
  - Ingress
---
# Allow specific traffic with tiered policy (the 'application' Tier must exist first)
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-frontend
  namespace: default
spec:
  tier: application
  selector: app == 'backend'
  ingress:
  - action: Allow
    source:
      selector: app == 'frontend'
    destination:
      ports:
      - 8080
```
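To reason about how the two policies above combine before applying them (including the "Policy not applied / verify label selectors" case from the Common Issues table), here is an added Python simulator of Calico's ingress evaluation; it is example code, not Calico's own. It assumes a constructed tier order of `application` then `default`, supports only the selector subset `all()`, `==`, `!=` and `&&`, and ignores namespaces and protocols.

```python
import re

def selector_matches(selector, labels):
    """Calico label selector, subset: all(), k == 'v', k != 'v', joined by &&."""
    for term in (t.strip() for t in selector.split("&&")):
        if term == "all()":
            continue
        m = re.fullmatch(r"([\w./-]+)\s*(==|!=)\s*'([^']*)'", term)
        if not m:
            raise ValueError(f"unsupported selector term: {term!r}")
        key, op, val = m.groups()
        if (labels.get(key) == val) != (op == "=="):  # '!=' also matches a missing label
            return False
    return True

def evaluate_ingress(policies, src_labels, dst_labels, dst_port,
                     tier_order=("application", "default")):
    """'Allow' or 'Deny' for src -> dst:dst_port. Tiers in tier_order; within a
    tier, policies selecting dst run by ascending 'order'; first matching rule
    decides (Pass moves on to the next tier); a tier that selects dst but matches
    no rule denies; if no tier selects dst the default profile allows."""
    for tier in tier_order:
        in_tier = sorted((p for p in policies if p.get("tier", "default") == tier
                          and selector_matches(p.get("selector", "all()"), dst_labels)),
                         key=lambda p: p.get("order", float("inf")))
        if not in_tier:
            continue                         # tier does not apply to this endpoint
        passed = False
        for pol in in_tier:
            for rule in pol.get("ingress", []):
                src = rule.get("source", {}).get("selector", "all()")
                ports = rule.get("destination", {}).get("ports")
                if selector_matches(src, src_labels) and (ports is None or dst_port in ports):
                    passed = rule["action"] == "Pass"
                    if not passed:
                        return rule["action"]
                    break
            if passed:
                break
        if not passed:
            return "Deny"                    # policies applied, no rule matched
    return "Allow"                           # nothing selected the endpoint

# The page's two policies as dicts (constructed to mirror its YAML; namespaces ignored).
PAGE_POLICIES = [
    {"name": "default-deny", "tier": "default", "selector": "all()"},  # no rules: deny
    {"name": "allow-frontend", "tier": "application", "selector": "app == 'backend'",
     "ingress": [{"action": "Allow", "source": {"selector": "app == 'frontend'"},
                  "destination": {"ports": [8080]}}]},
]
```

A destination labelled `app: Backend` instead of `app: backend` falls through to `default-deny`, which is the mislabelled-selector failure the table points at.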
### Diagnostics

```bash
# Check node status and BGP peers
calicoctl node status
# View all network policies
calicoctl get networkpolicy -A -o wide
calicoctl get globalnetworkpolicy -o yaml
# Check workload endpoints
calicoctl get workloadendpoint -A
# View IP pools
calicoctl get ippool -o wide
# Debug connectivity
calicoctl node diags   # collect diagnostics bundle
```
### Enable eBPF Mode

```bash
# Switch from iptables to eBPF data plane
kubectl patch installation default --type merge --patch='{"spec":{"calicoNetwork":{"linuxDataplane":"BPF"}}}'
# Disable kube-proxy (Calico replaces it in eBPF mode)
kubectl patch ds -n kube-system kube-proxy -p '{"spec":{"template":{"spec":{"nodeSelector":{"non-calico":"true"}}}}}'
```