Calico CNI
Purpose: For platform engineers, shows how to configure Calico IP pools, BGP peering, network policies, and eBPF mode.
What Calico Does
Calico provides container networking (CNI) and network policy enforcement for Kubernetes. It assigns pod IPs from configurable IP pools, enforces NetworkPolicy resources, and optionally peers with external routers via BGP. openCenter clusters use Calico as the default CNI, deployed by Kubespray during cluster bootstrap — not via FluxCD.
How Calico Is Deployed
Unlike most platform services, Calico is installed by Kubespray during initial cluster provisioning. The openCenter-cli generates Kubespray inventory variables that control Calico's configuration:
# infrastructure/clusters/<cluster>/inventory/group_vars/k8s_cluster/k8s-net-calico.yml
calico_network_backend: bird # "bird" for BGP, "vxlan" for overlay
calico_ipip_mode: Never # Disable IPIP when using BGP
calico_vxlan_mode: Never # Disable VXLAN when using BGP
calico_pool_cidr: 10.233.64.0/18 # Pod CIDR
calico_felix_prometheusmetricsenabled: true
Because Calico is managed by Kubespray, changes require re-running the Kubespray playbook — not a FluxCD reconciliation.
Key Configuration
IP Pools
IP pools define the CIDR ranges from which pods receive addresses. The default pool is set via calico_pool_cidr in Kubespray variables. To inspect the active pool after deployment:
kubectl get ippools.crd.projectcalico.org -o yaml
To create an additional IP pool (for example, a secondary range for a specific namespace), apply a manifest directly:
apiVersion: crd.projectcalico.org/v1
kind: IPPool
metadata:
name: secondary-pool
spec:
cidr: 10.234.0.0/16
ipipMode: Never
vxlanMode: Never
natOutgoing: true
nodeSelector: "!all()" # Disabled by default; assign to specific nodes as needed
BGP Peering
For environments where pods need routable IPs (bare-metal, on-prem), configure BGP peering with your network infrastructure:
apiVersion: crd.projectcalico.org/v1
kind: BGPPeer
metadata:
name: rack-tor-switch
spec:
peerIP: 192.168.1.1
asNumber: 64512
nodeSelector: "rack == 'rack-01'"
Set the node AS number via BGPConfiguration:
apiVersion: crd.projectcalico.org/v1
kind: BGPConfiguration
metadata:
name: default
spec:
asNumber: 64513
logSeverityScreen: Info
Network Policies
Calico enforces standard Kubernetes NetworkPolicy resources and extends them with its own CRDs for features like global policies and DNS-based rules:
# Standard Kubernetes NetworkPolicy — works with Calico out of the box
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all-ingress
namespace: production
spec:
podSelector: {}
policyTypes:
- Ingress
For cluster-wide rules, use Calico's GlobalNetworkPolicy. Keep in mind that once a policy selects a pod for a traffic direction, traffic that matches none of its rules is denied unless another policy allows it, so the Deny-only policy below also cuts off in-cluster egress for env == 'restricted' pods until an Allow rule or policy covers it:
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
name: deny-external-egress
spec:
selector: "env == 'restricted'"
types:
- Egress
egress:
- action: Deny
destination:
notNets:
- 10.0.0.0/8
eBPF Mode
Calico supports an eBPF dataplane as an alternative to iptables. eBPF mode offers lower latency and removes the need for kube-proxy. To enable it, set the following Kubespray variables before cluster provisioning:
calico_bpf_enabled: true
kube_proxy_remove: true # kube-proxy is replaced by Calico eBPF
eBPF mode requires Linux kernel 5.3+ on all nodes. Verify kernel version before enabling.
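As an added pre-flight check (not part of the original page, openCenter-cli or Kubespray), the following POSIX shell script evaluates the 5.3 kernel requirement across nodes using the kernel version the kubelet publishes in node status; the node names and kernel strings in SAMPLE are constructed.

```shell
#!/bin/sh
# Added pre-flight check, not part of openCenter-cli or Kubespray: confirms
# every node's kernel meets the 5.3 minimum for Calico's eBPF dataplane,
# using the kernel version the kubelet reports in .status.nodeInfo.
MIN_MAJOR=5
MIN_MINOR=3

# kernel_ok VERSION: succeed if VERSION (e.g. "5.15.0-91-generic") is >= 5.3.
kernel_ok() {
    ver=$1
    case "$ver" in *.*) ;; *) return 1 ;; esac   # need at least major.minor
    major=${ver%%.*}            # "5"
    rest=${ver#*.}              # "15.0-91-generic"
    minor=${rest%%.*}           # "15"
    minor=${minor%%-*}          # also handles "5.3-rc1" style strings
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt "$MIN_MAJOR" ] && return 0
    [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]
}

# check_nodes: reads "NODE KERNEL" lines on stdin, prints a verdict per node,
# returns 1 if any node is below the minimum (so it can gate a pipeline).
check_nodes() {
    bad=0
    while read -r node kver; do
        [ -n "$node" ] || continue
        if kernel_ok "$kver"; then
            echo "OK    $node $kver"
        else
            echo "FAIL  $node $kver (eBPF needs >= $MIN_MAJOR.$MIN_MINOR)"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample of node/kernel pairs (not real cluster output) so the
# script runs offline; node-02 is too old for eBPF mode.
SAMPLE='node-01 5.15.0-91-generic
node-02 4.18.0-513.el8.x86_64
node-03 6.1.0-18-amd64'

printf '%s\n' "$SAMPLE" | check_nodes \
    || echo "do not set calico_bpf_enabled: true until the FAIL nodes are upgraded"

# Against a live cluster, feed real node data instead of the sample:
#   kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.nodeInfo.kernelVersion}{"\n"}{end}' | check_nodes
```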
Verification
# Check Calico pods are running
kubectl get pods -n calico-system
# Verify node status via calicoctl (if installed)
calicoctl node status
# Check IP pool allocation
kubectl get ippools.crd.projectcalico.org
# Verify BGP peering (if configured): every peer should report Established
calicoctl node status | grep -i "established"
# Check Felix metrics endpoint
kubectl get pods -n calico-system -l k8s-app=calico-node -o wide
curl http://<node-ip>:9091/metrics
Common Customizations
- Switch from overlay to BGP: Set calico_network_backend: bird and configure BGPPeer resources for your ToR switches.
- Add IP pools: Create additional IPPool CRs for multi-tenant or namespace-scoped addressing.
- Enable WireGuard encryption: Set calico_wireguard_enabled: true in Kubespray variables for encrypted pod-to-pod traffic.
- Tune Felix: Adjust calico_felix_* variables for logging, metrics, and flow log collection.
Changes to Kubespray-managed settings require re-running the cluster playbook. Calico CRD resources (IPPool, BGPPeer, NetworkPolicy) can be applied directly with kubectl.