About Calico

Calico provides secure network connectivity for containers and virtual machine workloads.

Calico creates and manages a flat layer 3 network, assigning each workload a fully routable IP address. Workloads can communicate without IP encapsulation or network address translation for bare metal performance, easier troubleshooting, and better interoperability. In environments that require an overlay, Calico uses IP-in-IP tunneling or can work with other overlay networking such as flannel.

Calico also provides dynamic enforcement of network security rules. Using Calico’s simple policy language, you can achieve fine-grained control over communications between containers, virtual machine workloads, and bare metal host endpoints.

Proven in production at scale, Calico v3.4 features integrations with Kubernetes, OpenShift, and OpenStack.

Note: For integrations with the Mesos, DC/OS, and Docker orchestrators, use Calico v2.6.

Get started

How it works

Calico overview diagram


Calico leverages the routing and iptables firewall capabilities native to the Linux kernel. All traffic to and from individual containers, virtual machines, and hosts traverses these in-kernel rules before being routed to its destination.

  • calicoctl: allows you to achieve advanced policies and networking from a simple, command-line interface.

  • orchestrator plugins: provide close integration and synchronization with a variety of popular orchestrators.

  • key/value store: holds Calico’s policy and network configuration state.

  • calico/node: runs on each host, reads relevant policy and network configuration information from the key/value store, and implements it in the Linux kernel.

  • Dikastes/Envoy: optional Kubernetes sidecars that secure workload-to-workload communications with mutual TLS authentication and enforce application layer policy.