Calico Open Source

Calico’s pluggable data plane architecture lets you select the best data plane for your needs. Choose from eBPF, Windows, iptables, or nftables. This pluggable architecture ensures it can readily incorporate new networking technologies, making it future-proof.

Calico Open Source’s network policy engine implements the full set of features defined by the Kubernetes networking API, including the latest release of AdminNetworkPolicy and BaselineAdminNetworkPolicy. This gives you the full power and flexibility that Kubernetes network policy was designed to offer.

Calico Open Source offers advanced Kubernetes-native security policies that simplify the implementation of network security. Calico network policies support policy tiers to precisely define policy evaluation order, leverage “deny and log” actions for enhanced security, and apply more flexible match criteria. Calico network policies support NetworkSets and implement cluster-wide security rules with global policies that extend beyond individual namespaces.

Staged Policies in Calico let you test Calico and Kubernetes network policy behaviour without enforcing them. This helps teams safely evaluate the impact of a policy before it goes live, reducing the risk of misconfigurations and service disruptions. By simulating how a policy would behave in production, before actually enforcing it, platform and security teams can iterate quickly and deploy with confidence.

Calico Open Source includes Whisker, a visual UI tool that simplifies access to flow logs. Whisker makes it easier to analyze network communication and debug policies, providing clear visibility into traffic. This helps you quickly pinpoint network communication issues and optimize your network security policies.

Calico Open Source enables seamless and secure communication between Kubernetes containers and traditional host-based workloads (such as virtual machines and bare metal servers). Its architecture easily applies security policies to these workloads, regardless of the environment, alongside your Kubernetes deployments. This ensures consistent network and security enforcement for all traffic, both within the cluster and externally.

Calico Ingress Gateway is a 100% upstream distribution of Envoy Gateway that provides a standardized way to manage Kubernetes ingress traffic. It offers advanced traffic control, integrated load balancing, and seamless ingress traffic policy enforcement. This simplifies traffic management, strengthens security, and optimizes resource utilization across the cluster.

Calico Open Source implements transport-level security for in-cluster Kubernetes pod traffic by automatically creating and managing WireGuard tunnels between nodes. This encrypts on-the-wire communication, leveraging WireGuard’s formally verified and performant security features.

Calico Open Source achieves high-performance Linux networking by using the Linux kernel’s built-in, optimized forwarding and access control. This usually eliminates the performance impact of encapsulation and decapsulation. Additionally, Calico’s control plane and policy engine are designed to minimize CPU usage and resource demands, resulting in better performance and lower costs.

Built on cloud-native best practices and trusted network standards used by the largest internet carriers, Calico Open Source delivers exceptional scalability proven in large-scale production environments for years. Our rigorous development testing includes multi-thousand-node clusters, ensuring that whether you have 10 nodes or 10,000+, you benefit from the performance and scalability demanded by the largest Kubernetes deployments.

Ready for More? With Calico OSS 3.30 or higher, users can now effortlessly upgrade to Calico Cloud Free Tier! (with no additional software to install) Unlock enhanced observability to visualize and troubleshoot workload communication, plus streamlined policy management for faster and easier network security and microsegmentation.