Calico Open Source

Networking and security for containers and Kubernetes


Calico Open Source is a networking and security solution for containers, virtual machines, and native host-based workloads. It supports a broad range of platforms including Kubernetes, OpenShift, Docker EE, OpenStack, and bare metal services.

Whether you opt to use Calico's eBPF data plane, Linux’s standard networking pipeline, or the Windows data plane, Calico delivers blazing-fast performance with true cloud-native scalability. Calico provides developers and cluster operators with a consistent experience and set of capabilities whether running in public cloud or on-premises, or on a single node or across a multi-thousand node cluster.


Pluggable data planes includes eBPF, Windows, VPP, and Linux

Any container, any Kubernetes distro, any cloud

Unparalleled scalability & efficient resource utilization

Real-world production hardened



Choice of data planes

Calico Open Source offers a choice of data planes, including a pure Linux eBPF data plane, a standard Linux networking data plane, and a Windows HNS data plane. Calico combines cutting-edge features with standard primitives system administrators are already familiar with, to provide networking and security for containers and Kubernetes.

Full Kubernetes network policy support

Calico Open Source’s network policy engine is the original reference implementation of Kubernetes network policy. It implements the full set of features defined by the Kubernetes networking API, giving users all of the capabilities and flexibility envisaged when the API was originally defined.

Kubernetes-native Security Policy Model

Calico Open Source translates networking and security best practices into a rich networking and security policy model for Kubernetes-native environments. Calico makes it easy for DevOps, SRE, platform architect, security, and compliance teams to allow or deny access to traffic. The solution comes with built-in support for WireGuard encryption, with higher performance and lower CPU consumption.

Calico’s policy engine enforces the same policy model at the host networking layer and at the application layer. Thus, it protects infrastructure from compromised workloads, and vice-versa.

Best-in-class Performance

Calico Open Source uses the Linux kernel’s built-in, highly optimized forwarding and access control capabilities to deliver native Linux networking data plane performance, typically without requiring any of the encap/decap overheads. Calico’s control plane and policy engine are optimized to minimize overall CPU usage and occupancy, leading to higher performance and lower monthly bills.

Workload interoperability

Calico Open Source enables Kubernetes workloads and non-Kubernetes or legacy workloads to communicate seamlessly and securely. Calico can easily extend to secure existing host-based workloads (whether in the public cloud, or on-premises on VMs or bare metal servers) alongside Kubernetes. All workloads are subject to the same network and security policy model for consistent enforcement of traffic flow externally and internally.


Calico enables WireGuard to secure on-the-wire, in-cluster pod traffic in a Kubernetes cluster. Calico automatically creates and manages WireGuard tunnels between nodes providing transport-level security for on-the-wire, in-cluster pod traffic. WireGuard provides formally verified secure and performant tunnels without any specialized hardware.

Scalable Networking

Calico’s core design principles leverage best practice cloud-native design patterns combined with proven standards based network protocols trusted worldwide by the largest internet carriers. The result is a solution with exceptional scalability that has been running at scale in production for years. Calico’s development test cycle includes regularly testing multi-thousand node clusters. Whether you are running a 10 node cluster, 100 node cluster, or more, you reap the benefits of the improved performance and scalability characteristics demanded by the largest Kubernetes clusters.

Key Features

How It Works


Learn about Kubernetes-native networking and security with Calico on a single-host Kubernetes cluster within 15 mins.

If you like Calico, you will love Calico Cloud



Learn more


Get Started

Latest Content

Turbocharging AKS networking with Calico eBPF

Turbocharging AKS networking with Calico eBPF

By Reza Ramezanpour on Nov 23, 2021

A single Kubernetes cluster expends a small percentage of its total available assigned resources on delivering in-cluster networking. We don’t have to be satisfied with this, though—achieving the lowest possible overhead can provide significant cost...

Read more >
Automate EKS workloads security and observability using Calico integration with Amazon Control Tower

Automate EKS workloads security and observability using Calico integration with Amazon Control Tower

By Neeraj Shahdadpuri on Nov 18, 2021

Streamline the security and observability of your landing zone for EKS clusters by automating the process of connecting an EKS cluster to Calico Cloud. Users get granular workload access controls,...

Register here >
Rancher Masterclass: 90 mins hands-on workshop to learn security and observability for Containers, Kubernetes, and Cloud on RKE2 and Calico

Rancher Masterclass: 90 mins hands-on workshop to learn security and observability for Containers, Kubernetes, and Cloud on RKE2 and Calico

By Neeraj Shahdadpuri on Nov 19, 2021

In this RKE2-focused workshop for networking, security and observability on containers, Kubernetes and Calico, you will work with a Calico and RKE expert to learn how to design, deploy, and...

Watch here >