Calico Overview, Architecture, Deployment, and Management in Kubernetes
This article provides a comprehensive guide to Calico as a Kubernetes CNI, covering its BGP‑based three‑layer architecture, deployment steps, configuration of etcd certificates, management tools, BGP route‑reflector mode, IPIP tunneling, and network policy implementation for cloud‑native clusters.
Calico is a popular BGP‑based CNI plugin for Kubernetes that offers high performance, flexibility, and full network policy support, operating as a pure L3 solution integrated with cloud platforms such as OpenStack, AWS, and GCE.
1. Calico Overview – Calico creates a virtual router (vRouter) on each node and advertises container routes via BGP, achieving plain IP routing without additional NAT or overlay networks and so improving CPU efficiency.
2. Architecture and BGP Implementation – The core components include Felix (node agent), Orchestrator Plugin, etcd, BIRD (BGP client), and an optional BGP Route Reflector for large clusters. Calico can also use IP‑in‑IP overlay when needed.
3. Deployment Steps
Modify Kubernetes API server and kubelet parameters to enable privileged mode and CNI networking, then create the necessary resources:
# curl https://docs.projectcalico.org/v3.11/manifests/calico-etcd.yaml -o calico-etcd.yaml
Populate the etcd TLS Secret with base64‑encoded certificates, configure the calico-config ConfigMap with the etcd endpoints, and set the pod CIDR (e.g., 10.244.0.0/16) and IPIP mode as desired.
# vim calico-etcd.yaml
apiVersion: v1
kind: Secret
type: Opaque
data:
  etcd-key: <base64‑key>
  etcd-cert: <base64‑cert>
  etcd-ca: <base64‑ca>
Apply the manifest with kubectl apply -f calico-etcd.yaml and verify the created resources.
4. Management Tools – Install calicoctl from the official releases, then use it to query node status, BGP peers, IP pools, and network policies.
# wget -O /usr/local/bin/calicoctl https://github.com/projectcalico/calicoctl/releases/download/v3.11.1/calicoctl
# chmod +x /usr/local/bin/calicoctl
# calicoctl node status
5. Calico BGP Mode – Nodes act as full‑mesh BGP peers by default; for large clusters, enable a Route Reflector to reduce the size of the mesh.
6. Route Reflector (RR) Mode – Disable node‑to‑node mesh in BGPConfiguration, label chosen nodes as route-reflector=true, and set routeReflectorClusterID in the Node spec.
# cat <<EOF | calicoctl create -f -
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  nodeToNodeMeshEnabled: false
  asNumber: 63400
EOF
7. IPIP Mode – Enable IPIP tunneling by setting ipipMode: Always in the IPPool, which creates a tunl0 interface for encapsulated traffic at the cost of some encapsulation overhead.
# calicoctl get ipPool -o yaml > ipip.yaml
# vi ipip.yaml
spec:
  ipipMode: Always
# calicoctl apply -f ipip.yaml
8. Network Policy Support – Once Calico is installed, Kubernetes NetworkPolicy objects are enforced by Calico’s iptables‑based policy engine.
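To make the enforcement model concrete, here is an added example (not from the article or the Calico project) that models the Kubernetes NetworkPolicy ingress semantics Calico enforces: a pod selected by no policy is open, and a selected pod only accepts what some rule allows. Selectors are matchLabels-only, ports are plain integers, and the policies and pods are constructed sample data.

```python
# Added example, not from the article: a minimal model of the Kubernetes
# NetworkPolicy ingress semantics that Calico's policy engine enforces.
# Simplifications: matchLabels-only selectors, numeric ports, constructed data.
def selects(selector, labels):
    """matchLabels semantics: {} selects everything, else every pair must match."""
    return all(labels.get(k) == v for k, v in selector.items())

def peer_matches(peer, src, policy_ns):
    """One 'from' entry: podSelector alone is scoped to the policy's namespace,
    namespaceSelector alone covers all pods in matching namespaces, both must hold."""
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is None and src["namespace"] != policy_ns:
        return False
    if ns_sel is not None and not selects(ns_sel, src["ns_labels"]):
        return False
    pod_sel = peer.get("podSelector")
    return pod_sel is None or selects(pod_sel, src["labels"])

def ingress_allowed(policies, dst, src, port):
    """True if src -> dst:port is permitted. A pod selected by no policy accepts
    everything; once any policy selects it, only traffic matched by a rule of
    some selecting policy gets through, so a podSelector-{} policy with no
    rules acts as a namespace-wide default deny."""
    selecting = [p for p in policies
                 if p["namespace"] == dst["namespace"]
                 and "Ingress" in p.get("policyTypes", ["Ingress"])
                 and selects(p["podSelector"], dst["labels"])]
    if not selecting:
        return True
    for p in selecting:
        for rule in p.get("ingress", []):   # missing/empty ingress: deny all
            peers = rule.get("from")        # missing 'from': any source
            if peers is not None and not any(
                    peer_matches(x, src, p["namespace"]) for x in peers):
                continue
            ports = rule.get("ports")       # missing 'ports': any port
            if ports is None or port in ports:
                return True
    return False

# Constructed sample: default deny in "prod", then allow api -> db on 5432 only.
POLICIES = [
    {"namespace": "prod", "podSelector": {}, "policyTypes": ["Ingress"]},
    {"namespace": "prod", "podSelector": {"app": "db"}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"podSelector": {"app": "api"}}], "ports": [5432]}]},
]
DB = {"namespace": "prod", "labels": {"app": "db"}, "ns_labels": {"env": "prod"}}
API = {"namespace": "prod", "labels": {"app": "api"}, "ns_labels": {"env": "prod"}}
WEB = {"namespace": "prod", "labels": {"app": "web"}, "ns_labels": {"env": "prod"}}
DEV = {"namespace": "dev", "labels": {"app": "debug"}, "ns_labels": {"env": "dev"}}
```

Running ingress_allowed(POLICIES, DB, API, 5432) returns True while the same call for WEB, for port 3306, or for a source in the dev namespace returns False, and any pod in the policy-free dev namespace stays fully reachable.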
Overall, the guide walks through setting up Calico, configuring BGP or IPIP, managing routes with a reflector, and leveraging Calico’s network policy capabilities for secure, high‑performance Kubernetes networking.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Cloud Native Technology Community
The Cloud Native Technology Community, part of the CNBPA Cloud Native Technology Practice Alliance, focuses on evangelizing cutting‑edge cloud‑native technologies and practical implementations. It shares in‑depth content, case studies, and event/meetup information on containers, Kubernetes, DevOps, Service Mesh, and other cloud‑native tech, along with updates from the CNBPA alliance.