Mastering Calico: Complete Guide to Installing and Configuring Kubernetes CNI Networking
This comprehensive guide explains the fundamentals of CNI plugins, details Calico's architecture and network modes, walks through installation via manifest or Tigera Operator, covers configuration of CIDR blocks, IPIP/VXLAN encapsulation, network policies, and provides step‑by‑step instructions for full deployment and clean uninstallation in Kubernetes clusters.
0. Introduction
Reference: https://github.com/containernetworking/cni. Kubernetes does not implement pod networking itself; it calls the open CNI interface so that a third‑party plugin can. A CNI plugin solves cross‑host container communication by allocating each Pod a unique IP and setting up the routes (or an overlay network) that carry traffic between hosts. Every pod starts with a "pause" sandbox container that owns the pod's network namespace; the application containers join that namespace, which is why one IP and one set of CNI operations serve the whole pod. The reference plugins are grouped as MAIN (interface creation, e.g., bridge, ipvlan, macvlan), Windows (e.g., win‑bridge), IPAM (address allocation, e.g., host‑local, dhcp), and META (chained helpers, e.g., firewall, portmap, flannel).
Common solutions include Flannel, Calico (with network policy support), and Canal (Flannel + Calico).
1. Calico Overview
Reference: https://projectcalico.docs.tigera.io/. Calico is a widely adopted open‑source networking and security solution for Kubernetes, VMs, and bare metal, supporting full Kubernetes network policies.
1.1 Calico Components
1.1.1 CNI Plugin
Calico's CNI plugin (the calico and calico-ipam binaries in /opt/cni/bin, configured from /etc/cni/net.d) is invoked by the container runtime whenever kubelet creates or deletes a pod sandbox: it allocates the pod IP from Calico IPAM and wires up the pod's veth pair.
1.1.2 Calico Node
Runs on each node as the calico-node DaemonSet, managing routing, policy rules, and Calico's virtual interfaces (tunl0 or vxlan.calico). Sub‑modules include:
Felix – the agent that programs interfaces, routes, and ACLs (iptables rules on the default dataplane) on the node and reports node health and status.
BIRD BGP client – advertises this node's pod routes to its BGP peers and installs learned routes in the kernel.
BIRD Route Reflector – optional component that reduces BGP peer connections in large clusters.
1.1.3 Calico kube‑controllers
Runs as a Deployment (calico-kube-controllers). It watches Kubernetes objects (NetworkPolicy, namespaces, pods, nodes, service accounts) and mirrors them into Calico's datastore. It does not create iptables rules itself; that is Felix's job on each node.
1.1.4 Calico Typha (optional)
Recommended once a cluster exceeds roughly 50 nodes. Typha sits between the datastore and the per‑node Felix/confd instances: it holds a single watch on the kube‑apiserver and fans updates out to every node, so the API server no longer serves one watch per node. It does not talk to etcd directly.
1.2 Calico Network Implementation
Calico forwards pod traffic between nodes in one of two ways:
1.2.1 Dynamic Routing Mode (BGP)
Each node's BIRD instance advertises the routes to that node's pod IP blocks to its BGP peers (by default a full mesh of all nodes in a single AS, 64512) and installs the routes it learns in the kernel, so pod traffic is forwarded natively with no encapsulation. This is similar to Flannel's Host‑GW mode, but because Calico can also peer with route reflectors or the physical routers, it is not limited to nodes that share one layer‑2 subnet.
1.2.2 Overlay Network Mode
Pod traffic is wrapped in IPIP (IP protocol 4; interface tunl0) or VXLAN (UDP port 4789; interface vxlan.calico). The IPPool encapsulation field accepts IPIP, VXLAN, IPIPCrossSubnet, VXLANCrossSubnet (encapsulate only when the destination node is on another subnet), and None. IPIP has the smaller header (20 bytes versus roughly 50 for VXLAN), but some cloud networks drop IP protocol 4, and neither mode encrypts anything: both carry the pod packet in clear text, so isolation comes from network policy (or Calico's WireGuard option), not from the encapsulation.
1.3 Understanding CIDR Subnet Allocation (blockSize)
Calico carves the pool CIDR (192.168.0.0/16 in the stock calico.yaml; kubeadm clusters often use 10.244.0.0/16, and the pool must fall within the cluster's --pod-network-cidr) into per‑node blocks. The default IPv4 blockSize is 26, i.e. 64 addresses per block. Blocks are IPAM allocation units rather than subnets, so Calico does not reserve a network or broadcast address: all 64 are handed out to pods (which is why Calico pods can receive IPs ending in .0 or .255). A node that fills its block is assigned another, and a /16 pool with /26 blocks yields 1024 blocks.
1.4 Calico Network Policy
Calico implements Kubernetes NetworkPolicy (plus its own richer NetworkPolicy and GlobalNetworkPolicy resources) in Felix: on the default Linux dataplane it renders policy into per‑node iptables chains (cali-*) that filter each pod's ingress and egress traffic at the pod's veth; an eBPF dataplane is available as an alternative.
2. Install Calico
Two installation methods: using the calico.yaml manifest or the Tigera Calico Operator.
2.1 Install via calico.yaml
Requirements: x86‑64/arm64/ppc64le/s390x, 2 CPU, 2 GB RAM, 10 GB disk, RHEL 7+/CentOS 7+/Ubuntu 16.04+/Debian 9+. Steps:
Configure registry mirrors in /etc/docker/daemon.json (registry-mirrors) so images pull quickly from within mainland China (code block).
Restart Docker (code block).
Configure NetworkManager to leave Calico's interfaces (cali*, tunl*, vxlan.calico) unmanaged (code block).
Download calico.yaml (code block).
Remove the "docker.io/" prefix from image references in calico.yaml so the mirror is consulted (code block).
Apply the manifest: kubectl apply -f calico.yaml .
Verify that the calico-node and calico-kube-controllers pods in the kube‑system namespace are Running.
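The host preparation and manifest edit from the steps above as shell functions; this is an added example, not code from the article or from the Calico project. The NetworkManager drop‑in is the one Calico's documentation recommends; the manifest excerpt, its image tag, and the registry host are constructed placeholders, and nothing touches the host or cluster unless CALICO_APPLY=1.

```bash
#!/usr/bin/env bash
# Added example (not from the article): host prep for the calico.yaml install.
# The manifest edit is exercised on a constructed excerpt; nothing touches the
# host or cluster unless CALICO_APPLY=1.
set -eu

# Tell NetworkManager to leave Calico's interfaces alone. Without this it may
# reconfigure cali* veths, tunl0 or vxlan.calico and break pod networking.
# $1: config file path (default is the real NetworkManager drop-in directory).
write_nm_unmanaged_conf() {
  conf="${1:-/etc/NetworkManager/conf.d/calico.conf}"
  mkdir -p "$(dirname "$conf")"
  cat > "$conf" <<'EOF'
[keyfile]
unmanaged-devices=interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico;interface-name:vxlan-v6.calico;interface-name:wireguard.cali;interface-name:wg-v6.cali
EOF
}

# Drop the "docker.io/" prefix from image references so the daemon's
# registry-mirrors setting is used, or point them at a private registry.
# $1: input manifest  $2: output manifest  $3: optional registry host
# (the registry value must not contain '#' or '&', which sed would interpret).
rewrite_images() {
  in="$1"; out="$2"; registry="${3:-}"
  if [ -n "$registry" ]; then
    sed -E "s#^( *image: )docker\.io/#\1${registry}/#" "$in" > "$out"
  else
    sed -E 's#^( *image: )docker\.io/#\1#' "$in" > "$out"
  fi
}

# Number of image lines still pointing at docker.io (0 after a rewrite).
count_dockerio_images() {
  grep -cE '^ *image: docker\.io/' "$1" || true
}

# Apply the manifest and wait for the calico-node DaemonSet (kube-system
# namespace for the manifest install) before trusting the cluster network.
install_calico() {
  kubectl apply -f "$1"
  kubectl -n kube-system rollout status daemonset/calico-node --timeout=300s
  kubectl -n kube-system get pods -l k8s-app=calico-node -o wide
}

# Constructed excerpt of calico.yaml (image lines only; the tag is a placeholder).
SAMPLE_MANIFEST="$(mktemp)"
cat > "$SAMPLE_MANIFEST" <<'EOF'
      initContainers:
        - name: install-cni
          image: docker.io/calico/cni:v3.25.0
      containers:
        - name: calico-node
          image: docker.io/calico/node:v3.25.0
        - name: calico-kube-controllers
          image: docker.io/calico/kube-controllers:v3.25.0
EOF

MIRROR_MANIFEST="$(mktemp)"
rewrite_images "$SAMPLE_MANIFEST" "$MIRROR_MANIFEST"
echo "docker.io references left after rewrite: $(count_dockerio_images "$MIRROR_MANIFEST")"

if [ "${CALICO_APPLY:-0}" = 1 ]; then
  write_nm_unmanaged_conf
  systemctl restart NetworkManager
  install_calico "${CALICO_MANIFEST:-calico.yaml}"
fi
```

Run it as-is to see the rewrite on the excerpt; on a real node, run it with CALICO_APPLY=1 and CALICO_MANIFEST pointing at the rewritten calico.yaml. Restarting NetworkManager before applying the manifest matters: the unmanaged‑devices rule must be in force before the first cali* interface appears.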
2.2 Install via Tigera Calico Operator
Steps:
Configure NetworkManager as above (code block).
Download and apply tigera-operator.yaml from the official repo.
Download custom-resources.yaml, edit the Installation resource's spec.calicoNetwork.ipPools entry (blockSize, cidr, encapsulation, natOutgoing, nodeSelector) so that cidr matches the cluster's pod CIDR, then apply it.
The operator itself runs in the tigera-operator namespace and creates the calico-system namespace for Calico; verify the Calico pods there are Running.
If images fail to pull from docker.io, pull them from quay.io and retag as needed.
3. Calico Manifest Details – calico.yaml
Reference: https://docs.projectcalico.org/... The manifest creates the calico-node DaemonSet (with an install-cni init container that drops the CNI binaries and configuration onto each host), the calico-kube-controllers Deployment, the calico-config ConfigMap, and, in the etcd‑datastore variant of the manifest, a Secret for the etcd TLS material. The default encapsulation is IPIP.
3.1 Configure Pod CIDR
Set the CALICO_IPV4POOL_CIDR environment variable of the calico-node container (commented out by default) to change the pod IP range (code snippet). calico-node reads it only when it creates the default IPPool on first start, so on a cluster that already has a pool, edit the IPPool resource instead.
3.2 Configure IPIP (default)
IPIP is enabled by CALICO_IPV4POOL_IPIP="Always". Options: Always (encapsulate all node‑to‑node traffic), CrossSubnet (encapsulate only between nodes on different subnets), Never.
3.3 Switch IPIP to VXLAN
Set CALICO_IPV4POOL_IPIP="Never" and CALICO_IPV4POOL_VXLAN="Always". To drop BGP entirely, also set calico_backend: "vxlan" in the calico-config ConfigMap and remove the -bird-live and -bird-ready arguments from the calico-node liveness and readiness probes; otherwise the probes fail because BIRD is no longer running.
3.4 Other Configurations
The calico-config ConfigMap defines typha_service_name ("none", or "calico-typha" when Typha is deployed), calico_backend ("bird" or "vxlan"), veth_mtu, and the CNI network configuration JSON.
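The edits of 3.1 to 3.3 as awk functions that can be run against calico.yaml and then read back for verification. This is an added example, not code from the article or from Calico; it assumes the stock manifest layout (the commented CALICO_IPV4POOL_CIDR pair, one env var value per line, probe arguments one per line) and runs here against a constructed excerpt of the relevant lines, not a complete manifest.

```bash
#!/usr/bin/env bash
# Added example (not from the article): edit the calico.yaml settings of
# sections 3.1-3.3 with awk, then read them back. Runs against a constructed
# excerpt of the manifest; point the functions at the real file to use them.
set -eu

# Uncomment CALICO_IPV4POOL_CIDR and set it. Caveat: calico-node only reads
# this when it creates the default IPPool on first start; on a cluster that
# already has a pool, change the IPPool resource instead.
# $1: input manifest  $2: output manifest  $3: CIDR (must match --pod-network-cidr)
set_pool_cidr() {
  awk -v cidr="$3" '
    /- name: CALICO_IPV4POOL_CIDR$/ { sub(/# /, ""); print; fix = 1; next }
    fix == 1 { sub(/# /, ""); sub(/value: .*/, "value: \"" cidr "\""); print; fix = 0; next }
    { print }
  ' "$1" > "$2"
}

# Select the encapsulation. "ipip" is the manifest default; "vxlan" sets
# CALICO_IPV4POOL_IPIP=Never, CALICO_IPV4POOL_VXLAN=Always, switches
# calico_backend to vxlan (no BIRD/BGP) and drops the -bird-live/-bird-ready
# probe flags, which would otherwise fail with BIRD not running. Switching
# back to ipip does not re-add the probe flags.
# $1: input manifest  $2: output manifest  $3: ipip | vxlan
set_encapsulation() {
  case "$3" in
    ipip)  ipip=Always; vxlan=Never;  backend=bird ;;
    vxlan) ipip=Never;  vxlan=Always; backend=vxlan ;;
    *) echo "encapsulation must be ipip or vxlan" >&2; return 1 ;;
  esac
  awk -v ipip="$ipip" -v vxlan="$vxlan" -v backend="$backend" '
    /- name: CALICO_IPV4POOL_IPIP$/  { print; getline; sub(/value: .*/, "value: \"" ipip "\"");  print; next }
    /- name: CALICO_IPV4POOL_VXLAN$/ { print; getline; sub(/value: .*/, "value: \"" vxlan "\""); print; next }
    /^ *calico_backend:/             { sub(/:.*/, ": \"" backend "\""); print; next }
    backend == "vxlan" && /^ *- -bird-(live|ready)$/ { next }
    { print }
  ' "$1" > "$2"
}

# Read back a calico-node env var ("unset" if the lines are still commented out).
# $1: manifest  $2: variable name
env_value() {
  awk -v name="$2" '
    $0 ~ ("- name: " name "$") {
      if ($0 ~ /^ *#/) { print "unset"; exit }
      getline; sub(/.*value: */, ""); gsub(/"/, ""); print; exit
    }' "$1"
}

# Read back calico_backend from the ConfigMap. $1: manifest
backend_value() {
  awk '/^ *calico_backend:/ { sub(/.*: */, ""); gsub(/"/, ""); print; exit }' "$1"
}

# Number of BIRD probe flags left (2 in the stock manifest, 0 in VXLAN mode).
bird_probe_count() {
  grep -cE '^ *- -bird-(live|ready)$' "$1" || true
}

# Constructed excerpt of the relevant calico.yaml lines (not a valid manifest).
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
kind: ConfigMap
metadata:
  name: calico-config
data:
  typha_service_name: "none"
  calico_backend: "bird"
---
            # - name: CALICO_IPV4POOL_CIDR
            #   value: "192.168.0.0/16"
            - name: CALICO_IPV4POOL_IPIP
              value: "Always"
            - name: CALICO_IPV4POOL_VXLAN
              value: "Never"
          livenessProbe:
            exec:
              command:
              - /bin/calico-node
              - -felix-live
              - -bird-live
          readinessProbe:
            exec:
              command:
              - /bin/calico-node
              - -felix-ready
              - -bird-ready
EOF

CIDR_OUT="$(mktemp)"; VXLAN_OUT="$(mktemp)"
set_pool_cidr "$SAMPLE" "$CIDR_OUT" 10.244.0.0/16
set_encapsulation "$CIDR_OUT" "$VXLAN_OUT" vxlan
printf 'cidr=%s ipip=%s vxlan=%s backend=%s bird_probes=%s\n' \
  "$(env_value "$VXLAN_OUT" CALICO_IPV4POOL_CIDR)" \
  "$(env_value "$VXLAN_OUT" CALICO_IPV4POOL_IPIP)" \
  "$(env_value "$VXLAN_OUT" CALICO_IPV4POOL_VXLAN)" \
  "$(backend_value "$VXLAN_OUT")" "$(bird_probe_count "$VXLAN_OUT")"
```

The read‑back functions are the useful part for review: before applying a manifest someone else edited, check that the CIDR is actually uncommented, that IPIP and VXLAN are not both "Always", and that a vxlan backend is not paired with BIRD probe flags.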
4. Calico Manifest Details – custom-resources.yaml
Used with the Tigera Operator to customize installation. The spec.calicoNetwork.ipPools section defines blockSize, CIDR, encapsulation (IPIP, VXLAN, etc.), NAT outgoing, and node selector.
5. Completely Uninstall Calico
Delete the cluster resources with the manifest used to install: kubectl delete -f calico.yaml (for an operator install, delete custom-resources.yaml and then tigera-operator.yaml).
On every node, remove the tunnel interface: modprobe -r ipip unloads the module and with it tunl0 (IPIP mode); in VXLAN mode, ip link delete vxlan.calico .
Delete CNI configuration and state: rm -rf /var/lib/cni/ && rm -rf /etc/cni/net.d/* (Calico's own node state lives in /var/lib/calico and /var/run/calico). Calico's cali-* iptables chains stay loaded until the node is rebooted or the rules are flushed.
Restart kubelet: systemctl restart kubelet .
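The uninstall procedure as a script, with the file cleanup parameterised by a root prefix so it can be exercised on a scratch directory before being pointed at a real node. This is an added example, not code from the article or from Calico; the paths are the ones Calico uses on a node, and the kubectl, ip, modprobe and systemctl steps only run when CALICO_UNINSTALL_RUN=1.

```bash
#!/usr/bin/env bash
# Added example (not from the article): Calico removal as functions. The
# kubectl step runs once; the node steps run on every node. The file cleanup
# takes a root prefix so it can be tried on a scratch directory first.
set -eu

# 1. Delete the cluster resources with the same manifest(s) used to install.
#    Operator installs: pass custom-resources.yaml and then tigera-operator.yaml.
delete_cluster_resources() {
  for m in "$@"; do kubectl delete -f "$m" --ignore-not-found; done
}

# 2. Remove CNI config, CNI cache/IPAM state and Calico's node state under $1
#    (default: the real root). /etc/cni/net.d is emptied but kept, because
#    the next CNI plugin writes into it. Echoes the number of files removed.
clean_cni_files() {
  root="${1:-}"
  removed=0
  for d in "$root/etc/cni/net.d" "$root/var/lib/cni" "$root/var/lib/calico" "$root/var/run/calico"; do
    [ -d "$d" ] || continue
    removed=$(( removed + $(find "$d" -type f | wc -l) ))
    rm -rf "$d"
  done
  mkdir -p "$root/etc/cni/net.d"
  echo "$removed"
}

# 3. Tear down the tunnel interfaces. vxlan.calico is an ordinary link and can
#    be deleted; tunl0 belongs to the ipip module and only disappears when the
#    module is unloaded. cali* veths vanish with their pods.
remove_tunnel_interfaces() {
  if ip link show vxlan.calico >/dev/null 2>&1; then ip link delete vxlan.calico; fi
  if ip link show tunl0 >/dev/null 2>&1; then modprobe -r ipip; fi
}

# 4. Calico's iptables chains (cali-*) stay loaded after calico-node is gone.
#    Report how many references remain; a reboot is the simplest way to clear them.
count_cali_rules() {
  iptables-save 2>/dev/null | grep -c 'cali-' || true
}

if [ "${CALICO_UNINSTALL_RUN:-0}" = 1 ]; then
  delete_cluster_resources "${CALICO_MANIFEST:-calico.yaml}"
  remove_tunnel_interfaces
  echo "removed $(clean_cni_files) CNI/Calico files"
  echo "$(count_cali_rules) cali-* iptables references remain (clear with a reboot)"
  systemctl restart kubelet
fi
```

Order matters: delete the cluster resources first so calico-node stops re‑creating the CNI config and the tunnel interface, then clean the node, then restart kubelet so it picks up the empty /etc/cni/net.d (pods will show NetworkPluginNotReady until the next CNI plugin is installed).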
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
MaGe Linux Operations