Understanding the Calico CNI Plugin: Code Walkthrough and Network Resource Creation
This article provides a detailed walkthrough of the Calico CNI plugin source code, explaining how the calico and calico-ipam binaries are built, how the ADD command creates WorkloadEndpoint objects, veth pairs, routes, and sysctl settings, and how these components integrate with the Calico datastore in a Kubernetes environment.
The article begins with an overview of the Calico CNI plugin repository (projectcalico/cni-plugin) and explains that the plugin compiles two binaries: calico, which creates network resources for sandbox containers, and calico-ipam, which allocates IP addresses for pods.
It then dives into the source of the ADD command, showing the registration of ADD and DEL in plugin.go and outlining the three main steps performed during ADD:
1. Check the Calico datastore for an existing WorkloadEndpoint matching the pod; create one if absent.
2. Create a veth pair, placing one end in the host network namespace and the other in the container namespace, assigning MAC and IP addresses.
3. Configure routes: a default gateway inside the container and a host-side route directing traffic to the pod IP via the host veth interface.
A sample WorkloadEndpoint YAML is provided to illustrate the object stored in the Calico datastore.
The article proceeds to the cmdAdd implementation, highlighting configuration loading, logging setup, MTU handling, client creation, and datastore readiness checks. It shows how identifiers are calculated and how the CmdAddK8s function orchestrates the three core actions: writing the WorkloadEndpoint, creating the veth pair, and setting up routing.
Key functions from the Linux dataplane are examined, including DoNetworking, which uses the github.com/vishvananda/netlink package to add the veth pair, set MAC addresses, bring interfaces up, and add IP addresses to the container side. The function also configures host-side sysctls such as proxy_delay, proxy_arp, and forwarding to enable ARP proxying and packet forwarding.
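To make the veth, route and sysctl steps from the ADD outline and the DoNetworking description concrete, here is an added shell script (not from the article or the Calico project) that reproduces them with iproute2 commands instead of netlink calls. The host interface naming scheme ("cali" plus 11 hex characters of a hash of namespace.pod) and the 169.254.1.1 link-local gateway are assumptions, not taken from the article; DRY_RUN=1 prints the commands instead of executing them so the flow can be inspected without root.

```shell
#!/bin/sh
# Emulates the calico ADD networking steps for one pod with iproute2.
# Assumed (not from the article): host veth name = "cali" + 11 hex chars of
# sha1("namespace.pod"); container default gateway 169.254.1.1, answered by
# the host end of the veth via proxy_arp.

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# host_veth_name NAMESPACE POD -> assumed Calico-style host interface name
host_veth_name() {
    printf '%s.%s' "$1" "$2" | sha1sum | cut -c1-11 | sed 's/^/cali/'
}

# calico_add NAMESPACE POD NETNS_NAME POD_IP CONTAINER_MAC
calico_add() {
    ns=$1; pod=$2; netns=$3; ip=$4; mac=$5
    host_if=$(host_veth_name "$ns" "$pod")
    tmp_if="tmp$$"          # temporary peer name until it is moved and renamed
    cont_if=eth0
    # Step 2: veth pair, container end moved into the pod namespace.
    run ip link add "$host_if" type veth peer name "$tmp_if"
    run ip link set "$tmp_if" netns "$netns"
    run ip netns exec "$netns" ip link set "$tmp_if" name "$cont_if"
    run ip netns exec "$netns" ip link set "$cont_if" address "$mac"
    run ip netns exec "$netns" ip addr add "$ip/32" dev "$cont_if"
    run ip netns exec "$netns" ip link set "$cont_if" up
    run ip link set "$host_if" up
    # Step 3: routes. Container side: link-local gateway, then default route;
    # host side: /32 route to the pod IP through the host end of the veth.
    run ip netns exec "$netns" ip route add 169.254.1.1 dev "$cont_if" scope link
    run ip netns exec "$netns" ip route add default via 169.254.1.1 dev "$cont_if"
    run ip route add "$ip/32" dev "$host_if" scope link
    # Host-side sysctls the article names: proxy_arp, proxy_delay, forwarding.
    run sysctl -w "net.ipv4.conf.$host_if.proxy_arp=1"
    run sysctl -w "net.ipv4.neigh.$host_if.proxy_delay=0"
    run sysctl -w "net.ipv4.conf.$host_if.forwarding=1"
}

# Example invocation (constructed values); set CALICO_DEMO=1 to run it.
if [ "${CALICO_DEMO:-0}" = 1 ]; then
    calico_add default nginx-1 pod-ns 10.244.1.5 ee:ee:ee:ee:ee:ee
fi
```

Comparing the printed commands against `ip route show` and `sysctl net.ipv4.conf.<cali-if>` on a node is a quick way to confirm that a pod's host-side state matches what the ADD command is supposed to have created.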
Finally, the article summarizes that the Calico binary successfully creates all required network resources for a sandbox container, writes the corresponding WorkloadEndpoint to the datastore, and notes that the IP allocation logic of calico-ipam will be covered in a future note.
360 Tech Engineering