Integration With Calico

What is Calico

Calico is a popular Layer 3-based networking solution that interconnects virtual machines or Linux containers with the help of virtual routers. For more information on Calico, refer to the Project Calico website.

Calico provides a Container Network Interface (CNI) plugin that is used to integrate it with Kubernetes.

Platform9 Managed Kubernetes supports integration with Calico for pod-to-pod communication within a Kubernetes cluster.

When Calico is installed in a Kubernetes cluster, its two key components, calico-controller and calico-node, run as pods on the Kubernetes nodes.

Calico uses iptables and the Linux routing table to route traffic between Kubernetes nodes.

Cloud Provider Support Matrix and Prerequisites

Cloud provider: Bare Metal Provider
  Support for Calico: Yes
  Prerequisites:
  • Follow the general purpose Networking Prerequisites
  • IP-in-IP traffic must be allowed by your underlying networking stack; any firewalls, smart switches or routers must allow IP-in-IP traffic.

Cloud provider: AWS Provider
  Support for Calico: Yes
  Prerequisites: None. All prerequisites are configured by the Managed Kubernetes AWS Provider.

Cloud provider: Azure Provider
  Support for Calico: No
  Prerequisites: Not supported today.

Cloud provider: OpenStack Provider
  Support for Calico: Yes
  Prerequisites:
  • Follow the general purpose Networking Prerequisites
  • IP-in-IP traffic must be allowed by your underlying networking stack; any firewalls, smart switches or routers must allow IP-in-IP traffic.

Cloud provider: VMware Provider
  Support for Calico: Yes
  Prerequisites:
  • Follow the general purpose Networking Prerequisites
  • IP-in-IP traffic must be allowed by your underlying networking stack; any firewalls, smart switches or routers must allow IP-in-IP traffic.

Configuration

Platform9 Managed Kubernetes deploys Calico using the default settings specified in the upstream Calico networking manifest, calico.yaml.

Create a Calico-enabled Cluster

While creating the cluster, under Network Configuration, select Calico as the network backend.

[Screenshot: Configure Network backend]

Configure Network Policies

Once Calico has been installed, you can control incoming and outgoing network traffic for pods by creating Kubernetes NetworkPolicy resources, which Calico enforces.

The following NetworkPolicy manifest is an example taken from the Kubernetes documentation.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978
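To make the selection semantics of the manifest above concrete, here is an added Python evaluator (not Platform9's or Calico's code) that applies the policy's ingress rules to a candidate connection: entries under "from" are ORed, fields inside one entry are ANDed, "except" carves addresses out of an ipBlock, and a podSelector without a namespaceSelector only reaches the policy's own namespace. The policy is embedded as the dict PyYAML would load from the manifest, and the connection description built by source() is a constructed input.

```python
import ipaddress

# The ingress part of the NetworkPolicy shown above, as the dict PyYAML
# would load from the manifest (embedded so the script runs offline).
POLICY = {"spec": {"ingress": [{
    "from": [
        {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
        {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
        {"podSelector": {"matchLabels": {"role": "frontend"}}},
    ],
    "ports": [{"protocol": "TCP", "port": 6379}],
}]}}

def source(ip, ns_labels=None, pod_labels=None, same_ns=False):
    """Constructed description of a connection's origin (hypothetical input)."""
    return {"ip": ip, "ns_labels": ns_labels or {}, "pod_labels": pod_labels or {}, "same_ns": same_ns}

def labels_match(selector, labels):
    """matchLabels: every selector key must be present with the same value."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src):
    """One entry under 'from': every field present in it must hold (logical AND)."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(src["ip"])
        blk = peer["ipBlock"]
        if ip not in ipaddress.ip_network(blk["cidr"]):
            return False
        if any(ip in ipaddress.ip_network(ex) for ex in blk.get("except", [])):
            return False  # carved out by 'except'
    if "namespaceSelector" in peer and not labels_match(peer["namespaceSelector"], src["ns_labels"]):
        return False
    if "podSelector" in peer:
        # Without a namespaceSelector, a podSelector only reaches the policy's own namespace.
        in_scope = src["same_ns"] if "namespaceSelector" not in peer else True
        if not (in_scope and labels_match(peer["podSelector"], src["pod_labels"])):
            return False
    return True

def ingress_allowed(policy, src, proto, port):
    """Rules are ORed. A rule with no 'from' admits any source and one with no
    'ports' admits any port: the two omissions that make a rule wide open."""
    for rule in policy["spec"].get("ingress", []):
        peer_ok = "from" not in rule or any(peer_matches(p, src) for p in rule["from"])
        port_ok = "ports" not in rule or any(
            p.get("protocol", "TCP") == proto and p["port"] == port for p in rule["ports"])
        if peer_ok and port_ok:
            return True
    return False
```

Running it against the policy shows that a frontend pod in another namespace is refused unless a namespaceSelector also selects that namespace, and that 172.17.1.x addresses are refused despite matching the /16.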