Calico CNI

What is Calico

Calico is a popular Layer 3 based networking solution that is used to interconnect virtual machines or Linux containers with the help of virtual routers. For more information on Calico, refer to Project Calico website.

Calico provides a Cluster Network Interface (CNI) plugin that can be used for integration with Kubernetes.

Platform9 Managed Kubernetes supports integration with Calico for pod-to-pod and external cluster communications.

When Calico is installed in a Kubernetes cluster, calico-controller,``calico-node and typha- the key components of Calico - run as pods on the Kubernetes nodes.

Calico uses iptables and route table to route traffic between Kubernetes nodes.

For a detailed introduction to Calico and Calico routing please see an introduction here.

##

Create a Calico-enabled Cluster

While creating the cluster, under Network Configuration, select Calico as the network backend.

Calico has multiple configurations, a brief overview is below.

Encapsulated

IP-in-IP is a simple form of encapsulation achieved by putting an IP packet inside another. A transmitted packet contains an outer header with host source and destination IPs and an inner header with pod source and destination IPs. To configure Calico in encapsulated mode select the following configuration:

• Ip-in-Ip Encapsulation: Always
• NAT Outgoing: Enabled

Direct / Non-Encapsulated Mode

Direct sends packets as if they came directly from the pod. Since there is no encapsulation and de-capsulation overhead, direct is highly performant.

To enable Calico to operate in non-encapsulated select the following configuration:

• Ip-in-Ip Encapsulation: Never
• NAT Outgoing: Disabled

Interface Detection Method

Interface detection method controls which ethernet adapter Calico will bound with for ingress/egress from the Kubernetes node.

There are multiple configurations:

First Found - The first-found option enumerates all interface IP addresses and returns the first valid IP address

Can Reach - The can-reach method uses your local routing to determine which IP address will be used to reach the supplied destination. Both IP addresses and domain names may be used.

IP_AUTODETECTION_METHOD=can-reach=8.8.8.8

IP6_AUTODETECTION_METHOD=can-reach=2001:4860:4860::8888

​

IP_AUTODETECTION_METHOD=can-reach=www.google.com

IP6_AUTODETECTION_METHOD=can-reach=www.google.com

Interface - The interface method uses the supplied interface regular expression (golang syntax) to enumerate matching interfaces and to return the first IP address on the first matching interface.

IP_AUTODETECTION_METHOD=interface=eth.*

IP6_AUTODETECTION_METHOD=interface=eth.*

Skip Interface - The skip-interface method uses the supplied interface regular expression (golang syntax) to exclude interfaces and to return the first IP address on the first interface that not matching.

IP_AUTODETECTION_METHOD=skip-interface=enp6s0f0,eth.*

IP6_AUTODETECTION_METHOD=skip-interface=enp6s0f0,eth.*

Configure Network Policies

Once Calico has been installed, you can create network policies within Kubernetes for incoming and outgoing network traffic by editing the NetworkPolicy Kubernetes Resource.

Following is an example of a NetworkPolicy file.

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

  name: test-network-policy

  namespace: default

spec:

  podSelector:

    matchLabels:

      role: db

  policyTypes:

  - Ingress

  - Egress

  ingress:

  - from:

    - ipBlock:

        cidr: 172.17.0.0/16

        except:

        - 172.17.1.0/24

    - namespaceSelector:

        matchLabels:

          project: myproject

    - podSelector:

        matchLabels:

          role: frontend

    ports:

    - protocol: TCP

      port: 6379

  egress:

  - to:

    - ipBlock:

        cidr: 10.0.0.0/24

    ports:

    - protocol: TCP

      port: 5978

Cloud Provider Support Matrix