calico
Cloud native networking and network security
Calico is an open-source networking and security layer for Kubernetes clusters, handling traffic routing between containers and enforcing access control policies that control which services can talk to each other.
Calico is an open-source networking and security tool for Kubernetes clusters. Kubernetes is software used to run and manage containerized applications across groups of servers. When you run applications in containers on Kubernetes, those containers need to communicate with each other and with the outside world, and someone has to decide which traffic is allowed and which is blocked. Calico handles both of those jobs: it provides the networking layer that moves traffic between containers, and it enforces security policies that control what can connect to what.
Calico is created and maintained by a company called Tigera. It describes itself as the most widely used container networking solution, reportedly running on over 8 million nodes across more than 160 countries. A node in this context is a single server in a Kubernetes cluster.
One of Calico's distinguishing characteristics is that it supports multiple ways of actually moving network traffic. You can use eBPF, a newer Linux kernel technology, for higher performance; or standard Linux networking; or Windows networking; or VPP, another high-performance option. This gives operators flexibility to choose what works best for their infrastructure without changing the security policies they have written.
Security features include fine-grained access controls that restrict which services can talk to which other services, and optional WireGuard encryption for traffic between nodes. WireGuard is a modern encryption protocol for securing network connections.
Calico works across different Kubernetes distributions, bare metal servers, virtual machines, and multiple cloud providers. It supports networking technologies like BGP (a routing protocol that advertises pod routes between nodes) and VXLAN (an overlay that encapsulates pod traffic so it can cross networks that do not know those routes).
The project is open source under the Apache license and accepts contributions. Documentation, a Slack community, and regular community meetings are available for users and developers. A commercial version with additional enterprise features is offered by Tigera.
Where it fits
- Add network security policies to a Kubernetes cluster to control which services can communicate with each other.
- Enable WireGuard encryption for all traffic between cluster nodes to secure inter-node communication.
- Switch your Kubernetes cluster networking to eBPF mode for higher performance without rewriting security policies.
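The first two use cases above, as an added example that is not taken from the Calico project's own documentation: a cluster-wide default-deny policy for ingress, a namespaced allow rule, and the FelixConfiguration setting that turns on WireGuard. The namespace `shop`, the labels `app == "frontend"` / `app == "backend"`, and port 8080 are assumed names for illustration.

```yaml
# Default-deny ingress for all workloads outside the system namespaces.
# The high `order` value makes it evaluate after any more specific allow policies.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  order: 1000
  selector: projectcalico.org/namespace not in {"kube-system", "calico-system", "calico-apiserver"}
  types:
    - Ingress
---
# Allow only pods labelled app=frontend in the shop namespace to reach
# app=backend pods on TCP 8080. Everything else still hits the default deny.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: shop
spec:
  order: 100
  selector: app == "backend"
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == "frontend"
      destination:
        ports:
          - 8080
---
# Enable WireGuard encryption for pod traffic between nodes.
# Felix (Calico's per-node agent) reads this from the `default` FelixConfiguration.
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  wireguardEnabled: true
```

Apply the file with `calicoctl apply -f` (or `kubectl apply -f` when the Calico API server is installed); after applying, `calicoctl node status` on a node should list the WireGuard interface alongside its peers.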