Go back

Advanced Kubernetes Networking with Calico

Advanced Kubernetes Networking with Calico

Introduction

Calico provides advanced networking and security for Kubernetes with BGP routing, network policies, and multi-cluster connectivity.

Prerequisites

Step 1: Install Calico CNI

Install Calico operator:

kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.0/manifests/tigera-operator.yaml

Create Calico installation:

apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  calicoNetwork:
    ipPools:
    - blockSize: 26
      cidr: 192.168.0.0/16
      encapsulation: VXLANCrossSubnet
      natOutgoing: Enabled
      nodeSelector: all()
    nodeAddressAutodetectionV4:
      firstFound: true

Apply the configuration:

kubectl apply -f calico-installation.yaml

Step 2: Network Policy Implementation

Create namespace isolation:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: production
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: production
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to: []
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53

Step 3: Advanced Calico Network Policies

Create Calico-specific policies:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-cluster-internal-ingress
spec:
  order: 200
  preDNAT: true
  applyOnForward: true
  ingress:
  - action: Deny
    source:
      nets:
      - 192.168.0.0/16
    destination: {}
  selector: has(host-endpoint)
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-tcp-6379
  namespace: production
spec:
  selector: role == 'database'
  types:
  - Ingress
  - Egress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: role == 'frontend'
    destination:
      ports:
      - 6379
  egress:
  - action: Allow
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-egress-external
  namespace: production
spec:
  selector: role == 'frontend'
  types:
  - Egress
  egress:
  - action: Allow
    destination:
      notNets:
      - 192.168.0.0/16
      - 172.16.0.0/12
      - 10.0.0.0/8

Step 4: BGP Configuration

Configure BGP peering:

apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  logSeverityScreen: Info
  nodeToNodeMeshEnabled: true
  asNumber: 64512
---
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: rack-1-peer
spec:
  peerIP: 192.168.1.1
  asNumber: 64512
  node: node-1
---
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: external-peer
spec:
  peerIP: 10.0.0.1
  asNumber: 65001
  nodeSelector: rack == 'rack-1'

Step 5: IP Pool Management

Create custom IP pools:

apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: production-pool
spec:
  cidr: 192.168.100.0/24
  ipipMode: Always
  natOutgoing: true
  nodeSelector: environment == 'production'
---
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: development-pool
spec:
  cidr: 192.168.200.0/24
  vxlanMode: CrossSubnet
  natOutgoing: true
  nodeSelector: environment == 'development'
---
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: external-pool
spec:
  cidr: 10.244.0.0/16
  disabled: true

Step 6: Host Endpoint Protection

Create host endpoint policies:

apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node-1-eth0
  labels:
    host-endpoint: ingress
spec:
  interfaceName: eth0
  node: node-1
  expectedIPs:
  - 10.0.1.10
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-cluster-internal-ingress
spec:
  order: 10
  preDNAT: true
  applyOnForward: true
  ingress:
  - action: Allow
    source:
      nets:
      - 10.0.0.0/8
      - 192.168.0.0/16
  selector: has(host-endpoint)
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-outbound-external
spec:
  order: 10
  egress:
  - action: Allow
  selector: has(host-endpoint)

Step 7: Service Advertisement

Configure service advertisement:

apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  serviceClusterIPs:
  - cidr: 10.96.0.0/12
  serviceExternalIPs:
  - cidr: 192.168.1.0/24
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  annotations:
    projectcalico.org/advertise-cluster-ips: "true"
    projectcalico.org/advertise-external-ips: "true"
spec:
  type: LoadBalancer
  externalIPs:
  - 192.168.1.100
  selector:
    app: nginx
  ports:
  - port: 80
    targetPort: 80

Step 8: Multi-Cluster Networking

Configure cross-cluster communication:

apiVersion: projectcalico.org/v3
kind: RemoteClusterConfiguration
metadata:
  name: remote-cluster-1
spec:
  clusterAccessSecret:
    name: remote-cluster-secret
    namespace: calico-system
    kind: Secret
---
apiVersion: v1
kind: Secret
metadata:
  name: remote-cluster-secret
  namespace: calico-system
type: Opaque
data:
  token: <base64-encoded-token>
  cluster-ca-cert: <base64-encoded-ca-cert>
  cluster-endpoint: <base64-encoded-endpoint>
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-cross-cluster
  namespace: production
spec:
  selector: app == 'api'
  types:
  - Ingress
  ingress:
  - action: Allow
    source:
      serviceAccounts:
        selector: projectcalico.org/remote-cluster == 'remote-cluster-1'

Step 9: Monitoring and Troubleshooting

Install monitoring tools:

# Enable Prometheus metrics
kubectl patch felixconfiguration default --type merge --patch '{"spec":{"prometheusMetricsEnabled": true}}'

# Install calicoctl
curl -L https://github.com/projectcalico/calico/releases/download/v3.26.0/calicoctl-linux-amd64 -o calicoctl
chmod +x calicoctl
sudo mv calicoctl /usr/local/bin/

# Check node status
calicoctl node status

# Get IP pool information
calicoctl get ippool -o wide

# Debug network policies
calicoctl get networkpolicy --all-namespaces

Step 10: Performance Optimization

Optimize Calico performance:

apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  bpfEnabled: true
  bpfLogLevel: "Info"
  bpfDataIfacePattern: "^((en|wl|ww|sl|ib)[opsx].*|(eth|wlan|wwan).*)"
  wireguardEnabled: true
  wireguardInterfaceName: "wireguard.cali"
  reportingInterval: 60s
  healthEnabled: true
  prometheusMetricsEnabled: true
  prometheusMetricsPort: 9091

Enable eBPF mode:

# Patch installation for eBPF
kubectl patch installation.operator.tigera.io default --type merge -p '{"spec":{"calicoNetwork":{"linuxDataplane":"BPF"}}}'

# Disable kube-proxy (optional for eBPF mode)
kubectl patch ds -n kube-system kube-proxy -p '{"spec":{"template":{"spec":{"nodeSelector":{"non-calico": "true"}}}}}'

Summary

Calico provides advanced networking and security policies for Kubernetes with BGP routing, IP address management, and cross-cluster connectivity. Use network policies for microsegmentation and BGP for advanced routing scenarios.

Share this post on:
Share this post via WhatsAppShare this post on FacebookShare this post on XShare this post via TelegramShare this post on PinterestShare this post via email
Previous Post
Event-Driven Architecture with Apache Kafka and Node.js
Next Post
Implementing Service Mesh with Istio in Kubernetes