Calico CNI and network policy engine via Tigera Operator for Kubernetes. Use when deploying Calico with Tigera Operator Helm chart, configuring IPPools (VXLAN/IPIP/BGP encapsulation), writing Calico NetworkPolicy or GlobalNetworkPolicy resources, setting up BGP peering (BGPPeer, BGPConfiguration, route reflectors), tuning FelixConfiguration (BPF dataplane, iptables, logging, flow logs), upgrading Calico versions, enabling or disabling Calico on K3s/RKE2/Rancher clusters, configuring airgapped Calico deployments, or troubleshooting pod networking issues (node NotReady, DNS failures, cross-node connectivity, VXLAN/IPIP tunnel problems).
Kubernetes CNI and network policy engine deployed via Tigera Operator. Provides pod networking (VXLAN, IPIP, or native BGP), network policy enforcement, and optional BPF dataplane.
```
Tigera Operator (manages lifecycle)
├── calico-node (DaemonSet) - BGP, routing, Felix agent
├── calico-typha (Deployment) - fan-out datastore cache
├── calico-kube-controllers - sync K8s resources to Calico
├── calico-apiserver - Calico API extension
└── CRDs - IPPool, NetworkPolicy, BGP*, Felix*, etc.
```
```bash
helm repo add projectcalico https://docs.tigera.io/calico/charts
helm install calico projectcalico/tigera-operator --version v3.29.3 \
  --namespace tigera-operator --create-namespace -f values.yaml
```

```yaml
# values.yaml
tigera-operator:
  installation:
    calicoNetwork:
      ipPools:
        - cidr: 10.42.0.0/16
          encapsulation: VXLAN
          # The operator's Installation API takes Enabled/Disabled here, not a boolean
          natOutgoing: Enabled
          nodeSelector: all()
```
For K3s/Rancher integration (enable/disable, airgap, HA), see references/frameworks/k3s.md.
```bash
# 1. Check compatibility matrix: https://docs.tigera.io/calico/latest/getting-started/kubernetes/requirements
# 2. Update chart
helm repo update
helm upgrade calico projectcalico/tigera-operator --version v3.29.3 \
  --namespace tigera-operator -f values.yaml
# 3. Monitor rollout
kubectl rollout status daemonset/calico-node -n calico-system
kubectl get tigerastatus
```
| Mode | Field | Use Case |
|---|---|---|
| VXLAN | encapsulation: VXLAN | Default, works across L3 networks |
| VXLANCrossSubnet | encapsulation: VXLANCrossSubnet | VXLAN only for cross-subnet |
| IPIP | encapsulation: IPIP | Legacy, tunnel-based |
| IPIPCrossSubnet | encapsulation: IPIPCrossSubnet | IPIP only for cross-subnet |
| None | encapsulation: None | Native routing / BGP peering required |
For IP pool management (multiple pools, node-specific pools, migration), see references/ip-pools.md.
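A pre-flight check for the `ipPools` list, as an added example (not part of the original page or of Calico): it validates each pool's CIDR, checks `encapsulation` against the modes in the table above, and goes beyond the table by flagging overlaps with other pools and with reserved networks. The function name, the `bgp_peering` flag and the sample service and node CIDRs are assumptions.

```python
import ipaddress

# Encapsulation values listed in the table above.
ENCAPSULATION_MODES = {"VXLAN", "VXLANCrossSubnet", "IPIP", "IPIPCrossSubnet", "None"}


def check_ip_pools(pools, reserved_cidrs, bgp_peering=False):
    """Return a list of problems found in an ipPools list (empty list means OK).

    pools: list of dicts shaped like the ipPools entries in values.yaml
    reserved_cidrs: dict of name -> CIDR that pod pools must not overlap
        (assumption: the caller supplies the cluster's service and node networks)
    bgp_peering: True if native routing / BGP peering is configured
    """
    problems = []
    seen = []  # (cidr string, parsed network) for pools already parsed
    for pool in pools:
        cidr = pool.get("cidr", "")
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits
        except ValueError as exc:
            problems.append(f"{cidr!r}: invalid CIDR ({exc})")
            continue
        mode = pool.get("encapsulation")
        if mode not in ENCAPSULATION_MODES:  # values are case-sensitive
            problems.append(f"{cidr}: unknown encapsulation {mode!r}")
        elif mode == "None" and not bgp_peering:
            problems.append(f"{cidr}: encapsulation None needs native routing or BGP peering")
        for name, other in reserved_cidrs.items():
            other_net = ipaddress.ip_network(other)
            if net.version == other_net.version and net.overlaps(other_net):
                problems.append(f"{cidr}: overlaps {name} {other}")
        for prev_cidr, prev_net in seen:
            if net.version == prev_net.version and net.overlaps(prev_net):
                problems.append(f"{cidr}: overlaps pool {prev_cidr}")
        seen.append((cidr, net))
    return problems


# Constructed sample: the 10.42.0.0/16 VXLAN pool plus two deliberately bad entries.
SAMPLE_POOLS = [
    {"cidr": "10.42.0.0/16", "encapsulation": "VXLAN"},
    {"cidr": "10.43.128.0/17", "encapsulation": "vxlan"},
    {"cidr": "10.42.8.0/24", "encapsulation": "None"},
]
SAMPLE_RESERVED = {"service CIDR": "10.43.0.0/16", "node network": "192.168.0.0/24"}

if __name__ == "__main__":
    for problem in check_ip_pools(SAMPLE_POOLS, SAMPLE_RESERVED):
        print(problem)
```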
Calico extends Kubernetes NetworkPolicy with richer selectors and global scope:
| Resource | Scope | Key Features |
|---|---|---|
| NetworkPolicy | Namespaced | L3-L7 rules, DNS policy, service accounts |
| GlobalNetworkPolicy | Cluster-wide | Host endpoint protection, ordered evaluation |
apiVersion: projectcalico.org/v3