Convert Figma logo to code with AI

projectcalico logocalico

Cloud native networking and network security

5,870
1,306
5,870
375

Top Related Projects

109,710

Production-Grade Container Scheduling and Management

20,022

eBPF-based Networking, Security, and Observability

35,857

Connect, secure, control, and observe services.

10,567

Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.

24,693

Cloud-native high-performance edge/middle/service proxy

50,104

The Cloud Native Application Proxy

Quick Overview

Calico is an open-source networking and security solution for containers, virtual machines, and native host-based workloads. It provides a pure Layer 3 approach to networking, offering high performance, scalability, and interoperability with existing infrastructure. Calico also includes a flexible policy engine to enforce network security rules.

Pros

  • Highly scalable and performant networking solution
  • Supports multiple platforms (Kubernetes, OpenStack, bare metal)
  • Robust network policy enforcement for enhanced security
  • Active community and regular updates

Cons

  • Steeper learning curve compared to some alternatives
  • Complex troubleshooting in large-scale deployments
  • Limited support for certain advanced networking features (e.g., multicast)
  • May require additional configuration for specific use cases

Getting Started

To get started with Calico on Kubernetes, follow these steps:

  1. Install Calico on your Kubernetes cluster:
kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
  1. Verify the installation:
kubectl get pods -n kube-system
  1. Create a simple network policy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress

Apply the policy:

kubectl apply -f default-deny-ingress.yaml
  1. For more advanced configuration and usage, refer to the official Calico documentation.

Competitor Comparisons

109,710

Production-Grade Container Scheduling and Management

Pros of Kubernetes

  • Comprehensive container orchestration platform with broader functionality
  • Larger community and ecosystem, leading to more resources and third-party integrations
  • Native support for various deployment strategies and scaling options

Cons of Kubernetes

  • Steeper learning curve and more complex setup compared to Calico
  • Higher resource overhead, especially for smaller deployments
  • Less specialized in network policy management and security features

Code Comparison

Kubernetes (Pod definition):

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx:1.14.2
    ports:
    - containerPort: 80

Calico (Network policy):

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-tcp-6379
spec:
  selector: app == 'database'
  ingress:
  - action: Allow
    protocol: TCP
    destination:
      ports:
      - 6379

Kubernetes focuses on overall container orchestration, while Calico specializes in network policies and security. Kubernetes provides a more comprehensive platform for managing containerized applications, but Calico offers more granular control over network policies and security. The code examples demonstrate the difference in focus, with Kubernetes defining a pod and Calico defining a network policy.

20,022

eBPF-based Networking, Security, and Observability

Pros of Cilium

  • Advanced networking features like eBPF-based load balancing and traffic management
  • Built-in observability with Hubble for detailed network visibility
  • Strong focus on security with identity-based policies and encryption

Cons of Cilium

  • Steeper learning curve due to eBPF complexity
  • Requires newer kernel versions for full feature set
  • Less widespread adoption compared to Calico

Code Comparison

Cilium (eBPF-based policy):

__section("ingress")
int ingress(struct __sk_buff *skb)
{
    if (skb->protocol == bpf_htons(ETH_P_IP))
        return process_ipv4(skb);
    return TC_ACT_OK;
}

Calico (iptables-based policy):

-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -j MARK --set-xmark 0x4000/0x4000
-A KUBE-FORWARD -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -s 10.244.0.0/16 -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Both Cilium and Calico are popular Kubernetes networking solutions, but they differ in their approach. Cilium leverages eBPF for advanced networking and security features, while Calico relies on more traditional Linux networking components. The code comparison shows Cilium's use of eBPF programs versus Calico's iptables rules for implementing network policies.

35,857

Connect, secure, control, and observe services.

Pros of Istio

  • Comprehensive service mesh with advanced traffic management, security, and observability features
  • Supports multiple platforms and environments beyond Kubernetes
  • Robust API gateway functionality for managing ingress traffic

Cons of Istio

  • More complex setup and configuration compared to Calico
  • Higher resource overhead due to its extensive feature set
  • Steeper learning curve for teams new to service mesh concepts

Code Comparison

Calico (NetworkPolicy example):

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-tcp-6379
spec:
  selector: app == 'database'
  ingress:
  - action: Allow
    protocol: TCP
    destination:
      ports:
      - 6379

Istio (VirtualService example):

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews-route
spec:
  hosts:
  - reviews.prod.svc.cluster.local
  http:
  - route:
    - destination:
        host: reviews.prod.svc.cluster.local
        subset: v2
      weight: 25
    - destination:
        host: reviews.prod.svc.cluster.local
        subset: v1
      weight: 75
10,567

Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.

Pros of Linkerd2

  • Lightweight and easy to install, with minimal configuration required
  • Provides automatic mTLS encryption and strong security features out-of-the-box
  • Offers powerful observability tools, including real-time metrics and distributed tracing

Cons of Linkerd2

  • Limited to Layer 7 (application layer) traffic management
  • Smaller ecosystem and community compared to Calico
  • Less flexible for complex networking scenarios outside of service mesh use cases

Code Comparison

Linkerd2 (Rust):

pub fn new_from_config(
    config: &Config,
    tls: tls::Conditional<identity::Local>,
) -> Result<(Self, drain::Watch)> {
    let (metrics, _) = Metrics::new(config.metrics.retain_idle);
    let (drain_tx, drain_rx) = drain::channel();

Calico (Go):

func (c *Client) EnsureInitialized() error {
    if err := c.ensureClusterInformation(); err != nil {
        return err
    }
    if err := c.ensureNodeResources(); err != nil {
        return err
    }
    return nil
}

Both projects use different programming languages and have distinct architectures. Linkerd2 focuses on service mesh functionality, while Calico provides broader network policy and security features for Kubernetes environments.

24,693

Cloud-native high-performance edge/middle/service proxy

Pros of Envoy

  • More versatile as a general-purpose proxy, supporting various protocols and use cases beyond networking
  • Offers advanced load balancing and traffic management features
  • Provides extensive observability and monitoring capabilities

Cons of Envoy

  • Steeper learning curve due to its broader feature set
  • May introduce more complexity in simple networking scenarios
  • Requires more resources to run compared to lightweight networking solutions

Code Comparison

Calico (network policy example):

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-tcp-6379
spec:
  selector: app == 'database'
  ingress:
  - action: Allow
    protocol: TCP
    destination:
      ports:
      - 6379

Envoy (basic configuration example):

static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 8080
  clusters:
  - name: service_backend
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    hosts:
    - socket_address:
        address: service.local
        port_value: 8080

While Calico focuses on network policies and security, Envoy's configuration demonstrates its flexibility as a proxy for various services and protocols.

50,104

The Cloud Native Application Proxy

Pros of Traefik

  • Easy to configure and use, with automatic service discovery
  • Supports multiple protocols and load balancing out of the box
  • Provides real-time configuration updates without restarts

Cons of Traefik

  • Limited network policy management capabilities
  • Less suitable for complex network security requirements
  • Primarily focused on ingress and reverse proxy functionality

Code Comparison

Traefik configuration example:

http:
  routers:
    my-router:
      rule: "Host(`example.com`)"
      service: my-service
  services:
    my-service:
      loadBalancer:
        servers:
          - url: "http://localhost:8080"

Calico network policy example:

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-tcp-6379
spec:
  selector: role == 'database'
  ingress:
  - action: Allow
    protocol: TCP
    destination:
      ports:
      - 6379

Traefik focuses on routing and load balancing, while Calico specializes in network policies and security. Traefik's configuration is centered around HTTP routing rules, whereas Calico's policies define network-level access controls. Traefik is better suited for application-level traffic management, while Calico excels in securing container-to-container communication within a cluster.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Go Report Card ArtifactHub License GoPkg CII Best Practices

🐾 Welcome to Project Calico!

Project Calico, created and maintained by Tigera, is an open-source project with an active development and user community. Calico Open Source has grown to be the most widely adopted solution for container networking and security, powering 8M+ nodes daily across 166 countries.

🌟 Why use Calico?

  • Data Plane Choice: eBPF, standard Linux, Windows, and VPP — versatility in network solutions.
  • Interoperability: Works across multiple distros, multiple clouds, bare metal, and VMs.
  • Optimized Performance: Engineered for high speed and low CPU usage, maximizing your cluster investments.
  • Scalable Architecture: Grows seamlessly with your Kubernetes clusters without sacrificing performance.
  • Advanced Security: Get granular access controls and WireGuard encryption.
  • Kubernetes Networking Policy Support: Continually defining excellence in Kubernetes network policy standards and support.
  • Vibrant Contributor Community: Over 200 contributors from a wide array of global companies.
  • Flexible networking: An array of networking tools at your disposal, including BGP, VXLAN, service advertisement, and more.

🤝 Join the Calico Community

💡 Contributing to Project Calico

🛠️ Projects We Maintain

📢 Stay Connected