
Project Calico, the leading network plugin and Network Policy implementation for Kubernetes, provides a rich set of security enforcement capabilities running on top of a highly scalable and efficient virtual network fabric. Calico is integrated with the OpenShift 3.6 base platform, both Origin and OpenShift Container Platform, and is deployed using openshift-ansible.

Features and Benefits


Traditional SDNs are complex, making them hard to deploy and troubleshoot. Calico removes that complexity, with a simplified networking model designed for the demands of today's cloud-native applications.


Unlike SDNs that require a central controller, limiting scalability, Calico is built on a fully distributed, scale-out architecture. So it scales smoothly from a single developer laptop to large enterprise deployments. Calico's policy implementation uses a dynamic and distributed architecture along with IPSets for truly scalable deployment, and has been field-proven in the largest production Kubernetes deployments.


Calico's powerful micro-segmentation capabilities build on a simple policy language that naturally expresses the developer's intent, and connect applications to other environments including host or baremetal instances and other platforms (including VM platforms like OpenStack). In addition to pod protection, Calico also provides dynamic host protection for the OpenShift nodes themselves.


Calico works seamlessly with other parts of the Kubernetes (and OpenShift) connectivity stack, so the default (and commonly used) components Services/Kube-Proxy, Ingress, and Kube-DNS function seamlessly with Kubernetes.

Project Calico: The Industry's Favorite Cloud Networking

Scalable, distributed control plane

What do you get when you combine internet routing protocols with the industry's leading consensus-based data store? Unparalleled scalability.

When designing Calico's control plane, we turned for inspiration to the internet. Serving billions of endpoints around the world, it is the largest network ever built. We figured, if we can do that, then scaling the cloud to millions of workloads should be easy, right? So we borrowed proven IP routing technology to connect containers (and VMs) to one another and to underlying infrastructure. We then had to distribute security policy rules. Here, we turned to the latest cloud techniques pioneered by web-scale operators such as Google. Making use of the same Raft consensus algorithm found in systems like Kubernetes, we achieved consistent, fast convergence times (typically a few milliseconds, even at scale) with high levels of fault tolerance.

Policy-driven network security

"A micro-firewall for every workload" minimizes attack surface

Perimeter security (edge firewalls) has been demonstrated time and again to be insufficient. That's why we built a security layer into Calico that enables developers and operations staff to easily define with fine granularity which connections are allowed, and which are not. These rules implement and extend the Kubernetes Network Policy API – but also work on all other platforms supported by Calico. They might separate development from production workloads, or limit access to a specific restricted service to ensure regulatory compliance. A distributed algorithm calculates which rules are required on each node in the cluster and updates them dynamically as workloads are created and terminated. As a result, malicious actors – or just errant applications – are detected and stopped before they can cause damage.

No overlay required

Why add another layer of overhead when you don't need it?

Sometimes, an overlay network (encapsulating packets inside an extra IP header) is necessary. Often, though, it just adds unnecessary overhead, resulting in multiple layers of nested packets, impacting performance and complicating troubleshooting. Wouldn't it be nice if your virtual networking solution adapted to the underlying infrastructure, using an overlay only when required? That's what Calico does. In most environments, Calico simply routes packets from the workload onto the underlying IP network without any extra headers. Where an overlay is needed – for example when crossing availability zone boundaries in public cloud – it can use lightweight encapsulation including IP-in-IP and VXLAN. Project Calico even supports both IPv4 and IPv6 networks!

Integrated with OpenShift and all major cloud platforms

From Kubernetes and OpenShift to OpenStack, AWS to GCE, we've got you covered

We know you don't want to be writing lots of integration code to get Calico working with your favorite orchestrator. That is why Calico comes out of the box with a variety of plug-ins and recipes. Support for industry-standard APIs such as Container Network Interface (CNI), Neutron, and libnetwork enables Calico to plug into a wide variety of cloud orchestrators including Kubernetes, Mesos, Docker, OpenStack, and various vendor derivatives and distributions. Calico is deployed with OpenShift using the standard openshift-ansible deployment flow, and works seamlessly with other Kubernetes and OpenShift components including kube-proxy. So you've no excuse not to get started today!

Widely deployed, and proven at scale

Hundreds of enterprises trust Calico to connect and secure their cloud networks

Calico is the most trusted networking solution for mission-critical cloud-native applications. Not just because of its simple architecture, but also because it has been field tested in thousands of real-world production deployments. From a multi-exabyte public storage cloud delivering 99.99999999999% (that's 13 9's!) durability, to large, multi-tenant Kubernetes public cloud services networked and secured with Calico, to the Kubernetes Platform for Yahoo! services to Japan and GitHub, Calico has established a reputation for enterprise-grade performance and reliability.

Primed For
OpenShift Container Platform 3.3