Reference
APIs, CLI, architecture and design, and FAQ.
API and installation references
Calico Client library
Calico Open Source Go client library reference for working with resources such as network policies programmatically against the Calico Open Source API.
Helm installation reference
Helm chart values reference for installing Calico Open Source covering supported overrides and operator configuration knobs.
Installation reference
Installation API reference for Calico Open Source listing the operator-managed custom resources used to configure cluster installation.
calicoctl reference
calicoctl user reference
Reference overview of the calicoctl command-line tool for managing Calico Open Source network policy, BGP, IP address management, and node operations.
calicoctl create
Reference for the calicoctl create command in Calico Open Source, used to create resources from a manifest file.
calicoctl replace
Reference for the calicoctl replace command in Calico Open Source, used to replace an existing resource with one defined in a manifest.
calicoctl apply
Reference for the calicoctl apply command in Calico Open Source, used to create or update resources from a manifest file.
calicoctl delete
Reference for the calicoctl delete command in Calico Open Source, used to remove resources by name or from a manifest file.
calicoctl get
Reference for the calicoctl get command in Calico Open Source, used to list resources in plain, YAML, JSON, or wide output formats.
calicoctl patch
Reference for the calicoctl patch command in Calico Open Source, used to apply a partial update to a resource.
calicoctl label
Reference for the calicoctl label command in Calico Open Source, used to add, change, or remove labels on workload endpoints and nodes.
calicoctl cluster
Reference overview of the calicoctl cluster subcommands in Calico Open Source for cluster-wide operations such as diagnostics collection.
calicoctl cluster diags
Reference for the calicoctl cluster diags command in Calico Open Source, used to collect diagnostics from all nodes in a cluster.
calicoctl convert
Reference for the calicoctl convert command in Calico Open Source, used to convert v1 resource manifests into v3 format.
calicoctl ipam
Reference overview of the calicoctl IPAM subcommands in Calico Open Source for IP address management operations.
calicoctl ipam check
Reference for the calicoctl IPAM check command in Calico Open Source, used to audit IP address allocation consistency across the cluster.
calicoctl ipam release
Reference for the calicoctl IPAM release command in Calico Open Source, used to release a leaked or stale IP address back to the pool.
calicoctl ipam show
Reference for the calicoctl IPAM show command in Calico Open Source, used to display the owner and details of an allocated IP address.
calicoctl ipam configure
Reference for the calicoctl IPAM configure command in Calico Open Source, used to set IP address management options such as strict affinity.
calicoctl ipam split
Reference for the calicoctl IPAM split command in Calico Open Source, used to split an existing IP pool into smaller pools.
calicoctl node
Reference overview of the calicoctl node subcommands in Calico Open Source for managing the calico/node container.
calicoctl node run
Reference for the calicoctl node run command in Calico Open Source, used to start a calico/node instance with the supplied options.
calicoctl node status
Reference for the calicoctl node status command in Calico Open Source, used to display BGP peer state and node liveness.
calicoctl node diags
Reference for the calicoctl node diags command in Calico Open Source, used to collect diagnostics from a single Calico node.
calicoctl node checksystem
Reference for the calicoctl node check-system command in Calico Open Source, used to verify host kernel support for Calico features.
calicoctl datastore
Reference overview of the calicoctl datastore subcommands in Calico Open Source for migrating between etcdv3 and Kubernetes datastores.
calicoctl datastore migrate
Reference overview of the calicoctl datastore migrate subcommands in Calico Open Source for performing safe datastore migrations.
calicoctl datastore migrate export
Reference for the calicoctl datastore migrate export command in Calico Open Source, used to export resources from an etcdv3 datastore.
calicoctl datastore migrate import
Reference for the calicoctl datastore migrate import command in Calico Open Source, used to import resources into a Kubernetes datastore.
calicoctl datastore migrate lock
Reference for the calicoctl datastore migrate lock command in Calico Open Source, used to lock a datastore during migration.
calicoctl datastore migrate unlock
Reference for the calicoctl datastore migrate unlock command in Calico Open Source, used to unlock a datastore after migration completes.
calicoctl version
Reference for the calicoctl version command in Calico Open Source, used to display client and cluster version information.
Resource definitions
Resource definitions
Reference overview of the Calico Open Source API resources, including the manifest format and how calicoctl manages them.
BGP configuration
Reference for the BGPConfiguration resource in Calico Open Source that sets cluster-wide BGP options including the autonomous system number and route reflectors.
BGP peer
Reference for the BGPPeer resource in Calico Open Source that defines a BGP neighbor relationship between Calico nodes and external routers.
BGP Filter
Reference for the BGPFilter resource in Calico Open Source that filters routes imported from or exported to BGP peers.
Block affinity
Reference for the BlockAffinity resource in Calico Open Source that records which node owns each IP address management block.
Calico node status
Reference for the CalicoNodeStatus resource in Calico Open Source that exposes per-node agent, BGP, and routing state.
Felix configuration
Reference for the FelixConfiguration resource in Calico Open Source that controls Felix data plane behavior across the cluster.
Global network policy
Reference for the GlobalNetworkPolicy resource in Calico Open Source, a cluster-scoped policy that selects endpoints across all namespaces.
Global network set
Reference for the GlobalNetworkSet resource in Calico Open Source that defines a cluster-scoped set of CIDRs referenced by network policy.
Host endpoint
Reference for the HostEndpoint resource in Calico Open Source that represents a host network interface for policy enforcement.
IP pool
Reference for the IPPool resource in Calico Open Source that defines CIDRs available for pod IP address allocation.
IP reservation
Reference for the IPReservation resource in Calico Open Source that excludes specific addresses or ranges from automatic allocation.
IPAM configuration
Reference for the IP address management configuration resource in Calico Open Source that sets cluster-wide options such as strict affinity.
Kubernetes controllers configuration
Reference for the KubeControllersConfiguration resource in Calico Open Source that controls behavior of the kube-controllers component.
Network policy
Reference for the NetworkPolicy resource in Calico Open Source, a namespaced policy that selects pods within a single namespace.
Network set
Reference for the NetworkSet resource in Calico Open Source that defines a namespaced set of CIDRs referenced by network policy.
Node
Reference for the Node resource in Calico Open Source that represents a host running the calico/node agent.
Profile
Reference for the Profile resource in Calico Open Source that groups labels and rules applied to endpoints.
Workload endpoint
Reference for the WorkloadEndpoint resource in Calico Open Source that represents a pod or VM interface for policy and IPAM.
Configuring etcd RBAC
Setting up etcd certificates for RBAC
Reference overview of role-based access control for the etcdv3 datastore used by Calico Open Source covering users, roles, and permission scopes.
Generating certificates
Reference for generating Certificate Authority and client certificates that authenticate Calico Open Source components against the etcdv3 datastore.
Creating users and roles
Reference for defining etcdv3 users and roles that grant scoped access to Calico Open Source components.
Segmenting etcd on Kubernetes (basic)
Reference for restricting user access to Kubernetes and Calico Open Source resources using role-based access control.
Segmenting etcd on Kubernetes (advanced)
Advanced reference for restricting user access to Calico Open Source components and calicoctl through Kubernetes role-based access control.
Calico key and path prefixes
Reference listing the etcdv3 key prefixes used by each Calico Open Source component for role-based access control configuration.
Felix
Configuring Felix
Reference for Felix configuration parameters in Calico Open Source covering environment variables, FelixConfiguration fields, and per-node overrides.
Monitoring Felix with Prometheus
Prometheus metrics reference for Felix in Calico Open Source covering counters and gauges exposed for data plane health and policy evaluation.
Typha
Typha overview
Reference overview of the Typha daemon in Calico Open Source explaining how it reduces datastore load and scales Felix to large clusters.
Configuring Typha
Reference for Typha configuration parameters in Calico Open Source covering environment variables and config file options for scaling the Kubernetes datastore.
Monitoring Typha with Prometheus
Prometheus metrics reference for Typha in Calico Open Source covering connection counts, cache health, and fan-out metrics.
Configuration on public clouds
Amazon Web Services
Reference for running Calico Open Source on Amazon Web Services covering supported networking modes, source/destination check requirements, and AWS-specific notes.
Azure
Reference for running Calico Open Source on Microsoft Azure covering supported networking modes, user-defined routes, and Azure platform notes.
Google Compute Engine
Reference for running Calico Open Source on Google Compute Engine covering supported networking modes and platform-specific routing requirements.
IBM Cloud
Reference for running Calico Open Source on IBM Cloud covering supported networking modes and platform integration notes.
Host endpoints
Host endpoints
Reference overview of host endpoint protection in Calico Open Source covering the model for securing host network interfaces with policy.
Creating policy for basic connectivity
Reference for the Calico Open Source failsafe policy that protects host endpoints from being cut off when host network policy is misconfigured.
Creating host endpoint objects
Reference for the HostEndpoint object in Calico Open Source describing how to represent a host network interface so policy can select it.
Selector-based policies
Reference for ordered host endpoint policies in Calico Open Source that match interfaces using label selectors.
Failsafe rules
Reference for the Calico Open Source failsafe inbound and outbound port lists that prevent host network policy from cutting off control-plane connectivity.
Pre-DNAT policy
Reference for pre-DNAT host endpoint policy in Calico Open Source that applies rules to ingress traffic before destination NAT rewrites the address.
Apply on forwarded traffic
Reference for the applyOnForward field on Calico Open Source host endpoint policy that determines how rules apply to forwarded traffic versus local processes.
Summary of host endpoint policies
Reference summary describing how the different Calico Open Source host endpoint policy types interact and affect packet flows.
Connection tracking
Reference covering Linux conntrack workarounds for Calico Open Source host endpoint policy when stateful tracking interferes with expected packet flow.
Architecture
Component architecture
Architectural overview reference of the Calico Open Source components including Felix, BIRD, confd, Typha, and the kube-controllers.
The Calico data path: IP routing and iptables
Reference covering the Calico Open Source data path explaining how packets flow between workloads and to external destinations across networking modes.
VPP data plane
Primary interface configuration
Reference for primary interface configuration parameters in the Calico Open Source VPP data plane.
VPP data plane implementation details
Technical reference for the Calico Open Source VPP data plane integration covering packet processing, kernel offload, and graph nodes.
Host network configuration
Reference covering the host network configuration applied by the Calico Open Source VPP data plane during initialization.
Other reference topics
Component versions
Component version reference listing the upstream container images and binaries shipped with each Calico Open Source release.
Frequently asked questions
Frequently asked questions about Calico Open Source covering networking modes, IP address management, BGP, policy behavior, and platform support.
Getting involved
Reference for getting involved with the Calico Open Source upstream project including source repositories, mailing lists, Slack, and contribution channels.
Configuring calico/node
Reference for configuring the calico/node container in Calico Open Source through environment variables that control Felix, BIRD, and confd.
Configure resource requests and limits
Reference for setting Kubernetes resource requests and limits on Calico Open Source components managed by the Tigera Operator.
Configure the Calico CNI plugins
Reference for configuring the Calico Open Source CNI plugin and IPAM plugin through CNI network configuration files.