Skip to content

Calico Cheatsheet

Installation

Platform/Method Command
Operator (Recommended) kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/tigera-operator.yaml
Manifest-Based kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calico.yaml
Helm helm install calico projectcalico/tigera-operator --namespace tigera-operator --create-namespace
calicoctl (Linux) curl -L https://github.com/projectcalico/calico/releases/download/v3.27.0/calicoctl-linux-amd64 -o calicoctl && chmod +x calicoctl && sudo mv calicoctl /usr/local/bin/
calicoctl (macOS) brew install calicoctl
calicoctl (Windows) Invoke-WebRequest -Uri "https://github.com/projectcalico/calico/releases/download/v3.27.0/calicoctl-windows-amd64.exe" -OutFile "calicoctl.exe"
calicoctl as Pod kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calicoctl.yaml
Amazon EKS kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calico-vxlan.yaml
Azure AKS az aks create --network-plugin azure --network-policy calico

Basic Commands

Command Description
calicoctl version Display Calico version information
calicoctl node status Show node BGP peering status and routes
calicoctl get nodes List all nodes running Calico
calicoctl get nodes -o wide List nodes with additional details
calicoctl get ippools Display all IP address pools
calicoctl get ippool default-ipv4-ippool -o yaml Show detailed IP pool configuration
calicoctl get workloadendpoints List all workload endpoints (pods)
calicoctl get wep --all-namespaces List workload endpoints across all namespaces
calicoctl get networkpolicy Display all network policies
calicoctl get networkpolicy -n NAMESPACE List policies in specific namespace
calicoctl get globalnetworkpolicy Show global network policies
calicoctl get profiles List all Calico profiles
calicoctl get hostendpoints Display host endpoint configurations
kubectl get pods -n calico-system Check Calico system pods status
kubectl get installation default -o yaml View Calico installation configuration

Advanced Usage

Command Description
calicoctl apply -f network-policy.yaml Apply network policy from file
calicoctl delete networkpolicy POLICY_NAME -n NAMESPACE Delete specific network policy
calicoctl get bgpconfig default -o yaml View BGP configuration
calicoctl get bgppeers List all BGP peer configurations
calicoctl apply -f bgppeer.yaml Configure BGP peering
calicoctl get felixconfiguration default -o yaml View Felix (agent) configuration
calicoctl patch felixconfiguration default --patch='{"spec":{"bpfEnabled":true}}' Enable eBPF dataplane
calicoctl ipam show Display IP address allocation information
calicoctl ipam show --show-blocks Show detailed IP allocation blocks
calicoctl ipam release --ip=IP_ADDRESS Release specific IP address
calicoctl datastore migrate export > calico-data.yaml Export Calico datastore
calicoctl datastore migrate import < calico-data.yaml Import Calico datastore
calicoctl get node NODE_NAME -o yaml Get detailed node configuration
calicoctl patch ippool default-ipv4-ippool -p '{"spec":{"natOutgoing":true}}' Enable NAT for IP pool
calicoctl convert -f old-policy.yaml -o new-policy.yaml Convert policy to newer API version

Configuration

calicoctl Configuration File

# ~/.calico/calicoctl.cfg
apiVersion: projectcalico.org/v3
kind: CalicoAPIConfig
metadata:
spec:
  datastoreType: "kubernetes"
  kubeconfig: "/home/user/.kube/config"

Environment Variables

export CALICO_DATASTORE_TYPE=kubernetes
export CALICO_KUBECONFIG=~/.kube/config
export CALICO_APICONFIG=/path/to/calicoctl.cfg

IP Pool Configuration

apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: default-ipv4-ippool
spec:
  cidr: 192.168.0.0/16
  ipipMode: CrossSubnet
  natOutgoing: true
  disabled: false
  blockSize: 26

BGP Configuration

apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  logSeverityScreen: Info
  nodeToNodeMeshEnabled: true
  asNumber: 64512
  serviceClusterIPs:
  - cidr: 10.96.0.0/12

Felix Configuration

apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  logSeverityScreen: Info
  reportingInterval: 60s
  ipipEnabled: true
  ipipMTU: 1440
  bpfEnabled: false
  wireguardEnabled: false

Common Use Cases

Use Case 1: Deny All Traffic to Namespace

# Create deny-all default policy
cat <<EOF | calicoctl apply -f -
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: production
spec:
  selector: all()
  types:
  - Ingress
  - Egress
EOF

# Verify policy
calicoctl get networkpolicy -n production

Use Case 2: Allow Traffic Between Specific Pods

# Allow frontend to backend communication
cat <<EOF | calicoctl apply -f -
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: frontend-to-backend
  namespace: production
spec:
  selector: app == 'frontend'
  types:
  - Egress
  egress:
  - action: Allow
    destination:
      selector: app == 'backend'
      ports:
      - 8080
EOF

Use Case 3: Configure BGP Peering with ToR Switch

# Add BGP peer for Top-of-Rack switch
cat <<EOF | calicoctl apply -f -
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: rack1-tor
spec:
  node: k8s-node-01
  peerIP: 192.168.1.1
  asNumber: 64512
EOF

# Verify BGP peering
calicoctl node status

Use Case 4: Enable WireGuard Encryption

# Enable WireGuard on Felix
calicoctl patch felixconfiguration default --type=merge --patch='{"spec":{"wireguardEnabled":true}}'

# Verify WireGuard status
kubectl get nodes -o yaml | grep wireguard

# Check encryption on specific node
calicoctl get node NODE_NAME -o yaml | grep wireguard

Use Case 5: Create Global Network Policy for Host Protection

# Create global policy to protect Kubernetes nodes
cat <<EOF | calicoctl apply -f -
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: host-protection
spec:
  selector: has(host-endpoint)
  order: 0
  ingress:
  - action: Allow
    protocol: TCP
    destination:
      ports: [22, 179, 443, 6443]
  - action: Deny
  egress:
  - action: Allow
EOF

Best Practices

  • Use Network Policies Early: Implement default-deny policies at the namespace level before deploying applications to enforce zero-trust security from the start

  • Leverage Label Selectors: Use consistent, meaningful labels on pods and apply network policies based on these labels rather than IP addresses for maintainability

  • Enable eBPF Dataplane: For high-performance workloads, enable eBPF mode (bpfEnabled: true) to reduce CPU usage and improve throughput by up to 2x

  • Monitor BGP Sessions: Regularly check BGP peering status with calicoctl node status to ensure proper route advertisement and network connectivity

  • Use IP Pool Blocks Wisely: Configure appropriate blockSize in IP pools (default /26) based on pod density to avoid IP exhaustion while minimizing waste

  • Implement Policy Ordering: Use the order field in policies (lower numbers = higher priority) to create layered security with global defaults and specific exceptions

  • Enable WireGuard for Compliance: For regulated environments requiring encryption in transit, enable WireGuard encryption with minimal performance overhead

  • Regular Backups: Export Calico configuration regularly using calicoctl datastore migrate export for disaster recovery

Troubleshooting

Issue Solution
Pods can't communicate across nodes Check BGP peering: calicoctl node status. Verify IP pool CIDR doesn't conflict: calicoctl get ippools
Network policy not taking effect Verify policy selector matches pod labels: kubectl get pods --show-labels. Check policy order and types (Ingress/Egress)
High CPU usage on nodes Enable eBPF dataplane: calicoctl patch felixconfiguration default --patch='{"spec":{"bpfEnabled":true}}'
IP address exhaustion Check IP allocation: calicoctl ipam show --show-blocks. Increase IP pool size or adjust blockSize
calicoctl commands fail Verify datastore config: echo $CALICO_DATASTORE_TYPE. Check kubeconfig: kubectl get nodes
Calico pods in CrashLoopBackOff Check logs: kubectl logs -n calico-system -l k8s-app=calico-node. Verify kernel modules: lsmod | grep ip_tables
BGP routes not propagating Disable node-to-node mesh if using ToR: calicoctl patch bgpconfig default -p '{"spec":{"nodeToNodeMeshEnabled":false}}'
MTU issues causing packet loss Adjust IPIP MTU: calicoctl patch felixconfig default -p '{"spec":{"ipipMTU":1440}}' or disable IPIP
WireGuard encryption not working Verify kernel support: modprobe wireguard && lsmod | grep wireguard. Check Felix config: calicoctl get felixconfig default -o yaml
Workload endpoints not appearing Restart calico-node pod: kubectl delete pod -n calico-system -l k8s-app=calico-node. Verify CNI config: cat /etc/cni/net.d/10-calico.conflist

Quick Reference: Policy Examples

Allow DNS Traffic

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: default
spec:
  selector: all()
  types:
  - Egress
  egress:
  - action: Allow
    protocol: UDP
    destination:
      selector: k8s-app == 'kube-dns'
      ports: [53]

Allow Ingress from Specific Namespace

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-from-frontend
  namespace: backend
spec:
  selector: app == 'api'
  types:
  - Ingress
  ingress:
  - action: Allow
    source:
      namespaceSelector: name == 'frontend'

Rate Limiting (Global Policy)

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: rate-limit-external
spec:
  selector: role == 'public-api'
  types:
  - Ingress
  ingress:
  - action: Allow
    source:
      notNets: [10.0.0.0/8]
    metadata:
      annotations:
        rate-limit: "100"