Calico Cheatsheet

Installation

Platform/Method	Command
Operator (Recommended)	`kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/tigera-operator.yaml`
Manifest-Based	`kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calico.yaml`
Helm	`helm install calico projectcalico/tigera-operator --namespace tigera-operator --create-namespace`
calicoctl (Linux)	`curl -L https://github.com/projectcalico/calico/releases/download/v3.27.0/calicoctl-linux-amd64 -o calicoctl && chmod +x calicoctl && sudo mv calicoctl /usr/local/bin/`
calicoctl (macOS)	`brew install calicoctl`
calicoctl (Windows)	`Invoke-WebRequest -Uri "https://github.com/projectcalico/calico/releases/download/v3.27.0/calicoctl-windows-amd64.exe" -OutFile "calicoctl.exe"`
calicoctl as Pod	`kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calicoctl.yaml`
Amazon EKS	`kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calico-vxlan.yaml`
Azure AKS	`az aks create --network-plugin azure --network-policy calico`

Basic Commands

Command	Description
`calicoctl version`	Display Calico version information
`calicoctl node status`	Show node BGP peering status and routes
`calicoctl get nodes`	List all nodes running Calico
`calicoctl get nodes -o wide`	List nodes with additional details
`calicoctl get ippools`	Display all IP address pools
`calicoctl get ippool default-ipv4-ippool -o yaml`	Show detailed IP pool configuration
`calicoctl get workloadendpoints`	List all workload endpoints (pods)
`calicoctl get wep --all-namespaces`	List workload endpoints across all namespaces
`calicoctl get networkpolicy`	Display all network policies
`calicoctl get networkpolicy -n NAMESPACE`	List policies in specific namespace
`calicoctl get globalnetworkpolicy`	Show global network policies
`calicoctl get profiles`	List all Calico profiles
`calicoctl get hostendpoints`	Display host endpoint configurations
`kubectl get pods -n calico-system`	Check Calico system pods status
`kubectl get installation default -o yaml`	View Calico installation configuration

Advanced Usage

Command	Description
`calicoctl apply -f network-policy.yaml`	Apply network policy from file
`calicoctl delete networkpolicy POLICY_NAME -n NAMESPACE`	Delete specific network policy
`calicoctl get bgpconfig default -o yaml`	View BGP configuration
`calicoctl get bgppeers`	List all BGP peer configurations
`calicoctl apply -f bgppeer.yaml`	Configure BGP peering
`calicoctl get felixconfiguration default -o yaml`	View Felix (agent) configuration
`calicoctl patch felixconfiguration default --patch='{"spec":{"bpfEnabled":true}}'`	Enable eBPF dataplane
`calicoctl ipam show`	Display IP address allocation information
`calicoctl ipam show --show-blocks`	Show detailed IP allocation blocks
`calicoctl ipam release --ip=IP_ADDRESS`	Release specific IP address
`calicoctl datastore migrate export > calico-data.yaml`	Export Calico datastore
`calicoctl datastore migrate import < calico-data.yaml`	Import Calico datastore
`calicoctl get node NODE_NAME -o yaml`	Get detailed node configuration
`calicoctl patch ippool default-ipv4-ippool -p '{"spec":{"natOutgoing":true}}'`	Enable NAT for IP pool
`calicoctl convert -f old-policy.yaml -o new-policy.yaml`	Convert policy to newer API version

Configuration

calicoctl Configuration File

# ~/.calico/calicoctl.cfg
apiVersion: projectcalico.org/v3
kind: CalicoAPIConfig
metadata:
spec:
  datastoreType: "kubernetes"
  kubeconfig: "/home/user/.kube/config"

Environment Variables

export CALICO_DATASTORE_TYPE=kubernetes
export CALICO_KUBECONFIG=~/.kube/config
export CALICO_APICONFIG=/path/to/calicoctl.cfg

IP Pool Configuration

apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: default-ipv4-ippool
spec:
  cidr: 192.168.0.0/16
  ipipMode: CrossSubnet
  natOutgoing: true
  disabled: false
  blockSize: 26

BGP Configuration

apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  logSeverityScreen: Info
  nodeToNodeMeshEnabled: true
  asNumber: 64512
  serviceClusterIPs:
  - cidr: 10.96.0.0/12

Felix Configuration

apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  logSeverityScreen: Info
  reportingInterval: 60s
  ipipEnabled: true
  ipipMTU: 1440
  bpfEnabled: false
  wireguardEnabled: false

Common Use Cases

Use Case 1: Deny All Traffic to Namespace

# Create deny-all default policy
cat <<EOF | calicoctl apply -f -
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: production
spec:
  selector: all()
  types:
  - Ingress
  - Egress
EOF

# Verify policy
calicoctl get networkpolicy -n production

Use Case 2: Allow Traffic Between Specific Pods

# Allow frontend to backend communication
cat <<EOF | calicoctl apply -f -
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: frontend-to-backend
  namespace: production
spec:
  selector: app == 'frontend'
  types:
  - Egress
  egress:
  - action: Allow
    destination:
      selector: app == 'backend'
      ports:
      - 8080
EOF

Use Case 3: Configure BGP Peering with ToR Switch

# Add BGP peer for Top-of-Rack switch
cat <<EOF | calicoctl apply -f -
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: rack1-tor
spec:
  node: k8s-node-01
  peerIP: 192.168.1.1
  asNumber: 64512
EOF

# Verify BGP peering
calicoctl node status

Use Case 4: Enable WireGuard Encryption

# Enable WireGuard on Felix
calicoctl patch felixconfiguration default --type=merge --patch='{"spec":{"wireguardEnabled":true}}'

# Verify WireGuard status
kubectl get nodes -o yaml | grep wireguard

# Check encryption on specific node
calicoctl get node NODE_NAME -o yaml | grep wireguard

Use Case 5: Create Global Network Policy for Host Protection

# Create global policy to protect Kubernetes nodes
cat <<EOF | calicoctl apply -f -
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: host-protection
spec:
  selector: has(host-endpoint)
  order: 0
  ingress:
  - action: Allow
    protocol: TCP
    destination:
      ports: [22, 179, 443, 6443]
  - action: Deny
  egress:
  - action: Allow
EOF

Best Practices

Use Network Policies Early: Implement default-deny policies at the namespace level before deploying applications to enforce zero-trust security from the start
Leverage Label Selectors: Use consistent, meaningful labels on pods and apply network policies based on these labels rather than IP addresses for maintainability
Enable eBPF Dataplane: For high-performance workloads, enable eBPF mode (bpfEnabled: true) to reduce CPU usage and improve throughput by up to 2x
Monitor BGP Sessions: Regularly check BGP peering status with calicoctl node status to ensure proper route advertisement and network connectivity
Use IP Pool Blocks Wisely: Configure appropriate blockSize in IP pools (default /26) based on pod density to avoid IP exhaustion while minimizing waste
Implement Policy Ordering: Use the order field in policies (lower numbers = higher priority) to create layered security with global defaults and specific exceptions
Enable WireGuard for Compliance: For regulated environments requiring encryption in transit, enable WireGuard encryption with minimal performance overhead
Regular Backups: Export Calico configuration regularly using calicoctl datastore migrate export for disaster recovery

Troubleshooting

Issue	Solution
Pods can’t communicate across nodes	Check BGP peering: `calicoctl node status`. Verify IP pool CIDR doesn’t conflict: `calicoctl get ippools`
Network policy not taking effect	Verify policy selector matches pod labels: `kubectl get pods --show-labels`. Check policy order and types (Ingress/Egress)
High CPU usage on nodes	Enable eBPF dataplane: `calicoctl patch felixconfiguration default --patch='{"spec":{"bpfEnabled":true}}'`
IP address exhaustion	Check IP allocation: `calicoctl ipam show --show-blocks`. Increase IP pool size or adjust blockSize
calicoctl commands fail	Verify datastore config: `echo $CALICO_DATASTORE_TYPE`. Check kubeconfig: `kubectl get nodes`
Calico pods in CrashLoopBackOff	Check logs: `kubectl logs -n calico-system -l k8s-app=calico-node`. Verify kernel modules: `lsmod
BGP routes not propagating	Disable node-to-node mesh if using ToR: `calicoctl patch bgpconfig default -p '{"spec":{"nodeToNodeMeshEnabled":false}}'`
MTU issues causing packet loss	Adjust IPIP MTU: `calicoctl patch felixconfig default -p '{"spec":{"ipipMTU":1440}}'` or disable IPIP
WireGuard encryption not working	Verify kernel support: `modprobe wireguard && lsmod
Workload endpoints not appearing	Restart calico-node pod: `kubectl delete pod -n calico-system -l k8s-app=calico-node`. Verify CNI config: `cat /etc/cni/net.d/10-calico.conflist`

Quick Reference: Policy Examples

Allow DNS Traffic

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: default
spec:
  selector: all()
  types:
  - Egress
  egress:
  - action: Allow
    protocol: UDP
    destination:
      selector: k8s-app == 'kube-dns'
      ports: [53]

Allow Ingress from Specific Namespace

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-from-frontend
  namespace: backend
spec:
  selector: app == 'api'
  types:
  - Ingress
  ingress:
  - action: Allow
    source:
      namespaceSelector: name == 'frontend'

Rate Limiting (Global Policy)

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: rate-limit-external
spec:
  selector: role == 'public-api'
  types:
  - Ingress
  ingress:
  - action: Allow
    source:
      notNets: [10.0.0.0/8]
    metadata:
      annotations:
        rate-limit: "100"