calico
Calico is an open-source Kubernetes networking and security platform that provides Container Network Interface (CNI) functionality across multiple environments. It supports multiple data planes (eBPF, standard Linux, Windows, VPP) and enforces network policies with granular access controls and encryption.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | projectcalico/calico |
| Owner | projectcalico |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 7.3k |
| Forks | 1.6k |
| Open issues | 230 |
| Latest release | v3.32.1 (2026-06-26) |
| Last updated | 2026-07-08 |
| Source | https://github.com/projectcalico/calico |
What calico is
Calico implements Kubernetes NetworkPolicy standards via a modular architecture supporting eBPF, XDP, and traditional Linux kernel networking. It provides BGP-based routing, VXLAN overlay options, and identity-aware policy enforcement across bare metal, VMs, and cloud environments.
Get the calico source
Clone the repository and explore it locally.
git clone https://github.com/projectcalico/calico.gitcd calico# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Choose data plane (eBPF recommended for modern kernels, standard Linux for compatibility, Windows for Windows nodes) based on infrastructure and performance requirements.
- Plan network policy migration; audit existing policies and test in staging to avoid unintended traffic blocking.
- Size etcd backend appropriately; Calico stores policy state in Kubernetes etcd; scale with cluster size.
- Monitor and tune BGP convergence times and VXLAN performance in multi-node environments to meet latency SLAs.
- Establish backup and disaster recovery for NetworkPolicy resources and Calico operator state.
When to avoid it — and what to weigh
- Requirement for proprietary vendor lock-in or simplified managed SaaS model — Calico is open-source and community-driven; users must manage deployment, upgrades, and operational responsibility themselves.
- Project cannot tolerate active community maintenance dependency — While well-maintained, Calico relies on an open-source development model. Critical bug fixes or features depend on community or commercial support contracts.
- Operating environment is entirely cloud-managed (e.g., AWS EKS managed networking only) — Some managed Kubernetes services have restricted CNI options; verify Calico compatibility before committing.
- Team lacks networking and Kubernetes expertise — Calico requires understanding of BGP, network policies, data plane options, and Kubernetes networking; misconfiguration can cause cluster isolation.
License & commercial use
Apache License 2.0 (Apache-2.0). Permissive OSI-approved license allowing commercial use, modification, and distribution with attribution and liability disclaimers.
Apache-2.0 permits commercial use without explicit permission requirement. However, verify compliance with any modified derivatives or bundled components. Commercial support and managed offerings available from Tigera (project creator); review support SLAs separately.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Strong |
| Assessment confidence | High |
Calico provides network segmentation and encryption mechanisms (WireGuard). Security posture depends on correct policy configuration, etcd security, and regular updates. No known vulnerabilities asserted in provided data; review CVE history and security advisories independently. Audit network policy rules carefully to avoid unintended exposure. CII Best Practices badge suggests adherence to security practices.
Alternatives to consider
Cilium
eBPF-native CNI with advanced observability (Hubble) and service mesh integration; better for teams already invested in eBPF ecosystem or requiring service mesh features without sidecar overhead.
Flannel
Simpler, lightweight CNI for basic overlay networking; suitable for small clusters or edge environments where performance overhead and feature complexity are less critical.
AWS VPC CNI (or cloud-native variants)
Optimized for cloud-native deployments (e.g., EKS); better for teams fully committed to a single cloud provider and willing to accept vendor integration.
Build on calico with DEV.co software developers
Our DevOps and cloud deployment teams can guide you through architecture planning, data plane selection, network policy design, and production deployment. Contact us to assess your infrastructure and build a secure, scalable networking strategy.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
calico FAQ
Do I need to run BGP for Calico to work?
Is Calico suitable for Windows Kubernetes clusters?
How does Calico handle multi-cluster networking?
What is the performance impact of eBPF vs. standard Linux data plane?
Custom software development services
From first prototype to production, DEV.co delivers software development services around tools like calico. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source observability and beyond.
Ready to implement Calico for your Kubernetes clusters?
Our DevOps and cloud deployment teams can guide you through architecture planning, data plane selection, network policy design, and production deployment. Contact us to assess your infrastructure and build a secure, scalable networking strategy.