Chapter 1
Calico and eBPF Fundamentals
What powers the next generation of cloud-native networking? In this foundational chapter, you'll explore the revolutionary synergy between Calico and eBPF-a union reshaping security, scalability, and observability in container platforms. Through deep technical insights, learn why this architecture is transforming traditional network designs and what makes it indispensable for Kubernetes and modern distributed systems.
1.1 Project Calico Architecture
Project Calico is architected as a scalable, cloud-native networking solution optimized for the demands of modern distributed systems. Its design principles harness the power of native IP routing protocols, combined with flexible policy enforcement, to deliver high-performance connectivity and security across diverse deployment environments. Central to Calico's architecture is its emphasis on simplicity, robustness, and compatibility with cloud-native orchestration platforms such as Kubernetes, enabling seamless integration and operational efficiency.
At the core of Project Calico's design lies a distributed control plane responsible for maintaining network state and orchestrating routing information. This control plane eschews traditional centralized overlays, opting instead for a mechanism based on the Border Gateway Protocol (BGP) to propagate routing information among nodes. By leveraging BGP, Calico promotes a mesh of peer-to-peer routing relationships, which ensures scalable, efficient distribution of routes without requiring a central traffic-forwarding point. This architecture inherently supports large-scale clusters by minimizing bottlenecks and enabling rapid convergence of routing information.
Integral to each host within a Calico-managed cluster is the Felix agent, a per-node daemon responsible for enforcing networking and security policies. Felix operates by programming Linux kernel features such as Berkeley Packet Filter (BPF) and iptables to realize Calico's intended state. It monitors updates from the control plane and container orchestrator APIs, reconciling desired policy and network configurations with the actual state of each node's networking stack. The decoupling of control (handled centrally) and enforcement (distributed via Felix) facilitates a resilient architecture where policy enforcement scales linearly with cluster size and is isolated to each host's local environment.
Project Calico supports various deployment models tailored to different network environments and performance considerations. Its default mode employs BGP for direct routing of pod IPs between nodes, allowing native IP packets to traverse the underlay network without encapsulation overhead. This simplifies troubleshooting, reduces latency, and maximizes throughput by enabling pods to communicate with minimal protocol layering. In scenarios where the underlay network topology or cloud provider constraints prevent direct L3 connectivity, Calico offers IP-in-IP (IPIP) encapsulation as a fallback, encapsulating pod traffic to maintain seamless IP routing across disparate network segments.
An alternative encapsulation method supported by Calico is VXLAN, which presents a modern overlay networking approach that encapsulates Layer 2 Ethernet frames over Layer 3 networks. VXLAN deployment is advantageous in environments requiring Layer 2 adjacency across distributed nodes or in multi-tenant cloud infrastructures where logical separation via virtual networks is paramount. Calico's flexible deployment models allow operators to carefully select the appropriate encapsulation or native routing mechanism based on infrastructure capabilities, security requirements, and operational preferences.
Integration with container orchestrators such as Kubernetes is achieved through a combination of native APIs and Calico-specific custom resources. Calico interfaces with Kubernetes to obtain pod lifecycle events and network identity information, and it manages the assignment of IP addresses through its own IP address management (IPAM) subsystem or by leveraging Kubernetes IPAM capabilities. This close integration enables Calico to enforce network policies expressed as Kubernetes NetworkPolicy resources or Calico's proprietary GlobalNetworkPolicy constructs, translating high-level intent into low-level dataplane rules applied on each node by Felix.
Calico's approach to distributed routing and policy enforcement establishes a foundation for efficient and high-performance networking. By distributing routing decisions and policy enforcement to individual nodes, traffic forwarding occurs locally without the need for traffic hairpinning or encapsulation where unnecessary, reducing latency and resource consumption. The use of the Linux kernel's native networking stack, enhanced through modern dataplane innovations like eBPF, permits Calico to optimize packet processing and minimize overhead.
Furthermore, the separation of concerns between control and data planes enables Calico to scale horizontally with minimal operational complexity. Network state propagation via BGP can be tuned and extended to support hybrid or multi-cloud topologies, while Felix guarantees consistent policy enforcement regardless of underlying infrastructure heterogeneity. This combination ensures that Calico is not only cloud-native in design but also adaptable to evolving network environments, making it an ideal choice for organizations seeking reliable, scalable, and performant container networking solutions.
Project Calico's architecture exemplifies a modular yet coherent design, leveraging established networking protocols and kernel capabilities to deliver scalable IP networking and robust security policy enforcement. Its control plane, combined with Felix agents deployed on each node, supports flexible deployment modes, enabling operators to tailor networking to their infrastructure's unique needs. This design empowers container platforms to deliver seamless, high-throughput communication with strong security guarantees in cloud-native environments.
1.2 Linux Networking Model Overview
The Linux kernel networking stack embodies a rich set of abstractions and mechanisms that constitute the foundation for contemporary networking, including sophisticated container networking paradigms like those employed by Calico. This section elucidates the essential elements of the Linux networking model-network interfaces, routing tables, the Netfilter framework, network namespaces, and control groups (cgroups)-and examines their roles and interactions within Calico's dataplane operations.
At the lowest level, network interfaces serve as the primary points of interaction between the kernel and physical or virtual network devices. Each interface is represented by a struct net_device in the kernel, which abstracts device-specific operations and attributes. Interfaces can be physical (e.g., eth0), virtual (e.g., veth pairs), or software-defined (e.g., bridges or tunnels). Calico aligns closely with these abstractions by configuring and managing virtual interfaces, typically veth pairs, that bridge container networking stacks to the host and beyond. Such interfaces are vital to isolating container traffic while enabling flexible connectivity patterns.
Routing within the Linux kernel relies on multiple hierarchical routing tables attached to the network stack. The fib_table subsystem maintains these tables and supports policy-based routing. Packets traverse these routing decision trees based on destination addresses, interface affinities, and routing policies, determining next-hop actions such as forwarding to a device or dropping the packet. Calico leverages Linux routing tables to enforce network policies and implement pod-to-pod communication paths across hosts. By programmatically inserting customized routes, Calico precisely controls packet flows, ensuring compliance with the desired security and connectivity policies.
The Netfilter framework forms the kernel's central packet processing and filtering subsystem. Netfilter hooks are strategically placed at various points in the packet processing pipeline: PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING. These hooks enable modular interception and manipulation of packets, critical to implementing firewall rules, NAT, and connection tracking. Calico exploits Netfilter by inserting iptables or nftables rules that enforce granular network policies at specific filtering stages. This modular filtering approach delivers scalable, transparent policy enforcement that integrates naturally with Linux's networking infrastructure.
Fundamental to container isolation, network namespaces virtualize the network stack, allowing multiple independent instances of network devices, routing tables, and firewall rules to coexist on a single host. Each container possesses its own network namespace, effectively sandboxing its network environment. The kernel uses namespace identifiers to multiplex network-related syscalls and packet processing contexts. Calico interacts with these namespaces by attaching...
