Reference

APIs, CLI, architecture and design, and FAQ.

API and installation references

Calico APILearn about the Calico API and how to use it.Helm installation referenceHelm installation referenceInstallation referenceInstallation API reference

calicoctl reference

calicoctl user referenceThe command line interface tool (CLI) to manage Calico network and security policy.calicoctl createCommand to create a policy.calicoctl replaceCommand to replace an existing policy with a different one.calicoctl applyCommand to apply a policy.calicoctl deleteCommand to delete a policy.calicoctl getCommand to list policies in the default output format.calicoctl patchCommand to update a node with a patch.calicoctl labelCommand to change labels for workload endpoints or nodes.calicoctl convertCommand to convert contents of policy.yaml to v3 policy.calicoctl ipamCommands for calicoctl IP address management (IPAM).calicoctl ipam checkCommand to check IPAM statuscalicoctl ipam releaseCommand to release an IP address from Calico IP management.calicoctl ipam showCommand to see if IP address is being used.calicoctl ipam configureCommand to change IPAM configuration.calicoctl ipam splitCommand and options for splitting an existing IP poolcalicoctl nodeCommands for calicoctl node.calicoctl node runCommand and options for running a Calico node.calicoctl node statusCommand to check status of a Calico node instance.calicoctl node diagsCommand to get diagnostics from a Calico node.calicoctl node checksystemCommand to check compatibility of host to run a Calico node instance.calicoctl datastoreCommands for calicoctl datastorecalicoctl datastore migrateCommands for calicoctl datastore migrate.calicoctl datastore migrate exportCommand and options for exporting an etcdv3 datastore.calicoctl datastore migrate importCommand and options for importing exported data to a kubernetes datastore.calicoctl datastore migrate lockCommand and options for locking a datastore for migration.calicoctl datastore migrate unlockCommand and options for unlocking a datastore after migration.calicoctl versionCommand to display the calicoctl CLI version.

Resource definitions

Resource definitionsCalico resources (APIs) that you can manage using calicoctl.BGP configurationAPI for this Calico resource.BGP peerAPI for this Calico resource.BGP FilterAPI for this Calico resource.Block affinityIP address management block affinityCalico node statusAPI for this Calico resource.Felix configurationAPI for this Calico resource.Global network policyAPI for this Calico resource.Global network setAPI for this Calico resource.Host endpointAPI for this Calico resource.IP poolAPI for this Calico resource.IP reservationAPI for this Calico resource.IPAM configurationIP address management global configurationKubernetes controllers configurationAPI for KubeControllersConfiguration resource.Network policyAPI for this Calico resource.Network setAPI for this Calico resource.NodeAPI for this Calico resource.ProfileAPI for this Calico resource.Workload endpointAPI for this Calico resource.

Configuring etcd RBAC

Setting up etcd certificates for RBACProtect your etcd datastore by restricting operation permissions.Generating certificatesGenerate Certificates of Authority (CA) to authenticate users with etcd datastore.Creating users and rolesProvide role-based access control to etcd datastore.Segmenting etcd on Kubernetes (basic)Limit user access to Kubernetes and Calico components.Segmenting etcd on Kubernetes (advanced)Limit user access to Calico components or calicoctl.Calico key and path prefixesPrefixes to configure Calico components to access the etcd datastore.

Felix

Configuring FelixConfigure Felix, the daemon that runs on every machine that provides endpoints.Prometheus metricsReview metrics for the Felix component if you are using Prometheus.

Typha

Typha overviewUse the Calico Typha daemon to increase scale and reduce impact on the datastore.Configuring TyphaConfigure Typha for scaling Kubernetes API datastore (kdd).Prometheus metricsReview metrics for the Typha component if you are using Prometheus.

Configuration on public clouds

Amazon Web ServicesAdvantages of using Calico in AWS.AzureSupport for Calico in Azure.Google Compute EngineMethods to ensure that traffic between containers on different hosts is not dropped by GCE fabric.IBM CloudCalico integration with IBM Cloud.

Host endpoints

Host endpointsSecure host network interfaces.Creating policy for basic connectivityCustomize the Calico failsafe policy to protect host endpoints.Creating host endpoint objectsTo protect a host interface, start by creating a host endpoint object in etcd.Selector-based policiesApply ordered policies to endpoints that match specific label selectors.Failsafe rulesAvoid cutting off connectivity to hosts because of incorrect network policies.Pre-DNAT policyApply rules in a host endpoint policy before any DNAT.Apply on forwarded trafficLearn the subtleties using the applyOnForward option in host endpoint policies.Summary of host endpoint policiesHow different host endpoint rules affect packet flows.Connection trackingWorkaround for Linux conntrack if Calico policy is not working as it should.

Architecture

Component architectureLearn the basic Calico components.‘The Calico data path: IP routing and iptables’Learn how packets flow between workloads in a datacenter, or between a workload and the internet.

VPP dataplane

Primary interface configurationConfiguration parameters for the primary interface in VPP.VPP dataplane implementation detailsTechnical details on the VPP dataplane integration.Host network configurationDescription of the host network configuration performed by VPP.

Other reference topics

Component versionsA list of component versions for CalicoFrequently asked questionsCommon questions that users ask about Calico.Getting involvedContribute to Calico open source project.Configuring calico/nodeCustomize calico/node using environment variables.Configure resource requests and limitsConfigure Resource requests and limits.Configure the Calico CNI pluginsDetails for configuring the Calico CNI plugins.