// the find
projectcalico/calico
Cloud native networking and network security
Calico is the de facto standard CNI plugin for Kubernetes networking and network policy. It handles pod networking via BGP, VXLAN, or eBPF, and enforces network policy at L3/L4. If you're running Kubernetes at any serious scale, you've almost certainly already encountered it.
Multiple data plane options (eBPF, iptables, nftables, Windows HNS) let you pick the right tradeoff for your workload — eBPF cuts CPU overhead significantly on high-traffic nodes. BGP peering support means you can integrate pod IPs directly into your physical network fabric without overlay tunnels, which matters for latency-sensitive workloads. The policy model extends Kubernetes NetworkPolicy with GlobalNetworkPolicy and tiers, giving you cluster-wide rules that namespace-scoped policies can't bypass — useful for security teams that need guaranteed baseline controls. The codebase structure is well-organized with distinct components (Felix, Typha, CNI plugin, kube-controllers) each with clear ownership, and CI pipelines cover eBPF, iptables, nftables, VPP, and Windows separately.
The split between open-source Calico and Tigera's commercial Calico Enterprise is a constant friction point — the docs frequently reference features that aren't in the OSS build, and you only find out when you try to configure them. Troubleshooting is genuinely hard: Felix's diagnostics are buried in logs and the `calicoctl` CLI doesn't surface enough runtime state without digging into CRDs directly. Windows support exists but is a second-class citizen — it lags behind Linux on eBPF and several policy features, and the test matrix shows it. The monorepo structure is massive (30+ CI pipeline blocks, VPP dataplane, OpenStack, Istio integration) which makes understanding the scope of a change or setting up a local dev environment non-trivial for newcomers.