In a Calico network, each host acts as a gateway router for the workloads that it hosts. In container deployments, Calico uses 169.254.1.1 as the address for the Calico router. By using a link-local address, Calico saves precious IP addresses and avoids burdening the user with configuring a suitable address.
While the routing table may look a little odd to someone who is used to configuring LAN networking, using explicit routes rather than subnet-local gateways is fairly common in WAN networking.
The Calico CNI plugin emits logs to stderr, which are then logged out by the kubelet. Where these logs end up depends on how your kubelet is configured. For deployments using systemd, you can read them with journalctl.
The log level can be configured via the CNI network configuration file, by changing the value of the key log_level. See Configuring the Calico CNI plugins for more information.
Calico tries hard to avoid interfering with any other configuration on the host. Rather than adding the gateway address to the host side of each workload interface, Calico sets the proxy_arp flag on the interface. This makes the host behave like a gateway, responding to ARPs for 169.254.1.1 without having to actually allocate the IP address to the interface.
In some setups the kernel is unable to generate a persistent MAC address and so Calico assigns a MAC address itself. Since Calico uses point-to-point routed interfaces, traffic does not reach the data link layer, so the MAC address is never used and can therefore be the same for all the cali* interfaces.
Yes! The Kubernetes NetworkPolicy API added support for egress policies in v1.8. You can also use calicoctl to configure egress policy to prevent Kubernetes pods from initiating outgoing connections based on the full set of supported Calico policy primitives including labels, Kubernetes namespaces, CIDRs, and ports.
It can, but not in the way that Calico uses it.
In container deployments, Calico only uses proxy ARP for resolving the 169.254.1.1 address. The routing table inside the container ensures that all traffic goes via the 169.254.1.1 gateway so that is the only IP that will be ARPed by the container.
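The pod-side and host-side state described above (link-local gateway, explicit per-pod host routes, proxy_arp on the cali* interfaces) can be audited from snapshots of `ip route` and the proxy_arp sysctls. This is an added example, not Calico's own tooling: the interface names, pod IPs and sysctl values are constructed, and the checks flag a cali* interface without proxy_arp (its pod can no longer resolve 169.254.1.1), a cali* interface with no host route, and proxy_arp enabled on an interface Calico does not manage.

```python
import re
CALICO_GW = "169.254.1.1"  # link-local gateway the host answers for via proxy ARP

# Constructed snapshots (not captured from a real cluster).
POD_ROUTES = """\
default via 169.254.1.1 dev eth0
169.254.1.1 dev eth0 scope link
"""
HOST_SYSCTL = """\
net.ipv4.conf.eth0.proxy_arp = 0
net.ipv4.conf.cali7c5a1e2f9b3.proxy_arp = 1
net.ipv4.conf.cali0d4e8a9c771.proxy_arp = 0
net.ipv4.conf.cali5f6e7d8c9b0.proxy_arp = 1
net.ipv4.conf.bond0.proxy_arp = 1
"""
HOST_ROUTES = """\
default via 192.168.1.1 dev eth0
10.244.1.5 dev cali7c5a1e2f9b3 scope link
10.244.1.6 dev cali0d4e8a9c771 scope link
"""

def audit_pod_routes(text):
    """Check a pod's routing table: default via the link-local gateway, plus a
    scope-link route for it (the gateway is on no subnet, so this enables ARP)."""
    findings = []
    routes = [line.split() for line in text.splitlines() if line.strip()]
    default = [r for r in routes if r[0] == "default"]
    if not default or len(default[0]) < 3 or default[0][2] != CALICO_GW:
        findings.append(f"default route is not via {CALICO_GW}")
    if not any(r[0] == CALICO_GW and "link" in r for r in routes):
        findings.append(f"no scope-link route to {CALICO_GW}; ARP for it would fail")
    return findings

def audit_host(sysctl_text, routes_text):
    """Check the host: each cali* interface needs proxy_arp=1 and a host route to
    its pod; proxy_arp on any other interface is not Calico's doing."""
    findings = []
    proxy = {dev: val == "1" for dev, val in
             re.findall(r"net\.ipv4\.conf\.([^.\s]+)\.proxy_arp = (\d)", sysctl_text)}
    routed = set(re.findall(r"^\S+ dev (cali\S+) scope link", routes_text, re.M))
    for dev, enabled in sorted(proxy.items()):
        if dev.startswith("cali"):
            if not enabled:
                findings.append(f"{dev}: proxy_arp=0, its pod cannot resolve {CALICO_GW}")
            if dev not in routed:
                findings.append(f"{dev}: no scope-link host route to its pod")
        elif enabled:
            findings.append(f"{dev}: proxy_arp=1 on a non-Calico interface")
    return findings
```

Against a live node, feed `audit_pod_routes` the output of `ip route` run inside the pod, and `audit_host` the proxy_arp lines of `sysctl -a` together with the host's `ip route`.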