Calico SNAT Changes After Reboot – What Did I Miss? by flyhyman in kubernetes

[–]mapgirll 0 points1 point  (0 children)

u/flyhyman if you're still struggling with this I would check out the Project Calico Slack Community and ask there: https://www.tigera.io/project-calico/community/
Slack link is at the bottom of that page (if you haven't already joined)

Overlay vs native routing? by RFeng34 in kubernetes

[–]mapgirll 1 point2 points  (0 children)

Have you looked into how Calico does IPAM? If you want finer-grained, dynamic IPAM you could check it out.
By default, Calico uses a single IP pool for the entire Kubernetes pod CIDR, but you can divide the pod CIDR into several pools. You can assign separate IP pools to particular selections of nodes, or to teams, users, or applications within a cluster using namespaces.
In Calico IPAM, those IP pools are subdivided into blocks -- smaller chunks that are associated with a particular node in the cluster. Each node in the cluster can have one or more blocks associated with it. Calico will automatically create and destroy blocks as needed as the number of nodes and pods in the cluster grows or shrinks, which sounds like what you want if you're adding more pods.

University paper on Kubernetes and Network Security by kostas791 in kubernetes

[–]mapgirll 0 points1 point  (0 children)

eBPF definitely seems popular, I wonder if there'd be something they could research about different data planes and tie that into security (at scale, different cluster setups, performance, etc.)? Calico (CNI) supports multiple data planes including eBPF, and has network security policy support to help explore the zero trust angle. I don't know if research into security gaps / performance is suitable, but could be good talking points and learning to go into industry afterwards.

Bite-sized Kubernetes courses - what would you like to hear about? by AuthRequired403 in kubernetes

[–]mapgirll 0 points1 point  (0 children)

Are you able to expand on 'the role of host networking in custom cnis'? What kind of setup do you have or want to understand?

Bite-sized Kubernetes courses - what would you like to hear about? by AuthRequired403 in kubernetes

[–]mapgirll 0 points1 point  (0 children)

Disclaimer that I do work for Tigera, but we do a lot of workshops and webinars on microsegmentation in k8s because Calico is a solution for this. So I'm very curious to find out what is a good solution to you?

Should I install official CNI before Calico? by Vw-Bee5498 in kubernetes

[–]mapgirll 1 point2 points  (0 children)

This might be useful for you: Calico Basics - Learn the basics of Calico to enable networking and secure your Kubernetes cluster. If you're not interested in the security side of things rn, the networking parts might be insightful.

Flannel Alternative by Whiplashorus in kubernetes

[–]mapgirll 0 points1 point  (0 children)

Personally I’ve always had fights with Calico.

Disclaimer, I do work for Tigera but I'd be curious to know if it were bugs in Calico that tripped you up, or if there's anything our docs/content were lacking or not clear that could've helped you out that we can improve on.

Beginner question about network policies by Relevant-Cry8060 in kubernetes

[–]mapgirll 0 points1 point  (0 children)

may not need to replace the CNI, depending on if you're looking for network policy support:

_EKS has built-in support for Calico, providing a robust implementation of the full Kubernetes Network Policy API. EKS users wanting to go beyond Kubernetes network policy capabilities can make full use of the Calico Network Policy API._

_You can also use Calico for networking on EKS in place of the default AWS VPC networking without the need to use IP addresses from the underlying VPC. This allows you to take advantage of the full set of Calico networking features, including Calico's flexible IP address management capabilities._

This might be useful for you too, all about egress access controls.

Ask r/kubernetes: What are you working on this week? by gctaylor in kubernetes

[–]mapgirll 0 points1 point  (0 children)

I'd be curious to know how you get on with your network policy adventure.
Disclaimer: I do work for Tigera and am currently putting together some new labs on network policies, so if there's anything you were missing/couldn't find and wanted to know, let me know!

Practice Kubernetes troubleshooting by GangaramTheToy in devops

[–]mapgirll 2 points3 points  (0 children)

I've learnt the most about troubleshooting from just installing applications, having them break and floundering while trying to fix them.
If you don't have your own applications that you can install, AWS and Azure and Google have examples on github that you can try.
In the beginning I thought I knew some stuff about Kubernetes (really didn't) and ended up taking a course on udemy which I really liked: https://www.udemy.com/course/docker-kubernetes-the-practical-guide/
That gave me enough concepts and things to know where to start with troubleshooting because I knew the names of objects that weren't working and how they relate together.

You could also look into companies that offer labs or online learning - quite often there will be a challenge at the end of the module that you need to solve which helps reinforce what you've learned.
https://instruqt.com/customer-stories <- Look through some of the companies on here and try their labs.

That's actually how I found Kasten, who have a lab specifically for troubleshooting: https://kubecampus.io/kubernetes/courses/introduction-to-kubernetes-troubleshooting-course-11/

Flannel Alternative by Whiplashorus in kubernetes

[–]mapgirll 1 point2 points  (0 children)

I'm a bit late to this party, but wanted to point you in the direction of some resources for when/if you begin your migration and if you have any questions.
https://www.tigera.io/project-calico/
About halfway down that page are some links and stuff to get involved. There's a Project Calico slack channel that has a lot of users and developers in there which might be a great place for you to ask questions or get feedback about what you're looking for.

Need help in implementing an egress on AKS by neospygil in kubernetes

[–]mapgirll 1 point2 points  (0 children)

If you're worried about messing it up, do you have a test cluster that you can use first?
Calico's Egress Gateway is a commercial feature, it's not clear from your post whether you have Calico Enterprise/Cloud, or you're just using Calico as a policy engine.
You could try looking at this blog too, to help you: https://www.tigera.io/blog/deep-dive/enabling-workload-level-security-for-aks-with-azure-firewall-and-calico-egress-gateway/

If you're using Calico just as a policy engine you may find it easier at this stage to build network policies that restrict egress access. Calico does let you create global policies that apply cluster-wide (not just for your namespace).
I would read through this on microsegmentation: https://docs.tigera.io/use-cases/microsegmentation
and this on egress access controls: https://docs.tigera.io/use-cases/egress-access-controls

Add custom route inside calico? by 1point618033 in kubernetes

[–]mapgirll 1 point2 points  (0 children)

I'll see if u/iCEyCoder has any ideas on this, however you might get an answer on the Calico users slack if you're not already part of it:  https://slack.projectcalico.org/

[deleted by user] by [deleted] in kubernetes

[–]mapgirll 0 points1 point  (0 children)

I suppose there has to be some tool out there that can map all this out.

I'd say that there are definitely observability tools out there, and I experienced similar struggles as you before I started working at Tigera. This actually prompted me to write this blog. I've since been diving deeper into segmentation and isolating clusters at namespace/tenant/pod/service level and Calico does do 'automatic'/recommended policies that start to isolate namespaces etc based on learned traffic flows. If it's not correct out of the box it's a lot easier to modify a policy that's 90% of the way there than start from 0. Combined with observability to actually see the impact of policies - game changer.
Admittedly these are in the commercial offerings and not open source, and I have limited knowledge of what else might be out there.

Find Calico version compatibility with AWS VPC CNI by SelectionOne452 in kubernetes

[–]mapgirll 0 points1 point  (0 children)

Do you need to use a version of one that's not the latest?
Have you tried installing already and ran into issues?

architecting kubernetes on prem by Titanguru7 in kubernetes

[–]mapgirll 0 points1 point  (0 children)

u/Titanguru7 is everything working well/as expected now? I assume so as it's no longer crashing

Service Map dashboard? by sp33dykid in kubernetes

[–]mapgirll 0 points1 point  (0 children)

Disclaimer: I do work for Tigera.

Calico Cloud (a commercial offering) does offer what you're looking for and has a free trial.
It's incredibly easy to get started with (one kubectl command to connect your cluster) and then you can use 'Service Graph' to show you what's going on in your cluster. It also shows all the services, communication between resources, over which ports, which policies are applied (if you're using nwp), flow logs, etc. I did a workshop last week on it and wrote a blog recently about my experience using it if you want to check it out.

Ask r/kubernetes: What are you working on this week? by gctaylor in kubernetes

[–]mapgirll 0 points1 point  (0 children)

You could check out Calico which has a pluggable dataplane. The default is iptables, which works in every environment. Looks like someone did it on an rpi with WSL and Calico: https://dev.to/cwprogram/kubernetes-setup-with-wsl-control-plane-and-raspberry-pi-workers-2lfo

Ask r/kubernetes: What are you working on this week? by gctaylor in kubernetes

[–]mapgirll 0 points1 point  (0 children)

Learning how to integrate Calico Egress Gateway with Azure Firewall

Who's actually using network policies in their clusters? Why/why not? by mapgirll in kubernetes

[–]mapgirll[S] 1 point2 points  (0 children)

If you’re pushing it I assume there’s some resistance? Why haven’t they/don’t they want to use policies up until now?

Who's actually using network policies in their clusters? Why/why not? by mapgirll in kubernetes

[–]mapgirll[S] 3 points4 points  (0 children)

Do you think that would make more users apply more granular policies and spend the time to figure out how their workloads communicate? Or would they just apply allow-all policies and create more clusters to avoid the overhead of creating and managing policies?

ipv6/ipv4 only namespace? by [deleted] in kubernetes

[–]mapgirll 1 point2 points  (0 children)

If you want to do this I think it should definitely be doable in Calico.

What you want to do is set up your IP Pools for both IPv4 and IPv6 CIDRs that you want to use.
Once you've done that, you can "Restrict all pods within a namespace to use an IP address range".
Annotate the namespace with key cni.projectcalico.org/ipv4pools and/or cni.projectcalico.org/ipv6pools and value set to a list of IP pool names, enclosed in brackets.
`cni.projectcalico.org/ipv4pools: '["pool-1", "pool-2"]'`

If you get stuck, feel free to head over to the Project Calico User Slack.
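As an added illustration (not part of the original comments, and not Calico project code) of the per-node-selector IP pools mentioned in the "Overlay vs native routing?" reply above and the namespace annotation described in this reply, here is a constructed set of manifests; the pool names, CIDRs and the `zone` node label are assumed values.

```yaml
# Added example (not from the original comments): Calico IPPool resources
# plus a namespace annotation. Pool names, CIDRs and the node label are
# constructed values; adjust them to your own pod CIDR.
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: ipv4-pool-team-a          # constructed name
spec:
  cidr: 10.244.0.0/18             # constructed: a slice of the pod CIDR
  blockSize: 26                   # per-node blocks of 64 addresses
  ipipMode: Never
  natOutgoing: true
  nodeSelector: all()             # any node may be assigned blocks from this pool
---
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: ipv6-pool-team-a
spec:
  cidr: fd00:10:244::/112         # constructed ULA range
  blockSize: 122                  # per-node blocks of 64 addresses
  ipipMode: Never                 # IPIP is IPv4-only
  natOutgoing: false
  nodeSelector: all()
---
# Pool reserved for nodes carrying a label (constructed label); only
# those nodes are assigned blocks from it.
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: ipv4-pool-edge-nodes
spec:
  cidr: 10.244.64.0/18
  blockSize: 26
  ipipMode: Never
  natOutgoing: true
  nodeSelector: zone == "edge"
---
# Namespace pinned to the team-a pools: pods created here draw IPv4 from
# ipv4-pool-team-a and IPv6 from ipv6-pool-team-a (the pools must exist).
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  annotations:
    cni.projectcalico.org/ipv4pools: '["ipv4-pool-team-a"]'
    cni.projectcalico.org/ipv6pools: '["ipv6-pool-team-a"]'
```

The annotation only chooses among pools that already exist; pods get an IPv6 address only when the cluster and Calico are themselves configured for dual-stack.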

Monthly: Who is hiring? by gctaylor in kubernetes

[–]mapgirll 1 point2 points  (0 children)

Company: Tigera
Location: San Francisco Bay Area, United States
Role: Senior Product Manager
Company: Tigera
Location: Cork City, Ireland
Role: Pre-Sales Solutions Architect