calico-node

What is calico-node?

The calico-node image is the core per-node agent of Project Calico. It runs as a DaemonSet pod on every node in the cluster and is responsible for programming iptables or eBPF-based network policy rules, managing BGP routing (via the embedded BIRD daemon), handling IPAM for pod IP allocation, and maintaining the Felix policy enforcement engine.

It is the primary runtime component of a Calico installation and is what enforces NetworkPolicy and Calico-specific GlobalNetworkPolicy objects at the kernel level. calico-node is deployed automatically when installing Calico via the official manifests, Helm chart, or the Calico Operator.

How to use this image

calico-node is not typically run manually; it is deployed and managed by the Calico installation method you choose.

Install Calico using the manifest (includes calico-node DaemonSet):

kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calico.yaml

Install Calico using the Tigera Operator:

kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/tigera-operator.yaml
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/custom-resources.yaml

Verify calico-node pods are running on all nodes:

kubectl get pods -n calico-system -l k8s-app=calico-node -o wide

Check Felix (policy engine) status on a node:

kubectl exec -n calico-system \
  $(kubectl get pod -n calico-system -l k8s-app=calico-node -o name | head -1) \
  -- calico-node -felix-live

Image variants

calico/node:latest

The latest stable calico-node release. Not recommended for production, as Calico component versions must be consistent across the cluster.

calico/node:<version>

Pinned version tags such as calico/node:v3.27.0. All Calico components (calico/node, calico/cni, calico/kube-controllers) should be pinned to the same version. Always use versioned tags in production.