CALICO with Docker
Calico provides secure network connectivity for container and virtual
machine workloads.
Calico integrates with cloud orchestration systems such as OpenStack and
Docker to provide networking between local and geographically distributed
workloads.
This deck covers the integration with Docker.
CALICO with Docker
Calico implements a Docker network plugin that provides routing and
advanced network policy for Docker containers. Topics covered:
Security using Calico Profiles
Security using Calico Profiles and Policy
Security using Docker Labels and Calico Policy
IPAM
Security using Calico Profiles
When Calico runs as a Docker network plugin, each Docker network is
represented by a Calico profile of the same name. The profile is applied to
every container attached to that network, and Calico uses it to configure
the access policy for those containers. If the profile does not exist when
a container is attached to the network, the plugin creates it
automatically. By default the generated profile allows all egress traffic
but allows ingress traffic only from containers in the same network, and
from no other source. To give a network custom policy, create the profile
with the network's name before attaching containers, or edit the profile
after the plugin has created it.
See: https://docs.projectcalico.org/v2.6/getting-started/docker/tutorials/security-using-calico-profiles
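The contrast between the auto-created default profile and a profile created in advance, as an added example (this is not code from the deck or from the Calico documentation). It assumes calicoctl v2.6 with a reachable datastore, a running calico/node with the Calico libnetwork plugin, and Docker on the same host; the network names `frontend` and `databases` and the port 5432 are illustrative. Note that the narrowed profile also restricts egress to the same network, so a database container using it cannot reach DNS or package mirrors outside the network.

```shell
#!/bin/sh
# Added example, not from the Calico docs: the permissive default profile
# beside a pre-created, narrowed one. Assumes calicoctl v2.6, a running
# calico/node and the Calico libnetwork plugin; names and port are illustrative.
set -eu

# Render a v2.6 profile for Docker network $1: ingress only from containers
# tagged with the same network and only to TCP port $2, egress only to the
# same network. (The auto-created default allows all egress and any ingress
# whose source carries the network's tag.)
profile_manifest() {
  net=$1; port=$2
  cat <<EOF
apiVersion: v1
kind: profile
metadata:
  name: $net
  tags:
  - $net
spec:
  ingress:
  - action: allow
    protocol: tcp
    source:
      tag: $net
    destination:
      ports:
      - $port
  egress:
  - action: allow
    destination:
      tag: $net
EOF
}

if command -v calicoctl >/dev/null 2>&1 && command -v docker >/dev/null 2>&1; then
  # No profile in place: the plugin generates the default one when the first
  # container is attached. Inspect it to see the allow-all egress rule.
  docker network create --driver calico --ipam-driver calico-ipam frontend
  docker run --net frontend --name web -tid busybox
  calicoctl get profile frontend -o yaml

  # Profile created first with the network's name: the plugin reuses it
  # instead of generating the permissive default.
  profile_manifest databases 5432 | calicoctl apply -f -
  docker network create --driver calico --ipam-driver calico-ipam databases
  docker run --net databases --name db -tid busybox
  calicoctl get profile databases -o yaml
fi
```

Creating the profile before the network is the safer order: a container attached before the custom profile exists runs under the default rules until the profile is edited, and the edit only takes effect once Calico has re-applied the profile to the endpoint.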
Security using Calico Profiles and Policy
There are two ways to modify the policy that applies to a Docker network:
•Modify the profile's policy rules. These rules are applied directly to each
container in the associated Docker network. This approach is simple but not
very flexible, because the profile must describe the full set of rules that
apply to the containers in the network.
•Assign labels to the profile and define global, selector-based policy. The
(Calico-specific) labels are assigned to every container in the associated
Docker network. The globally defined policy uses selectors to determine which
subset of the policy applies to each container, based on its labels. This
approach provides a powerful way to group all of your network policy in one
place, makes it easy to reuse policy across different networks, and makes it
easier to define policy that extends across different orchestration systems
that use Calico.
See: https://docs.projectcalico.org/v2.6/getting-started/docker/tutorials/security-using-calico-profiles
Security using Docker Labels and Calico Policy
To use Docker container labels in policy selectors, the flag
--use-docker-networking-container-labels must be passed when starting
calico/node with the calicoctl node run command. With the flag, a
container's Calico labels come from its Docker labels rather than from the
profile of its network. Every calico/node instance should be started with
the flag, otherwise some hosts will match policy on profile labels and
others on container labels.
See: https://docs.projectcalico.org/v2.6/getting-started/docker/tutorials/security-using-calico-profiles
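The label-driven approach from the last two slides written out end to end, as an added example (not code from the deck or from the Calico documentation): profiles carry `role` labels, one global policy selects on those labels, and with the node flag the same policy also matches containers labelled directly by `docker run`. It assumes calicoctl v2.6 with a reachable datastore, the Calico libnetwork plugin on every host, and that `org.projectcalico.label.` is the prefix the plugin strips from Docker container labels when the flag is set; the network names, the `role` label and port 5432 are illustrative.

```shell
#!/bin/sh
# Added example, not from the Calico docs: labelled profiles plus global
# selector policy for two Docker networks. Assumes calicoctl v2.6, the Calico
# libnetwork plugin on every host, and the org.projectcalico.label. prefix
# for container labels; names, the role label and the port are illustrative.
set -eu

# Profiles carry labels instead of rules; the policy below selects on them.
labelled_profiles() {
  cat <<EOF
- apiVersion: v1
  kind: profile
  metadata:
    name: databases
    labels:
      role: database
- apiVersion: v1
  kind: profile
  metadata:
    name: frontend
    labels:
      role: frontend
EOF
}

# Global policy: only role=frontend may reach role=database, and only on
# TCP port $1; databases may talk among themselves; frontend accepts 80/tcp
# from anywhere and may only open $1/tcp towards databases.
policy_manifest() {
  dbport=$1
  cat <<EOF
- apiVersion: v1
  kind: policy
  metadata:
    name: database
  spec:
    order: 0
    selector: role == 'database'
    ingress:
    - action: allow
      protocol: tcp
      source:
        selector: role == 'frontend'
      destination:
        ports:
        - $dbport
    - action: allow
      source:
        selector: role == 'database'
    egress:
    - action: allow
      destination:
        selector: role == 'database'
- apiVersion: v1
  kind: policy
  metadata:
    name: frontend
  spec:
    order: 0
    selector: role == 'frontend'
    ingress:
    - action: allow
      protocol: tcp
      destination:
        ports:
        - 80
    egress:
    - action: allow
      protocol: tcp
      destination:
        selector: role == 'database'
        ports:
        - $dbport
EOF
}

if command -v calicoctl >/dev/null 2>&1 && command -v docker >/dev/null 2>&1; then
  # Run this on EVERY host; a mix of flagged and unflagged nodes means some
  # containers match on profile labels and others on container labels.
  calicoctl node run --use-docker-networking-container-labels
  labelled_profiles | calicoctl apply -f -
  policy_manifest 5432 | calicoctl apply -f -
  docker network create --driver calico --ipam-driver calico-ipam databases
  docker network create --driver calico --ipam-driver calico-ipam frontend
  # With the flag, the role label comes from the container itself (prefix
  # stripped), so the same policy applies regardless of the network's profile.
  docker run --net databases --label org.projectcalico.label.role=database \
    --name db -tid busybox
  docker run --net frontend --label org.projectcalico.label.role=frontend \
    --name web -tid busybox
fi
```

Once a policy's selector matches a container, traffic that no rule of a matching policy allows is dropped; the network's profile is only consulted for containers that no policy selects. That is what makes the selector approach reusable: the same `role == 'database'` policy applies to a Docker network, a Kubernetes pod or an OpenStack VM as long as the endpoint carries the label.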
IPAM
Since Docker 1.10, users can select a specific IP address for a container
at creation time (the --ip option of docker run). To use this feature,
Docker requires that the --subnet parameter be given when running
docker network create.
Calico requires that the --subnet value be exactly the same CIDR as an
existing Calico IP pool; a subnet that merely lies inside a pool is not
accepted.
See: https://docs.projectcalico.org/v2.6/getting-started/docker/tutorials/ipam
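The fixed-IP procedure above, as an added example (not code from the deck or from the Calico documentation): create an IP pool, create the Docker network with that exact CIDR as `--subnet`, then start a container with `--ip`. It assumes Docker 1.10 or later, calicoctl v2.6 with a reachable datastore and a running calico/node with the Calico libnetwork plugin; the pool `10.20.30.0/24`, the network name and the chosen address are illustrative. The two shell functions check the address arithmetic locally so that a mismatch is caught before Docker or Calico returns a less helpful error.

```shell
#!/bin/sh
# Added example, not from the Calico docs: fixed-IP containers with Calico
# IPAM. Assumes Docker >= 1.10, calicoctl v2.6 and a running calico/node with
# the Calico libnetwork plugin; the pool CIDR, network name and address
# are illustrative.
set -eu

POOL=10.20.30.0/24    # must match --subnet exactly, not just contain it
NET=fixedips
ADDR=10.20.30.50

# v2.6 ipPool resource for CIDR $1.
ippool_manifest() {
  cat <<EOF
apiVersion: v1
kind: ipPool
metadata:
  cidr: $1
spec:
  ipip:
    enabled: false
  nat-outgoing: true
EOF
}

# Dotted-quad IPv4 address to an integer (no validation of each octet).
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# True if address $1 lies inside CIDR $2 (a.b.c.d/n). Used to validate the
# --ip argument before handing it to Docker.
ip_in_cidr() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Calico wants the pool CIDR itself as --subnet; Docker alone would also
# accept a smaller subnet carved out of the pool.
subnet_matches_pool() {
  [ "$1" = "$2" ]
}

if command -v calicoctl >/dev/null 2>&1 && command -v docker >/dev/null 2>&1; then
  subnet_matches_pool "$POOL" "$POOL" || { echo "subnet/pool mismatch"; exit 1; }
  ip_in_cidr "$ADDR" "$POOL" || { echo "$ADDR not in $POOL"; exit 1; }
  ippool_manifest "$POOL" | calicoctl apply -f -
  docker network create --driver calico --ipam-driver calico-ipam \
    --subnet="$POOL" "$NET"
  docker run --net "$NET" --ip "$ADDR" --name pinned -tid busybox
  calicoctl get workloadEndpoint -o wide
fi
```

The default pool in a fresh v2.6 install is `192.168.0.0/16`, so a network created with `--subnet 192.168.10.0/24` fails even though the range is inside the pool: either use the pool's own CIDR or create a pool with exactly the CIDR you intend to pass to Docker.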