Issues with Calico

The easy way

As of Calico 3.18 (from early 2021), Calico now supports limited integration with MetalLB. Calico can be configured to announce the LoadBalancer IPs via BGP. Simply run MetalLB, apply an IPAddressPool without any BGPAdvertisement CR. When using MetalLB in this way, you can even remove the Speaker pods to save cluster resources, as the controller is the component in charge of assigning the IPs to the services.

See the official Calico docs for reference.

Example:

calicoctl patch BGPConfig default --patch '{"spec": {"serviceLoadBalancerIPs": [{"cidr": "10.11.0.0/16"},{"cidr":"10.1.5.0/24"}]}}'

Be aware that Calico announces the entire CIDR block provided, not individual LoadBalancer IPs. If you need to announce more specific routes, then explicitly list them in serviceLoadBalancerIPs.

The hard way

If you can’t use a newer version of Calico, or missing features make it unusable, then there are a number of older workarounds.

The problem

BGP only allows one session to be established per pair of nodes. So, if Calico has a session established with your BGP router, MetalLB cannot establish its own session – it’ll get rejected as a duplicate by BGP’s conflict resolution algorithm.

graph BT
    subgraph "  "
      metallbA
      calicoA
    end
    subgraph " "
      metallbB
      calicoB
    end
    metallbA(MetalLB<br>speaker)-. "LB routes<br>(doesn't work)" .->router(BGP Router)
    calicoA("Calico")-- Cluster routes -->router

    metallbB(MetalLB<br>speaker)-. "LB routes<br>(doesn't work)" .->router
    calicoB(Calico)-- Cluster routes -->router

Unfortunately, Calico does not currently provide the extension points we would need to make MetalLB coexist peacefully. There are bugs filed with Calico to add these extension points, but in the meantime, we can only offer some hacky workarounds.

Workaround: Peer with spine routers

If you are deploying to a cluster using a traditional “rack and spine” router architecture, you can work around the limitation imposed by BGP with some clever choice of peering.

Let’s start with the network architecture, and see how we can add in MetalLB:

graph BT
    subgraph " "
      metallbA("MetalLB<br>Speaker")
      calicoA
    end
    subgraph "  "
      calicoB
      metallbB("MetalLB<br>Speaker")
    end

    subgraph "   "
      metallbC("MetalLB<br>Speaker")
      calicoC
    end
    subgraph "    "
      calicoD
      metallbD("MetalLB<br>Speaker")
    end

    calicoA("Calico")-->torA(ToR Router)
    calicoB("Calico")-->torA

    calicoC("Calico")-->torB(ToR Router)
    calicoD("Calico")-->torB
    
    torA-->spine(Spine Router)
    torB-->spine(Spine Router)

In this architecture, we have 4 machines in our Kubernetes cluster, spread across 2 racks. Each rack has a top-of-rack (ToR) router, and both ToRs connect to an upstream “spine” router.

The arrows represent BGP peering sessions: Calico has been configured to not automatically mesh with itself, but to instead peer with the ToRs. The ToRs in turn peer with the spine, which propagates routes throughout the cluster.

Ideally, we would like MetalLB to connect to the ToRs in the same way that Calico does. However, Calico is already “consuming” the one allowed BGP session between machine and ToR.

The alternative is to make MetalLB peer with the spine router(s):

graph BT
    subgraph " "
      metallbA("MetalLB<br>Speaker")
      calicoA
    end
    subgraph "  "
      calicoB
      metallbB("MetalLB<br>Speaker")
    end

    subgraph "   "
      metallbC("MetalLB<br>Speaker")
      calicoC
    end
    subgraph "    "
      calicoD
      metallbD("MetalLB<br>Speaker")
    end

    calicoA("Calico")-->torA(ToR Router)
    calicoB("Calico")-->torA

    calicoC("Calico")-->torB(ToR Router)
    calicoD("Calico")-->torB
    
    torA-->spine(Spine Router)
    torB-->spine(Spine Router)
    
    metallbA-->spine
    metallbB-->spine
    metallbC-->spine
    metallbD-->spine

Properly configured, the spine can redistribute MetalLB’s routes to anyone that needs them. And, because there are no preexisting BGP sessions between the machines and the spine, there is no conflict between Calico and MetalLB.

The downside of this option is additional configuration complexity, and a loss of scalability: instead of scaling the number of spine BGP sessions by the number of racks in your cluster, you’re once again scaling by the total number of machines. In some deployments, this may not be acceptable.

In large clusters, another compromise might be to dedicate only certain racks to externally facing services: constrain the MetalLB speaker daemonset to schedule only on those racks, and either use the “Cluster” externalTrafficPolicy, or also constrain the pods of the externally facing services to run on those racks.

graph BT
    subgraph " "
      metallbA("MetalLB<br>Speaker")
      calicoA
    end

    subgraph "  "
      calicoB
    end

    calicoA("Calico")-->torA(ToR Router)
    calicoB("Calico")-->torB(ToR Router)

    torA-->spine(Spine Router)
    torB-->spine(Spine Router)
    
    metallbA-->spine

Workaround: Router VRFs

If your networking hardware supports VRFs (Virtual Routing and Forwarding), you may be able to “split” your router in two, and peer Calico and MetalLB to separate halves of the same router. Then, with judicious inter-VRF route leaking, you can re-merge the two routing tables.

graph BT
    subgraph " "
      metallbA("MetalLB<br>Speaker")
      calicoA("Calico")
    end
    subgraph "  "
      calicoB("Calico")
      metallbB("MetalLB<br>Speaker")
    end

    subgraph Router
      torA("Router VRF 1")
      torB("Router VRF 2")
    end

    calicoA-->torA
    calicoB-->torA

    metallbA-->torB
    metallbB-->torB
    
    torB-. "Careful route<br>propagation" .->torA

While this should theoretically work, it hasn’t been demonstrated, and setting it up varies wildly based on which routing software/hardware you are interfacing with. If you get this working, please let us know, especially if you have tips on how to make this work best!

Ideas wanted

If you have an idea for another workaround that would enable Calico and MetalLB to coexist nicely, please tell us !