tigera · caseydavenport · May 18, 2026 · May 18, 2026 · May 20, 2026 · May 20, 2026
@@ -48,8 +48,8 @@ type CalicoNodeDaemonSetContainer struct {
 // CalicoNodeDaemonSetInitContainer is a calico-node DaemonSet init container.
 type CalicoNodeDaemonSetInitContainer struct {
 	// Name is an enum which identifies the calico-node DaemonSet init container by name.
-	// Supported values are: install-cni, hostpath-init, flexvol-driver, ebpf-bootstrap, node-certs-key-cert-provisioner, calico-node-prometheus-server-tls-key-cert-provisioner, mount-bpffs (deprecated, replaced by ebpf-bootstrap)
-	// +kubebuilder:validation:Enum=install-cni;hostpath-init;flexvol-driver;ebpf-bootstrap;node-certs-key-cert-provisioner;calico-node-prometheus-server-tls-key-cert-provisioner;mount-bpffs
+	// Supported values are: install-cni, cni-plugins, hostpath-init, flexvol-driver, ebpf-bootstrap, node-certs-key-cert-provisioner, calico-node-prometheus-server-tls-key-cert-provisioner, mount-bpffs (deprecated, replaced by ebpf-bootstrap)
+	// +kubebuilder:validation:Enum=install-cni;cni-plugins;hostpath-init;flexvol-driver;ebpf-bootstrap;node-certs-key-cert-provisioner;calico-node-prometheus-server-tls-key-cert-provisioner;mount-bpffs
 	Name string `json:"name"`
 
 	// Resources allows customization of limits and requests for compute resources such as cpu and memory.

@@ -1020,8 +1020,36 @@ type CNISpec struct {
 	// +optional
 	// +kubebuilder:validation:Type=string
 	ConfDir *string `json:"confDir,omitempty"`
+
+	// InstallMode controls which CNI plugin binaries the operator installs onto each node
+	// when CNI.Type is Calico.
+	// * All (default): the operator runs a cni-plugins init container that stages upstream
+	//   CNI plugin binaries (host-local, portmap, loopback, tuning, flannel) into a shared
+	//   volume, and the install-cni init container copies them onto the host alongside
+	//   Calico's own binaries.
+	// * CalicoOnly: skip the cni-plugins init container. Only Calico's own binaries are
+	//   installed. Use this when the host already provides the upstream plugins (e.g. kind,
+	//   certain managed node images).
+	//
+	// Default: All
+	// +optional
+	// +kubebuilder:validation:Enum=All;CalicoOnly
+	InstallMode *CNIInstallMode `json:"installMode,omitempty"`
 }
 
+// CNIInstallMode controls which CNI plugin binaries the operator installs onto the host.
+type CNIInstallMode string
+
+const (
+	// CNIInstallModeAll installs Calico's own CNI binaries plus the upstream plugin set
+	// (host-local, portmap, loopback, tuning, flannel) via a dedicated init container.
+	CNIInstallModeAll CNIInstallMode = "All"
+
+	// CNIInstallModeCalicoOnly installs only Calico's own CNI binaries; the host is
+	// expected to provide any required upstream plugins.
+	CNIInstallModeCalicoOnly CNIInstallMode = "CalicoOnly"
+)
+
 // InstallationStatus defines the observed state of the Calico or Calico Enterprise installation.
 type InstallationStatus struct {
 	// Variant is the most recently observed installed variant - one of Calico or CalicoEnterprise.

@@ -13,6 +13,8 @@ components:
     version: master
   cni-windows:
     version: master
+  cni-plugins:
+    version: master
   kube-controllers:
     version: master
   goldmane:

@@ -51,6 +51,9 @@ components:
   tigera-cni-windows:
     image: cni-windows
     version: master
+  tigera-cni-plugins:
+    image: cni-plugins
+    version: master
   # coreos-prometheus holds the version of prometheus built for tigera/prometheus,
   # which prometheus operator uses to validate.
   coreos-prometheus:

@@ -19,6 +19,15 @@ package components
 
 var (
 	CalicoRelease string = "{{ .Title }}"
+{{ with index .Components "cni-plugins" }}
+	ComponentCalicoCNIPlugins = Component{
+		Version:   "{{ .Version }}",
+		Image:     "{{ .Image }}",
+		Registry:  "{{ .Registry }}",
+		imagePath: "{{ .ImagePath }}",
+		variant:   calicoVariant,
+	}
+{{- end }}
 {{ with index .Components "cni-windows" }}
 	ComponentCalicoCNIWindows = Component{
 		Version:   "{{ .Version }}",
@@ -145,6 +154,7 @@ var (
 {{- end }}
 
 	CalicoImages = []Component{
+		ComponentCalicoCNIPlugins,
 		ComponentCalicoCNIWindows,
 		ComponentCalicoNode,
 		ComponentCalicoNodeFIPS,

@@ -54,6 +54,8 @@ var (
 		"coreos-alertmanager":         "unused-image",
 		"tigera-cni":                  "cni",
 		"tigera-cni-windows":          "cni-windows",
+		"cni-plugins":                 "cni-plugins",
+		"tigera-cni-plugins":          "cni-plugins",
 		"linseed":                     "linseed",
 		"gateway-api-envoy-gateway":   "envoy-gateway",
 		"gateway-api-envoy-proxy":     "envoy-proxy",

@@ -237,6 +237,15 @@ var (
 		variant:   enterpriseVariant,
 	}
 {{- end }}
+{{ with index .Components "tigera-cni-plugins" }}
+	ComponentTigeraCNIPlugins = Component{
+		Version:   "{{ .Version }}",
+		Image:     "{{ .Image }}",
+		Registry:  "{{ .Registry }}",
+		imagePath: "{{ .ImagePath }}",
+		variant:   enterpriseVariant,
+	}
+{{- end }}
 {{ with index .Components "gateway-api-envoy-gateway" }}
 	ComponentGatewayAPIEnvoyGateway = Component{
 		Version:   "{{ .Version }}",
@@ -321,6 +330,7 @@ var (
 		ComponentTigeraNode,
 		ComponentTigeraNodeWindows,
 		ComponentTigeraCNIWindows,
+		ComponentTigeraCNIPlugins,
 		ComponentGatewayAPIEnvoyGateway,
 		ComponentGatewayAPIEnvoyProxy,
 		ComponentGatewayAPIEnvoyRatelimit,

@@ -20,6 +20,14 @@ package components
 var (
 	CalicoRelease string = "master"
 
+	ComponentCalicoCNIPlugins = Component{
+		Version:   "master",
+		Image:     "cni-plugins",
+		Registry:  "",
+		imagePath: "",
+		variant:   calicoVariant,
+	}
+
 	ComponentCalicoCNIWindows = Component{
 		Version:   "master",
 		Image:     "cni-windows",
@@ -133,6 +141,7 @@ var (
 	}
 
 	CalicoImages = []Component{
+		ComponentCalicoCNIPlugins,
 		ComponentCalicoCNIWindows,
 		ComponentCalicoNode,
 		ComponentCalicoNodeFIPS,

@@ -212,6 +212,14 @@ var (
 		variant:   enterpriseVariant,
 	}
 
+	ComponentTigeraCNIPlugins = Component{
+		Version:   "master",
+		Image:     "cni-plugins",
+		Registry:  "",
+		imagePath: "",
+		variant:   enterpriseVariant,
+	}
+
 	ComponentGatewayAPIEnvoyGateway = Component{
 		Version:   "master",
 		Image:     "envoy-gateway",
@@ -288,6 +296,7 @@ var (
 		ComponentTigeraNode,
 		ComponentTigeraNodeWindows,
 		ComponentTigeraCNIWindows,
+		ComponentTigeraCNIPlugins,
 		ComponentGatewayAPIEnvoyGateway,
 		ComponentGatewayAPIEnvoyProxy,
 		ComponentGatewayAPIEnvoyRatelimit,

@@ -656,6 +656,10 @@ func fillDefaults(instance *operatorv1.Installation, currentPools *v3.IPPoolList
 	if instance.Spec.CNI.BinDir == nil || *instance.Spec.CNI.BinDir == "" {
 		instance.Spec.CNI.BinDir = &defaultCNIBinDir
 	}
+	if instance.Spec.CNI.InstallMode == nil {
+		mode := operatorv1.CNIInstallModeAll
+		instance.Spec.CNI.InstallMode = &mode
+	}
 
 	// While a number of the fields in this section are relevant to all CNI plugins,
 	// there are some settings which are currently only applicable if using Calico CNI.

@@ -452,7 +452,7 @@ var _ = Describe("Testing core-controller installation", func() {
 						components.TigeraImagePath,
 						components.ComponentTigeraNode.Image,
 						components.ComponentTigeraNode.Version)))
-				Expect(ds.Spec.Template.Spec.InitContainers).To(HaveLen(5))
+				Expect(ds.Spec.Template.Spec.InitContainers).To(HaveLen(6))
 				fv := test.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver")
 				Expect(fv).ToNot(BeNil())
 				Expect(fv.Image).To(Equal(
@@ -467,6 +467,13 @@ var _ = Describe("Testing core-controller installation", func() {
 						components.TigeraImagePath,
 						components.ComponentTigeraCalico.Image,
 						components.ComponentTigeraCalico.Version)))
+				cniPlugins := test.GetContainer(ds.Spec.Template.Spec.InitContainers, "cni-plugins")
+				Expect(cniPlugins).ToNot(BeNil())
+				Expect(cniPlugins.Image).To(Equal(
+					fmt.Sprintf("some.registry.org/%s%s:%s",
+						components.TigeraImagePath,
+						components.ComponentTigeraCNIPlugins.Image,
+						components.ComponentTigeraCNIPlugins.Version)))
 				csrinit = test.GetContainer(ds.Spec.Template.Spec.InitContainers, fmt.Sprintf("%s-key-cert-provisioner", render.NodeTLSSecretName))
 				Expect(csrinit).ToNot(BeNil())
 				Expect(csrinit.Image).To(Equal(
@@ -497,6 +504,7 @@ var _ = Describe("Testing core-controller installation", func() {
 						Images: []operator.Image{
 							{Image: "tigera/calico", Digest: "sha256:tigeracalicohash"},
 							{Image: "tigera/node", Digest: "sha256:tigeranodehash"},
+							{Image: "tigera/cni-plugins", Digest: "sha256:tigeracnipluginshash"},
 						},
 					},
 				}
@@ -563,7 +571,7 @@ var _ = Describe("Testing core-controller installation", func() {
 						components.TigeraImagePath,
 						components.ComponentTigeraNode.Image,
 						"sha256:tigeranodehash")))
-				Expect(ds.Spec.Template.Spec.InitContainers).To(HaveLen(5))
+				Expect(ds.Spec.Template.Spec.InitContainers).To(HaveLen(6))
 				fv := test.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver")
 				Expect(fv).ToNot(BeNil())
 				Expect(fv.Image).To(Equal(
@@ -578,6 +586,13 @@ var _ = Describe("Testing core-controller installation", func() {
 						components.TigeraImagePath,
 						components.ComponentTigeraCalico.Image,
 						"sha256:tigeracalicohash")))
+				cniPlugins := test.GetContainer(ds.Spec.Template.Spec.InitContainers, "cni-plugins")
+				Expect(cniPlugins).ToNot(BeNil())
+				Expect(cniPlugins.Image).To(Equal(
+					fmt.Sprintf("some.registry.org/%s%s@%s",
+						components.TigeraImagePath,
+						components.ComponentTigeraCNIPlugins.Image,
+						"sha256:tigeracnipluginshash")))
 				csrinit = test.GetContainer(ds.Spec.Template.Spec.InitContainers, fmt.Sprintf("%s-key-cert-provisioner", render.NodeTLSSecretName))
 				Expect(csrinit).ToNot(BeNil())
 				Expect(csrinit.Image).To(Equal(

@@ -115,6 +115,7 @@ var _ = Describe("Defaulting logic tests", func() {
 		var linuxPolicySetupTimeoutSeconds int32 = 1
 		cniBinDir := "/opt/custom/cni/bin"
 		cniConfDir := "/etc/custom/cni/net.d"
+		cniInstallMode := operator.CNIInstallModeAll
 
 		hpEnabled := operator.HostPortsEnabled
 		disabled := operator.BGPDisabled
@@ -134,10 +135,11 @@ var _ = Describe("Defaulting logic tests", func() {
 					},
 				},
 				CNI: &operator.CNISpec{
-					Type:    operator.PluginCalico,
-					IPAM:    &operator.IPAMSpec{Type: operator.IPAMPluginCalico},
-					BinDir:  &cniBinDir,
-					ConfDir: &cniConfDir,
+					Type:        operator.PluginCalico,
+					IPAM:        &operator.IPAMSpec{Type: operator.IPAMPluginCalico},
+					BinDir:      &cniBinDir,
+					ConfDir:     &cniConfDir,
+					InstallMode: &cniInstallMode,
 				},
 				CalicoNetwork: &operator.CalicoNetworkSpec{
 					LinuxDataplane:   &dpIptables, // Actually the default but BPF would make other values invalid.
@@ -210,6 +212,7 @@ var _ = Describe("Defaulting logic tests", func() {
 		logSeverity := operator.LogLevelError
 		cniBinDir := "/opt/custom/cni/bin"
 		cniConfDir := "/etc/custom/cni/net.d"
+		cniInstallMode := operator.CNIInstallModeAll
 
 		disabled := operator.BGPDisabled
 		miMode := operator.MultiInterfaceModeNone
@@ -229,10 +232,11 @@ var _ = Describe("Defaulting logic tests", func() {
 					},
 				},
 				CNI: &operator.CNISpec{
-					Type:    operator.PluginCalico,
-					IPAM:    &operator.IPAMSpec{Type: operator.IPAMPluginCalico},
-					BinDir:  &cniBinDir,
-					ConfDir: &cniConfDir,
+					Type:        operator.PluginCalico,
+					IPAM:        &operator.IPAMSpec{Type: operator.IPAMPluginCalico},
+					BinDir:      &cniBinDir,
+					ConfDir:     &cniConfDir,
+					InstallMode: &cniInstallMode,
 				},
 				CalicoNetwork: &operator.CalicoNetworkSpec{
 					LinuxDataplane:   &dpBPF, // Actually the default but BPF would make other values invalid.

@@ -2903,9 +2903,10 @@ spec:
                                       name:
                                         description: |-
                                           Name is an enum which identifies the calico-node DaemonSet init container by name.
-                                          Supported values are: install-cni, hostpath-init, flexvol-driver, ebpf-bootstrap, node-certs-key-cert-provisioner, calico-node-prometheus-server-tls-key-cert-provisioner, mount-bpffs (deprecated, replaced by ebpf-bootstrap)
+                                          Supported values are: install-cni, cni-plugins, hostpath-init, flexvol-driver, ebpf-bootstrap, node-certs-key-cert-provisioner, calico-node-prometheus-server-tls-key-cert-provisioner, mount-bpffs (deprecated, replaced by ebpf-bootstrap)
                                         enum:
                                           - install-cni
+                                          - cni-plugins
                                           - hostpath-init
                                           - flexvol-driver
                                           - ebpf-bootstrap
@@ -5709,6 +5710,22 @@ spec:
                         * For KubernetesProvider OpenShift, this field defaults to "/var/run/multus/cni/net.d".
                         * Otherwise, this field defaults to "/etc/cni/net.d".
                       type: string
+                    installMode:
+                      description: |-
+                        InstallMode controls which CNI plugin binaries the operator installs onto each node
+                        when CNI.Type is Calico.
+                        * All (default): the operator runs a cni-plugins init container that stages upstream
+                          CNI plugin binaries (host-local, portmap, loopback, tuning, flannel) into a shared
+                          volume, and the install-cni init container copies them onto the host alongside
+                          Calico's own binaries.
+                        * CalicoOnly: skip the cni-plugins init container. Only Calico's own binaries are
+                          installed. Use this when the host already provides the upstream plugins (e.g. kind,
+                          certain managed node images).
+                        Default: All
+                      enum:
+                        - All
+                        - CalicoOnly
+                      type: string
                     ipam:
                       description: |-
                         IPAM specifies the pod IP address management that will be used in the Calico or
@@ -12178,9 +12195,10 @@ spec:
                                           name:
                                             description: |-
                                               Name is an enum which identifies the calico-node DaemonSet init container by name.
-                                              Supported values are: install-cni, hostpath-init, flexvol-driver, ebpf-bootstrap, node-certs-key-cert-provisioner, calico-node-prometheus-server-tls-key-cert-provisioner, mount-bpffs (deprecated, replaced by ebpf-bootstrap)
+                                              Supported values are: install-cni, cni-plugins, hostpath-init, flexvol-driver, ebpf-bootstrap, node-certs-key-cert-provisioner, calico-node-prometheus-server-tls-key-cert-provisioner, mount-bpffs (deprecated, replaced by ebpf-bootstrap)
                                             enum:
                                               - install-cni
+                                              - cni-plugins
                                               - hostpath-init
                                               - flexvol-driver
                                               - ebpf-bootstrap
@@ -15030,6 +15048,22 @@ spec:
                             * For KubernetesProvider OpenShift, this field defaults to "/var/run/multus/cni/net.d".
                             * Otherwise, this field defaults to "/etc/cni/net.d".
                           type: string
+                        installMode:
+                          description: |-
+                            InstallMode controls which CNI plugin binaries the operator installs onto each node
+                            when CNI.Type is Calico.
+                            * All (default): the operator runs a cni-plugins init container that stages upstream
+                              CNI plugin binaries (host-local, portmap, loopback, tuning, flannel) into a shared
+                              volume, and the install-cni init container copies them onto the host alongside
+                              Calico's own binaries.
+                            * CalicoOnly: skip the cni-plugins init container. Only Calico's own binaries are
+                              installed. Use this when the host already provides the upstream plugins (e.g. kind,
+                              certain managed node images).
+                            Default: All
+                          enum:
+                            - All
+                            - CalicoOnly
+                          type: string
                         ipam:
                           description: |-
                             IPAM specifies the pod IP address management that will be used in the Calico or