Certified OpenShift CNI Plug-ins

Updated -

Table of Contents


The Container Network Interface (CNI) badge is a specialization within Red Hat OpenShift certification available to networking products that integrate with OpenShift using a CNI plug-in.

To be eligible for this badge, the CNI plug-in must be deployed and managed through an Operator. Partners must complete the corresponding Operator certification as well as pass several end-to-end tests. The end-to-end tests validate that the CNI plugin meets basic functionality criteria for the following components:

  • Network Conformance
  • OpenShift Virtualization (OpenShift 4.6 and later)
  • OpenShift Service Mesh (coming soon)

Only the Network Conformance tests are required, and the table below indicates which tests were passed by each CNI plugin.

Once the certification is approved, the Operator will be published in the Red Hat Ecosystem Catalog. The certified Operator will also be listed in the OperatorHub section of the OpenShift web console in OpenShift. Partners will receive a logo to promote their product as a CNI plug-in certified for Red Hat OpenShift.

This document contains the list of 3rd party CNI plug-ins that have been certified by Red Hat for use with OpenShift Container Platform.

3rd Party CNI Plugins

Partner Product Version Installer Type OpenShift Version Tests [1]
Cisco ACI 5.1.3, 5.2 OSP 13 UPI 4.6 N
Cisco ACI 5.2 OSP 16.1 UPI 4.6, 4.7, 4.8 N
Cisco ACI 5.2 vSphere UPI 4.6, 4.7, 4.8 N
Cisco ACI 5.2 BM UPI 4.6, 4.7 N
Isovalent Cilium 1.9.5 UPI and IPI 4.5 N
Isovalent Cilium 1.9.5 UPI and IPI 4.6, 4.7 N, V
Tigera Calico 3.12 UPI 4.2 N
Tigera Calico 3.14 UPI 4.3 N
Tigera Calico 3.15 UPI 4.4 N
Tigera Calico 3.16 UPI 4.5 N
Tigera Calico 3.17, 3.18, 3.19, 3.20 IPI 4.6, 4.7 N, V
Tigera Calico 3.17, 3.18, 3.19 UPI 4.7 N, V
VMware NCP 3.0.2 w/NSX-T3.x+ UPI 4.4 N
VMware Antrea 0.13.1 IPI 4.6, 4.7 N

[1] The only test required for CNI certification is for Network Conformance. The tests executed and passed are indicated as follows:

  • N - Network Conformance
  • V - OpenShift Virtualization
  • S - OpenShift Service Mesh (coming soon)


Hi Antonios, I have a customer asking about Calico support for 4.6+. The table doesn't show this. Can you provide an update on when we could expect certification for these releases?

It's confuse what is "certified" cni plugins, I just discover this alert in a cluster provided by OCP insights

This cluster is running with 3rd party SDN plugin Calico, which will encounter support limitations.

I just made some Installations with calico as SDN on OCP 4.6, 4.7 and 4.8 in azure, aws and vmware. and Yes seems works with these versions.

Follow this table

| Kubernetes  | Openshift | Calico   
|  v1.19      |    4.6    | v3.18.4
|  v1.20      |    4.7    | v3.18.4, v3.19.1 (sometimes fail)
|  v1.21      |    4.8    | v3.19.1

I recommend modify 01-cr-installation.yaml in calico manifests. to set quay.io to download the images, due rate limit of docker.io

# This section includes Calico installation configuration.
apiVersion: operator.tigera.io/v1
kind: Installation
  name: default
  variant: Calico
  registry: quay.io   ## <---------------
  flexVolumePath: None   ## <------------
  kubernetesProvider: OpenShift
    bgp: Disabled

On the other hand there is an certified operator https://catalog.redhat.com/software/containers/tigera/operator/5e741d5cac3db903708a77d1 the description shows "The Tigera Operator manages the lifecycle of a Calico or Calico Enterprise installation on Kubernetes or OpenShift. Its goal is to make installation, upgrades, and ongoing lifecycle management of Calico and Calico Enterprise as simple and reliable as possible."

The requirement is to have installed calico as networkType.

We have a certified operator to handle the lifecycle of calico, and insights telling is not fully supported the sdn.