About non-cluster hosts


Big picture

Secure hosts not in a cluster by installing Calico with networking and/or networking policy enabled.


Not all hosts in your environment run virtualized workloads (i.e. containers managed by Kubernetes or OpenShift, or VMs managed by OpenStack). There may be physical machines or legacy applications that you cannot move into an orchestrated cluster that need to communicate securely with workloads in your cluster. Whether you have a thousand machines or ten, Calico lets you enforce policy on them using the same robust Calico network policy that is used for workloads.


Workloads and Hosts

We use the term workload to mean a pod or VM running as a guest on a computer with Calico installed. If your cluster is a Kubernetes or OpenShift cluster, workloads are pods, if your cluster is an OpenStack cluster, workloads are VMs.

We use the term host to mean a computer where Calico is installed. These include computers that are part of a cluster and “host” workloads, as well as computers that are not part of the cluster and run applications directly, which we call “non-cluster” hosts. Calico does not handle the networking from host to host (Calico assumes this is set up), but it can be used to handle networking between hosts and workloads. Calico can also provide network policy for hosts, regardless of whether or not the hosts run any workloads. This guide focuses on non-cluster hosts.

Calico networking on non-cluster hosts

When Calico networking is enabled, Calico provides the virtual networking for the workloads in your cluster, allowing them to communicate with one another. It is also responsible for setting up networking so that hosts can communicate with workloads and vice versa. Calico does not handle networking for host to host communications.

When Calico networking is enabled…

Communication type Handled by
Workload ↔ Workload Calico
Workload ↔ Host Calico
Host ↔ Host Underlying network

This means that if you are using Calico networking in your cluster, and you want the non-cluster hosts to be able to communicate with workloads in the cluster, you will need to install Calico for networking on your non-cluster hosts. If you are not using Calico for networking in your cluster (e.g. are using Calico in policy-only mode), or don’t need your non-cluster hosts to communicate directly with workloads, you can install Calico in policy-only mode on your non-cluster hosts.

Calico policy on non-cluster hosts

Calico policy allows you to control firewalls on your non-cluster hosts using the same controls powerful controls as in your cluster. Calico must be running on each non-cluster host you want to control.

Using Calico, you can secure network interfaces of the host; these interfaces are called host endpoints (to distinguish them from workload endpoints). Host endpoints can have labels, which work the same as labels on workload endpoints. This allows you to create Calico network policy for either host or workload endpoints, where each selector can refer to the either type (or be a mix of the two) using labels.

Before you begin…

  1. Check that your hosts meet the system requirements for Calico
  2. Set up a datastore (if you have installed Calico on a cluster you will already have this)
  3. Install and configure calicoctl
  4. Choose an install method and whether to use Calico for networking & policy, or policy-only