x86-64, arm64, ppc64le, or s390x processor
- Linux kernel 3.10 or later with required dependencies.
The following distributions have the required kernel, its dependencies, and are
known to work well with Calico and Kubernetes.
- RedHat Linux 7
- CentOS 7
- CoreOS Container Linux stable
- Ubuntu 16.04
- Debian 8
Calico must be able to manage
cali*interfaces on the host. When IPIP is enabled (the default), Calico also needs to be able to manage
tunl*interfaces. When VXLAN is enabled, Calico also needs to be able to manage the
Note: Many Linux distributions, such as most of the above, include NetworkManager. By default, NetworkManager does not allow Calico to manage interfaces. If your nodes have NetworkManager, complete the steps in Preventing NetworkManager from controlling Calico interfaces before installing Calico.
If your Linux distribution comes with installed Firewalld or another iptables manager it should be disabled. These may interfere with rules added by Calico and result in unexpected behavior.
Note: If a host firewall is needed, it can be configured by Calico HostEndpoint and GlobalNetworkPolicy. More information about configuration at Security for host.
Calico v3.20 requires a key/value store accessible by all Calico components. On Kubernetes, you can configure Calico to access an etcdv3 cluster directly or to use the Kubernetes API datastore.
Ensure that your hosts and firewalls allow the necessary traffic based on your configuration.
|Calico networking (BGP)||All||Bidirectional||TCP 179|
|Calico networking with IP-in-IP enabled (default)||All||Bidirectional||IP-in-IP, often represented by its protocol number
|Calico networking with VXLAN enabled||All||Bidirectional||UDP 4789|
|Calico networking with Typha enabled||Typha agent hosts||Incoming||TCP 5473 (default)|
|flannel networking (VXLAN)||All||Bidirectional||UDP 4789|
|All||kube-apiserver host||Incoming||Often TCP 443 or 6443*|
|etcd datastore||etcd hosts||Incoming||Officially TCP 2379 but can vary|
* The value passed to kube-apiserver using the
--secure-port flag. If you cannot locate this, check the
targetPort value returned by
kubectl get svc kubernetes -o yaml.
Ensure that Calico has the
The simplest way to provide the necessary privilege is to run Calico as root or in a privileged container. When installed as a Kubernetes daemon set, Calico meets this requirement by running as a privileged container. This requires that the kubelet be allowed to run privileged containers. There are two ways this can be achieved.
--allow-privilegedon the kubelet (deprecated).
- Use a pod security policy.
We test Calico v3.20 against the following Kubernetes versions.
Due to changes in the Kubernetes API, Calico v3.20 will not work on Kubernetes v1.15 or below. v1.16-v1.18 may work, but they are no longer tested. Newer versions may also work, but we recommend upgrading to a version of Calico that is tested against the newer Kubernetes version.
CNI plug-in enabled
Calico is installed as a CNI plugin. The kubelet must be configured
to use CNI networking by passing the
--network-plugin=cni argument. (On
kubeadm, this is the default.)
Other network providers
Calico must be the only network provider in each cluster. We do not currently support migrating a cluster with another network provider to use Calico networking.
Supported kube-proxy modes
Calico supports the following kube-proxy modes:
ipvsRequires Kubernetes >=v1.9.3. Refer to Enabling IPVS in Kubernetes for more details.
IP pool configuration
The IP range selected for pod IP addresses cannot overlap with any other IP ranges in your network, including:
- The Kubernetes service cluster IP range
- The range from which host IPs are allocated
Application layer policy requirements
Note that Kubernetes version 1.16+ requires Istio version 1.2 or greater. Note that Istio version 1.7 requires Kubernetes version 1.16+.
Tip: If you are using one of the recommended distributions, you will already satisfy these.
ipip(if using Calico networking in IPIP mode)
wireguard(if using WireGuard encryption)