Install Calico networking and network policy for on-premises deployments

5 MINUTE READ

Big picture

Install Calico to provide both networking and network policy for self-managed on-premises deployments.

Value

Calico networking and network policy are a powerful choice for a CaaS implementation. If you have the networking infrastructure and resources to manage Kubernetes on-premises, installing the full Calico product provides the most customization and control.

Features

This how-to guide uses the following Calico features:

  • calico/node
  • Typha

Concepts

Calico manifests

Calico provides manifests for easy customization. Each manifest contains the necessary resources for installing Calico on each node in your Kubernetes cluster. You may want to customize the Calico manifests before installing Calico on nodes.

Before you begin…

How to

Determine your datastore

Calico supports both Kubernetes API datastore (kdd) and etcd datastores. The Kubernetes API datastore is recommended for on-premises deployments, and supports only Kubernetes workloads; etcd is the best datastore for hybrid deployments.

Install Calico on nodes

Based on your datastore and number of nodes, select a link below to install Calico.

Note: The option, Kubernetes API datastore, more than 50 nodes provides scaling using Typha daemon. Typha is not included for etcd because etcd already handles many clients so using Typha is redundant and not recommended.

Install Calico with Kubernetes API datastore, 50 nodes or less
  1. Download the Calico networking manifest for the Kubernetes API datastore.

    curl https://docs.projectcalico.org/manifests/calico.yaml -O
    
  2. If you are using pod CIDR 192.168.0.0/16, skip to the next step. If you are using a different pod CIDR with kubeadm, no changes are required - Calico will automatically detect the CIDR based on the running configuration. For other platforms, make sure you uncomment the CALICO_IPV4POOL_CIDR variable in the manifest and set it to the same value as your chosen pod CIDR.

  3. Customize the manifest as necessary.
  4. Apply the manifest using the following command.

    kubectl apply -f calico.yaml
    
Install Calico with Kubernetes API datastore, more than 50 nodes
  1. Download the Calico networking manifest for the Kubernetes API datastore.

    curl https://docs.projectcalico.org/manifests/calico-typha.yaml -o calico.yaml
    
  2. If you are using pod CIDR 192.168.0.0/16, skip to the next step. If you are using a different pod CIDR with kubeadm, no changes are required - Calico will automatically detect the CIDR based on the running configuration. For other platforms, make sure you uncomment the CALICO_IPV4POOL_CIDR variable in the manifest and set it to the same value as your chosen pod CIDR.

  3. Modify the replica count to the desired number in the Deployment named, calico-typha.

    apiVersion: apps/v1beta1
    kind: Deployment
    metadata:
      name: calico-typha
      ...
    spec:
      ...
      replicas: <number of replicas>
    

    We recommend at least one replica for every 200 nodes, and no more than 20 replicas. In production, we recommend a minimum of three replicas to reduce the impact of rolling upgrades and failures. The number of replicas should always be less than the number of nodes, otherwise rolling upgrades will stall. In addition, Typha only helps with scale if there are fewer Typha instances than there are nodes.

    Warning: If you set typha_service_name and set the Typha deployment replica count to 0, Felix will not start.

  4. Customize the manifest if desired.
  5. Apply the manifest.

    kubectl apply -f calico.yaml
    
Install Calico with etcd datastore
  1. Download the Calico networking manifest for etcd.

    curl https://docs.projectcalico.org/manifests/calico-etcd.yaml -o calico.yaml
    
  2. If you are using pod CIDR 192.168.0.0/16, skip to the next step. If you are using a different pod CIDR with kubeadm, no changes are required - Calico will automatically detect the CIDR based on the running configuration. For other platforms, make sure you uncomment the CALICO_IPV4POOL_CIDR variable in the manifest and set it to the same value as your chosen pod CIDR.

  3. In the ConfigMap named, calico-config, set the value of etcd_endpoints to the IP address and port of your etcd server.

    Tip: You can specify more than one etcd_endpoint using commas as delimiters.

  4. Customize the manifest if desired.
  5. Apply the manifest using the following command.

    kubectl apply -f calico.yaml
    

Next steps

Tools

Networking

  • If you are using the default BGP networking with full-mesh node-to-node peering with no encapsulation, go to Configure BGP peering to get traffic flowing between pods.
  • If you are unsure about networking options, or want to implement encapsulation (overlay networking), see Determine best networking option.

Security