System requirements


Node requirements

  • x86-64, arm64, ppc64le, or s390x processor

  • Linux kernel 3.10 or later with required dependencies. The following distributions have the required kernel, its dependencies, and are known to work well with Calico and OpenShift.
    • RedHat Linux 7
    • RedHat Container OS
  • Calico must be able to manage cali* interfaces on the host. When IPIP is enabled (the default), Calico also needs to be able to manage tunl* interfaces. When VXLAN is enabled, Calico also needs to be able to manage the vxlan.calico interface.

    Note: Many Linux distributions, such as most of the above, include NetworkManager. By default, NetworkManager does not allow Calico to manage interfaces. If your nodes have NetworkManager, complete the steps in Preventing NetworkManager from controlling Calico interfaces before installing Calico.

  • If your Linux distribution comes with installed Firewalld or another iptables manager it should be disabled. These may interfere with rules added by Calico and result in unexpected behavior.

    Note: If a host firewall is needed, it can be configured by Calico HostEndpoint and GlobalNetworkPolicy. More information about configuration at Security for host.

Key/value store

Calico v3.20 requires a key/value store accessible by all Calico components. With OpenShift, the Kubernetes API datastore is used for the key/value store.

Network requirements

Ensure that your hosts and firewalls allow the necessary traffic based on your configuration.

Configuration Host(s) Connection type Port/protocol
Calico networking (BGP) All Bidirectional TCP 179
Calico networking with IP-in-IP enabled (default) All Bidirectional IP-in-IP, often represented by its protocol number 4
Calico networking with VXLAN enabled All Bidirectional UDP 4789
Typha access Typha agent hosts Incoming TCP 5473 (default)
All kube-apiserver host Incoming Often TCP 443 or 8443*

* The value passed to kube-apiserver using the --secure-port flag. If you cannot locate this, check the targetPort value returned by kubectl get svc kubernetes -o yaml.


Ensure that Calico has the CAP_SYS_ADMIN privilege.

The simplest way to provide the necessary privilege is to run Calico as root or in a privileged container.

OpenShift requirements

Calico v3.20 supports:

  • OpenShift Container Platform 4.3+

Refer to the OpenShift documentation for additional requirements.

Kernel dependencies

Tip: If you are using one of the recommended distributions, you will already satisfy these.

  • ip_set
  • ip_tables (for IPv4)
  • ip6_tables (for IPv6)
  • ipt_REJECT
  • ipt_rpfilter
  • ipt_set
  • nf_conntrack_netlink subsystem
  • nf_conntrack_proto_sctp
  • sctp
  • xt_addrtype
  • xt_comment
  • xt_conntrack
  • xt_icmp (for IPv4)
  • xt_icmp6 (for IPv6)
  • xt_ipvs,ipt_ipvs
  • xt_mark
  • xt_multiport
  • xt_rpfilter
  • xt_sctp
  • xt_set
  • xt_u32
  • xt_bpf (for eBPF)
  • vfio-pci
  • ipip (if using Calico networking in IPIP mode)
  • wireguard (if using WireGuard encryption)