Requirements
About Calico for Windows
Because the Kubernetes and Calico control components do not run on Windows yet, a hybrid Linux/Windows cluster is required. The standard Calico for Windows installation is distributed as a .zip archive.
What’s supported in this release
✓ Install: Manifest install for Kubernetes clusters
✓ Platforms: Kubernetes, EKS
✓ Networking:
- Kubernetes, on-premises: Calico CNI with BGP or VXLAN
- EKS: VPC CNI, or Calico CNI with BGP or VXLAN
Requirements
CNI and networking options
The following table summarizes the networking options and considerations.
Networking | Components | Value/Content |
---|---|---|
Calico BGP | Windows CNI plugin: calico.exe; Linux: Calico for policy and networking | Calico’s native networking approach, supports: auto-configured node-to-node BGP mesh over an L2 fabric; peering with external routers for an L3 fabric; Calico IPAM and IP aggregation (with some limitations); route reflectors (including the new in-cluster route reflector introduced in Calico v3.3); Kubernetes API datastore driver. Note: Windows nodes cannot act as route reflectors. AWS users: If running on AWS, you must disable the source/dest check on your EC2 instances so that hosts can forward traffic on behalf of pods. |
Calico VXLAN | Windows CNI plugin: calico.exe; Linux: Calico for policy and networking | Calico’s VXLAN overlay, supports: VXLAN overlay, which can traverse most networks; auto-configured node-to-node routing; Calico IPAM and IP aggregation (with some limitations); Kubernetes API datastore driver. Note: VXLAN runs on UDP port 4789 (this is the only port supported by Windows). Remember to open that port between your Calico hosts in any firewalls or security groups. |
Cloud provider | Windows CNI plugin: win-bridge.exe; Linux: Calico policy-only | A useful fallback, particularly if you have a Kubernetes cloud provider that automatically installs inter-host routes. Calico has been tested with the standard win-bridge.exe CNI plugin, so it should work with any networking provider that ultimately uses win-bridge.exe to network the pod (such as the Azure CNI plugin and cloud provider). |
Note: If Calico CNI with VXLAN is used, BGP must be disabled. See the installation reference.
Datastores
Whether you use etcd or Kubernetes datastore (kdd), the datastore for the Windows node/Kubernetes cluster must be the same as the datastore for the Linux control node. (You cannot mix datastores in a Calico for Windows implementation.)
Kubernetes version
- Versions 1.19, 1.18, 1.17
Earlier versions may work, but we do not actively test Calico for Windows against them, and they may have known issues and incompatibilities.
Linux platform
- At least one Linux Kubernetes worker node to run Calico’s cluster-wide components that meets Linux system requirements, and is installed with Calico v3.12.0+.
- VXLAN or BGP without encapsulation is supported if using Calico CNI. IPIP (default encapsulation mode) is not supported. Use the following command to turn off IPIP.
calicoctl patch felixconfiguration default -p '{"spec":{"ipipEnabled":false}}'
- If using Calico IPAM, strict affinity of IPAM configuration must be set to true.
calicoctl ipam configure --strictaffinity=true
Note: Calico for Windows requires four Linux worker nodes in order to meet high-availability requirements for Typha.
Windows platform
- Windows versions:
- Windows Server 1903 (AKA 19H1) build 18317 or greater
- Windows Server 2019 / 1809 (RS5) or greater, with some limitations
- Windows Server 2019 with DSR support:
- OS 1809: Build 17763.1432, binary version: 10.0.17763.1432
- OS 1903: Build 18362.1049, binary version: 10.0.18362.1049
- OS 1909: Build 18363.1049, binary version: 10.0.18363.1049
- PowerShell for the installer
- Make sure the Docker service is installed and running. See Install Docker on Windows node.
- If you are using Calico BGP networking, the RemoteAccess service must be installed for the Windows BGP Router.
- Windows nodes support only a single IP pool type (so, if using a VXLAN pool, you should only use VXLAN throughout the cluster).
- TLS v1.2 enabled. For example:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
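
The Windows platform requirements above can be checked on a node before installation. The following preflight script is an added example, not part of the Calico for Windows distribution; the function name Test-CalicoWindowsNode and its -Networking parameter are hypothetical, and the build thresholds are the ones listed on this page.

```powershell
# Added example, not Calico project code. Function and parameter names are hypothetical;
# thresholds are the ones listed on this page.
function Test-CalicoWindowsNode {
    param(
        [ValidateSet('BGP', 'VXLAN')]
        [string]$Networking = 'VXLAN'
    )

    # OS build and update revision, e.g. 17763 and 1432 for binary version 10.0.17763.1432
    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [int]$cv.CurrentBuildNumber
    $ubr     = [int]$cv.UBR
    $version = '10.0.{0}.{1}' -f $build, $ubr

    # Helper that records one check result
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check($Name, $Pass, $Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail })
    }

    Add-Check 'OS build 17763 (1809/RS5) or greater' ($build -ge 17763) $version

    # Minimum update revision per build for DSR support, as listed on this page
    $dsrMin = @{ 17763 = 1432; 18362 = 1049; 18363 = 1049 }
    if ($dsrMin.ContainsKey($build)) {
        Add-Check 'DSR support' ($ubr -ge $dsrMin[$build]) "needs revision $($dsrMin[$build]) or later"
    }

    $docker      = Get-Service -Name docker -ErrorAction SilentlyContinue
    $dockerState = if ($docker) { [string]$docker.Status } else { 'not installed' }
    Add-Check 'Docker service running' ($dockerState -eq 'Running') $dockerState

    # RemoteAccess is only required for the Windows BGP router
    if ($Networking -eq 'BGP') {
        $ras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
        Add-Check 'RemoteAccess service installed' ($null -ne $ras) $(if ($ras) { 'present' } else { 'missing' })
    }

    # TLS 1.2 for this session; a value of 0 defers to OS defaults and is reported as not set
    $proto = [Net.ServicePointManager]::SecurityProtocol
    $tls12 = ([int]$proto -band [int][Net.SecurityProtocolType]::Tls12) -ne 0
    Add-Check 'TLS 1.2 enabled in session' $tls12 ([string]$proto)

    return $checks
}

Test-CalicoWindowsNode -Networking VXLAN | Format-Table -AutoSize
```

Pass -Networking BGP to include the RemoteAccess check. The script does not inspect firewall or security group rules for UDP port 4789.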