Requirements
About Calico for Windows
Because the Kubernetes and Calico control components do not run on Windows yet, a hybrid Linux/Windows cluster is required. The Calico for Windows standard installation is distributed as a .zip archive.
What’s supported in this release
✓ Install: Manifest install for Kubernetes clusters
✓ Platforms: Kubernetes, OpenShift, RKE, EKS, AKS
✓ Networking:
- Kubernetes, on-premises: Calico CNI with BGP or VXLAN
- OpenShift: Calico CNI with BGP or VXLAN
- Rancher Kubernetes Engine: Calico CNI with BGP or VXLAN
- EKS: VPC CNI, or Calico CNI with BGP or VXLAN
- AKS: Azure CNI
Requirements
CNI and networking options
The following table summarizes the networking options and considerations.
| Networking | Components | Value/Content |
|---|---|---|
| Calico BGP | Windows CNI plugin: calico.exeLinux: Calico for policy and networking |
Calico’s native networking approach, supports: - Auto-configured node-to-node BGP mesh over an L2 fabric - Peering with external routers for an L3 fabric - Calico IPAM and IP aggregation (with some limitations) - Route reflectors (including the new in-cluster route reflector introduced in Calico v3.3). Note: Windows node cannot act as route reflectors. - Kubernetes API datastore driver AWS users: If running on AWS, you must disable the source/dest check on your EC2 instances so that hosts can forward traffic on behalf of pods. |
| Calico VXLAN | Windows CNI plugin: calico.exe Linux: Calico for policy and networking |
Calico’s VXLAN overlay, supports: - VXLAN overlay, which can traverse most networks. - Auto-configured node-to-node routing - Calico IPAM and IP aggregation (with some limitations) - Kubernetes API datastore driver Note: VXLAN runs on UDP port 4789 (this is the only port supported by Windows), remember to open that port between your Calico hosts in any firewalls / security groups. |
| Cloud provider | Windows CNI plugin: win-bridge.exe Linux: Calico policy-only |
A useful fallback, particularly if you have a Kubernetes cloud provider that automatically installs inter-host routes. Calico has been tested with the standard win-bridge.exe CNI plugin so it should work with any networking provider that ultimately uses win-bridge.exe to network the pod (such as the Azure CNI plugin and cloud provider). |
Note: If Calico CNI with VXLAN is used, BGP must be disabled. See the installation reference.
Datastores
Whether you use etcd or Kubernetes datastore (kdd), the datastore for the Windows node/Kubernetes cluster must be the same as the datastore for the Linux control node. (You cannot mix datastores in Calico for Windows.)
Kubernetes version
- Versions 1.20, 1.19, or 1.18
Earlier versions may work, but we do not actively test Calico for Windows against them, and they may have known issues and incompatibilities.
Linux platform
- At least one Linux Kubernetes worker node to run Calico’s cluster-wide components that meets Linux system requirements, and is installed with Calico v3.12+.
- VXLAN or BGP without encapsulation is supported if using Calico CNI. IPIP (Calico’s default encapsulation mode) is not supported. Use the following command to turn off IPIP.
calicoctl patch felixconfiguration default -p '{"spec":{"ipipEnabled":false}}' - If using Calico IPAM, strict affinity of IPAM configuration must be set to
true.calicoctl ipam configure --strictaffinity=true
Note: For operator-managed Linux Calico clusters, three Linux worker nodes are required in order to meet high-availability requirements for Typha.
Windows platform
- Windows versions:
- Windows Server 1809 (build Build 17763.1432 or greater)
- Windows Server 2004 (build 19041)
- Windows Server 20H2 (build 19042)
- PowerShell for the installer
- Make sure Docker or containerd is installed and running.
- If you are using Calico BGP networking, the RemoteAccess service must be installed for the Windows BGP Router.
- Windows nodes support only a single IP pool type (so, if using a VXLAN pool, you should only use VXLAN throughout the cluster).
- TLS v1.2 enabled. For example:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12