Calico Kubernetes Hosted Install

This document describes deploying Calico on Kubernetes using Kubernetes manifests. Note that the Kubernetes hosted installation method is experimental and subject to change, and requires Kubernetes v1.4.0+.

  • calico.yaml: Deploys Calico on Kubernetes. Assumes an etcd cluster is available - modify etcd_endpoints to direct Calico at the correct cluster.

  • kubeadm/calico.yaml: Installs Calico as well as a single node etcd cluster for cases where etcd is not already available (e.g kubeadm clusters). See here for more information.

To install Calico, download one of the above manifests depending on your deployment, and run the following command:

kubectl apply -f calico.yaml


If using your own etcd cluster, make sure you configure the provided ConfigMap with the location of the cluster before running the above command.

How it works

The calico.yaml file contains all the necessary resources for installing Calico on each node in your Kubernetes cluster.

It installs the following Kubernetes resources:

  • The calico-config ConfigMap, which contains parameters for configuring the install.
  • Installs the calico/node container on each host using a DaemonSet.
  • Installs the Calico CNI binaries and network config on each host using a DaemonSet.
  • Runs the calico/kube-policy-controller pod as a ReplicaSet.

Configuration options

The ConfigMap in calico.yaml provides a way to configure a Calico self-hosted installation. It exposes the following configuration parameters:


The location of your etcd cluster. The default in the provided manifest assumes that an etcd proxy is running on each node.


Whether or not to run Calico BGP. If false, then BGP will be disabled and Calico will enforce policy only.


The CNI network configuration to install on each node. This field supports the following template fields, which will be filled in automatically by the calico/cni container:

  • __KUBERNETES_SERVICE_HOST__: This will be replaced with the Kubernetes Service clusterIP. e.g
  • __KUBERNETES_SERVICE_PORT__: This will be replaced with the Kubernetes Service port. e.g 443
  • __SERVICEACCOUNT_TOKEN__: This will be replaced with the serviceaccount token for the namespace. Requires that Kubernetes be configured to create serviceaccount tokens.
  • __ETCD_ENDPOINTS__: This will be replaced with the etcd cluster specified in the ETCD_ENDPOINTS environment variable. e.g
  • __KUBECONFIG_FILENAME__: The name of the automatically generated kubeconfig file in the same directory as the CNI network config file.