kubeadm Hosted Install

This document outlines how to install Calico, as well as a as single node etcd cluster for use by Calico on a Kubernetes cluster created by kubeadm. If you have already built your cluster with kubeadm, please review the Requirements / Limitations at the bottom of this page. It is likely you will need to recreate your cluster with the --pod-network-cidr and --service-cidr arguments to kubeadm.

Users who have deployed their own etcd cluster outside of kubeadm should use the Calico only manifest instead, as it does not deploy its own etcd.

You can easily create a cluster compatible with this manifest by following the official kubeadm guide.


To install Calico and a single node etcd, run one of the following commands depending on your Kubernetes version.

For kubeadm stable with Kubernetes version >= v1.6.0:

kubectl apply -f https://docs.projectcalico.org/v2.6/getting-started/kubernetes/installation/hosted/kubeadm/1.6/calico.yaml

Click here to view the above yaml directly.

For kubeadm 1.5 with Kubernetes version v1.5.x:

kubectl apply -f https://docs.projectcalico.org/v2.6/getting-started/kubernetes/installation/hosted/kubeadm/1.5/calico.yaml

Click here to view the above yaml directly.

Using calicoctl in a kubeadm Cluster

The simplest way to use calicoctl in kubeadm is by running it as a pod. See using calicoctl with Kubernetes for more information.


This manifest deploys the standard Calico components described here as well as a dedicated Calico etcd node on the Kubernetes master. Note that in a production cluster, it is recommended you use a secure, replicated etcd cluster.

This manifest uses a node label to select the master node on which Calico’s etcd is run. This label is configured automatically on the master when using kubeadm.

To check if the required label is applied, run the following command and inspect the output for the correct label:

$ kubectl get node <master_name> -o yaml

Requirements / Limitations

  • This install does not configure etcd TLS
  • This install expects that one Kubernetes master node has been labeled (this is usually setup by kubeadm, but kubectl get node --show-labels will expose the labels) with:
    • For kubeadm 1.5 kubeadm.alpha.kubernetes.io/role: master
    • For kubeadm 1.6 node-role.kubernetes.io/master: ""
  • This install assumes no other pod network configurations have been installed in /etc/cni/net.d (or equivilent directory).
  • The CIDR(s) specified with the kubeadm flag --cluster-cidr (pre 1.6) or --pod-network-cidr (1.6+) must match the Calico IP Pools to have Network Policy function correctly. The default is
  • The CIDR specified with the kubeadm flag --service-cidr should not overlap with the Calico IP Pool.
    • The default CIDR for --service-cidr is
    • The calico.yaml(s) linked sets the Calico IP Pool to