Customizing the manifests
Each manifest contains all the necessary resources for installing Calico on each node in your Kubernetes cluster.
It installs the following Kubernetes resources:
calico-configConfigMap, which contains parameters for configuring the install.
- Installs the
calico/nodecontainer on each host using a DaemonSet.
- Installs the Calico CNI binaries and network config on each host using a DaemonSet.
calico/kube-controllersas a deployment.
calico-etcd-secretssecret, which optionally allows for providing etcd TLS assets.
calico.yaml provides a way to configure a Calico
self-hosted installation. It exposes the following configuration parameters.
Configuring the pod IP range
Calico IPAM assigns IP addresses from IP pools.
To change the default IP range used for pods, modify the
section of the
calico.yaml manifest. For more information, see
By default, the manifests enable IP-in-IP encapsulation across subnets. Many users may want to disable IP-in-IP encapsulation, such as under the following circumstances.
- Their cluster is running in a properly configured AWS VPC.
- All their Kubernetes nodes are connected to the same L2 network.
- They intend to use BGP peering to make their underlying infrastructure aware of pod IP addresses.
To disable IP-in-IP encapsulation, modify the
CALICO_IPV4POOL_IPIP section of the
manifest. For more information, see Configuring calico/node.
By default, these manifests do not configure secure access to etcd and assume an etcd proxy is running on each host. The following configuration options let you specify custom etcd cluster endpoints as well as TLS.
The following table outlines the supported
ConfigMap options for etcd:
|etcd_endpoints||A comma separated list of etcd nodes.||http://127.0.0.1:2379|
|etcd_ca||The location of the CA mounted in the pods deployed by the DaemonSet.||None|
|etcd_key||The location of the client cert mounted in the pods deployed by the DaemonSet.||None|
|etcd_cert||The location of the client key mounted in the pods deployed by the DaemonSet.||None|
To use these manifests with a TLS-enabled etcd cluster you must do the following:
- Populate the
calico-etcd-secretssecret with the contents of the following files:
- Populate the following options in the
ConfigMapwhich will trigger the various services to expect the provided TLS assets:
Calico’s manifests assign its components one of two service accounts. Depending on your cluster’s authorization mode, you’ll want to back these service accounts with the necessary permissions.
Other configuration options
The following table outlines the remaining supported
|calico_backend||The backend to use.||
|cni_network_config||The CNI Network config to install on each node. Supports templating as described below.|
CNI network configuration template
cni_network_config configuration option supports the following template fields, which will
be filled in automatically by the
||The Kubernetes service Cluster IP, e.g
||The Kubernetes service port, e.g.,
||The service account token for the namespace, if one exists.|
||The etcd endpoints specified in
||The path to the automatically generated kubeconfig file in the same directory as the CNI network configuration file.|
||The path to the etcd key file installed to the host. Empty if no key is present.|
||The path to the etcd certificate file installed to the host, empty if no cert present.|
||The path to the etcd certificate authority file installed to the host. Empty if no certificate authority is present.|