Installing Calico for policy (advanced)

You can also use Calico just for policy enforcement and achieve networking with another solution, such as static routes or a Kubernetes cloud provider integration.

To install Calico in this mode using the Kubernetes API datastore, complete the following steps.

  1. Ensure that you have a Kubernetes cluster that meets the Calico system requirements. If you don’t, follow the steps in Using kubeadm to create a cluster.

  2. If your cluster has RBAC enabled, issue the following command to configure the roles and bindings that Calico requires.

    kubectl apply -f \

    Note: You can also view the manifest in your browser.

  3. Ensure that the Kubernetes controller manager has the following flags set:
    --cluster-cidr= and --allocate-node-cidrs=true.

    Tip: On kubeadm, you can pass --pod-network-cidr= to kubeadm to set both Kubernetes controller flags.

  4. Download the Calico policy-only manifest for the Kubernetes API datastore.

    curl \ \

  5. If your cluster contains more than 50 nodes:

    • In the ConfigMap named calico-config, locate the typha_service_name, delete the none value, and replace it with calico-typha.

    • Modify the replica count in the Deployment named calico-typha to the desired number of replicas.

      apiVersion: apps/v1beta1
      kind: Deployment
      metadata:
        name: calico-typha
      spec:
        replicas: <number of replicas>

      We recommend at least one replica for every 200 nodes and no more than 20 replicas. In production, we recommend a minimum of three replicas to reduce the impact of rolling upgrades and failures.

      Tip: If you set typha_service_name without increasing the replica count from its default of 0, Felix will try to connect to Typha, find no Typha instances to connect to, and fail to start.

  6. Apply the manifest using the following command.

    kubectl apply -f calico.yaml
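
The Typha settings from step 5 can be checked in the edited manifest before it is applied in step 6. The script below is an added example, not part of the Calico documentation: the function names typha_settings and check_typha are hypothetical, the sample manifest is constructed, and the line-based parsing assumes each key sits on its own line as in the fragment shown in step 5.

```shell
#!/bin/sh
# Added example (not from the Calico docs): check Typha settings before step 6.
# Assumption: each key sits on its own line, as in the fragment in step 5.

# Print "<typha_service_name> <replicas>" read from the manifest in $1.
typha_settings() {
  awk '
    /^---/ { kind = ""; name = "" }               # next YAML document
    $1 == "kind:" { kind = $2 }
    $1 == "name:" && name == "" { name = $2 }     # first name: is metadata.name
    $1 == "typha_service_name:" { gsub(/"/, "", $2); svc = $2 }
    $1 == "replicas:" && kind == "Deployment" && name == "calico-typha" { rep = $2 }
    END { if (svc == "") svc = "none"; if (rep == "") rep = 0; print svc, rep }
  ' "$1"
}

# check_typha MANIFEST NODE_COUNT: returns 0 when the settings follow step 5.
check_typha() {
  set -- $(typha_settings "$1") "$2"
  svc=$1 rep=$2 nodes=$3
  case $rep in ''|*[!0-9]*) echo "replicas is not a number: $rep"; return 1 ;; esac
  if [ "$svc" = "none" ]; then
    [ "$nodes" -le 50 ] && return 0
    echo "more than 50 nodes but typha_service_name is none"; return 1
  fi
  [ "$rep" -gt 0 ] || { echo "$svc set with 0 replicas: Felix will fail to start"; return 1; }
  min=$(( (nodes + 199) / 200 ))                  # one replica per 200 nodes
  [ "$rep" -ge "$min" ] || { echo "need at least $min replicas for $nodes nodes"; return 1; }
  [ "$rep" -le 20 ] || { echo "more than 20 replicas"; return 1; }
}

# Constructed sample manifest, reduced to the fields the check reads.
sample=$(mktemp)
cat > "$sample" <<'EOF'
kind: ConfigMap
apiVersion: v1
metadata:
  name: calico-config
data:
  typha_service_name: "calico-typha"
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: calico-typha
spec:
  replicas: 3
EOF
check_typha "$sample" 120 && echo "Typha settings OK for 120 nodes"
```

To check a real manifest, pass the path of the edited calico.yaml and the cluster's node count to check_typha. The check does not enforce the three-replica production minimum, which the page gives as a recommendation.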