Configuring the Calico Kubernetes controllers

The Calico Kubernetes controllers are primarily configured through environment variables. When running the controllers as a Kubernetes pod, this is accomplished through the pod manifest env section.

The calico/kube-controllers container

The calico/kube-controllers container includes the following controllers:

  1. policy controller: watches network policies and programs Calico policies.
  2. profile controller: watches namespaces and programs Calico profiles.
  3. workloadendpoint controller: watches for changes to pod labels and updates Calico workload endpoints.
  4. node controller: watches for the removal of Kubernetes nodes and removes corresponding data from Calico.

By default, all four controllers are enabled.

Configuring etcd access

The Calico Kubernetes controllers support the following environment variables to configure etcd access:

Environment | Description | Schema
ETCD_ENDPOINTS | The list of etcd nodes in your cluster. e.g, |
ETCD_CA_CERT_FILE | The full path to the CA certificate file for the Certificate Authority that signed the etcd server key/certificate pair. | path
ETCD_CERT_FILE | The full path to the client certificate file for accessing the etcd cluster. | path
ETCD_KEY_FILE | The full path to the client key file for accessing the etcd cluster. | path

The *_FILE variables are paths to the corresponding certificates/keys. As such, when the controllers are running as a Kubernetes pod, you must ensure that the files exist within the pod. This is usually done in one of two ways:

  • Mount the certificates from the host. This requires that the certificates be present on the host running the controller.
  • Use Kubernetes Secrets to mount the certificates into the pod as files.

Configuring Kubernetes API access

The controllers must have read access to the Kubernetes API in order to monitor NetworkPolicy, Pod, and Namespace events.

When running the controllers as a self-hosted Kubernetes Pod, Kubernetes API access is configured automatically and no additional configuration is required. However, the controllers can also be configured to use an explicit kubeconfig file override to configure API access if needed.

Other configuration

The following environment variables can be used to configure the Calico Kubernetes controllers.

Environment | Description | Schema
ENABLED_CONTROLLERS | Which controllers to run | policy, profile, workloadendpoint, node
LOG_LEVEL | Minimum log level to be displayed. | debug, info, warning, error
KUBECONFIG | Path to a kubeconfig file for Kubernetes API access | path
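
As an added example (not taken from the Calico project's own manifests), the pod manifest below sets the variables described above in its env section and mounts the etcd client certificates from a Kubernetes Secret as read-only files. The Secret name and its keys, the mount path, the namespace, the etcd endpoint and the image tag are assumptions.

```yaml
# Added example. Names, paths, namespace and endpoint are assumptions,
# not values from the Calico documentation.
apiVersion: v1
kind: Pod
metadata:
  name: calico-kube-controllers
  namespace: kube-system
spec:
  containers:
    - name: calico-kube-controllers
      image: "calico/kube-controllers:<version>"   # placeholder tag
      env:
        # etcd access: endpoint plus TLS material for mutual authentication
        - name: ETCD_ENDPOINTS
          value: "https://etcd.example.internal:2379"   # constructed endpoint
        - name: ETCD_CA_CERT_FILE
          value: /calico-secrets/etcd-ca
        - name: ETCD_CERT_FILE
          value: /calico-secrets/etcd-cert
        - name: ETCD_KEY_FILE
          value: /calico-secrets/etcd-key
        # Run only the controllers this cluster needs (all four shown here)
        - name: ENABLED_CONTROLLERS
          value: "policy,profile,workloadendpoint,node"
        - name: LOG_LEVEL
          value: info
      volumeMounts:
        # The *_FILE paths above must resolve inside the pod, so the Secret
        # is mounted at the directory they point to.
        - name: etcd-certs
          mountPath: /calico-secrets
          readOnly: true
  volumes:
    - name: etcd-certs
      secret:
        # Hypothetical Secret holding the keys etcd-ca, etcd-cert and etcd-key
        secretName: calico-etcd-secrets
        # Owner read-only; widen only if the container user cannot read the files
        defaultMode: 0400
```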