Configuring the Calico Kubernetes controllers
The Calico Kubernetes controllers are primarily configured through environment variables. When running
the controllers as a Kubernetes pod, this is accomplished through the pod manifest
The calico/kube-controllers container
calico/kube-controllers container includes the following controllers:
- policy controller: watches network policies and programs Calico policies.
- profile controller: watches namespaces and programs Calico profiles.
- workloadendpoint controller: watches for changes to pod labels and updates Calico workload endpoints.
- node controller: watches for the removal of Kubernetes nodes and removes corresponding data from Calico.
By default, all four controllers are enabled.
Configuring etcd access
The Calico Kubernetes controllers support the following environment variables to configure etcd access:
||The list of etcd nodes in your cluster. e.g
||The full path to the CA certificate file for the Certificate Authority that signed the etcd server key/certificate pair.||path|
||The full path to the client certificate file for accessing the etcd cluster.||path|
||The full path to the client key file for accessing the etcd cluster.||path|
*_FILE variables are paths to the corresponding certificates/keys. As such, when the controllers are running as a Kubernetes pod, you
must ensure that the files exist within the pod. This is usually done in one of two ways:
- Mount the certificates from the host. This requires that the certificates be present on the host running the controller.
- Use Kubernetes Secrets to mount the certificates into the pod as files.
Configuring Kubernetes API access
The controllers must have read access to the Kubernetes API in order to monitor
When running the controllers as a self-hosted Kubernetes Pod, Kubernetes API access is configured automatically and no additional configuration is required. However, the controllers can also be configured to use an explicit kubeconfig file override to configure API access if needed.
The following environment variables can be used to configure the Calico Kubernetes controllers.
||Which controllers to run||policy, profile, workloadendpoint, node|
||Minimum log level to be displayed.||debug, info, warning, error|
||Path to a kubeconfig file for Kubernetes API access||path|