Configuring calico/node

The calico/node container is primarily configured through environment variables.

Environment Variables

Environment Description Schema
NODENAME A unique identifier for this host. See node name determination for more details. lowercase string
NO_DEFAULT_POOLS Prevents Calico from creating a default pool if one does not exist. [Default: false] boolean
IP The IPv4 address to assign this host. When specified, the address is saved in the node resource configuration for this host, overriding any previously configured value. When omitted, if an address has been saved in the node resource, then that value will be used. When omitted, if an address has not yet been configured in the node resource, the node will auto-detect an IPv4 address and configure the node resource with that address. This autodetection can be forced (even if a value has already been set in the node resource) by setting IP to “autodetect”. Doing so will overwrite any value configured in the node resource. IPv4
IP6 The IPv6 address for Calico will bind to. When specified, the address is saved in the node resource configuration for this host, overriding any previously configured value. When omitted, if an address has not yet been configured in the node resource, IPv6 routing is not enabled. When omitted, if an IPv6 address has been previously configured in the node resource, IPv6 is enabled using the already configured address. IPv6
IP_AUTODETECTION_METHOD The method to use to autodetect the IPv4 address for this host. This is only used when the IPv4 address is being autodetected. See IP Autodetection methods for details of the valid methods. [Default: first-found] string
IP6_AUTODETECTION_METHOD The method to use to autodetect the IPv6 address for this host. This is only used when the IPv6 address is being autodetected. See IP Autodetection methods for details of the valid methods. [Default: first-found] string
DISABLE_NODE_IP_CHECK Skips checks for duplicate Node IPs. This can reduce the load on the cluster when a large number of Nodes are restarting. [Default: false] boolean
AS The AS number for this node. When specified, the value is saved in the node resource configuration for this host, overriding any previously configured value. When omitted, if an AS number has been previously configured in the node resource, that AS number is used for the peering. When omitted, if an AS number has not yet been configured in the node resource, the node will use the global value (see example modifying Global BGP settings for details.) int
DATASTORE_TYPE Type of datastore. [Default: etcdv3] kubernetes, etcdv3
WAIT_FOR_DATASTORE Wait for connection to datastore before starting. If a successful connection is not made, node will shutdown. [Default: false] boolean
CALICO_NETWORKING_BACKEND Describes which BGP networking backend to use [Default: bird] bird, none
CALICO_IPV4POOL_CIDR The IPv4 Pool to create if none exists at start up. It is invalid to define this variable and NO_DEFAULT_POOLS. [Default: 192.168.0.0/16] IPv4 CIDR
CALICO_IPV6POOL_CIDR The IPv6 Pool to create if none exists at start up. It is invalid to define this variable and NO_DEFAULT_POOLS. [Default: <a randomly chosen /48 ULA>] IPv6 CIDR
CALICO_IPV4POOL_IPIP IPIP Mode to use for the IPv4 POOL created at start up. [Default: Off] Off, Always, CrossSubnet
CALICO_IPV4POOL_NAT_OUTGOING Controls NAT Outgoing for the IPv4 Pool created at start up. [Default: true] boolean
CALICO_IPV6POOL_NAT_OUTGOING Controls NAT Outgoing for the IPv6 Pool created at start up. [Default: false] boolean
CALICO_STARTUP_LOGLEVEL The log severity above which startup calico/node logs are sent to the stdout. [Default: ERROR] DEBUG, INFO, WARNING, ERROR, CRITICAL, or NONE (case-insensitive)
CLUSTER_TYPE Contains comma delimited list of indicators about this cluster. e.g. k8s, mesos, kubeadm, canal, bgp string
ETCD_ENDPOINTS A comma separated list of etcd endpoints [Example: http://127.0.0.1:2379,http://127.0.0.2:2379] (required) string
ETCD_KEY_FILE Path to the etcd key file, e.g. /etc/calico/key.pem (optional) string
ETCD_CERT_FILE Path to the etcd client cert, e.g. /etc/calico/cert.pem (optional) string
ETCD_CA_CERT_FILE Path to the etcd CA file, e.g. /etc/calico/ca.pem (optional) string
KUBECONFIG When using the Kubernetes datastore, the location of a kubeconfig file to use. string
K8S_API_ENDPOINT Location of the Kubernetes API. Not required if using kubeconfig. string
K8S_CERT_FILE Location of a client certificate for accessing the Kubernetes API. string
K8S_KEY_FILE Location of a client key for accessing the Kubernetes API. string
K8S_CA_FILE Location of a CA for accessing the Kubernetes API. string
K8S_TOKEN Token to be used for accessing the Kubernetes API. string

In addition to the above, calico/node also supports the standard Felix configuration environment variables.

Note: When Calico is configured to use the Kubernetes API as the datastore, the environments used for BGP configuration are ignored—this includes selection of the node AS number (AS) and all of the IP selection options (IP, IP6, IP_AUTODETECTION_METHOD, IP6_AUTODETECTION_METHOD).

Node name determination

The calico/node must know the name of the node on which it is running. The node name is used to retrieve the Node resource configured for this node if it exists, or to create a new node resource representing the node if it does not. It is also used to associate the node with per-node BGP configuration, felix configuration, and endpoints.

When launched, the `` container sets the node name according to the following order of precedence:

  1. The value specified in the NODENAME environment variable, if set.
  2. The value specified in /var/lib/calico/nodename, if it exists.
  3. The value specified in the HOSTNAME environment variable, if set.
  4. The hostname as returned by the operating system, converted to lowercase.

Once the node has determined its name, the value will be cached in /var/lib/calico/nodename for future use.

For example, if given the following conditions:

  • NODENAME=""
  • /var/lib/calico/nodename does not exist
  • HOSTNAME="host-A"
  • The operating system returns “host-A.internal.myorg.com” for the hostname

calico/node will use “host-a” for its name and will write the value in /var/lib/calico/nodename. If calico/node is then restarted, it will use the cached value of “host-a” read from the file on disk.

IP Autodetection methods

When Calico is used for routing, each node must be configured with the IPv4 address (and IPv6 address if using IPv6) that would be used to route between nodes. To eliminate node specific IP address configuration, the calico/node container can be configured to autodetect these IP addresses. In many systems, there might be multiple physical interfaces on a host, or possibly multiple IP addresses configured on a physical interface. In these cases, there are multiple addresses to choose from and so autodetection of the correct address can be tricky.

The IP autodetection methods are provided to improve the selection of the correct address, by limiting the selection based on suitable criteria for your deployment.

The following sections describe the available IP autodetection methods.

first-found

The first-found option enumerates all interface IP addresses and returns the first valid IP address (based on IP version and type of address) on the first valid interface. Certain known “local” interfaces are omitted, such as the docker bridge. The order that both the interfaces and the IP addresses are listed is system dependent.

This is the default detection method. However, since this method only makes a very simplified guess, it is recommended to either configure the node with a specific IP address, or to use one of the other detection methods.

e.g.

IP_AUTODETECTION_METHOD=first-found
IP6_AUTODETECTION_METHOD=first-found

can-reach=DESTINATION

The can-reach method uses your local routing to determine which IP address will be used to reach the supplied destination. Both IP addresses and domain names may be used.

e.g.

# Using IP addresses
IP_AUTODETECTION_METHOD=can-reach=8.8.8.8
IP6_AUTODETECTION_METHOD=can-reach=2001:4860:4860::8888

# Using domain names
IP_AUTODETECTION_METHOD=can-reach=www.google.com
IP6_AUTODETECTION_METHOD=can-reach=www.google.com

interface=INTERFACE-REGEX

The interface method uses the supplied interface regular expression (golang syntax) to enumerate matching interfaces and to return the first IP address on the first matching interface. The order that both the interfaces and the IP addresses are listed is system dependent.

e.g.

# Valid IP address on interface eth0, eth1, eth2 etc.
IP_AUTODETECTION_METHOD=interface=eth.*
IP6_AUTODETECTION_METHOD=interface=eth.*