Installing Calico for policy (advanced)

You can also use Calico just for policy enforcement and achieve networking with another solution, such as static routes or a Kubernetes cloud provider integration.

To install Calico in this mode using the Kubernetes API datastore, complete the following steps.

  1. Ensure that you have a Kubernetes cluster that meets the Calico system requirements. If you don’t, follow the steps in Using kubeadm to create a cluster.

  2. Ensure that the Kubernetes controller manager has the following flags set:
    --cluster-cidr=<your-pod-cidr> and --allocate-node-cidrs=true.

    Tip: On kubeadm, you can pass --pod-network-cidr=<your-pod-cidr> to kubeadm to set both Kubernetes controller flags.

  3. Download the Calico policy-only manifest for the Kubernetes API datastore.

    curl -O
  4. If you are using pod CIDR, skip to the next step. If you are using a different pod CIDR, use the following commands to set an environment variable called POD_CIDR containing your pod CIDR and replace in the manifest with your pod CIDR.

    POD_CIDR="<your-pod-cidr>" \
    sed -i -e "s?$POD_CIDR?g" calico.yaml
  5. If your cluster contains more than 50 nodes:

    By default the replica count in the Deployment named calico-typha is set to 1. You may want to consider changing this for large clusters or production environments.

    apiVersion: apps/v1
    kind: Deployment
      name: calico-typha
      replicas: <number of replicas>

    We recommend at least one replica for every 200 nodes up to a maximum of 20. In production, we recommend a minimum of three replicas to reduce the impact of rolling upgrades and failures. The number of replicas should always be less than the number of nodes, otherwise rolling upgrades will stall. In addition, Typha only helps with scale if there are fewer Typha instances than there are nodes.

  6. Apply the manifest using the following command.

    kubectl apply -f calico.yaml
  7. If you wish to enforce application layer policies and secure workload-to-workload communications with mutual TLS authentication, continue to Enabling application layer policy (optional).