Upgrading Calico on Kubernetes

About upgrading Calico

This page describes how to upgrade to v3.10 from Calico v3.0 or later. The procedure varies by datastore type.

Important: Do not use older versions of calicoctl after the upgrade. This may result in unexpected behavior and data.

Upgrading an installation that uses the Kubernetes API datastore

  1. Download the v3.10 manifest that corresponds to your original installation method.

    Calico for policy and networking

    curl https://docs.projectcalico.org/v3.10/manifests/calico.yaml -O
    

    Calico for policy and flannel for networking

    curl https://docs.projectcalico.org/v3.10/manifests/canal.yaml -O
    

    Calico for policy (advanced)

    curl https://docs.projectcalico.org/v3.10/manifests/calico-policy-only.yaml -O
    

    Note: If you manually modified the manifest, you must manually apply the same changes to the downloaded manifest.

  2. Use the following command to initiate a rolling update, after replacing <manifest-file-name> with the file name of your v3.10 manifest.

    kubectl apply -f <manifest-file-name>
    
  3. Watch the status of the upgrade as follows.

    watch kubectl get pods -n kube-system
    

    Verify that the status of all Calico pods indicates Running.

    calico-node-hvvg8     2/2   Running   0    3m
    calico-node-vm8kh     2/2   Running   0    3m
    calico-node-w92wk     2/2   Running   0    3m
    
  4. Remove any existing calicoctl instances, install the new calicoctl and configure it to connect to your datastore.

  5. Use the following command to check the Calico version number.

    calicoctl version
    

    It should return a Cluster Version of v3.10.x.

  6. If you have enabled Application Layer Policy, follow the instructions below to complete your upgrade. Skip this if you are not using Istio with Calico.

  7. Congratulations! You have upgraded to Calico v3.10.

Upgrading an installation that uses an etcd datastore

  1. Download the v3.10 manifest that corresponds to your original installation method.

    Calico for policy and networking

    curl https://docs.projectcalico.org/v3.10/manifests/calico-etcd.yaml -O
    

    Calico for policy and flannel for networking

    curl https://docs.projectcalico.org/v3.10/manifests/canal-etcd.yaml -O
    

    Note: You must manually apply the changes you made to the manifest during installation to the downloaded v3.10 manifest. At a minimum, you must set the etcd_endpoints value.

  2. Use the following command to initiate a rolling update, after replacing <manifest-file-name> with the file name of your v3.10 manifest.

    kubectl apply -f <manifest-file-name>
    
  3. Watch the status of the upgrade as follows.

    watch kubectl get pods -n kube-system
    

    Verify that the status of all Calico pods indicates Running.

    calico-kube-controllers-6d4b9d6b5b-wlkfj   1/1       Running   0          3m
    calico-node-hvvg8                          1/2       Running   0          3m
    calico-node-vm8kh                          1/2       Running   0          3m
    calico-node-w92wk                          1/2       Running   0          3m
    

    Tip: The calico-node pods will report 1/2 in the READY column, as shown.

  4. Remove any existing calicoctl instances, install the new calicoctl and configure it to connect to your datastore.

  5. Use the following command to check the Calico version number.

    calicoctl version
    

    It should return a Cluster Version of v3.10.

  6. If you have enabled Application Layer Policy, follow the instructions below to complete your upgrade. Skip this if you are not using Istio with Calico.

  7. Congratulations! You have upgraded to Calico v3.10.
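
The checks in steps 3 and 5 of both procedures above can be scripted so that a stalled rollout or a leftover older calicoctl is caught before anyone uses it. The following is an added example, not part of the Calico documentation; the function names and the sample input are constructed, and the "Client Version" line label is assumed from calicoctl's usual output.

```shell
#!/bin/sh
# Added example (not from the Calico docs). Both checks read command output on
# stdin:  kubectl get pods -n kube-system | pods_not_running
#         calicoctl version | versions_match
WANT="v3.10"   # release this page upgrades to

# Print every pod matching the name prefix (default calico-, as in the page's
# sample output) whose STATUS is not Running. Fails if any are listed or if no
# such pod was seen. READY is ignored: with etcd, calico-node reports 1/2.
pods_not_running() {
  awk -v prefix="${1:-calico-}" '
    index($1, prefix) == 1 { seen++; if ($3 != "Running") { print $1, $3; bad++ } }
    END { if (bad > 0 || seen == 0) exit 1 }
  '
}

# Succeed only if the Client Version and Cluster Version lines both report the
# wanted release, so a leftover older calicoctl is caught before it is used.
versions_match() {
  awk -v want="$WANT" '
    function ok(v) { return v == want || index(v, want ".") == 1 }
    /^Client Version:/  { client = $3 }
    /^Cluster Version:/ { cluster = $3 }
    END { print "client=" client, "cluster=" cluster; if (!ok(client) || !ok(cluster)) exit 1 }
  '
}

# Constructed sample input (not captured from a real cluster).
SAMPLE_PODS='NAME                                       READY   STATUS             RESTARTS   AGE
calico-kube-controllers-6d4b9d6b5b-wlkfj   1/1     Running            0          3m
calico-node-hvvg8                          1/2     Running            0          3m
calico-node-vm8kh                          0/2     CrashLoopBackOff   4          3m
coredns-5644d7b6d9-abcde                   1/1     Running            0          9d'
SAMPLE_STALE_CLIENT='Client Version:    v3.8.2
Cluster Version:   v3.10.0'

printf '%s\n' "$SAMPLE_PODS" | pods_not_running || echo "upgrade not complete"
printf '%s\n' "$SAMPLE_STALE_CLIENT" | versions_match || echo "replace calicoctl"
```

Pass a different prefix as the first argument to pods_not_running if your pods are not named calico-*.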

Upgrading if you have Application Layer Policy enabled

Dikastes is versioned the same as the rest of Calico, but an upgraded calico-node will still be able to work with a downlevel Dikastes so that you will not lose data plane connectivity during the upgrade. Once calico-node is upgraded, you can begin redeploying your service pods with the updated version of Dikastes.

If you have enabled Application Layer Policy, take the following steps to upgrade the Dikastes sidecars running in your application pods. Skip these steps if you are not using Istio with Calico.

  1. Update the Istio sidecar injector template to use the new version of Dikastes. Replace <your Istio version> below with the full version string of your Istio install, for example 1.0.7.

    kubectl apply -f https://docs.projectcalico.org/v3.10/manifests/alp/istio-inject-configmap-<your Istio version>.yaml
    
  2. Once the new template is in place, newly created pods use the upgraded version of Dikastes. Perform a rolling update of each of your service deployments to get them on the new version of Dikastes.