Installing Calico for policy and networking (recommended)

Before you begin

Ensure that you have a Kubernetes cluster that meets the Calico system requirements. If you don’t, follow the steps in Using kubeadm to create a cluster.

Installing Calico for policy and networking

Selecting your datastore type and number of nodes

The procedure differs according to the type of datastore you want Calico to use and the number of nodes. Refer to the section that matches your desired datastore type and number of nodes.

Note: Calico networking with the Kubernetes API datastore is beta because it does not yet support Calico IPAM. It uses host-local IPAM with Kubernetes pod CIDR assignments instead.

Installing with the etcd datastore

  1. If your cluster has RBAC enabled, issue the following command to configure the roles and bindings that Calico requires.

    kubectl apply -f \
    https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/rbac.yaml
    

    Note: You can also view the manifest in your browser.

  2. Download the Calico networking manifest for etcd.

    curl \
    https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/hosted/calico.yaml \
    -O
    
  3. In the ConfigMap named calico-config, set the value of etcd_endpoints to the IP address and port of your etcd server.

    Tip: You can specify more than one using commas as delimiters.

  4. Apply the manifest using the following command.

    kubectl apply -f calico.yaml
    
  5. If you wish to enforce application layer policies and secure workload-to-workload communications with mutual TLS authentication, continue to Enabling application layer policy (optional).

Installing with the Kubernetes API datastore—50 nodes or less

  1. Ensure that the Kubernetes controller manager has the following flags set:
    --cluster-cidr=192.168.0.0/16 and --allocate-node-cidrs=true.

    Tip: On kubeadm, you can pass --pod-network-cidr=192.168.0.0/16 to kubeadm to set both Kubernetes controller flags.

  2. If your cluster has RBAC enabled, issue the following command to configure the roles and bindings that Calico requires.

    kubectl apply -f \
    https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml
    

    Note: You can also view the manifest in your browser.

  3. Issue the following command to install Calico.

    kubectl apply -f \
    https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml
    

    Note: You can also view the manifest in your browser.

  4. If you wish to enforce application layer policies and secure workload-to-workload communications with mutual TLS authentication, continue to Enabling application layer policy (optional).

Installing with the Kubernetes API datastore—more than 50 nodes

  1. Ensure that the Kubernetes controller manager has the following flags set:
    --cluster-cidr=192.168.0.0/16 and --allocate-node-cidrs=true.

    Tip: On kubeadm, you can pass --pod-network-cidr=192.168.0.0/16 to kubeadm to set both Kubernetes controller flags.

  2. If your cluster has RBAC enabled, issue the following command to configure the roles and bindings that Calico requires.

    kubectl apply -f \
    https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml
    

    Note: You can also view the manifest in your browser.

  3. Download the Calico networking manifest for the Kubernetes API datastore.

    curl \
    https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml \
    -O
    
  4. In the ConfigMap named calico-config, locate the typha_service_name, delete the none value, and replace it with calico-typha.

  5. Modify the replica count in the Deployment named calico-typha to the desired number of replicas.

    apiVersion: apps/v1beta1
    kind: Deployment
    metadata:
      name: calico-typha
      ...
    spec:
      ...
      replicas: <number of replicas>
    

    We recommend at least one replica for every 200 nodes and no more than 20 replicas. In production, we recommend a minimum of three replicas to reduce the impact of rolling upgrades and failures.

    Warning: If you set typha_service_name without increasing the replica count from its default of 0, Felix will try to connect to Typha, find no Typha instances to connect to, and fail to start.

  6. Apply the manifest.

    kubectl apply -f calico.yaml
    
  7. If you wish to enforce application layer policies and secure workload-to-workload communications with mutual TLS authentication, continue to Enabling application layer policy (optional).
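
A pre-apply check for steps 4 to 6 above, added here as an example and not part of the Calico documentation: it sizes Typha from the node count using the replica guidance and refuses a manifest that enables typha_service_name while calico-typha still has no replicas. The function names are hypothetical, and the parser assumes the two-space indentation shown in the snippet above.

```shell
#!/bin/sh
# Added example (not Calico's own tooling). Function names are hypothetical.

# Recommended Typha replica count for a cluster of $1 nodes, following the
# guidance above: one replica per 200 nodes (rounded up), no more than 20,
# and the production minimum of three.
typha_replicas() {
    n=$(( ($1 + 199) / 200 ))
    if [ "$n" -lt 3 ]; then n=3; fi
    if [ "$n" -gt 20 ]; then n=20; fi
    echo "$n"
}

# Check an edited manifest ($1) before "kubectl apply". Returns non-zero when
# typha_service_name is set to anything but "none" while the Deployment named
# calico-typha has fewer than 1 replica (including an unedited placeholder),
# the state in which Felix fails to start.
# Assumption: top-level keys at column 0 and first-level keys indented by two
# spaces, as in the manifest snippet above.
check_typha_manifest() {
    awk '
        /^---/     { kind = ""; name = "" }          # next YAML document
        /^kind:/   { kind = $2 }
        /^  name:/ && name == "" { name = $2 }       # metadata.name
        /^  typha_service_name:/ { svc = $2; gsub(/"/, "", svc) }
        /^  replicas:/ && kind == "Deployment" && name == "calico-typha" {
            reps = $2
        }
        END {
            if (svc == "" || svc == "none") {
                print "ok: Typha not enabled"
                exit 0
            }
            if (reps + 0 < 1) {
                print "FAIL: typha_service_name=" svc ", replicas=" reps
                exit 1
            }
            print "ok: typha_service_name=" svc ", replicas=" reps
        }
    ' "$1"
}

# Usage: check_typha_manifest calico.yaml && kubectl apply -f calico.yaml
```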