Quickstart for Calico on Kubernetes


This quickstart gets you a single-host Kubernetes cluster with Calico in approximately 15 minutes. You can use this cluster for testing and development.

To deploy a cluster suitable for production, refer to Installation.


  • AMD64 processor
  • 2CPU
  • 2GB RAM
  • 10GB free disk space
  • RedHat Enterprise Linux 7.x+, CentOS 7.x+, Ubuntu 16.04+, or Debian 9.x+

Before you begin

Create a single-host Kubernetes cluster

  1. As a regular user with sudo privileges, open a terminal on the host that you installed kubeadm on.

  2. Initialize the master using the following command.

    sudo kubeadm init --pod-network-cidr=

    Note: If is already in use within your network you must select a different pod network CIDR, replacing in the above command as well as in any manifests applied below.

  3. Execute the following commands to configure kubectl (also returned by kubeadm init).

    mkdir -p $HOME/.kube
    sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    sudo chown $(id -u):$(id -g) $HOME/.kube/config
  4. Install an etcd instance with the following command.

    kubectl apply -f \

    Note: You can also view the YAML in a new tab.

    You should see the following output.

    daemonset.extensions/calico-etcd created
    service/calico-etcd created
  5. Install the RBAC roles required for Calico

    kubectl apply -f \

    Note: You can also view the YAML in a new tab.

    You should see the following output.

    clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created
    clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created
    clusterrole.rbac.authorization.k8s.io/calico-node created
    clusterrolebinding.rbac.authorization.k8s.io/calico-node created
  6. Install Calico with the following command.

    kubectl apply -f \

    Note: You can also view the YAML in a new tab.

    You should see the following output.

    configmap/calico-config created
    secret/calico-etcd-secrets created
    daemonset.extensions/calico-node created
    serviceaccount/calico-node created
    deployment.extensions/calico-kube-controllers created
    serviceaccount/calico-kube-controllers created
  7. Confirm that all of the pods are running with the following command.

    watch kubectl get pods --all-namespaces

    Wait until each pod has the STATUS of Running.

    NAMESPACE    NAME                                       READY  STATUS   RESTARTS  AGE
    kube-system  calico-etcd-x2482                          1/1    Running  0         2m45s
    kube-system  calico-kube-controllers-6ff88bf6d4-tgtzb   1/1    Running  0         2m45s
    kube-system  calico-node-24h85                          2/2    Running  0         2m43s
    kube-system  coredns-846jhw23g9-9af73                   1/1    Running  0         4m5s
    kube-system  coredns-846jhw23g9-hmswk                   1/1    Running  0         4m5s
    kube-system  etcd-jbaker-1                              1/1    Running  0         6m22s
    kube-system  kube-apiserver-jbaker-1                    1/1    Running  0         6m12s
    kube-system  kube-controller-manager-jbaker-1           1/1    Running  0         6m16s
    kube-system  kube-proxy-8fzp2                           1/1    Running  0         5m16s
    kube-system  kube-scheduler-jbaker-1                    1/1    Running  0         5m41s
  8. Press CTRL+C to exit watch.

  9. Remove the taints on the master so that you can schedule pods on it.

    kubectl taint nodes --all node-role.kubernetes.io/master-

    It should return the following.

    node/<your-hostname> untainted
  10. Confirm that you now have a node in your cluster with the following command.

    kubectl get nodes -o wide

    It should return something like the following.

    <your-hostname>   Ready    master   52m   v1.12.2   <none>        Ubuntu 18.04.1 LTS   4.15.0-1023-gcp   docker://18.6.1

Congratulations! You now have a single-host Kubernetes cluster equipped with Calico.

Next steps

Secure a simple application using the Kubernetes NetworkPolicy API

Control ingress and egress traffic using the Kubernetes NetworkPolicy API

Create a user interface that shows blocked and allowed connections in real time

Install and configure calicoctl