Installing Calico for policy (advanced)

You can also use Calico just for policy enforcement and achieve networking with another solution, such as static routes or a Kubernetes cloud provider integration.

To install Calico in this mode using the Kubernetes API datastore, complete the following steps.

  1. Ensure that you have a Kubernetes cluster that meets the Calico system requirements. If you don’t, follow the steps in Using kubeadm to create a cluster.

  2. If your cluster has RBAC enabled, issue the following command to configure the roles and bindings that Calico requires.

    kubectl apply -f \
    https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml
    

    Note: You can also view the manifest in your browser.

  3. Ensure that the Kubernetes controller manager has the following flags set:
    --cluster-cidr=192.168.0.0/16 and --allocate-node-cidrs=true.

    Tip: On kubeadm, you can pass --pod-network-cidr=192.168.0.0/16 to kubeadm to set both Kubernetes controller flags.

  4. Download the Calico policy-only manifest for the Kubernetes API datastore.

    curl \
    https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/kubernetes-datastore/policy-only/1.7/calico.yaml \
    -O
    
  5. If your cluster contains more than 50 nodes:

    • In the ConfigMap named calico-config, locate the typha_service_name, delete the none value, and replace it with calico-typha.

    • Modify the replica count in theDeployment named calico-typha to the desired number of replicas.

      apiVersion: apps/v1beta1
      kind: Deployment
      metadata:
        name: calico-typha
        ...
      spec:
        ...
        replicas: <number of replicas>
      

      We recommend at least one replica for every 200 nodes and no more than 20 replicas. In production, we recommend a minimum of three replicas to reduce the impact of rolling upgrades and failures. The number of replicas should always be less than the number of nodes, otherwise rolling upgrades will stall. In addition, Typha only helps with scale if there are fewer Typha instances than there are nodes.

      Tip: If you set typha_service_name without increasing the replica count from its default of 0 Felix will try to connect to Typha, find no Typha instances to connect to, and fail to start.

  6. Apply the manifest using the following command.

    kubectl apply -f calico.yaml
    
  7. If you wish to enforce application layer policies and secure workload-to-workload communications with mutual TLS authentication, continue to Enabling application layer policy (optional).