Installing Calico for policy (advanced)
You can also use Calico just for policy enforcement and achieve networking with another solution, such as static routes or a Kubernetes cloud provider integration.
To install Calico in this mode using the Kubernetes API datastore, complete the following steps.
If your cluster has RBAC enabled, issue the following command to configure the roles and bindings that Calico requires.
kubectl apply -f \
    https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml
Note: You can also view the manifest in your browser.
Ensure that the Kubernetes controller manager has the following flags set:
Tip: On kubeadm, you can pass --pod-network-cidr=192.168.0.0/16 to kubeadm to set both Kubernetes controller flags.
Download the Calico policy-only manifest for the Kubernetes API datastore.
curl \
    https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/kubernetes-datastore/policy-only/1.7/calico.yaml \
    -O
If your cluster contains more than 50 nodes:
In the calico-config ConfigMap, locate typha_service_name, delete the none value, and replace it with calico-typha.
Modify the replica count in the calico-typha Deployment to the desired number of replicas.
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: calico-typha
  ...
spec:
  ...
  replicas: <number of replicas>
We recommend at least one replica for every 200 nodes and no more than 20 replicas. In production, we recommend a minimum of three replicas to reduce the impact of rolling upgrades and failures. The number of replicas should always be less than the number of nodes, otherwise rolling upgrades will stall. In addition, Typha only helps with scale if there are fewer Typha instances than there are nodes.
Tip: If you set typha_service_name without increasing the replica count from its default of 0, Felix will try to connect to Typha, find no Typha instances to connect to, and fail to start.
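As an added example (not code from the Calico docs or project), the replica sizing rule and the two manifest edits above as a small Python script. It assumes the downloaded manifest spells the settings as typha_service_name: "none" and replicas: 0, and runs against a constructed, trimmed stand-in for calico.yaml; the zero-replica refusal encodes the Tip above.

```python
import re
# Sizing rule from the text above: one replica per 200 nodes, at least three
# in production, never more than 20, and always fewer replicas than nodes.
def typha_replicas(node_count, production=True):
    if node_count <= 50:
        return 0  # the page only enables Typha above 50 nodes
    replicas = -(-node_count // 200)  # ceil(node_count / 200)
    if production:
        replicas = max(replicas, 3)
    return min(replicas, 20, node_count - 1)

def enable_typha(manifest, replicas):
    """Point Felix at Typha and size the calico-typha Deployment. Assumes (not
    shown on the page) the keys read typha_service_name: "none" and replicas: 0."""
    if replicas < 1:  # per the Tip above, Typha with 0 replicas stops Felix starting
        raise ValueError("refusing to enable Typha with no replicas")
    docs, hits = manifest.split("\n---\n"), 0
    for i, doc in enumerate(docs):
        n = 0  # anything that is not calico-config or calico-typha is left untouched
        if "kind: ConfigMap" in doc and "name: calico-config" in doc:
            doc, n = re.subn(r'^([ \t]*typha_service_name:[ \t]*)"?none"?[ \t]*$',
                             r'\1"calico-typha"', doc, count=1, flags=re.M)
        elif "kind: Deployment" in doc and "name: calico-typha" in doc:
            doc, n = re.subn(r"^([ \t]*replicas:[ \t]*)\d+[ \t]*$",
                             lambda m: m.group(1) + str(replicas), doc, count=1, flags=re.M)
        docs[i], hits = doc, hits + n
    if hits != 2:
        raise ValueError("expected one typha_service_name key and one calico-typha replica line")
    return "\n---\n".join(docs)
# Constructed, heavily trimmed stand-in for the downloaded calico.yaml.
SAMPLE_MANIFEST = """\
kind: ConfigMap
metadata:
  name: calico-config
data:
  typha_service_name: "none"
---
kind: Deployment
metadata:
  name: calico-typha
spec:
  replicas: 0
---
kind: Deployment
metadata:
  name: calico-kube-controllers
spec:
  replicas: 1
"""
```

Run enable_typha(SAMPLE_MANIFEST, typha_replicas(node_count)) on the real calico.yaml only after checking that its key and replica lines match the assumed spelling.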
Apply the manifest using the following command.
kubectl apply -f calico.yaml
If you wish to enforce application layer policies and secure workload-to-workload communications with mutual TLS authentication, continue to Enabling application layer policy (optional).