Installing Calico for policy and flannel for networking

Before you begin

Ensure that you have a Kubernetes cluster that meets the Calico system requirements. If you don’t, follow the steps in Using kubeadm to create a cluster.

Selecting a datastore type

The procedure differs according to your datastore type. Refer to the section that matches your type.

Installing with the Kubernetes API datastore

  1. Ensure that the Kubernetes controller manager has the following flags set:
    --cluster-cidr=<your-pod-cidr> and --allocate-node-cidrs=true.

    Tip: On kubeadm, you can pass --pod-network-cidr=<your-pod-cidr> to kubeadm to set both Kubernetes controller flags.

  2. Download the flannel networking manifest for the Kubernetes API datastore.

    curl \
    https://docs.projectcalico.org/v3.4/getting-started/kubernetes/installation/hosted/canal/canal.yaml \
    -O
    
  3. If you are using pod CIDR 10.244.0.0/16, skip to the next step. If you are using a different pod CIDR, use the following commands to set an environment variable called POD_CIDR containing your pod CIDR and replace 10.244.0.0/16 in the manifest with your pod CIDR.

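    # Assign POD_CIDR on its own line: a same-line prefix assignment is not
    # visible when the shell expands $POD_CIDR in the sed argument.
    POD_CIDR="<your-pod-cidr>"
    sed -i -e "s?10.244.0.0/16?$POD_CIDR?g" canal.yaml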
    
  4. Issue the following command to install Calico.

    kubectl apply -f canal.yaml
    
  5. If you wish to enforce application layer policies and secure workload-to-workload communications with mutual TLS authentication, continue to Enabling application layer policy (optional).

Installing with the etcd datastore

We strongly recommend using the Kubernetes API datastore, but if you prefer to use etcd, complete the following steps.

  1. Download the Calico networking manifest.

    curl \
    https://docs.projectcalico.org/v3.4/getting-started/kubernetes/installation/hosted/canal/canal-etcd.yaml \
    -O
    
  2. If you are using pod CIDR 10.244.0.0/16, skip to the next step. If you are using a different pod CIDR, use the following commands to set an environment variable called POD_CIDR containing your pod CIDR and replace 10.244.0.0/16 in the manifest with your pod CIDR.

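    # Assign POD_CIDR on its own line: a same-line prefix assignment is not
    # visible when the shell expands $POD_CIDR in the sed argument.
    POD_CIDR="<your-pod-cidr>"
    sed -i -e "s?10.244.0.0/16?$POD_CIDR?g" canal-etcd.yaml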
    
  3. In the ConfigMap named calico-config, set the value of etcd_endpoints to the IP address and port of your etcd server.

    Tip: You can specify more than one using commas as delimiters.

  4. Apply the manifest using the following command.

    kubectl apply -f canal-etcd.yaml
    
  5. If you wish to enforce application layer policies and secure workload-to-workload communications with mutual TLS authentication, continue to Enabling application layer policy (optional).
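
The pod CIDR substitution from step 3 of the Kubernetes API datastore procedure and step 2 of the etcd procedure, as an added example that is not Calico's own code: it rejects an empty or malformed CIDR, replaces the default, and confirms the result before you run kubectl apply. The function names and the manifest fragment are constructed for illustration.

```shell
#!/bin/sh
DEFAULT_CIDR='10.244.0.0/16'

# Constructed fragment standing in for a downloaded manifest (assumption).
write_sample_manifest() {
    cat > "$1" <<'EOF'
kind: ConfigMap
apiVersion: v1
metadata:
  name: canal-config
data:
  net-conf.json: |
    {"Network": "10.244.0.0/16", "Backend": {"Type": "vxlan"}}
EOF
}

# set_pod_cidr MANIFEST CIDR (hypothetical helper)
# Returns 0 on success, 1 for a malformed CIDR, 2 if the default CIDR is
# not in the manifest, 3 if the rewrite or its verification fails.
set_pod_cidr() {
    manifest=$1
    cidr=$2

    # Shape check only (a.b.c.d/0-32). It also rejects the empty string,
    # which is what an unset $POD_CIDR expands to.
    printf '%s\n' "$cidr" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1

    # -F matches the default literally, so "." is not a wildcard here.
    grep -qF "$DEFAULT_CIDR" "$manifest" || return 2

    # Escape the dots for sed; "?" is the delimiter because CIDRs contain "/".
    pattern=$(printf '%s' "$DEFAULT_CIDR" | sed 's/\./\\./g')
    sed -e "s?$pattern?$cidr?g" "$manifest" > "$manifest.tmp" || return 3
    mv "$manifest.tmp" "$manifest" || return 3

    # Confirm the new CIDR is present and no standalone default remains.
    grep -qF "$cidr" "$manifest" || return 3
    if [ "$cidr" != "$DEFAULT_CIDR" ] && grep -Eq "(^|[^0-9])$pattern" "$manifest"; then
        return 3
    fi
}

# Demo on the constructed fragment, in a throwaway directory.
demo_dir=$(mktemp -d)
write_sample_manifest "$demo_dir/canal.yaml"
set_pod_cidr "$demo_dir/canal.yaml" "192.168.0.0/16" && grep Network "$demo_dir/canal.yaml"
rm -rf "$demo_dir"
```

A return code of 1 leaves the manifest untouched, so a forgotten or mistyped POD_CIDR never reaches the cluster.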