Installing Calico for policy (advanced)

You can also use Calico just for policy enforcement and achieve networking with another solution, such as static routes or a Kubernetes cloud provider integration.

To install Calico in this mode using the Kubernetes API datastore, complete the following steps.

  1. Ensure that you have a Kubernetes cluster that meets the Calico system requirements. If you don’t, follow the steps in Using kubeadm to create a cluster.

  2. Ensure that the Kubernetes controller manager has the following flags set:
    --cluster-cidr=<your-pod-cidr> and --allocate-node-cidrs=true.

    Tip: On kubeadm, you can pass --pod-network-cidr=<your-pod-cidr> to kubeadm to set both Kubernetes controller flags.

  3. Download the Calico policy-only manifest for the Kubernetes API datastore.

    curl \ \
  4. If your pod CIDR is the one the downloaded manifest ships with, skip to the next step. If you are using a different pod CIDR, use the following commands to set an environment variable called POD_CIDR containing your pod CIDR and replace the manifest's default CIDR with it.

    POD_CIDR="<your-pod-cidr>"
    # <manifest-default-pod-cidr> is the CIDR value currently in calico.yaml
    sed -i -e "s?<manifest-default-pod-cidr>?$POD_CIDR?g" calico.yaml
  5. If your cluster contains more than 50 nodes:

    • In the ConfigMap named calico-config, locate the typha_service_name, delete the none value, and replace it with calico-typha.

    • Modify the replica count in the Deployment named calico-typha to the desired number of replicas.

      apiVersion: apps/v1beta1
      kind: Deployment
      metadata:
        name: calico-typha
      spec:
        replicas: <number of replicas>

      We recommend at least one replica for every 200 nodes and no more than 20 replicas. In production, we recommend a minimum of three replicas to reduce the impact of rolling upgrades and failures.

      Tip: If you set typha_service_name without increasing the replica count from its default of 0, Felix will try to connect to Typha, find no Typha instances to connect to, and fail to start.

  6. Apply the manifest using the following command.

    kubectl apply -f calico.yaml
  7. If you wish to enforce application layer policies and secure workload-to-workload communications with mutual TLS authentication, continue to Enabling application layer policy (optional).
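The manifest edits from steps 4 and 5, plus a pre-apply check for the Tip's failure mode, as an added shell example that is not part of the Calico docs. It assumes the manifest writes the ConfigMap value as `typha_service_name: "none"` (quoted); the function names, the sample manifest and its 10.244.0.0/16 CIDR are constructed for illustration.

```shell
# Added example, not from the Calico docs: patch the downloaded policy-only manifest
# for your pod CIDR and cluster size, then verify the Typha settings before applying.
set -eu
# One Typha replica per 200 nodes, at least 3 in production, at most 20;
# clusters of 50 nodes or fewer keep the manifest default of 0.
typha_replicas_for() {
  [ "$1" -gt 50 ] || { echo 0; return 0; }
  r=$(( ($1 + 199) / 200 ))
  [ "$r" -ge 3 ] || r=3
  [ "$r" -le 20 ] || r=20
  echo "$r"
}
# patch_calico_manifest FILE MANIFEST_DEFAULT_CIDR YOUR_POD_CIDR NODE_COUNT
patch_calico_manifest() {
  f=$1; old=$2; new=$3; r=$(typha_replicas_for "$4")
  sed -i -e "s?$old?$new?g" "$f"   # '?' as delimiter because CIDRs contain '/'
  [ "$r" -gt 0 ] || return 0
  sed -i -e 's/typha_service_name: "none"/typha_service_name: "calico-typha"/' "$f"
  # Rewrite replicas only inside the YAML document named calico-typha.
  awk -v r="$r" '/^---/ {t=0} /name: calico-typha/ {t=1}
    t && /^ *replicas:/ {sub(/replicas:.*/, "replicas: " r)} {print}' "$f" > "$f.tmp"
  mv "$f.tmp" "$f"
}
# Returns 1 for the Tip's failure mode: Felix pointed at Typha but calico-typha has 0 replicas.
check_typha_consistency() {
  svc=$(sed -n 's/.*typha_service_name: "\(.*\)".*/\1/p' "$1")
  reps=$(awk '/^---/{t=0} /name: calico-typha/{t=1} t && /replicas:/{print $2}' "$1")
  [ "$svc" = "calico-typha" ] && [ "${reps:-0}" -eq 0 ] && return 1
  return 0
}
# Constructed, heavily abbreviated stand-in for calico.yaml (not the real manifest).
write_sample_manifest() {
  cat > "$1" <<'EOF'
kind: ConfigMap
data: {typha_service_name: "none"}
---
kind: Deployment
metadata: {name: calico-typha}
spec:
  replicas: 0
---
kind: Deployment
metadata: {name: calico-kube-controllers}
spec: {replicas: 1}
---
kind: DaemonSet
spec: {env: [{name: CALICO_IPV4POOL_CIDR, value: "10.244.0.0/16"}]}
EOF
}
```

Run `patch_calico_manifest calico.yaml <manifest-default-pod-cidr> <your-pod-cidr> <node-count>` and then `check_typha_consistency calico.yaml` before step 6; a non-zero exit from the check means the manifest would reproduce the Felix start-up failure described in the Tip.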