Installing Calico for policy (advanced)
You can also use Calico just for policy enforcement and achieve networking with another solution, such as static routes or a Kubernetes cloud provider integration.
To install Calico in this mode using the Kubernetes API datastore, complete the following steps.
Ensure that the Kubernetes controller manager has the following flags set:
Tip: On kubeadm, you can pass
--pod-network-cidr=<your-pod-cidr>to kubeadm to set both Kubernetes controller flags.
Download the Calico policy-only manifest for the Kubernetes API datastore.
curl \ https://docs.projectcalico.org/v3.4/getting-started/kubernetes/installation/hosted/kubernetes-datastore/policy-only/1.7/calico.yaml \ -O
If you are using pod CIDR
192.168.0.0/16, skip to the next step. If you are using a different pod CIDR, use the following commands to set an environment variable called
POD_CIDRcontaining your pod CIDR and replace
192.168.0.0/16in the manifest with your pod CIDR.
POD_CIDR="<your-pod-cidr>" \ sed -i -e "s?192.168.0.0/16?$POD_CIDR?g" calico.yaml
If your cluster contains more than 50 nodes:
calico-config, locate the
typha_service_name, delete the
nonevalue, and replace it with
Modify the replica count in the
calico-typhato the desired number of replicas.
We recommend at least one replica for every 200 nodes and no more than 20 replicas. In production, we recommend a minimum of three replicas to reduce the impact of rolling upgrades and failures. The number of replicas should always be less than the number of nodes, otherwise rolling upgrades will stall. In addition, Typha only helps with scale if there are fewer Typha instances than there are nodes.
Tip: If you set
typha_service_namewithout increasing the replica count from its default of
0Felix will try to connect to Typha, find no Typha instances to connect to, and fail to start.
Apply the manifest using the following command.
kubectl apply -f calico.yaml
If you wish to enforce application layer policies and secure workload-to-workload communications with mutual TLS authentication, continue to Enabling application layer policy (optional).