Installing Calico for policy (advanced)
You can also use Calico just for policy enforcement and achieve networking with another solution, such as static routes or a Kubernetes cloud provider integration.
To install Calico in this mode using the Kubernetes API datastore, complete the following steps.
Ensure that the Kubernetes controller manager has the following flags set:
Tip: On kubeadm, you can pass --pod-network-cidr=<your-pod-cidr> to kubeadm to set both Kubernetes controller flags.
Download the Calico policy-only manifest for the Kubernetes API datastore.
curl https://docs.projectcalico.org/v3.9/manifests/calico-policy-only.yaml -o calico.yaml
If you are using pod CIDR 192.168.0.0/16, skip to the next step. If you are using a different pod CIDR, use the following commands to set an environment variable called POD_CIDR containing your pod CIDR and replace 192.168.0.0/16 in the manifest with your pod CIDR.
POD_CIDR="<your-pod-cidr>"
sed -i -e "s?192.168.0.0/16?$POD_CIDR?g" calico.yaml
If your cluster contains more than 50 nodes:
By default the replica count in the calico-typha deployment is set to 1. You may want to consider changing this for large clusters or production environments.
We recommend at least one replica for every 200 nodes up to a maximum of 20. In production, we recommend a minimum of three replicas to reduce the impact of rolling upgrades and failures. The number of replicas should always be less than the number of nodes, otherwise rolling upgrades will stall. In addition, Typha only helps with scale if there are fewer Typha instances than there are nodes.
Apply the manifest using the following command.
kubectl apply -f calico.yaml
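As an added example that is not part of the Calico docs, the following POSIX shell script applies the two rules from the steps above: it sizes Typha from the node count and patches the pod CIDR into a manifest with POD_CIDR assigned in its own statement, so the shell expands it before sed runs. The manifest content and the 10.244.0.0/16 CIDR it is used with are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Calico docs: size Typha from the node count
# and patch the pod CIDR into a manifest, checking the result.

# typha_replicas NODES [prod]: one replica per 200 nodes (rounded up),
# capped at 20, at least 3 when the second argument is "prod", and
# always fewer than the node count so rolling upgrades do not stall.
typha_replicas() {
    nodes=$1
    prod=${2:-}
    replicas=$(( (nodes + 199) / 200 ))
    if [ "$replicas" -gt 20 ]; then replicas=20; fi
    if [ "$prod" = "prod" ] && [ "$replicas" -lt 3 ]; then replicas=3; fi
    if [ "$replicas" -ge "$nodes" ]; then replicas=$(( nodes - 1 )); fi
    # a one-node cluster cannot satisfy replicas < nodes; run one anyway
    if [ "$replicas" -lt 1 ]; then replicas=1; fi
    echo "$replicas"
}

# make_sample_manifest FILE: write a constructed stand-in for the
# CALICO_IPV4POOL_CIDR entry found in calico.yaml (sample data only).
make_sample_manifest() {
    cat > "$1" <<'EOF'
            - name: CALICO_IPV4POOL_CIDR
              value: "192.168.0.0/16"
EOF
    echo "$1"
}

# patch_pod_cidr FILE CIDR: the docs' sed, but with POD_CIDR assigned in
# its own statement so the shell expands "$POD_CIDR" before sed runs.
# Returns non-zero if any default CIDR is left in FILE.
patch_pod_cidr() {
    POD_CIDR=$2
    sed -i -e "s?192.168.0.0/16?$POD_CIDR?g" "$1"
    ! grep -q '192\.168\.0\.0/16' "$1"
}

# Example: a 500-node production cluster gets 3 Typha replicas.
typha_replicas 500 prod
```

Run patch_pod_cidr against the real calico.yaml only after you have inspected the substitution on a copy; the grep check catches the case where the variable was empty and sed silently wrote an empty CIDR.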
If you wish to enforce application layer policies and secure workload-to-workload communications with mutual TLS authentication, continue to Enabling application layer policy (optional).