Installing Calico for policy (advanced)
You can also use Calico just for policy enforcement and achieve networking with another solution, such as static routes or a Kubernetes cloud provider integration.
To install Calico in this mode using the Kubernetes API datastore, complete the following steps.
- Ensure that you have a Kubernetes cluster that meets the Calico system requirements. If you don't, follow the steps in Using kubeadm to create a cluster.
- If your cluster has RBAC enabled, issue the following command to configure the roles and bindings that Calico requires.
  kubectl apply -f https://just-master--zealous-perlman-827aaa.netlify.com/v3.2/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml
  Note: You can also view the manifest in your browser.
- Ensure that the Kubernetes controller manager has the following flags set: --cluster-cidr=192.168.0.0/16 and --allocate-node-cidrs=true.
  Tip: On kubeadm, you can pass --pod-network-cidr=192.168.0.0/16 to kubeadm to set both Kubernetes controller flags.
- Download the Calico policy-only manifest for the Kubernetes API datastore.
  curl https://just-master--zealous-perlman-827aaa.netlify.com/v3.2/getting-started/kubernetes/installation/hosted/kubernetes-datastore/policy-only/1.7/calico.yaml -O
- If your cluster contains more than 50 nodes:
  - In the ConfigMap named calico-config, locate the typha_service_name, delete the none value, and replace it with calico-typha.
  - Modify the replica count in the Deployment named calico-typha to the desired number of replicas.
    apiVersion: apps/v1beta1
    kind: Deployment
    metadata:
      name: calico-typha
      ...
    spec:
      ...
      replicas: <number of replicas>
    We recommend at least one replica for every 200 nodes and no more than 20 replicas. In production, we recommend a minimum of three replicas to reduce the impact of rolling upgrades and failures.
    Tip: If you set typha_service_name without increasing the replica count from its default of 0, Felix will try to connect to Typha, find no Typha instances to connect to, and fail to start.
- Apply the manifest using the following command.
  kubectl apply -f calico.yaml
- If you wish to enforce application layer policies and secure workload-to-workload communications with mutual TLS authentication, continue to Enabling application layer policy (optional).
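The Typha step above, as an added example that is not part of the Calico docs: a POSIX shell script that derives the Typha replica count from the node count using the rule given above (one replica per 200 nodes, at least three in production, at most 20) and applies it with kubectl to a cluster where calico.yaml has already been applied with the defaults, scaling Typha up and checking for ready replicas before pointing Felix at it, so the replica-count-of-0 failure mode cannot occur. It assumes kubectl is configured against the cluster and that the Calico objects live in the kube-system namespace; the CALICO_NAMESPACE variable and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Calico docs. Sizes the Typha deployment from the
# node count and switches Felix over to Typha in a safe order on a cluster where
# calico.yaml was already applied with typha_service_name=none and replicas=0.
# Assumes kubectl is configured and the Calico objects are in kube-system.
set -eu

NAMESPACE="${CALICO_NAMESPACE:-kube-system}"

# Docs rule: one replica per 200 nodes, at least 3 in production, at most 20.
# Prints the replica count for the given node count.
typha_replicas() {
  nodes=$1
  replicas=$(( (nodes + 199) / 200 ))   # ceiling of nodes/200
  if [ "$replicas" -lt 3 ]; then replicas=3; fi
  if [ "$replicas" -gt 20 ]; then replicas=20; fi
  echo "$replicas"
}

# Typha is only recommended above the docs' 50-node threshold.
typha_needed() {
  [ "$1" -gt 50 ]
}

configure_typha() {
  nodes=$1
  if ! typha_needed "$nodes"; then
    echo "$nodes nodes: leaving typha_service_name at none"
    return 0
  fi
  replicas=$(typha_replicas "$nodes")

  # 1. Scale Typha first so Felix has something to connect to.
  kubectl -n "$NAMESPACE" scale deployment calico-typha --replicas="$replicas"
  kubectl -n "$NAMESPACE" rollout status deployment calico-typha --timeout=120s

  # 2. Guard against the failure mode in the docs: never point Felix at Typha
  #    while no Typha replica is ready, or calico-node will fail to start.
  ready=$(kubectl -n "$NAMESPACE" get deployment calico-typha \
            -o jsonpath='{.status.readyReplicas}')
  if [ "${ready:-0}" -lt 1 ]; then
    echo "refusing to set typha_service_name: no ready Typha replicas" >&2
    return 1
  fi

  # 3. Only now switch Felix to Typha. calico-node reads this value at start-up,
  #    so existing pods pick it up when they are next restarted.
  kubectl -n "$NAMESPACE" patch configmap calico-config --type merge \
    -p '{"data":{"typha_service_name":"calico-typha"}}'
}
```

Run it as `configure_typha <node count>` after sourcing the script; clusters at or below 50 nodes are left untouched.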