Install Calico for policy and flannel (aka Canal) for networking
Before you begin
note
Calico includes native VXLAN capabilities without the need for flannel. If you’re planning on using flannel for VXLAN, we recommend instead installing Calico using IP-in-IP or VXLAN mode. See how to determine the best networking option for your cluster. If you’re already using flannel for networking, you can migrate your existing clusters to Calico networking.
Ensure that you have a Kubernetes cluster that meets the Calico system requirements. If you don’t, follow the steps in Installing kubeadm.
Installing Calico for policy and flannel (aka Canal) for networking
Selecting a datastore type
The procedure differs according to your datastore type. Refer to the section that matches your type.
Kubernetes API datastore (recommended)
Installing with the Kubernetes API datastore (recommended)
Ensure that the Kubernetes controller manager has the following flags set: --cluster-cidr=<your-pod-cidr> and --allocate-node-cidrs=true.
tip
On kubeadm, you can pass --pod-network-cidr=<your-pod-cidr> to kubeadm to set both Kubernetes controller flags.
Download the flannel networking manifest for the Kubernetes API datastore.
curl https://raw.githubusercontent.com/projectcalico/calico/v3.24.5/manifests/canal.yaml -O
If you are using pod CIDR 10.244.0.0/16, skip to the next step. If you are using a different pod CIDR with kubeadm, no changes are required - Calico will automatically detect the CIDR based on the running configuration. For other platforms, make sure you uncomment the CALICO_IPV4POOL_CIDR variable in the manifest and set it to the same value as your chosen pod CIDR.
Issue the following command to install Calico.
kubectl apply -f canal.yaml
If you wish to enforce application layer policies and secure workload-to-workload communications with mutual TLS authentication, continue to Enable application layer policy (optional).
The geeky details of what you get:
Policy | IPAM | CNI | Overlay | Routing | Datastore |
---|---|---|---|---|---|
Installing with the etcd datastore
We strongly recommend using the Kubernetes API datastore, but if you prefer to use etcd, complete the following steps.
Download the Calico networking manifest.
curl https://raw.githubusercontent.com/projectcalico/calico/v3.24.5/manifests/canal-etcd.yaml -O
If you are using pod CIDR 10.244.0.0/16, skip to the next step. If you are using a different pod CIDR with kubeadm, no changes are required - Calico will automatically detect the CIDR based on the running configuration. For other platforms, make sure you uncomment the CALICO_IPV4POOL_CIDR variable in the manifest and set it to the same value as your chosen pod CIDR.
In the ConfigMap named calico-config, set the value of etcd_endpoints to the IP address and port of your etcd server.
tip
You can specify more than one using commas as delimiters.
Apply the manifest using the following command.
kubectl apply -f canal-etcd.yaml
If you wish to enforce application layer policies and secure workload-to-workload communications with mutual TLS authentication, continue to Enable application layer policy (optional).
The geeky details of what you get:
Policy | IPAM | CNI | Overlay | Routing | Datastore |
---|---|---|---|---|---|
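The pod CIDR step in both procedures above (Kubernetes API datastore and etcd) can be checked before running kubectl apply. The script below is an added example, not part of the Calico documentation or project; the function names, the PLATFORM argument and the env-entry layout of the constructed sample fragments are assumptions.

```shell
# Added example: check CALICO_IPV4POOL_CIDR in a downloaded manifest before
# running kubectl apply. The env-entry layout matched here is an assumption.

# pool_cidr_status MANIFEST POD_CIDR  ("-" reads the manifest from stdin)
# Prints: match | mismatch:<cidr> | commented | absent
pool_cidr_status() {
  awk -v want="$2" '
    # Record whether the name line is active or commented out.
    /name:[ \t]*CALICO_IPV4POOL_CIDR/ {
      seen = 1; active = ($0 !~ /^[ \t]*#/); next
    }
    # The first value line after it carries the CIDR.
    seen && !got && /value:/ {
      got = 1; v = $0
      sub(/^.*value:[ \t]*/, "", v); gsub(/[" \t\r]/, "", v)
    }
    END {
      if (!seen || !got)  print "absent"
      else if (!active)   print "commented"
      else if (v == want) print "match"
      else                print "mismatch:" v
    }' "$1"
}

# canal_cidr_ok MANIFEST POD_CIDR [PLATFORM]  (PLATFORM is a hypothetical label)
# Exit status 0 when the manifest can be applied unchanged under the rules above.
canal_cidr_ok() {
  status=$(pool_cidr_status "$1" "$2")
  case "$status" in
    match) return 0 ;;
    commented)
      # Default pod CIDR, or kubeadm, where Calico detects the CIDR itself.
      [ "$2" = "10.244.0.0/16" ] || [ "${3:-other}" = "kubeadm" ] ;;
    *) echo "CALICO_IPV4POOL_CIDR: $status (pod CIDR $2)" >&2; return 1 ;;
  esac
}

# Constructed fragments, not copied from canal.yaml.
commented_sample() {
  printf '%s\n' '            # - name: CALICO_IPV4POOL_CIDR' \
                '            #   value: "192.168.0.0/16"'
}
active_sample() {
  printf '%s\n' '            - name: CALICO_IPV4POOL_CIDR' \
                '              value: "10.10.0.0/16"'
}

commented_sample | pool_cidr_status - 10.10.0.0/16
active_sample | pool_cidr_status - 10.10.0.0/16
```

Against a downloaded file, pass its path instead of "-", for example canal_cidr_ok canal.yaml <your-pod-cidr> kubeadm, and apply the manifest only when the exit status is 0.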