Microsoft Azure Kubernetes Service (AKS)
Big picture
Enable Calico in AKS managed Kubernetes service.
Value
AKS has built-in support for Calico, providing a robust implementation of the full Kubernetes Network Policy API. AKS users who want to go beyond Kubernetes network policy capabilities (cluster-wide policies, policy ordering, explicit deny and log actions, host endpoint protection) can make full use of the Calico Network Policy API.
You can also use Calico for networking on AKS in place of the default Azure VPC networking. This gives you the full set of Calico networking features, subject to the limitations listed below.
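One concrete thing the Calico API adds over the Kubernetes NetworkPolicy API is a single cluster-wide default-deny policy with an ordering value and an explicit carve-out for DNS. The policy below is an added example, not part of the Calico or AKS documentation; it assumes CoreDNS in kube-system carries the label k8s-app=kube-dns (as it does on AKS) and that the Calico API server is installed (it is, in the Installation manifest later on this page), so it can be applied with kubectl; otherwise apply it with calicoctl.

```yaml
# Added example: cluster-wide default deny for all namespaces except the
# system ones, with DNS egress to CoreDNS allowed so pods can still resolve
# names. Everything else must be explicitly allowed by a lower-order
# GlobalNetworkPolicy or by a namespaced NetworkPolicy.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  # High order value: evaluated after every policy with a lower order,
  # so application policies (default order 1000 for K8s NetworkPolicy
  # is lower than this) take precedence.
  order: 2000
  # Apply to every namespaced workload except the cluster components.
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "tigera-operator"}
  types:
  - Ingress
  - Egress
  # No ingress rules: all ingress to selected pods is denied.
  egress:
  # Allow DNS queries to CoreDNS (label assumed: k8s-app=kube-dns).
  - action: Allow
    protocol: UDP
    destination:
      namespaceSelector: projectcalico.org/name == "kube-system"
      selector: k8s-app == "kube-dns"
      ports:
      - 53
  - action: Allow
    protocol: TCP
    destination:
      namespaceSelector: projectcalico.org/name == "kube-system"
      selector: k8s-app == "kube-dns"
      ports:
      - 53
  # Anything not matched above is dropped; log it first for visibility.
  - action: Log
  - action: Deny
```

Apply it with kubectl apply -f after Calico is running, then verify that a pod in an ordinary namespace can still resolve names but cannot reach another pod until a policy allows it. A Kubernetes NetworkPolicy cannot express the global scope, the ordering, or the Log action.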
How to
Install AKS with Calico for network policy
The geeky details of what you get:

Policy | IPAM | CNI | Overlay | Routing | Datastore
---|---|---|---|---|---
Calico | Azure | Azure | No | VPC Native | Kubernetes
To enable Calico network policy enforcement on a cluster that keeps Azure networking, follow the Azure step-by-step instructions: Create an AKS cluster and enable network policy. Calico is selected with the --network-policy calico option of az aks create; AKS installs and manages the Calico policy components for you.
Install AKS with Calico networking
Limitations
- Windows dataplane is not supported.
- eBPF dataplane is not supported.
- VPP dataplane is not supported.
The geeky details of what you get:

Policy | IPAM | CNI | Overlay | Routing | Datastore
---|---|---|---|---|---
Calico | Calico | Calico | VXLAN | Calico | Kubernetes
Create an Azure AKS cluster with no Kubernetes CNI pre-installed (the --network-plugin none option). Until a CNI is installed the nodes stay NotReady and no pods can be scheduled, so complete the Calico installation below before deploying workloads. Please refer to Bring your own CNI with AKS for details.
Create a resource group:
az group create --name my-calico-rg --location westcentralus
Create the cluster with no CNI, passing the pod CIDR that the Calico IP pool will use:
az aks create --resource-group my-calico-rg --name my-calico-cluster --location westcentralus --pod-cidr 192.168.0.0/16 --network-plugin none
Get credentials to allow you to access the cluster with kubectl:
az aks get-credentials --resource-group my-calico-rg --name my-calico-cluster
Now that you have a cluster configured, you can install Calico.
Install the operator.
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.25.0/manifests/tigera-operator.yaml
Configure the Calico installation. The ipPools cidr must lie within the --pod-cidr given to az aks create above.
kubectl create -f - <<EOF
kind: Installation
apiVersion: operator.tigera.io/v1
metadata:
  name: default
spec:
  kubernetesProvider: AKS
  cni:
    type: Calico
  calicoNetwork:
    bgp: Disabled
    ipPools:
    - cidr: 192.168.0.0/16
      encapsulation: VXLAN
---
apiVersion: operator.tigera.io/v1
kind: APIServer
metadata:
  name: default
spec: {}
EOF
Confirm that all of the pods are running with the following command.
watch kubectl get pods -n calico-system
Wait until each pod has the STATUS of Running.
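Watching the pod list by eye does not confirm that Calico is actually handing out addresses from the pool you configured, and a pool that does not match the cluster's --pod-cidr is the most common way this procedure goes wrong. The script below is an added example, not part of the Calico or AKS documentation: it checks that every calico-system pod is Running and fully Ready, then checks that every non-hostNetwork pod IP in the cluster falls inside POD_CIDR. It assumes kubectl is already pointed at the cluster by az aks get-credentials, and the file name calico-aks-check.sh and the --live flag are this example's own conventions.

```shell
#!/bin/sh
# Post-install sanity check for the Calico-on-AKS cluster built above.
# Added example, not part of the Calico or AKS documentation. Assumes kubectl
# already points at the cluster and that POD_CIDR is the value passed to
# `az aks create --pod-cidr`, which must contain the ipPools cidr in the
# Installation resource (192.168.0.0/16 on this page).
set -eu

POD_CIDR="${POD_CIDR:-192.168.0.0/16}"

# ip_to_int 192.168.1.2 -> 3232235778 (dotted quad to 32-bit integer)
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains CIDR IP: succeeds only if IP lies inside CIDR
cidr_contains() {
  local net="${1%/*}" bits="${1#*/}" ip="$2" mask
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$ip") & mask )) ]
}

# all_running reads `kubectl get pods --no-headers` lines on stdin
# (NAME READY STATUS RESTARTS AGE) and succeeds only if every pod is
# Running and its READY column is n/n. A "Running" pod whose sidecar
# never became ready still fails here, unlike a glance at `watch`.
all_running() {
  local name ready status rest total=0
  while read -r name ready status rest; do
    [ -n "$name" ] || continue
    total=$((total + 1))
    [ "$status" = "Running" ] || return 1
    [ "${ready%/*}" = "${ready#*/}" ] || return 1
  done
  [ "$total" -gt 0 ]
}

# pods_in_cidr reads lines of NAMESPACE NAME IP HOSTNETWORK on stdin and
# fails on the first pod whose IP is outside POD_CIDR. hostNetwork pods
# (calico-node, the operator) carry the node IP and are skipped.
pods_in_cidr() {
  local ns name ip host
  while read -r ns name ip host; do
    [ -n "$ns" ] || continue
    [ "$host" = "true" ] && continue
    [ "$ip" = "<none>" ] && continue
    if ! cidr_contains "$POD_CIDR" "$ip"; then
      echo "pod $ns/$name has IP $ip outside $POD_CIDR" >&2
      return 1
    fi
  done
  return 0
}

main() {
  if ! kubectl get pods -n calico-system --no-headers | all_running; then
    echo "calico-system pods are not all Running and Ready" >&2
    exit 1
  fi
  kubectl get pods -A --no-headers \
    -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,IP:.status.podIP,HOST:.spec.hostNetwork \
    | pods_in_cidr
  echo "Calico looks healthy and all pod IPs lie inside $POD_CIDR"
}

# The live checks run only with --live, so the functions can be sourced.
if [ "${1:-}" = "--live" ]; then
  main
fi
```

Run it as sh calico-aks-check.sh --live once the watch above shows the pods coming up; a non-zero exit with a message about an IP outside the CIDR means the Installation ipPools cidr and the --pod-cidr passed to az aks create disagree, and the cluster should be fixed before any workload is deployed.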
Next steps
Recommended