Configure the Calico CNI plugins

Configure the Calico CNI plugins - 图1note

The Calico CNI plugins do not need to be configured directly when installed by the operator. For a complete operator configuration reference, see the installation API reference documentation.

The Calico CNI plugin is configured through the standard CNI configuration mechanism

A minimal configuration file that uses Calico for networking and IPAM looks like this

  1. {
  2. "name": "any_name",
  3. "cniVersion": "0.1.0",
  4. "type": "calico",
  5. "ipam": {
  6. "type": "calico-ipam"
  7. }
  8. }

If the calico/node container on a node registered with a NODENAME other than the node hostname, the CNI plugin on this node must be configured with the same nodename:

  1. {
  2. "name": "any_name",
  3. "nodename": "<NODENAME>",
  4. "type": "calico",
  5. "ipam": {
  6. "type": "calico-ipam"
  7. }
  8. }

Additional configuration can be added as detailed below.

Generic

Datastore type

The following option allows configuration of the Calico datastore type.

  • datastore_type (default: etcdv3)

The Calico CNI plugin supports the following datastore types:

  • etcdv3 (default)
  • kubernetes

etcd location

The following options are valid when datastore_type is etcdv3.

Configure access to your etcd cluster using the following options.

Option nameDefaultDescription
etcd_endpointsNoneComma-separated list of endpoints. Example: http://127.0.0.1:2379,http://127.0.0.2:2379string
etcd_discovery_srvNoneDomain name to discover etcd endpoints via SRV records. Mutually exclusive with etcdEndpoints. Example: example.com (optional)string
etcd_key_fileNonePath to the file containing the private key matching the CNI plugin’s client certificate. Enables the CNI plugin to participate in mutual TLS authentication and identify itself to the etcd server. Example: /etc/calico-cni/key.pem (optional)string
etcd_cert_fileNonePath to the file containing the client certificate issued to the CNI plugin. Enables the CNI plugin to participate in mutual TLS authentication and identify itself to the etcd server. Example: /etc/calico-cni/cert.pem (optional)string
etcd_ca_cert_fileNonePath to the file containing the root certificate of the certificate authority (CA) that issued the etcd server certificate. Configures the CNI plugin to trust the CA that signed the root certificate. The file may contain multiple root certificates, causing the CNI plugin to trust each of the CAs included.string

The following options are deprecated.

  • etcd_authority (default is 127.0.0.1:2379)
    • If etcd_authority is set at the same time as etcd_endpoints then etcd_endpoints is used.
  • etcd_scheme (default is http)

Logging

Logging is always to stderr. Logs are also written to /var/log/calico/cni/cni.log on each host by default.

Logging can be configured using the following options in the netconf.

Option nameDefaultDescription
log_levelINFOLogging level. Allowed levels are ERROR, WARNING, INFO, and DEBUG.
log_file_path/var/log/calico/cni/cni.logLocation on each host to write CNI log files to. Logging to file can be disabled by removing this option.
log_file_max_size100Max file size in MB log files can reach before they are rotated.
log_file_max_age30Max age in days that old log files will be kept on the host before they are removed.
log_file_max_count10Max number of rotated log files allowed on the host before they are cleaned up.
  1. {
  2. "name": "any_name",
  3. "cniVersion": "0.1.0",
  4. "type": "calico",
  5. "log_level": "DEBUG",
  6. "log_file_path": "/var/log/calico/cni/cni.log",
  7. "ipam": {
  8. "type": "calico-ipam"
  9. }
  10. }

IPAM

When using Calico IPAM, the following flags determine what IP addresses should be assigned. NOTE: These flags are strings and not boolean values.

  • assign_ipv4 (default: "true")
  • assign_ipv6 (default: "false")

A specific IP address can be chosen by using CNI_ARGS and setting IP to the desired value.

By default, Calico IPAM will assign IP addresses from all the available IP pools.

Optionally, the list of possible IPv4 and IPv6 pools can also be specified via the following properties:

  • ipv4_pools: An array of CIDR strings or pool names. (e.g., "ipv4_pools": ["10.0.0.0/24", "20.0.0.0/16", "default-ipv4-ippool"])
  • ipv6_pools: An array of CIDR strings or pool names. (e.g., "ipv6_pools": ["2001:db8::1/120", "namedpool"])

Example CNI config:

  1. {
  2. "name": "any_name",
  3. "cniVersion": "0.1.0",
  4. "type": "calico",
  5. "ipam": {
  6. "type": "calico-ipam",
  7. "assign_ipv4": "true",
  8. "assign_ipv6": "true",
  9. "ipv4_pools": ["10.0.0.0/24", "20.0.0.0/16", "default-ipv4-ippool"],
  10. "ipv6_pools": ["2001:db8::1/120", "default-ipv6-ippool"]
  11. }
  12. }

Configure the Calico CNI plugins - 图2note

ipv6_pools will be respected only when assign_ipv6 is set to "true".

Any IP pools specified in the CNI config must have already been created. It is an error to specify IP pools in the config that do not exist.

Container settings

The following options allow configuration of settings within the container namespace.

  • allow_ip_forwarding (default is false)
  1. {
  2. "name": "any_name",
  3. "cniVersion": "0.1.0",
  4. "type": "calico",
  5. "ipam": {
  6. "type": "calico-ipam"
  7. },
  8. "container_settings": {
  9. "allow_ip_forwarding": true
  10. }
  11. }

Readiness Gates

The following option makes CNI plugin wait for specified endpoint(s) to be ready before configuring pod networking.

  • readiness_gates

This is an optional property that takes an array of URLs. Each URL specified will be polled for readiness and pod networking will continue startup once all readiness_gates are ready.

Example CNI config:

  1. {
  2. "name": "any_name",
  3. "cniVersion": "0.1.0",
  4. "type": "calico",
  5. "ipam": {
  6. "type": "calico-ipam"
  7. },
  8. "readiness_gates": ["http://localhost:9099/readiness", "http://localhost:8888/status"]
  9. }

Kubernetes specific

When using the Calico CNI plugin with Kubernetes, the plugin must be able to access the Kubernetes API server to find the labels assigned to the Kubernetes pods. The recommended way to configure access is through a kubeconfig file specified in the kubernetes section of the network config. e.g.

  1. {
  2. "name": "any_name",
  3. "cniVersion": "0.1.0",
  4. "type": "calico",
  5. "kubernetes": {
  6. "kubeconfig": "/path/to/kubeconfig"
  7. },
  8. "ipam": {
  9. "type": "calico-ipam"
  10. }
  11. }

As a convenience, the API location can also be configured directly, e.g.

  1. {
  2. "name": "any_name",
  3. "cniVersion": "0.1.0",
  4. "type": "calico",
  5. "kubernetes": {
  6. "k8s_api_root": "http://127.0.0.1:8080"
  7. },
  8. "ipam": {
  9. "type": "calico-ipam"
  10. }
  11. }

Enabling Kubernetes policy

If you wish to use the Kubernetes NetworkPolicy resource then you must set a policy type in the network config. There is a single supported policy type, k8s. When set, you must also run calico/kube-controllers with the policy, profile, and workloadendpoint controllers enabled.

  1. {
  2. "name": "any_name",
  3. "cniVersion": "0.1.0",
  4. "type": "calico",
  5. "policy": {
  6. "type": "k8s"
  7. },
  8. "kubernetes": {
  9. "kubeconfig": "/path/to/kubeconfig"
  10. },
  11. "ipam": {
  12. "type": "calico-ipam"
  13. }
  14. }

When using type: k8s, the Calico CNI plugin requires read-only Kubernetes API access to the Pods resource in all namespaces.

IPAM

Using host-local IPAM

Calico can be configured to use host-local IPAM instead of the default calico-ipam. Host local IPAM uses a pre-determined CIDR per-host, and stores allocations locally on each node. This is in contrast to Calico IPAM, which dynamically allocates blocks of addresses and single addresses alike in response to cluster needs.

Host local IPAM is generally only used on clusters where integration with the Kubernetes route controller is necessary. Note that some Calico features - such as the ability to request a specific address or pool for a pod - require Calico IPAM to function, and will not work with host-local IPAM enabled.

  • Operator
  • Manifest

The host-local IPAM plugin can be configured by setting the Spec.CNI.IPAM.Plugin field to HostLocal on the operator.tigera.io/Installation API.

Calico will use the host-local IPAM plugin to allocate IPv4 addresses from the node’s IPv4 pod CIDR if there is an IPv4 pool configured in Spec.IPPools, and an IPv6 address from the node’s IPv6 pod CIDR if there is an IPv6 pool configured in Spec.IPPools.

The following example configures Calico to assign dual-stack IPs to pods using the host-local IPAM plugin.

  1. kind: Installation
  2. apiVersion: operator.tigera.io/v1
  3. metadata:
  4. name: default
  5. spec:
  6. calicoNetwork:
  7. ipPools:
  8. - cidr: 192.168.0.0/16
  9. - cidr: 2001:db8::/64
  10. cni:
  11. type: Calico
  12. ipam:
  13. type: HostLocal

When using the CNI host-local IPAM plugin, two special values - usePodCidr and usePodCidrIPv6 - are allowed for the subnet field (either at the top-level, or in a “range”). This tells the plugin to determine the subnet to use from the Kubernetes API based on the Node.podCIDR field. Calico does not use the gateway field of a range so that field is not required and it will be ignored if present.

Configure the Calico CNI plugins - 图3note

usePodCidr and usePodCidrIPv6 can only be used as the value of the subnet field, it cannot be used in rangeStart or rangeEnd so those values are not useful if subnet is set to usePodCidr.

Calico supports the host-local IPAM plugin’s routes field as follows:

  • If there is no routes field, Calico will install a default 0.0.0.0/0, and/or ::/0 route into the pod (depending on whether the pod has an IPv4 and/or IPv6 address).
  • If there is a routes field then Calico will program only the routes in the routes field into the pod. Since Calico implements a point-to-point link into the pod, the gw field is not required and it will be ignored if present. All routes that Calico installs will have Calico’s link-local IP as the next hop.

Calico CNI plugin configuration:

  • node_name
    • The node name to use when looking up the CIDR value (defaults to current hostname)
  1. {
  2. "name": "any_name",
  3. "cniVersion": "0.1.0",
  4. "type": "calico",
  5. "kubernetes": {
  6. "kubeconfig": "/path/to/kubeconfig",
  7. "node_name": "node-name-in-k8s"
  8. },
  9. "ipam": {
  10. "type": "host-local",
  11. "ranges": [[{ "subnet": "usePodCidr" }], [{ "subnet": "usePodCidrIPv6" }]],
  12. "routes": [{ "dst": "0.0.0.0/0" }, { "dst": "2001:db8::/96" }]
  13. }
  14. }

When making use of the usePodCidr or usePodCidrIPv6 options, the Calico CNI plugin requires read-only Kubernetes API access to the Nodes resource.

Configuring node and typha

When using host-local IPAM with the Kubernetes API datastore, you must configure both calico/node and the Typha deployment to use the Node.podCIDR field by setting the environment variable USE_POD_CIDR=true in each.

Using Kubernetes annotations

Specifying IP pools on a per-namespace or per-pod basis

In addition to specifying IP pools in the CNI config as discussed above, Calico IPAM supports specifying IP pools per-namespace or per-pod using the following Kubernetes annotations.

  • cni.projectcalico.org/ipv4pools: A list of configured IPv4 Pools from which to choose an address for the pod.

    Example:

    1. annotations:
    2. 'cni.projectcalico.org/ipv4pools': '["default-ipv4-ippool"]'
  • cni.projectcalico.org/ipv6pools: A list of configured IPv6 Pools from which to choose an address for the pod.

    Example:

    1. annotations:
    2. 'cni.projectcalico.org/ipv6pools': '["2001:db8::1/120"]'

If provided, these IP pools will override any IP pools specified in the CNI config.

Configure the Calico CNI plugins - 图4note

This requires the IP pools to exist before ipv4pools or ipv6pools annotations are used. Requesting a subset of an IP pool is not supported. IP pools requested in the annotations must exactly match a configured IPPool resource.

Configure the Calico CNI plugins - 图5note

The Calico CNI plugin supports specifying an annotation per namespace. If both the namespace and the pod have this annotation, the pod information will be used. Otherwise, if only the namespace has the annotation the annotation of the namespace will be used for each pod in it.

Requesting a specific IP address

You can also request a specific IP address through Kubernetes annotations with Calico IPAM. There are two annotations to request a specific IP address:

  • cni.projectcalico.org/ipAddrs: A list of IPv4 and/or IPv6 addresses to assign to the Pod. The requested IP addresses will be assigned from Calico IPAM and must exist within a configured IP pool.

    Example:

    1. annotations:
    2. 'cni.projectcalico.org/ipAddrs': '["192.168.0.1"]'
  • cni.projectcalico.org/ipAddrsNoIpam: A list of IPv4 and/or IPv6 addresses to assign to the Pod, bypassing IPAM. Any IP conflicts and routing have to be taken care of manually or by some other system. Calico will only distribute routes to a Pod if its IP address falls within a Calico IP pool using BGP mode. Calico will not distribute ipAddrsNoIpam routes when operating in VXLAN mode. If you assign an IP address that is not in a Calico IP pool or if its IP address falls within a Calico IP pool that uses VXLAN encapsulation, you must ensure that routing to that IP address is taken care of through another mechanism.

    Example:

    1. annotations:
    2. 'cni.projectcalico.org/ipAddrsNoIpam': '["10.0.0.1"]'

    The ipAddrsNoIpam feature is disabled by default. It can be enabled in the feature_control section of the CNI network config:

    1. {
    2. "name": "any_name",
    3. "cniVersion": "0.1.0",
    4. "type": "calico",
    5. "ipam": {
    6. "type": "calico-ipam"
    7. },
    8. "feature_control": {
    9. "ip_addrs_no_ipam": true
    10. }
    11. }

    Configure the Calico CNI plugins - 图6caution

    This feature allows for the bypassing of network policy via IP spoofing. Users should make sure the proper admission control is in place to prevent users from selecting arbitrary IP addresses.

Configure the Calico CNI plugins - 图7note

  • The ipAddrs and ipAddrsNoIpam annotations can’t be used together.
  • You can only specify one IPv4/IPv6 or one IPv4 and one IPv6 address with these annotations.
  • When ipAddrs or ipAddrsNoIpam is used with ipv4pools or ipv6pools, ipAddrs / ipAddrsNoIpam take priority.

Requesting a floating IP

You can request a floating IP address for a pod through Kubernetes annotations with Calico.

Configure the Calico CNI plugins - 图8note

The specified address must belong to an IP Pool for advertisement to work properly.

  • cni.projectcalico.org/floatingIPs: A list of floating IPs which will be assigned to the pod’s workload endpoint.

    Example:

    1. annotations:
    2. 'cni.projectcalico.org/floatingIPs': '["10.0.0.1"]'

    The floatingIPs feature is disabled by default. It can be enabled in the feature_control section of the CNI network config:

    1. {
    2. "name": "any_name",
    3. "cniVersion": "0.1.0",
    4. "type": "calico",
    5. "ipam": {
    6. "type": "calico-ipam"
    7. },
    8. "feature_control": {
    9. "floating_ips": true
    10. }
    11. }

    Configure the Calico CNI plugins - 图9caution

    This feature can allow pods to receive traffic which may not have been intended for that pod. Users should make sure the proper admission control is in place to prevent users from selecting arbitrary floating IP addresses.

Using IP pools node selectors

Nodes will only assign workload addresses from IP pools which select them. By default, IP pools select all nodes, but this can be configured using the nodeSelector field. Check out the IP pool resource document

for more details.

Example:

  1. Create (or update) an IP pool that only allocates IPs for nodes where it contains a label rack=0.

    1. calicoctl create -f -<<EOF
    2. apiVersion: projectcalico.org/v3
    3. kind: IPPool
    4. metadata:
    5. name: rack-0-ippool
    6. spec:
    7. cidr: 192.168.0.0/24
    8. ipipMode: Always
    9. natOutgoing: true
    10. nodeSelector: rack == "0"
    11. EOF
  2. Label a node with rack=0.

    1. kubectl label nodes kube-node-0 rack=0

Check out the usage guide on assign IP addresses based on topology

for a full example.

CNI network configuration lists

The CNI 0.3.0 spec supports “chaining” multiple CNI plugins together. Calico supports the following Kubernetes CNI plugins, which are enabled by default. Although chaining other CNI plugins may work, we support only the following tested CNI plugins.

Port mapping plugin

Calico is required to implement Kubernetes host port functionality and is enabled by default.

Configure the Calico CNI plugins - 图10note

Be aware of the following portmap plugin CNI issue where draining nodes may take a long time with a cluster of 100+ nodes and 4000+ services.

To disable it, remove the portmap section from the CNI network configuration in the Calico manifests.

  1. {
  2. "type": "portmap",
  3. "snat": true,
  4. "capabilities": { "portMappings": true }
  5. }

Traffic shaping plugin

The traffic shaping Kubernetes CNI plugin supports pod ingress and egress traffic shaping. This bandwidth management technique delays the flow of certain types of network packets to ensure network performance for higher priority applications. It is enabled by default.

You can add the kubernetes.io/ingress-bandwidth and kubernetes.io/egress-bandwidth annotations to your pod. For example, the following sets a 1 megabit-per-second connection for ingress and egress traffic.

  1. apiVersion: v1
  2. kind: Pod
  3. metadata:
  4. annotations:
  5. kubernetes.io/ingress-bandwidth: 1M
  6. kubernetes.io/egress-bandwidth: 1M
  7. ...

To disable it, remove the bandwidth section from the CNI network configuration in the Calico manifests.

  1. {
  2. "type": "bandwidth",
  3. "capabilities": { "bandwidth": true }
  4. }

Order of precedence

If more than one of these methods are used for IP address assignment, they will take on the following precedence, 1 being the highest:

  1. Kubernetes annotations
  2. CNI configuration
  3. IP pool node selectors

Configure the Calico CNI plugins - 图11note

Calico IPAM will not reassign IP addresses to workloads that are already running. To update running workloads with IP addresses from a newly configured IP pool, they must be recreated. We recommend doing this before going into production or during a maintenance window.

Specify num_queues for veth interfaces

num_rx_queues and num_tx_queues can be set using the num_queues option in the CNI configuration. Default: 1

For example:

  1. {
  2. "num_queues": 3
  3. }