Kubernetes – Calico Documentation – Tigera

Node Requirements

  • x86-64, arm64, ppc64le, or s390x processor

  • Calico must be able to manage cali* interfaces on the host. When IPIP is enabled (the default), Calico also needs to be able to manage tunl* interfaces. When VXLAN is enabled, Calico also needs to be able to manage the vxlan.calico interface.

  • Linux kernel 3.10 or later with required dependencies. The following distributions have the required kernel, its dependencies, and are known to work well with Calico and Kubernetes.

    • RedHat Linux 7
    • CentOS 7
    • CoreOS Container Linux stable
    • Ubuntu 16.04
    • Debian 8

  • If your Linux distribution comes with Firewalld installed or another iptables manager, it should be disabled. These can interfere with the rules added by Calico and cause unexpected behavior.

Key/value store

Calico requires an accessible key/value store for all Calico components. In Kubernetes, you can configure Calico to directly access an etcdv3 cluster or to use the Kubernetes API data store.

Network requirements

Ensure that your hosts and firewalls allow the necessary traffic based on your configuration.

  Configuration                                      Host(s)              Connection type   Port/Protocol
  Calico networking (BGP)                            All                  Bidirectional     TCP 179
  Calico networking with IP-in-IP enabled (default)  All                  Bidirectional     IP-in-IP, often represented by its protocol number 4
  Calico networking with VXLAN enabled               All                  Bidirectional     UDP 4789
  Calico networking with Typha enabled               Typha agent hosts    Incoming          TCP 5473 (default)
  Calico networking with WireGuard IPv4 enabled      All                  Bidirectional     UDP 51820 (default)
  Calico networking with WireGuard IPv6 enabled      All                  Bidirectional     UDP 51821 (default)
  flannel networking (VXLAN)                         All                  Bidirectional     UDP 4789
  All                                                kube-apiserver host  Incoming          Often TCP 443 or 6443*
  etcd datastore                                     etcd hosts           Incoming          Officially TCP 2379 but may vary

* The value passed to kube-apiserver using the --secure-port flag. If you can’t find this, check the targetPort value returned by kubectl get svc kubernetes -o yaml.
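The following is an added example, not part of the Calico documentation: it turns the table above into host firewall allow-rules for a chosen set of features, and reads the API server port the footnote refers to out of the "kubernetes" Service YAML. The feature names (bgp, ipip, typha, ...) and the iptables form of the rules are this example's own choices; the port numbers and protocols are those in the table, and the Service YAML at the bottom is a constructed sample.

```shell
#!/usr/bin/env bash
# Added example, not from the Calico documentation: derive host firewall allow-rules
# from the network requirements table and read the API server port from the
# "kubernetes" Service. Feature names and the iptables rule form are this example's
# own; ports/protocols come from the table.

# Print one iptables rule per enabled feature. "Bidirectional" rows only need an
# INPUT rule on each node, because every node applies the same rule set and
# outbound traffic is normally permitted.
calico_allow_rules() {
  local f
  for f in "$@"; do
    case "$f" in
      bgp)        echo "iptables -A INPUT -p tcp --dport 179 -j ACCEPT" ;;
      # IP-in-IP is an IP protocol (number 4), so it is matched with -p, not a port.
      ipip)       echo "iptables -A INPUT -p 4 -j ACCEPT" ;;
      vxlan)      echo "iptables -A INPUT -p udp --dport 4789 -j ACCEPT" ;;
      # Only Typha hosts need this; other nodes connect out to them.
      typha)      echo "iptables -A INPUT -p tcp --dport 5473 -j ACCEPT" ;;
      wireguard)  echo "iptables -A INPUT -p udp --dport 51820 -j ACCEPT" ;;
      wireguard6) echo "ip6tables -A INPUT -p udp --dport 51821 -j ACCEPT" ;;
      # Only the kube-apiserver host needs this; APISERVER_PORT defaults to 6443.
      apiserver)  echo "iptables -A INPUT -p tcp --dport ${APISERVER_PORT:-6443} -j ACCEPT" ;;
      # Only etcd hosts need this; 2379 is the official port but may vary.
      etcd)       echo "iptables -A INPUT -p tcp --dport 2379 -j ACCEPT" ;;
      *)          echo "unknown feature: $f" >&2; return 1 ;;
    esac
  done
}

# Extract targetPort from the YAML of the "kubernetes" Service, i.e. the port the
# API server really listens on (its --secure-port). Pass the output of
#   kubectl get svc kubernetes -o yaml
# as the single argument.
apiserver_target_port() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*targetPort:[[:space:]]*//p' | head -n 1
}

# Constructed sample of that Service, trimmed to the fields that matter here.
sample_kubernetes_svc_yaml() {
  cat <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: kubernetes
  namespace: default
spec:
  clusterIP: 10.96.0.1
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: 6443
  type: ClusterIP
EOF
}

# Usage: rules for a default cluster (BGP + IP-in-IP) on the API server host, with
# the API server port taken from the sample YAML.
APISERVER_PORT="$(apiserver_target_port "$(sample_kubernetes_svc_yaml)")"
calico_allow_rules bgp ipip apiserver
```

On a real node, replace sample_kubernetes_svc_yaml with the live kubectl output and pipe the printed rules to a shell only after reviewing them against the node's role (Typha, etcd and API server rules belong on those hosts only).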

Privileges

Make sure Calico has the privilege CAP_SYS_ADMIN.

The easiest way to provide the necessary privilege is to run Calico as root or in a privileged container.

When installed as a Kubernetes daemon set, Calico fulfills this requirement by running as a privileged container. This requires that the kubelet be allowed to run privileged containers. There are two ways to achieve this.

  • Specify --allow-privileged in the kubelet (deprecated).
  • Use a pod security policy.
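The following is an added example, not part of the Calico documentation, of the second option: a PodSecurityPolicy that permits privileged pods, with the RBAC "use" grant scoped to the calico-node service account in kube-system rather than to every workload in the cluster. The policy and role names are this example's own; the calico-node service account in kube-system is where Calico's daemon set normally runs, which is an assumption about your install. PodSecurityPolicy was removed in Kubernetes v1.25, so this applies to the v1.23 and v1.24 end of the tested range.

```shell
#!/usr/bin/env bash
# Added example, not from the Calico documentation: a PodSecurityPolicy that lets
# only the calico-node service account run privileged pods. Names are this
# example's own; "calico-node" in "kube-system" is an assumption about the install.
# PodSecurityPolicy was removed in Kubernetes v1.25.

calico_psp_manifest() {
  cat <<'EOF'
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: calico-node-privileged
spec:
  privileged: true                 # Calico runs as a privileged container
  allowPrivilegeEscalation: true
  allowedCapabilities: ["*"]       # a privileged container gets all caps, CAP_SYS_ADMIN included
  hostNetwork: true                # calico-node manages interfaces on the host
  hostPID: false
  hostIPC: false
  volumes: ["*"]
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# Grant "use" on that one policy, by name, to the calico-node service account only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: calico-node-privileged-psp
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["calico-node-privileged"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: calico-node-privileged-psp
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-node-privileged-psp
subjects:
- kind: ServiceAccount
  name: calico-node
  namespace: kube-system
EOF
}

# A "use" rule without resourceNames would grant every PodSecurityPolicy, so
# check that the grant names the single policy before applying the manifest.
psp_grant_is_scoped() {
  printf '%s\n' "$1" | grep -q 'resourceNames: \["calico-node-privileged"\]'
}

# Usage: verify the scoping, then apply (the kubectl line is left commented out).
psp_grant_is_scoped "$(calico_psp_manifest)" && echo "grant is scoped to calico-node-privileged"
# calico_psp_manifest | kubectl apply -f -
```

The RoleBinding, rather than a ClusterRoleBinding, keeps the grant inside kube-system; a pod in any other namespace that requests privileged mode is still rejected by the admission controller.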

Kubernetes Requirements

Supported versions

We tested Calico v3.25 with the following Kubernetes versions:

  • v1.23
  • v1.24
  • v1.25
  • v1.26

Due to Kubernetes API changes, Calico v3.25 will not work on Kubernetes v1.15 or earlier. v1.16-v1.18 may work, but are no longer tested.

Newer versions can also work, but we recommend upgrading to a version of Calico that is tested with the latest version of Kubernetes.

CNI plug-in enabled

Calico is installed as a CNI plug-in. The kubelet must be configured to use CNI networks by passing the argument --network-plugin=cni. (In kubeadm, this is the default.)

Other network providers

Calico must be the only network provider in each cluster. We do not currently support migrating a cluster with another network provider to use Calico networks.

Supported kube-proxy modes

Calico supports the following kube-proxy modes:

  • iptables (default)
  • ipvs: requires Kubernetes >= v1.9.3. See Using IPVS kube-proxy for details.

IP address pool configuration

The IP address range selected for pod IP addresses cannot overlap with any other IP range on the network, including:

  • The IP range of the Kubernetes services cluster
  • The range from which host IP addresses are assigned
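The following is an added example, not part of the Calico documentation, that checks a candidate pod pool against the service range and the host range for overlap using only shell arithmetic (IPv4 only). The CIDRs at the bottom are constructed sample values; the kubeadm-style defaults and the 10.0.0.0/8 host network are this example's assumptions, not values from the page.

```shell
#!/usr/bin/env bash
# Added example, not from the Calico documentation: verify that a pod IP pool does
# not overlap the service CIDR or the host network. IPv4 only; the sample CIDRs at
# the bottom are constructed.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length, as a 32-bit integer.
prefix2mask() {
  local bits=$1
  if [ "$bits" -eq 0 ]; then echo 0; else echo $(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF )); fi
}

# Two CIDRs overlap exactly when, masked to the shorter of the two prefixes, their
# network addresses are equal: the larger block then contains the smaller one.
cidrs_overlap() {
  local a=$1 b=$2
  local abits=${a#*/} bbits=${b#*/}
  local min=$(( abits < bbits ? abits : bbits ))
  local mask; mask=$(prefix2mask "$min")
  [ $(( $(ip2int "${a%/*}") & mask )) -eq $(( $(ip2int "${b%/*}") & mask )) ]
}

# Report every range that collides with the proposed pod pool. Prints each
# offending range and returns 1 if any overlap was found, 0 otherwise.
check_pod_pool() {
  local pool=$1; shift
  local r rc=0
  for r in "$@"; do
    if cidrs_overlap "$pool" "$r"; then
      echo "pod pool $pool overlaps $r"
      rc=1
    fi
  done
  return $rc
}

# Usage with constructed values: kubeadm-style defaults first, then a host network
# of 10.0.0.0/8 that swallows the same pool.
SERVICE_CIDR="10.96.0.0/12"
HOST_CIDR="192.168.10.0/24"
check_pod_pool 10.244.0.0/16 "$SERVICE_CIDR" "$HOST_CIDR" && echo "10.244.0.0/16 is usable"
check_pod_pool 10.244.0.0/16 "$SERVICE_CIDR" 10.0.0.0/8 || echo "choose a different pool"
```

Run the check with the actual --service-cluster-ip-range of your API server and every subnet your nodes sit on; an overlap that goes unnoticed here shows up later as pods that cannot reach services or hosts whose addresses collide with the pool.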

Application layer policy requirements

  • MutatingAdmissionWebhook enabled
  • Istio v1.9 or v1.10

Note that Kubernetes version 1.16+ requires Istio version 1.2 or higher; Istio version 1.9 requires Kubernetes version 1.17-1.20; and Istio version 1.10 supports Kubernetes version 1.18-1.21, but has been tested on Kubernetes version 1.22.

Kernel dependencies

Due to the large number of distributions and kernel versions that exist, it is difficult to be precise about the names of the particular kernel modules that are required to run Calico. However, in general, you will need:

  • The iptables modules (“legacy” and “nft” variants are supported). They are usually divided into many small modules, one for each type of matching criterion and one for each type of action. Calico requires:

    • The “base” modules (including IPv6 versions if IPv6 is enabled on your cluster).
    • At least the following matching criteria: set, rpfilter, addrtype, comment, conntrack, icmp, tcp, udp, icmpv6 (if IPv6 is enabled in your kernel), mark, multiport, sctp, ipvs (if you use kube-proxy in IPVS mode).
    • At least the following actions: REJECT, ACCEPT, DELETE, REGISTER.

  • Support for IP sets.

  • Support for Netfilter Conntrack compiled in (with SCTP support if SCTP is used).

  • IPVS support if using kube-proxy in IPVS mode.

  • Support for IPIP, VXLAN, or WireGuard, if you use Calico networking in one of those modes.

  • eBPF (including tc link support) and XDP (if you want to use the eBPF data plane).
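The following is an added example, not part of the Calico documentation: a node preflight script that checks the kernel version floor and the conflicting-firewall-manager rule from Node Requirements above, and then the module families listed under kernel dependencies. Because the page itself says module names vary by distribution, the concrete names used here (xt_set, ipt_rpfilter, ip_vs, ...) are this example's own mapping for mainstream distributions, and the feature switches (ipv6, ipvs, ipip, vxlan, wireguard, ebpf) are its own invention.

```shell
#!/usr/bin/env bash
# Added example, not from the Calico documentation: node preflight for the kernel
# version, conflicting firewall managers, and the kernel modules Calico needs.
# Module names are this example's mapping for mainstream distributions; the
# documentation notes that exact names vary.

# Return 0 if a "uname -r" style string is at least the required major.minor.
kernel_at_least() {
  local req=$1 have=${2%%-*}                      # drop the "-build.arch" suffix
  case "$have" in *.*) ;; *) have="$have.0" ;; esac  # bare "4" means 4.0
  local rmaj=${req%%.*} rmin=${req#*.}; rmin=${rmin%%.*}
  local hmaj=${have%%.*} hmin=${have#*.}; hmin=${hmin%%.*}
  [ "$hmaj" -gt "$rmaj" ] || { [ "$hmaj" -eq "$rmaj" ] && [ "$hmin" -ge "$rmin" ]; }
}

# Module names for a feature set. Arguments: any of ipv6 ipvs ipip vxlan wireguard ebpf.
calico_required_modules() {
  # base iptables match/target modules, IP sets and conntrack are always needed
  local mods="ip_tables xt_set ipt_rpfilter xt_addrtype xt_comment xt_conntrack"
  mods="$mods xt_mark xt_multiport xt_sctp ipt_REJECT ip_set nf_conntrack"
  local f
  for f in "$@"; do
    case "$f" in
      ipv6)      mods="$mods ip6_tables ip6t_REJECT" ;;
      ipvs)      mods="$mods ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh xt_ipvs" ;;
      ipip)      mods="$mods ipip" ;;
      vxlan)     mods="$mods vxlan" ;;
      wireguard) mods="$mods wireguard" ;;
      ebpf)      mods="$mods cls_bpf sch_ingress" ;;   # tc classifier + ingress qdisc
      *)         echo "unknown feature: $f" >&2; return 1 ;;
    esac
  done
  echo "$mods"
}

# A module is usable if it is loadable (modinfo finds it) or already built in or
# loaded (present under /sys/module).
module_available() {
  modinfo -n "$1" >/dev/null 2>&1 || [ -d "/sys/module/$1" ]
}

# Services that rewrite iptables rules and must be disabled per Node Requirements.
conflicting_firewall_managers() {
  local s found=""
  for s in firewalld ufw; do
    systemctl is-active --quiet "$s" 2>/dev/null && found="$found $s"
  done
  echo "${found# }"
}

preflight() {
  local rc=0 m fw
  if kernel_at_least 3.10 "$(uname -r)"; then
    echo "ok   kernel $(uname -r)"
  else
    echo "FAIL kernel $(uname -r) is older than 3.10"; rc=1
  fi
  fw=$(conflicting_firewall_managers)
  [ -z "$fw" ] && echo "ok   no conflicting firewall manager" || { echo "FAIL disable: $fw"; rc=1; }
  for m in $(calico_required_modules "$@"); do
    module_available "$m" && echo "ok   module $m" || { echo "FAIL module $m missing"; rc=1; }
  done
  return $rc
}

# Usage: sh preflight.sh ipip ipvs   (IP-in-IP networking, kube-proxy in IPVS mode)
if [ $# -gt 0 ]; then preflight "$@"; fi
```

The script exits non-zero when any check fails, so it can gate node bootstrap in configuration management; a missing module reported here usually means the distribution packages it under a different name or compiles it in without exposing it under /sys/module, which is the imprecision the page warns about.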