Skip to main content

Calico

Palette Network Pack(s) helps provision resources for setting up Cluster networking in Kubernetes. Design goals for the Kubernetes network model can be found here.

Project Calico is an open-source container networking provider and network policy engine.

Calico provides highly scalable networking and network policy solution for connecting Kubernetes pods based on the same IP networking principles as the internet, for both Linux (open source) and Windows (proprietary - available from Tigera). Calico can be deployed without encapsulation or overlays to provide high-performance, high-scale data center networking. Calico also provides a fine-grained, intent-based network security policy for Kubernetes pods via its distributed firewall.

Calico manifest used for networking does the following:

  • Installs the calico/node container on each host using a DaemonSet.
  • Installs the Calico CNI binaries and network config on each host using a DaemonSet.
  • Runs calico/kube-controllers as a deployment.
  • The calico-etcd-secrets secret, which optionally allows for providing etcd TLS assets.
  • The calico-config ConfigMap, which contains parameters for configuring the install.
warning

Limitations: AWS, VMWare supports IP-in-IP encapsulation type. Azure supports VXLAN encapsulation type.

Versions Supported

Prerequisites

  • You have created a bind mount for the /var/lib/calico folder on the Edge host. For more information, refer to Create Bind Mounts.

Parameters

NameSupported ValuesDefault valueDescription
calico.encapsulationTypeCALICO_IPV4POOL_IPIP, CALICO_IPV4POOL_VXLANCALICO_IPV4POOL_IPIP - AWS, VMware cloudsThe encapsulation type to be used for networking (depends on the cloud)
CALICO_IPV4POOL_VXLAN - Azure cloud
calico.encapsulationModeAlways, CrossSubnet, NeverAlwaysThe mode to use the IPv4 POOL created at start up
calico.calicoNetworkCIDRCIDR range192.168.0.0/16CIDR range to be assigned for Pods. This range should match the podCIDR range specified in the Kubernetes layer

Usage

Create Bind Mounts for Edge Deployments

In Edge deployments, Calico requires a bind mount on the host machine. Without the bind mount, it's possible for the Calico pods to be stuck in the init state. Use the following example to create a bind mount from /var/lib/calico on the Edge host. When you build an installer ISO with the bind_mounts block, the folders specified in the block will be mounted. For more information about building the installer ISO, refer to Build Installer ISO.

#cloud-config
stylus:
site:
debug: true
insecureSkipVerify: false
paletteEndpoint: api.console.spectrocloud.com
name: edge-appliance-1
caCerts:
- |
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

install:
bind_mounts:
- /var/lib/calico

Troubleshooting

  • A daemon set is installed and so a calico-node pod should run on all the nodes in the cluster to provide networking.
  • For any issues with networking, check calico-node and calico-kube-controller pods on the cluster.

Terraform

Use the following Terraform snippet to reference the Calico CNI pack in your Terraform template.


data "spectrocloud_registry" "public_registry" {
name = "Public Repo"
}

data "spectrocloud_pack_simple" "calico" {
name = "cni-calico"
version = "3.26.0"
type = "helm"
registry_uid = data.spectrocloud_registry.public_registry.id
}

References