|
| 1 | +--- |
| 2 | +title: "Deploying Calico CNI" |
| 3 | +description: "In this guide you will learn how to set up Calico CNI on Talos in two mode eBPF and NFtables." |
| 4 | +--- |
| 5 | + |
| 6 | +This documentation is designed to get you up and running with Talos and Calico CNI. Since both Calico and Talos support multiple networking technologies, you will learn how to run your environment with both the [Calico eBPF dataplane](https://docs.tigera.io/calico/latest/operations/ebpf/enabling-ebpf) and [NFTables](https://docs.tigera.io/calico/latest/getting-started/kubernetes/nftables). Optionally, you can also enable Calico's network [observability stack](https://docs.tigera.io/calico/latest/observability/) to gain insights into your cluster networking and policy behavior. |
| 7 | + |
| 8 | +## Configuring Talos |
| 9 | + |
| 10 | +To install Calico, you first need to disable the default CNI. This can be done by applying a patch file during cluster creation. |
| 11 | +The store the following YAML template in a file (`patch.yaml`). |
| 12 | + |
| 13 | +```yaml |
| 14 | +cluster: |
| 15 | + network: |
| 16 | + cni: |
| 17 | + name: none |
| 18 | +``` |
| 19 | +
|
| 20 | +After generating the patch file add the `--config-patch` argument to your `talosctl gen config`. |
| 21 | + |
| 22 | +```bash |
| 23 | +talosctl gen config \ |
| 24 | + my-cluster https://calico-talos.local:6443 \ |
| 25 | + --config-patch @patch.yaml |
| 26 | +``` |
| 27 | + |
| 28 | +## Installing Tigera Operator |
| 29 | + |
| 30 | +Recommended way to install Calico is via `Tigera-operator` manifest. The operator will make sure that all Calico components are always up and running. |
| 31 | + |
| 32 | +> **Note** If you like to install Calico using Helm [checkout this document](https://docs.tigera.io/calico/latest/getting-started/kubernetes/helm). |
| 33 | + |
| 34 | +Use the following command to install the latest Tigera operator. |
| 35 | + |
| 36 | +```bash |
| 37 | +kubectl create -f https://docs.tigera.io/calico/latest/manifests/tigera-operator.yaml |
| 38 | +``` |
| 39 | + |
| 40 | +### Configuring Calico Networking |
| 41 | + |
| 42 | +Calico has a pluggable dataplane architecture that lets you choose the networking technology based on your use case. You can configure the dataplane by setting the `linuxDataplane` key in the installation manifest. |
| 43 | + |
| 44 | +> **Note** If you like to learn more about the available Calico configurations [checkout this document](https://docs.tigera.io/calico/latest/reference/installation/api). |
| 45 | + |
| 46 | +{{< tabpane text=true >}} |
| 47 | +{{% tab header="eBPF" %}} |
| 48 | + |
| 49 | +By default, Calico uses the `/var` directory to mount cgroups. However, since this path is not writable in Talos, you need to change it to `/sys/fs/cgroup`. |
| 50 | + |
| 51 | +Use the following command to update the cgroup mount path: |
| 52 | + |
| 53 | +```bash |
| 54 | +kubectl create -f -<<EOF |
| 55 | +apiVersion: crd.projectcalico.org/v1 |
| 56 | +kind: FelixConfiguration |
| 57 | +metadata: |
| 58 | + name: default |
| 59 | +spec: |
| 60 | + cgroupV2Path: "/sys/fs/cgroup" |
| 61 | +EOF |
| 62 | +``` |
| 63 | + |
| 64 | +> **Note** If you’d like to learn more about the available Calico configurations, [checkout this document](https://docs.tigera.io/calico/latest/reference/installation/api). |
| 65 | + |
| 66 | +In eBPF mode, Calico completely replaces the need for kube-proxy by programming all networking logic via eBPF programs. Before disabling kube-proxy, however, you need to ensure that Calico components can reach the API server. This can be done by creating a `kubernetes-services-endpoint` ConfigMap. |
| 67 | + |
| 68 | +Store the following YAML template in a file (e.g., `endpoint.yaml`), and replace <API server host> and <API server port> with your Kubernetes API server host and port. |
| 69 | +If [KubePrism]({{< relref "../configuration/kubeprism" >}}) is enabled (which is the default), use `localhost` as the API server host and `7445` as the port. |
| 70 | + |
| 71 | +```yaml |
| 72 | +kind: ConfigMap |
| 73 | +apiVersion: v1 |
| 74 | +metadata: |
| 75 | + name: kubernetes-services-endpoint |
| 76 | + namespace: tigera-operator |
| 77 | +data: |
| 78 | + KUBERNETES_SERVICE_HOST: '<API server host>' |
| 79 | + KUBERNETES_SERVICE_PORT: '<API server port>' |
| 80 | +``` |
| 81 | + |
| 82 | +After editing the file, apply it using: |
| 83 | + |
| 84 | +```bash |
| 85 | +kubectl create -f endpoint.yaml |
| 86 | +``` |
| 87 | + |
| 88 | +You can now safely disable `kube-proxy` by using the following command: |
| 89 | + |
| 90 | +```bash |
| 91 | +kubectl patch ds -n kube-system kube-proxy -p '{"spec":{"template":{"spec":{"nodeSelector":{"non-calico": "true"}}}}}' |
| 92 | +``` |
| 93 | + |
| 94 | +Next, you have to configure Calico: |
| 95 | + |
| 96 | +```bash |
| 97 | +kubectl create -f -<<EOF |
| 98 | +# This section includes base Calico installation configuration. |
| 99 | +apiVersion: operator.tigera.io/v1 |
| 100 | +kind: Installation |
| 101 | +metadata: |
| 102 | + name: default |
| 103 | +spec: |
| 104 | + calicoNetwork: |
| 105 | + bgp: Disabled |
| 106 | + linuxDataplane: BPF |
| 107 | + cni: |
| 108 | + ipam: |
| 109 | + type: HostLocal |
| 110 | + type: Calico |
| 111 | + kubeletVolumePluginPath: None |
| 112 | +--- |
| 113 | +# Kubectl integration for Calico unique resources. |
| 114 | +apiVersion: operator.tigera.io/v1 |
| 115 | +kind: APIServer |
| 116 | +metadata: |
| 117 | + name: default |
| 118 | +spec: {} |
| 119 | +EOF |
| 120 | +``` |
| 121 | + |
| 122 | +{{% /tab %}} |
| 123 | +{{% tab header="NFTables" %}} |
| 124 | + |
| 125 | +Use the following command to run Calico with NFTables backend. |
| 126 | + |
| 127 | +```bash |
| 128 | +kubectl create -f -<<EOF |
| 129 | +# This section includes base Calico installation configuration. |
| 130 | +apiVersion: operator.tigera.io/v1 |
| 131 | +kind: Installation |
| 132 | +metadata: |
| 133 | + name: default |
| 134 | +spec: |
| 135 | + calicoNetwork: |
| 136 | + bgp: Disabled |
| 137 | + linuxDataplane: Nftables |
| 138 | + cni: |
| 139 | + ipam: |
| 140 | + type: HostLocal |
| 141 | + type: Calico |
| 142 | + kubeletVolumePluginPath: None |
| 143 | +--- |
| 144 | +# Kubectl integration for Calico unique resources. |
| 145 | +apiVersion: operator.tigera.io/v1 |
| 146 | +kind: APIServer |
| 147 | +metadata: |
| 148 | + name: default |
| 149 | +spec: {} |
| 150 | +EOF |
| 151 | +``` |
| 152 | + |
| 153 | +{{% /tab %}} |
| 154 | +{{< /tabpane >}} |
| 155 | + |
| 156 | +## Deploy Calico Whisker Network Observability Stack |
| 157 | + |
| 158 | +Use the following command to enable Calico observability stack: |
| 159 | + |
| 160 | +```bash |
| 161 | +kubectl create -f -<<EOF |
| 162 | +# Configures the Calico Goldmane flow aggregator. |
| 163 | +apiVersion: operator.tigera.io/v1 |
| 164 | +kind: Goldmane |
| 165 | +metadata: |
| 166 | + name: default |
| 167 | +--- |
| 168 | +# Configures the Calico Whisker observability UI. |
| 169 | +apiVersion: operator.tigera.io/v1 |
| 170 | +kind: Whisker |
| 171 | +metadata: |
| 172 | + name: default |
| 173 | +EOF |
| 174 | +``` |
| 175 | + |
| 176 | +Use the following command to access Calico Whisker: |
| 177 | + |
| 178 | +```bash |
| 179 | +kubectl port-forward -n calico-system service/whisker 8081:8081 |
| 180 | +``` |
| 181 | + |
| 182 | +Fire up a browser and point it to `localhost:8081` to observe your policies and network flows. |
| 183 | + |
| 184 | +## Next steps |
| 185 | + |
| 186 | +- Enable Calico Prometheus and Grafana integrations, click here to [learn more](https://docs.tigera.io/calico/latest/operations/monitor/). |
| 187 | + |
| 188 | +## Considerations |
| 189 | + |
| 190 | +**In eBPF mode**, if you cannot disable kube-proxy for any reason please make sure to adjust `BPFKubeProxyIptablesCleanupEnabled` to `false`. |
| 191 | +This can be done with kubectl as follows: |
| 192 | + |
| 193 | +```bash |
| 194 | +kubectl patch felixconfiguration default --patch='{"spec": {"bpfKubeProxyIptablesCleanupEnabled": false}}' |
| 195 | +``` |
0 commit comments