[question] Why is host network and path /var/lib/calico required by the operator? #1419

Closed
stevehipwell opened this issue Aug 3, 2021 · 5 comments

Comments

@stevehipwell
Contributor

I'm currently moving over from the legacy EKS Helm charts Calico implementation in favour of using the operator and I'm interested as to why the operator needs to be on the host network as well as have access to /var/lib/calico on the host?

@lwr20
Member

lwr20 commented Aug 3, 2021

Operator is the one installing Calico, and until that happens there is no pod-network. i.e. operator has to run host-networked to avoid a chicken-and-egg scenario (there's no pod-network until it runs, but it can't run because there's no pod-network).

I'll leave someone else to answer the part about /var/lib/calico

@stevehipwell
Contributor Author

Thanks @lwr20, does that mean it's only required when Calico is going to be the CNI then?

@tmjd
Member

tmjd commented Aug 3, 2021

The /var/lib/calico mount is so that the operator can read the auto-detected MTU that calico-node writes. To anticipate your question, I think it could probably be left off when not using Calico as the CNI also.

You might be able to remove host-networked from operator but we don't test that. You'd also want to make sure that you don't cut off tigera-operator traffic with NetworkPolicy, since it now being pod-networked would make it subject to network policy.

@stevehipwell
Contributor Author

Thanks @tmjd that makes sense.

@tmjd
Member

tmjd commented Aug 4, 2021

I don't think there are any more questions to answer here so I'm going to close this issue.

@tmjd tmjd closed this as completed Aug 4, 2021
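
An added example, not part of the original thread and not the operator's own code: a Python audit that reports the two kinds of host access discussed above (`hostNetwork` and hostPath mounts such as /var/lib/calico) in a Deployment manifest, including whether each mount is read-only. The manifest is a constructed sample, and the function name `audit_host_access` and the sample field values are assumptions.

```python
import json

# Constructed sample, trimmed to the fields under discussion.
# It is NOT the operator's real manifest; names and values are assumptions.
SAMPLE_DEPLOYMENT = json.loads("""
{
  "kind": "Deployment",
  "metadata": {"name": "tigera-operator"},
  "spec": {"template": {"spec": {
    "hostNetwork": true,
    "containers": [{
      "name": "tigera-operator",
      "volumeMounts": [
        {"name": "var-lib-calico", "mountPath": "/var/lib/calico", "readOnly": true}
      ]
    }],
    "volumes": [
      {"name": "var-lib-calico", "hostPath": {"path": "/var/lib/calico"}}
    ]
  }}}
}
""")


def audit_host_access(deployment):
    """Return (kind, detail) findings for host-level access in a Deployment."""
    pod = deployment["spec"]["template"]["spec"]
    findings = []
    if pod.get("hostNetwork", False):
        findings.append(("hostNetwork", "pod shares the node network namespace"))
    # Map volume name -> host path for every hostPath volume in the pod spec.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod.get("volumes", []) if "hostPath" in v}
    mounted = set()
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in host_paths:
                mode = "ro" if m.get("readOnly", False) else "rw"
                findings.append(
                    ("hostPath", f"{c['name']}: {host_paths[m['name']]} ({mode})"))
                mounted.add(m["name"])
    # A hostPath volume that no container mounts can simply be deleted.
    for name in sorted(set(host_paths) - mounted):
        findings.append(("hostPath-unused", host_paths[name]))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_host_access(SAMPLE_DEPLOYMENT):
        print(f"{kind}: {detail}")
```
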