Skip to main content

What happens when you connect a cluster to Calico Cloud

Although connecting your cluster to Calico Cloud is easy, we also understand you may want details about what happens when your cluster is managed by Calico Cloud. We hope this article, along with the other topics in this section, gives you the information you need to install Calico Cloud with confidence. If you have other questions, let us know: Support policy or email:

What happens when you connect your cluster

  • Your cluster is registered and connected to Calico Cloud
  • Your Calico open source install is updated with resources for Calico Cloud features
  • Tigera components and services are added to collect metrics and logs that are sent to the Calico Cloud management plane, which provides the basis for visibility and troubleshooting
  • Policies are added to secure communications between Tigera components
  • A global threat feed is added to alert on any egress traffic to addresses in the threat feed to protect the cluster
  • All of your existing network policies (Kubernetes and Calico) can be found in a single place: the default tier

After your cluster is connected, it is listed in the Managed Clusters page where you can move between multiple clusters.


What happens when you disconnect your cluster

Whether you’ve finished your Calico Cloud Trial, or terminated your licensed Calico Cloud subscription, we know you want your cluster to remain functional. Calico Cloud provides a migration script that returns your cluster to a working state in open-source Calico. The migration script:

  • Removes and cleans up all Calico Cloud components and services that have no equivalent in open-source Calico
  • Switches the operator configuration to open-source Calico, which migrates your cluster to a version of open-source Calico
  • Ensures all Calico policies are migrated to the default tier, or allows you to remove all Calico policies

For details of the migration script, see Uninstall Calico Cloud from a cluster.

What happens under the covers when you connect your cluster


  • Verifies that your cluster can be migrated, and validates that the cluster platform and version is supported by Calico Cloud
  • Records the number of nodes and other basic attributes of your cluster. This data remains on your system and is used for troubleshooting in case there are issues connecting your cluster.

Install and connect

  • Based on the Calico install for your cluster, the manifest is upgraded/migrated to use the Calico Cloud Tigera operator. (Note that clusters installed using Helm are currently not supported.)
  • Tigera operator installs the required Calico Cloud Custom Defined Resources (CRDs), and a standard pull secret to allow access to Calico Cloud images
  • Installs a Prometheus instance for component metrics (if it doesn’t already exist on the cluster)
  • Pushes a license to the cluster so components receive appropriate entitlements
  • Adds custom namespaces, service account, and role bindings to support cluster access and permissions to the Calico Cloud user interface
  • Creates RBAC permissions to access these resources:
    • Number of nodes in the cluster and stats for billing purposes
    • Policies in the cluster, and pod information
  • Registers the cluster so it can connect to Calico Cloud
  • Creates a global threat feed to alert on any egress traffic to addresses in the threat feed
  • Adds policies to secure communication for Calico Cloud components, including safeguards that prevent any new network policies from impacting the vital functions of the cluster
  • Creates roles and bindings to allow the installer to operate and to allow Calico Cloud to operate after installation. Each of these objects is given minimal permissions for its specific function.
  • Creates roles and bindings for two user types for access to Manager UI:
    • Admin - full permissions for network policies and Calico Cloud resources, and read permissions for namespace and pods
    • User - read-only/view permissions to same resources above

How long does it take to connect a cluster?

Typically, about 5 minutes.

Troubleshooting an installation