AKS requirements
Verify system requirementsβ
Although Calico Cloud checks that your cluster meets System requirements, verifying now can save you time troubleshooting.
Verify AKS settingsβ
Check that you're using a supported CNI and network policy configuration by running the following command on your AKS cluster:
az aks show --query 'networkProfile'You must have one of the following combinations of values for
networkPluginandnetworkPolicy:"networkPlugin": "none"and"networkPolicy": null"networkPlugin": "azure"and"networkPolicy": null"networkPlugin": "azure"and"networkPolicy": "calico"
Verify that transparent mode is being used by running one of the following commands.
cat /etc/cni/net.d/*OR
az vmss run-command invoke -g <resource-group> -n <vmss-name> --scripts "cat /etc/cni/net.d/*" --command-id RunShellScript --instance-id 0 --query 'value[0].message'If the Azure CNI is enabled, the output should include
"mode": "transparent".
For help in the Azure portal, see Azure CNI in transparent mode.
Verify IAM permissionsβ
Verify that your user account has IAM permissions to create Kubernetes ClusterRoles, ClusterRoleBindings, Deployments, Service Accounts, and Custom Resource Definitions. The easiest way to grant permissions is to assign the "Kubernetes Service Cluster Admin Roleβ to your user account. For help, see AKS access control.
Verify AddonManager is compatibleβ
If the AKS cluster already has Calico installed and is managed by AKS it may still be compatible with Calico Cloud. If output from the following command includes "EnsureExists" then the install is compatible with Calico Cloud.
kubectl get CustomResourceDefinition installations.operator.tigera.io -o yaml | grep ' addonmanager.kubernetes.io/mode:'
If the command output does not include "EnsureExists" and you are on a recent version of AKS your cluster might still be compatible. Please click the question icon in Manager UI under the user icon in the upper right to get help from Support:
Remove taints from Linux node poolsβ
Hybrid clusters on AKS may have taints applied to Linux nodes that prevent Calico Cloud from scheduling pods on those nodes. These taints must be removed before you connect your cluster to Calico Cloud.
You can check whether any node pools in your cluster have taints by running the following command:
az aks nodepool list --resource-group <group-name> --cluster-name <cluster-name> --query "[].{name:name nodeTaints:nodeTaints}"
Remove any taints in the Linux node pools by running the command:
az aks nodepool update --resource-group <group-name> --cluster-name <cluster-name> --name <nodepool-name> --node-taints ""