Calico Cloud documentation

Prepare your cluster for Calico Cloud

Get your cluster ready to connect to Calico Cloud.

Prerequisites

Allow outbound traffic from pods to Calico Cloud endpoints

Pods running in your Kubernetes cluster must allow outbound traffic to the following endpoints:

  • https://installer.calicocloud.io:443/*
  • https://www.calicocloud.io:443/api/*
  • https://client-auth.calicocloud.io:443/*
  • TCP to <management-cluster>.calicocloud.io:9000

For each node, Docker must be able to pull images from the following endpoints:

  • quay.io
  • cdn01.quay.io
  • cdn02.quay.io
  • us-docker.pkg.dev

Make sure you have the right permissions for your platform user account

If your cluster is installed on a managed service, you must have sufficient permissions from your identity and access management system. Check that you are authorized to create the following Kubernetes resource types:

  • ClusterRole
  • ClusterRoleBinding
  • Deployment
  • ServiceAccount
  • CustomResourceDefinition
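
One way to run this check from a shell, as an added example that is not part of the Calico Cloud documentation. It asks the API server, through `kubectl auth can-i`, whether the current user may create each resource type listed above. The function name `check_create_permissions` and the `KUBECTL` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight RBAC check for the resource types listed above.
# Source this file, then run: check_create_permissions [extra kubectl flags]
# e.g. check_create_permissions --all-namespaces

# KUBECTL lets you point at a wrapper or a specific binary (assumption of
# this example, not a Calico Cloud setting).
KUBECTL="${KUBECTL:-kubectl}"

# The five resource types from the prerequisites, as kubectl resource names.
REQUIRED_RESOURCES="clusterroles clusterrolebindings deployments serviceaccounts customresourcedefinitions"

# Prints one OK/DENIED line per resource type.
# Return status = number of resource types the current user cannot create,
# so 0 means every check passed.
check_create_permissions() {
    denied=0
    for res in $REQUIRED_RESOURCES; do
        # `kubectl auth can-i` prints "yes" or "no". Anything other than a
        # clean "yes" (including an unreachable API server) counts as denied.
        if answer=$("$KUBECTL" auth can-i create "$res" "$@") \
            && [ "$answer" = "yes" ]; then
            printf 'OK      create %s\n' "$res"
        else
            printf 'DENIED  create %s\n' "$res"
            denied=$((denied + 1))
        fi
    done
    return "$denied"
}
```

Without extra flags, the namespaced types (Deployment, ServiceAccount) are checked in the current context's namespace. This page does not say which namespaces are used, so `--all-namespaces` is the conservative choice.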

Prepare your cluster on Azure Kubernetes Service

Remove taints from Linux node pools

If you have a hybrid cluster with both Windows and Linux nodes, the Linux nodes may have taints that prevent Calico Cloud from scheduling pods on those nodes. These taints must be removed before you connect your cluster to Calico Cloud.

You can check whether any node pools in your cluster have taints by running the following command:

az aks nodepool list --resource-group <group-name> --cluster-name <cluster-name> --query "[].{name:name, nodeTaints:nodeTaints}"

Remove any taints in the Linux node pools by running the following command:

az aks nodepool update --resource-group <group-name> --cluster-name <cluster-name> --name <nodepool-name> --node-taints ""

Prepare your cluster on Google Kubernetes Engine

Turn on intranode visibility for your cluster

Verify that intranode visibility is set to Enabled by running the following command:

gcloud container clusters describe <cluster-name> --flatten networkConfig.enableIntraNodeVisibility

If intranode visibility is not enabled, you must enable it by running the following command:

gcloud container clusters update <cluster-name> --enable-intra-node-visibility

Next steps