System requirements
Before you connect your cluster to Calico Cloud, make sure your cluster meets the system requirements. Your cluster must already have a CNI installed before you can connect to Calico Cloud.
Kubernetes distributions and CNIs
Calico Cloud works with Kubernetes on self-provisioned infrastructure and on managed Kubernetes distributions. To use Calico Cloud for both networking and network policy, your cluster must have Calico Open Source installed before you connect to Calico Cloud. For most managed distributions, you can use the provider's CNI for networking and use Calico Cloud for network policy.
Distribution | Supported CNIs |
---|---|
Kubernetes on self-provisioned infrastructure | - Calico Open Source 3.20 or later |
Amazon Elastic Kubernetes Service | - Calico Open Source 3.20 or later - Amazon VPC CNI |
Azure Kubernetes Service | - Calico Open Source 3.20 or later - Azure CNI |
Google Kubernetes Engine | - Calico Open Source 3.20 or later - GKE CNI |
Rancher Kubernetes Engine 2 | - Calico Open Source 3.20 or later |
The Kubernetes distributions listed above are those that Tigera currently tests and supports for Calico Cloud. You may be able to connect clusters on other distributions with Calico Open Source installed as the CNI. For more information about connecting other cluster types to Calico Cloud, contact Support.
Other distributions
The Calico Cloud installer may be able to successfully connect
Kubernetes versions
Your Kubernetes distribution must be based on one of the following Kubernetes versions:
- Kubernetes 1.30
- Kubernetes 1.29
- Kubernetes 1.28
Architectures
Calico Cloud can be installed on nodes based on the following chip architectures:
- x86-64
- ARM64
Windows node support for hybrid clusters
Calico Cloud supports hybrid Kubernetes clusters that use a Linux control plane with Windows nodes. You can install Calico Cloud on clusters of this type on the following managed distributions:
- Amazon Elastic Kubernetes Service
- Azure Kubernetes Service
Browser support for the Manager UI web console
To access the Manager UI web console, you can use latest two versions of the following web browsers:
- Chrome
- Safari
Kubernetes reconcilers
-
Calico Cloud cannot be usually be installed on clusters that are managed by any kind of Kubernetes reconciler (for example, Addon-manager). To verify, look for an annotation called
addonmanager.kubernetes.io/mode
on either of the following resources. (The resources may not exist).tigera-operator
deployment in thetigera-operator
namespacecalico-node
daemonset in thekube-system
namespace
If the following command finds addonmanager on either of the resources, then Addon-manager is being used. Find a different cluster to use.
kubectl get <type> -n <namespace> <resource-name> -o yaml | grep ' addonmanager.kubernetes.io/mode:'
-
Some AKS clusters with AddonManager are compatible with Calico Cloud. If output from the following command includes "EnsureExists", then the install is compatible with Calico Cloud.
kubectl get CustomResourceDefinition installations.operator.tigera.io -o yaml | grep ' addonmanager.kubernetes.io/mode:'
noteIf the command output does not include "EnsureExists" and you are on a recent version of AKS your cluster might still be compatible. You can contact Support for more information.
warningIf your cluster already has Calico installed by AKS and managed by AddonManager, the standard uninstall is not supported. You will need to reach out to support to create a plan to uninstall Calico Cloud.
Distribution-specific requirements
Azure Kubernetes Service
-
Your cluster uses a supported combination of the
networkPlugin
andnetworkPolicy
configurations:"networkPlugin": "none"
and"networkPolicy": null
"networkPlugin": "azure"
and"networkPolicy": null
"networkPlugin": "azure"
and"networkPolicy": "calico"
You can check your configuration by running the following command:
az aks show --query 'networkProfile'
-
If your cluster uses the Azure CNI, your cluster's CNI is set to transparent mode.
az vmss run-command invoke -g <resource-group> -n <vmss-name> --scripts "cat /etc/cni/net.d/*" --command-id RunShellScript --instance-id 0 --query 'value[0].message'
If the Azure CNI is enabled, the output should include
"mode": "transparent"
.
Google Kubernetes Service
-
Your cluster's network policy is disabled. To verify, run the following command:
gcloud container clusters describe <cluster-name> --flatten addonsConfig.networkPolicyConfig.disabled
-
Your cluster's Dataplane V2 is set to
null
. To verify, run the following command:gcloud container clusters describe <cluster-name> --flatten networkConfig.datapathProvider
Rancher Kubernetes Engine 2
-
The Calico Open Source CNI must not be provisioned by the RKE2 installer. You can connect an RKE2 cluster to Calico Cloud only if:
- the RKE2 cluster was installed without a CNI
- Calico Open Source was installed manually
To verify, run this command to see the configuration on your control-plane node:
cat /etc/rancher/rke2/config.yaml
You should see
cni: none
.If you're creating a new RKE2 cluster, you can set this configuration as an environment variable (
RKE2_CNI=none
) when you run the installation script.