Calico Cloud documentation

System requirements

Before you connect your cluster to Calico Cloud, make sure your cluster meets the system requirements. Your cluster must already have a CNI installed before you can connect to Calico Cloud.

Kubernetes distributions and CNIs

Calico Cloud works with Kubernetes on self-provisioned infrastructure and on managed Kubernetes distributions. To use Calico Cloud for both networking and network policy, your cluster must have Calico Open Source installed before you connect to Calico Cloud. For most managed distributions, you can use the provider's CNI for networking and use Calico Cloud for network policy.

Supported CNIs by distribution:

  • Kubernetes on self-provisioned infrastructure

    • Calico Open Source 3.20 or later

  • Amazon Elastic Kubernetes Service

    • Calico Open Source 3.20 or later
    • Amazon VPC CNI

  • Azure Kubernetes Service

    • Calico Open Source 3.20 or later
    • Azure CNI

  • Google Kubernetes Engine

    • Calico Open Source 3.20 or later
    • GKE CNI

  • Rancher Kubernetes Engine 2

    • Calico Open Source 3.20 or later

Note: The Kubernetes distributions listed above are those that Tigera currently tests and supports for Calico Cloud. You may be able to connect clusters on other distributions with Calico Open Source installed as the CNI. For more information about connecting other cluster types to Calico Cloud, contact Support.

Kubernetes versions

Your Kubernetes distribution must be based on one of the following Kubernetes versions:

  • Kubernetes 1.30
  • Kubernetes 1.29
  • Kubernetes 1.28

Architectures

Calico Cloud can be installed on nodes based on the following chip architectures:

  • x86-64
  • ARM64

Browser support for the Manager UI web console

To access the Manager UI web console, you can use the latest two versions of the following web browsers:

  • Chrome
  • Safari

Kubernetes reconcilers

  • Calico Cloud usually cannot be installed on clusters that are managed by any kind of Kubernetes reconciler (for example, Addon-manager). To verify, look for an annotation called addonmanager.kubernetes.io/mode on either of the following resources (the resources may not exist):

    • tigera-operator deployment in the tigera-operator namespace
    • calico-node daemonset in the kube-system namespace

    If the following command finds addonmanager on either of the resources, then Addon-manager is being used. Find a different cluster to use.

    kubectl get <type> -n <namespace> <resource-name> -o yaml | grep ' addonmanager.kubernetes.io/mode:'
  • Some AKS clusters with AddonManager are compatible with Calico Cloud. If output from the following command includes "EnsureExists", then the install is compatible with Calico Cloud.

    kubectl get CustomResourceDefinition installations.operator.tigera.io -o yaml | grep ' addonmanager.kubernetes.io/mode:'
    Note: If the command output does not include "EnsureExists" and you are on a recent version of AKS, your cluster might still be compatible. You can contact Support for more information.

    Warning: If your cluster already has Calico installed by AKS and managed by AddonManager, the standard uninstall is not supported. You will need to reach out to Support to create a plan to uninstall Calico Cloud.
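The reconciler checks above, combined into one preflight, as an added example that is not part of the Calico Cloud documentation. The function names, verdict strings and the sample manifest are assumptions constructed for illustration; the resource names and the annotation are the ones listed above.

```shell
#!/bin/sh
# Added example: Addon-manager preflight for the checks described above.

# Read a manifest (kubectl ... -o yaml) on stdin and print the value of the
# addonmanager.kubernetes.io/mode annotation, or nothing if it is not set.
# The match is anchored to a YAML key at the start of a line, so the copy
# embedded in last-applied-configuration JSON is not counted.
addon_mode() {
  sed -n 's/^[[:space:]]*addonmanager\.kubernetes\.io\/mode:[[:space:]]*//p' |
    head -n 1 | tr -d "\"' "
}

# reconciler_verdict <operator-mode> <calico-node-mode> <crd-mode>
reconciler_verdict() {
  if [ -z "$1" ] && [ -z "$2" ]; then
    echo "not-managed"      # annotation absent on both workloads
  elif [ "$3" = "EnsureExists" ]; then
    echo "aks-compatible"   # AKS case: CRD annotation is EnsureExists
  else
    echo "addon-managed"    # use a different cluster or contact Support
  fi
}

# Live check. Either workload may not exist, so kubectl errors are dropped
# and a missing resource counts as "no annotation".
check_cluster() {
  op=$(kubectl get deployment -n tigera-operator tigera-operator -o yaml 2>/dev/null | addon_mode)
  node=$(kubectl get daemonset -n kube-system calico-node -o yaml 2>/dev/null | addon_mode)
  crd=$(kubectl get CustomResourceDefinition installations.operator.tigera.io -o yaml 2>/dev/null | addon_mode)
  reconciler_verdict "$op" "$node" "$crd"
}

# Constructed sample manifest fragment for trying addon_mode offline.
SAMPLE_DAEMONSET='metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"metadata":{"annotations":{"addonmanager.kubernetes.io/mode":"Reconcile"}}}
    addonmanager.kubernetes.io/mode: Reconcile
  name: calico-node'
```

Source the file and run `check_cluster` against the current kubectl context; an "addon-managed" verdict on a recent AKS version is the case the note above refers to Support.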

Distribution-specific requirements

Azure Kubernetes Service

  • Your cluster uses a supported combination of the networkPlugin and networkPolicy configurations:

    • "networkPlugin": "none" and "networkPolicy": null
    • "networkPlugin": "azure" and "networkPolicy": null
    • "networkPlugin": "azure" and "networkPolicy": "calico"

    You can check your configuration by running the following command:

    az aks show -g <resource-group> -n <cluster-name> --query 'networkProfile'
  • If your cluster uses the Azure CNI, your cluster's CNI is set to transparent mode.

    az vmss run-command invoke -g <resource-group> -n <vmss-name> --scripts "cat /etc/cni/net.d/*" --command-id RunShellScript --instance-id 0 --query 'value[0].message'

    If the Azure CNI is enabled, the output should include "mode": "transparent".
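The two AKS checks above evaluated together, as an added example that is not part of the Calico Cloud documentation. The function names and both sample inputs are constructed for illustration; the script reads the JSON printed by the `az aks show` command and the text returned by the `az vmss run-command` call, and accepts the CNI text with or without JSON string escaping.

```shell
#!/bin/sh
# Added example: validate AKS networkProfile and Azure CNI mode offline.

# json_field <json-text> <key>: print a top-level scalar (string or null).
# The closing quote after the key keeps "networkPlugin" from matching
# "networkPluginMode".
json_field() {
  printf '%s\n' "$1" |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([A-Za-z0-9_-]*\)\"\{0,1\}.*/\1/p" |
    head -n 1
}

# aks_network_ok <networkProfile-json> <cni-config-text>
aks_network_ok() {
  plugin=$(json_field "$1" networkPlugin)
  policy=$(json_field "$1" networkPolicy)
  case "$plugin/$policy" in
    none/null|azure/null|azure/calico) ;;   # combinations listed above
    *) echo "unsupported: networkPlugin=$plugin networkPolicy=$policy"
       return 1 ;;
  esac
  # Transparent mode is only required when the Azure CNI is in use.
  # \\? allows the escaped quotes of a JSON-encoded run-command message.
  if [ "$plugin" = azure ] && ! printf '%s\n' "$2" |
      grep -Eq '\\?"mode\\?"[[:space:]]*:[[:space:]]*\\?"transparent\\?"'; then
    echo "unsupported: Azure CNI is not in transparent mode"
    return 1
  fi
  echo "supported: networkPlugin=$plugin networkPolicy=$policy"
}

# Constructed sample inputs (not captured from a real cluster).
SAMPLE_PROFILE='{
  "networkPlugin": "azure",
  "networkPluginMode": null,
  "networkPolicy": "calico"
}'
SAMPLE_CNI='{"plugins":[{"type":"azure-vnet","mode":"transparent"}]}'
```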

Google Kubernetes Engine

  • Your cluster's network policy is disabled. To verify, run the following command:

    gcloud container clusters describe <cluster-name> --flatten addonsConfig.networkPolicyConfig.disabled
  • Your cluster's Dataplane V2 is set to null. To verify, run the following command:

    gcloud container clusters describe <cluster-name> --flatten networkConfig.datapathProvider

Rancher Kubernetes Engine 2

  • The Calico Open Source CNI must not be provisioned by the RKE2 installer. You can connect an RKE2 cluster to Calico Cloud only if:

    • the RKE2 cluster was installed without a CNI
    • Calico Open Source was installed manually

    To verify, run this command to see the configuration on your control-plane node:

    cat /etc/rancher/rke2/config.yaml

    You should see cni: none.

    If you're creating a new RKE2 cluster, you can set this configuration as an environment variable (RKE2_CNI=none) when you run the installation script.
