Install Calico on non-cluster hosts and VMs
Big picture
Secure hosts and virtual machines (VMs) running outside of Kubernetes by installing Calico Enterprise.
Value
Calico Enterprise can also be used to protect hosts and VMs running outside of a Kubernetes cluster. In many cases, these are applications and workloads that cannot be easily containerized. Calico Enterprise lets you protect and gain visibility into these non-cluster hosts and use the same robust Calico network policy that you use for pods.
Concepts
Non-cluster hosts and host endpoints
A non-cluster host or VM is a computer that is running an application that is not part of a Kubernetes cluster. Calico Enterprise enables you to protect these hosts and VMs using the same Calico network policy that you use for workloads running inside a Kubernetes cluster. It also generates flow logs that provide visibility into the communication that host or VM is having with other endpoints in your environment.
In the following diagram, a Kubernetes cluster is running Calico Enterprise with networking (for pod-to-pod communication) and network policy; the non-cluster host uses Calico network policy for host protection and to generate flow logs for observability.
For non-cluster hosts and VMs, you can secure host interfaces using host endpoints. Host endpoints can have labels that work the same as labels on pods/workload endpoints in Kubernetes. The advantage is that you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can easily write a global policy that applies to every host, VM, or pod that is running Calico.
To learn how to restrict traffic to/from hosts and VMs using Calico network policy, see Protect hosts and VMs.
Before you begin
Required
-
Kubernetes API datastore is up and running and is accessible from the host
If Calico Enterprise is installed on a cluster, you already have a datastore.
-
Non-cluster host or VM meets Calico Enterprise system requirements
Ensure that your node OS includes the
ipsetandconntrackkernel dependencies.
How to
Set up your Kubernetes cluster to work with a non-cluster host or VM
-
Create a
NonClusterHostcustom resource.This resource enables the cluster-side ingestion endpoint to receive logs from non-cluster hosts. Additionally, it provides a dedicated Typha deployment for managing communication between the non-cluster host agent and Typha.
Field Description Accepted Values Schema endpoint Required. Location of the log ingestion point for non-cluster hosts. Any HTTPS URL with a domain name and a port number string typhaEndpoint Required. Location of the Typha endpoint for non-cluster host agent and Typha communication. Any IP address or domain name with a port number string kubectl create -f - <<EOF
apiVersion: operator.tigera.io/v1
kind: NonClusterHost
metadata:
name: tigera-secure
spec:
endpoint: <https://domain-or-ip-address:port>
typhaEndpoint: <domain-or-ip-address:port>
EOFWait until the Tigera Manager and non-cluster Typha deployments reach the Available status before proceeding to the next step.
-
Obtain the token for
tigera-noncluster-hostservice account.kubectl get secret -n calico-system tigera-noncluster-host -o jsonpath='{.data.token}' | base64 --decode -
Create a
kubeconfigfile for your non-cluster host or VM similar to the following:apiVersion: v1
kind: Config
current-context: noncluster-hosts
preferences: {}
clusters:
- cluster:
certificate-authority-data: <certificate-authority-data>
server: <server>
name: noncluster-hosts
contexts:
- context:
cluster: noncluster-hosts
user: tigera-noncluster-host
name: noncluster-hosts
users:
- name: tigera-noncluster-host
user:
token: <token>Replace the following:
- Cluster:
<server>: The URL of the Kubernetes API server.<certificate-authority-data>: Base64 encoded CA certificate to verify the Kubernetes API server's certificate.
- User:
<token>: A bearer token associated with thetigera-noncluster-hostservice account obtained in the previous step.
- Cluster:
-
Create a
HostEndpointresource for each non-cluster host or VM. ThenodeandexpectedIPsfields are required to match the hostname and the expected interface IP addresses.
Set up your non-cluster host or VM
-
Configure the Calico Enterprise repository.
curl -sfL https://downloads.tigera.io/ee/rpms/v3.21/calico-enterprise.repo -o /etc/yum.repos.d/calico-enterprise.repoOnly Red Hat Enterprise Linux 8 and 9 x86-64 operating systems are supported in this version of Calico Enterprise.
-
Install Calico node and fluent-bit log forwarder packages.
-
Use
dnfto install thecalico-nodeandcalico-fluent-bitpackages:dnf install calico-node calico-fluent-bit
-
-
Copy the kubeconfig created in cluster setup step 3 to host folder
/etc/calico/kubeconfigand change ownership tocalico:calico. -
Start Calico node and log forwarder.
systemctl enable --now calico-node.service
systemctl enable --now calico-fluent-bit.serviceYou can configure the Calico node by tuning the environment variables defined in the
/etc/calico/calico-node/calico-node.envfile. For more information, see the Felix configuration reference.
Configure hosts to communicate with your Kubernetes cluster
You must ensure that the non-cluster hosts or VMs can communicate with your Kubernetes cluster. If you are using an ingress controller or an external load balancer, ensure it is configured to allow TCP Layer 4 passthrough. This is required for non-cluster host agent to establish a mutual TLS (mTLS) connection to the cluster via the typhaEndpoint endpoint.
Below are some vendor-specific considerations:
AWS
- The node must reside in the same VPC as the nodes in your Kubernetes cluster, and utilize the AWS VPC CNI plugin (the default for Amazon EKS).
- Ensure that the Kubernetes cluster's security group permits inbound traffic from the host. You may need to add a rule allowing traffic from the hosts or VMs.
- For successful communication with an EKS cluster, the appropriate IAM roles must be configured.
- The host or VM must also be authenticated to access the cluster using tools such as aws-iam-authenticator and the AWS CLI
GKE
- To enable communication with your Kubernetes cluster from a non-cluster host, the host must be directly reachable or routable. This configuration is not enabled by default when using GKE’s VPC-native network routing.