Skip to main content
Version: 3.18 (latest)

Microsoft Azure Kubernetes Service (AKS)

Big picture​

Install Calico Enterprise on an AKS managed Kubernetes cluster.

Before you begin​

CNI support

  • Calico CNI for networking with Calico Enterprise network policy

    The geeky details of what you get:

    PolicyIPAMCNIOverlayRoutingDatastore
  • Azure CNI networking with Calico Enterprise network policy

    The geeky details of what you get:

    PolicyIPAMCNIOverlayRoutingDatastore
  • Azure CNI with overlay networking with Calico Enterprise network policy

    The geeky details of what you get:

    PolicyIPAMCNIOverlayRoutingDatastore

Recommended

  • Set suggested value for maximum number of pods per node

    It is recommended to set the maximum pods per node to be at least 60 for use with Calico Enterprise. The default value in AKS is 30. If you need to increase the number of pods per node, see Configure maximum pods per node.

Required

  • A compatible AKS cluster

  • Cluster is not using a Kubernetes reconciler

    If your cluster has an existing version of Calico Enterprise installed, verify that the cluster is not managed by any kind of Kubernetes reconciler. For example, if addon-manager exists, there will be an annotation called, addonmanager.kubernetes.io/mode on either of the following resources (if the resources exist):

    • tigera-operator deployment in the tigera-operator namespace
    • calico-node daemonset in the kube-system namespace
  • User account has IAM permissions

    Verify your user account has IAM permissions to create Kubernetes ClusterRoles, ClusterRoleBindings, Deployments, Service Accounts, and Custom Resource Definitions. The easiest way to grant permissions is to assign the "Kubernetes Service Cluster Admin Role” to your user account. For help, see AKS access control.

  • Cluster meets system requirements

  • A Tigera license key and credentials

  • Install kubectl

  1. Option A: Install with Azure CNI networking
  2. Option B: Install with Calico networking
  3. Install the Calico Enterprise license

Install with Azure CNI networking​

  1. Install the Tigera operator and custom resource definitions.

    kubectl create -f https://downloads.tigera.io/ee/v3.18.3/manifests/tigera-operator.yaml
  2. Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be used to deploy Prometheus server and Alertmanager to monitor Calico Enterprise metrics.

    note
    If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.
    kubectl create -f https://downloads.tigera.io/ee/v3.18.3/manifests/tigera-prometheus-operator.yaml
  3. Install your pull secret.

    If pulling images directly from quay.io/tigera, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.

    kubectl create secret generic tigera-pull-secret \
    --type=kubernetes.io/dockerconfigjson -n tigera-operator \
    --from-file=.dockerconfigjson=<path/to/pull/secret>

    For the Prometheus operator, create the pull secret in the tigera-prometheus namespace and then patch the deployment.

    kubectl create secret generic tigera-pull-secret \
    --type=kubernetes.io/dockerconfigjson -n tigera-prometheus \
    --from-file=.dockerconfigjson=<path/to/pull/secret>
    kubectl patch deployment -n tigera-prometheus calico-prometheus-operator \
    -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name": "tigera-pull-secret"}]}}}}'
  4. Install any extra Calico Enterprise resources needed at cluster start using calicoctl.

  5. Install the Tigera custom resources. For more information on configuration options available in this manifest, see the installation reference.

    kubectl create -f https://downloads.tigera.io/ee/v3.18.3/manifests/aks/custom-resources.yaml

    You can now monitor progress with the following command:

    watch kubectl get tigerastatus

Wait until the apiserver shows a status of Available, then proceed to install the Calico Enterprise license.

Install with Calico Enterprise networking​

  1. Configure a storage class for Calico Enterprise.

  2. Install the Tigera operator and custom resource definitions.

    kubectl create -f https://downloads.tigera.io/ee/v3.18.3/manifests/tigera-operator.yaml
  3. Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be used to deploy Prometheus server and Alertmanager to monitor Calico Enterprise metrics.

    note
    If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.
    kubectl create -f https://downloads.tigera.io/ee/v3.18.3/manifests/tigera-prometheus-operator.yaml
  4. Install your pull secret.

    If pulling images directly from quay.io/tigera, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.

    kubectl create secret generic tigera-pull-secret \
    --type=kubernetes.io/dockerconfigjson -n tigera-operator \
    --from-file=.dockerconfigjson=<path/to/pull/secret>

    For the Prometheus operator, create the pull secret in the tigera-prometheus namespace and then patch the deployment.

    kubectl create secret generic tigera-pull-secret \
    --type=kubernetes.io/dockerconfigjson -n tigera-prometheus \
    --from-file=.dockerconfigjson=<path/to/pull/secret>
    kubectl patch deployment -n tigera-prometheus calico-prometheus-operator \
    -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name": "tigera-pull-secret"}]}}}}'
  5. Install any extra Calico Enterprise resources needed at cluster start using calicoctl.

  6. Install the Tigera custom resources. For more information on configuration options available in this manifest, see the installation reference.

    kubectl create -f https://downloads.tigera.io/ee/v3.18.3/manifests/aks/custom-resources-calico-cni.yaml

    You can now monitor progress with the following command:

    watch kubectl get tigerastatus

Wait until the apiserver shows a status of Available, then proceed to install the Calico Enterprise license.

Install the Calico Enterprise license​

In order to use Calico Enterprise, you must install the license provided to you by Tigera.

kubectl create -f </path/to/license.yaml>

You can now monitor progress with the following command:

watch kubectl get tigerastatus

Next steps​