Microsoft Azure Kubernetes Service (AKS)
Big pictureβ
Install Calico Enterprise on an AKS managed Kubernetes cluster.
Before you beginβ
CNI support
Calico CNI for networking with Calico Enterprise network policy
The geeky details of what you get:
Policy IPAM CNI Overlay Routing Datastore Azure CNI networking with Calico Enterprise network policy
The geeky details of what you get:
Policy IPAM CNI Overlay Routing Datastore Azure CNI with overlay networking with Calico Enterprise network policy
The geeky details of what you get:
Policy IPAM CNI Overlay Routing Datastore
Required
- To use the Calico CNI, you must configure the AKS cluster with Bring your own CNI
- To use the Azure CNI, see Azure CNI networking
- To use the Azure CNI with overlay networking, see Azure CNI with Overlay
Cluster is not using a Kubernetes reconciler
If your cluster has an existing version of Calico Enterprise installed, verify that the cluster is not managed by any kind of Kubernetes reconciler. For example, if addon-manager exists, there will be an annotation called,
addonmanager.kubernetes.io/modeon either of the following resources (if the resources exist):tigera-operatordeployment in thetigera-operatornamespacecalico-nodedaemonset in thekube-systemnamespace
User account has IAM permissions
Verify your user account has IAM permissions to create Kubernetes ClusterRoles, ClusterRoleBindings, Deployments, Service Accounts, and Custom Resource Definitions. The easiest way to grant permissions is to assign the "Kubernetes Service Cluster Admin Roleβ to your user account. For help, see AKS access control.
Cluster meets system requirements
- Option A: Install with Azure CNI networking
- Option B: Install with Calico networking
- Install the Calico Enterprise license
Install with Azure CNI networkingβ
Install the Tigera operator and custom resource definitions.
kubectl create -f https://downloads.tigera.io/ee/v3.18.2/manifests/tigera-operator.yamlInstall the Prometheus operator and related custom resource definitions. The Prometheus operator will be used to deploy Prometheus server and Alertmanager to monitor Calico Enterprise metrics.
noteIf you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.kubectl create -f https://downloads.tigera.io/ee/v3.18.2/manifests/tigera-prometheus-operator.yamlInstall your pull secret.
If pulling images directly from
quay.io/tigera, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.kubectl create secret generic tigera-pull-secret \
--type=kubernetes.io/dockerconfigjson -n tigera-operator \
--from-file=.dockerconfigjson=<path/to/pull/secret>For the Prometheus operator, create the pull secret in the
tigera-prometheusnamespace and then patch the deployment.kubectl create secret generic tigera-pull-secret \
--type=kubernetes.io/dockerconfigjson -n tigera-prometheus \
--from-file=.dockerconfigjson=<path/to/pull/secret>
kubectl patch deployment -n tigera-prometheus calico-prometheus-operator \
-p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name": "tigera-pull-secret"}]}}}}'Install any extra Calico Enterprise resources needed at cluster start using calicoctl.
Install the Tigera custom resources. For more information on configuration options available in this manifest, see the installation reference.
kubectl create -f https://downloads.tigera.io/ee/v3.18.2/manifests/aks/custom-resources.yamlYou can now monitor progress with the following command:
watch kubectl get tigerastatus
Wait until the apiserver shows a status of Available, then proceed to install the Calico Enterprise license.
Install with Calico Enterprise networkingβ
Install the Tigera operator and custom resource definitions.
kubectl create -f https://downloads.tigera.io/ee/v3.18.2/manifests/tigera-operator.yamlInstall the Prometheus operator and related custom resource definitions. The Prometheus operator will be used to deploy Prometheus server and Alertmanager to monitor Calico Enterprise metrics.
noteIf you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.kubectl create -f https://downloads.tigera.io/ee/v3.18.2/manifests/tigera-prometheus-operator.yamlInstall your pull secret.
If pulling images directly from
quay.io/tigera, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.kubectl create secret generic tigera-pull-secret \
--type=kubernetes.io/dockerconfigjson -n tigera-operator \
--from-file=.dockerconfigjson=<path/to/pull/secret>For the Prometheus operator, create the pull secret in the
tigera-prometheusnamespace and then patch the deployment.kubectl create secret generic tigera-pull-secret \
--type=kubernetes.io/dockerconfigjson -n tigera-prometheus \
--from-file=.dockerconfigjson=<path/to/pull/secret>
kubectl patch deployment -n tigera-prometheus calico-prometheus-operator \
-p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name": "tigera-pull-secret"}]}}}}'Install any extra Calico Enterprise resources needed at cluster start using calicoctl.
Install the Tigera custom resources. For more information on configuration options available in this manifest, see the installation reference.
kubectl create -f https://downloads.tigera.io/ee/v3.18.2/manifests/aks/custom-resources-calico-cni.yamlYou can now monitor progress with the following command:
watch kubectl get tigerastatus
Wait until the apiserver shows a status of Available, then proceed to install the Calico Enterprise license.
Install the Calico Enterprise licenseβ
In order to use Calico Enterprise, you must install the license provided to you by Tigera.
kubectl create -f </path/to/license.yaml>
You can now monitor progress with the following command:
watch kubectl get tigerastatus