Version: 3.18 (latest)

Amazon Elastic Kubernetes Service (EKS)

Big picture

Install Calico Enterprise on an EKS managed Kubernetes cluster.

Before you begin

CNI support

  • Calico CNI for networking with Calico Enterprise network policy

    Default configuration table (columns: Policy, IPAM, CNI, Overlay, Routing, Datastore); the per-column values are not reproduced here.

  • AWS CNI networking with Calico Enterprise network policy

    Default configuration table (columns: Policy, IPAM, CNI, Overlay, Routing, Datastore); the per-column values are not reproduced here.

Required

How to

  1. Option A: Install with Amazon VPC networking
  2. Option B: Install with Calico CNI networking
  3. Install the Calico Enterprise license

Install EKS with Amazon VPC networking

  1. Install the Tigera operator and custom resource definitions.

    kubectl create -f https://downloads.tigera.io/ee/v3.18.3/manifests/tigera-operator.yaml
  2. Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be used to deploy Prometheus server and Alertmanager to monitor Calico Enterprise metrics.

    Note: If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.

    kubectl create -f https://downloads.tigera.io/ee/v3.18.3/manifests/tigera-prometheus-operator.yaml
  3. Install your pull secret.

    If pulling images directly from quay.io/tigera, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.

    kubectl create secret generic tigera-pull-secret \
    --type=kubernetes.io/dockerconfigjson -n tigera-operator \
    --from-file=.dockerconfigjson=<path/to/pull/secret>

    For the Prometheus operator, create the pull secret in the tigera-prometheus namespace and then patch the deployment.

    kubectl create secret generic tigera-pull-secret \
    --type=kubernetes.io/dockerconfigjson -n tigera-prometheus \
    --from-file=.dockerconfigjson=<path/to/pull/secret>
    kubectl patch deployment -n tigera-prometheus calico-prometheus-operator \
    -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name": "tigera-pull-secret"}]}}}}'
  4. Install any extra Calico Enterprise resources needed at cluster start using calicoctl.

  5. Install the Tigera custom resources. For more information on configuration options available in this manifest, see the installation reference.

    kubectl create -f https://downloads.tigera.io/ee/v3.18.3/manifests/eks/custom-resources.yaml

    You can now monitor progress with the following command:

    watch kubectl get tigerastatus

    Wait until the apiserver shows a status of Available, then proceed to install the Calico Enterprise license.

Install EKS with Calico networking

Calico Enterprise networking cannot currently be installed on the EKS control plane nodes. As a result, the control plane nodes will not be able to initiate network connections to Calico Enterprise pods. (This is a general limitation of EKS's custom networking support, not specific to Calico Enterprise.) As a workaround, trusted pods that require control plane nodes to connect to them, such as those implementing admission controller webhooks, can include hostNetwork: true in their pod spec. See the Kubernetes API pod spec definition for more information on this setting.

Create an EKS cluster

For these instructions, we will use eksctl to provision the cluster. However, you can use any of the methods in Getting Started with Amazon EKS.

Before you get started, make sure you have downloaded and configured the necessary prerequisites.

  1. First, create an Amazon EKS cluster without any nodes.

    eksctl create cluster --name my-calico-cluster --without-nodegroup
  2. Since this cluster will use Calico Enterprise for networking, you must delete the aws-node daemon set to disable AWS VPC networking for pods.

    kubectl delete daemonset -n kube-system aws-node

Install Calico Enterprise

  1. Configure a storage class for Calico Enterprise.

  2. Install the Tigera operator and custom resource definitions.

    kubectl create -f https://downloads.tigera.io/ee/v3.18.3/manifests/tigera-operator.yaml
  3. Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be used to deploy Prometheus server and Alertmanager to monitor Calico Enterprise metrics.

    Note: If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.

    kubectl create -f https://downloads.tigera.io/ee/v3.18.3/manifests/tigera-prometheus-operator.yaml
  4. Install your pull secret.

    If pulling images directly from quay.io/tigera, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.

    kubectl create secret generic tigera-pull-secret \
    --type=kubernetes.io/dockerconfigjson -n tigera-operator \
    --from-file=.dockerconfigjson=<path/to/pull/secret>

    For the Prometheus operator, create the pull secret in the tigera-prometheus namespace and then patch the deployment.

    kubectl create secret generic tigera-pull-secret \
    --type=kubernetes.io/dockerconfigjson -n tigera-prometheus \
    --from-file=.dockerconfigjson=<path/to/pull/secret>
    kubectl patch deployment -n tigera-prometheus calico-prometheus-operator \
    -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name": "tigera-pull-secret"}]}}}}'
  5. Install any extra Calico Enterprise resources needed at cluster start using calicoctl.

  6. To configure Calico Enterprise for use with the Calico CNI plugin, we must create an Installation resource that has spec.cni.type: Calico. Install the custom-resources-calico-cni.yaml manifest, which includes this configuration. For more information on configuration options available in this manifest, see the installation reference.

    kubectl create -f https://downloads.tigera.io/ee/v3.18.3/manifests/eks/custom-resources-calico-cni.yaml
  7. Finally, add nodes to the cluster.

    eksctl create nodegroup --cluster my-calico-cluster --node-type t3.xlarge --node-ami auto --max-pods-per-node 100

    Tip: Without the --max-pods-per-node option above, EKS will limit the number of pods based on node-type. See eksctl create nodegroup --help for the full set of node group options.

  8. Monitor progress with the following command:

    watch kubectl get tigerastatus

    Wait until the apiserver shows a status of Available, then proceed to the next section.

Install the Calico Enterprise license

In order to use Calico Enterprise, you must install the license provided to you by Tigera.

kubectl create -f </path/to/license.yaml>

You can now monitor progress with the following command:

watch kubectl get tigerastatus
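The steps shared by Option A (Amazon VPC networking), Option B (Calico CNI networking) and the license install above can be scripted end to end. The script below is an added example written for this page; it is not Tigera's own tooling. It replaces the interactive `watch kubectl get tigerastatus` step with a timed wait that parses the tigerastatus table, succeeds once the requested component (or every component, with `all`) reports AVAILABLE=True, and fails fast as soon as any component reports DEGRADED=True instead of sitting out the full timeout. It assumes the v3.18.3 manifest URLs the page uses, that kubectl is already pointed at the EKS cluster, that the Option B storage class (step 1) is already configured, and that the pull secret and license file paths are supplied through the PULL_SECRET_FILE and LICENSE_FILE variables (names chosen here, not from the page).

```shell
#!/bin/sh
# Added example, not Tigera's script: automates the shared install tail for
# both EKS options on this page and waits on tigerastatus instead of `watch`.
# Assumed inputs (not from the page): PULL_SECRET_FILE, LICENSE_FILE.
set -eu

MANIFESTS=https://downloads.tigera.io/ee/v3.18.3/manifests
PULL_SECRET_FILE=${PULL_SECRET_FILE:-./pull-secret.json}   # assumed local path
LICENSE_FILE=${LICENSE_FILE:-./license.yaml}                # assumed local path

# Parse a `kubectl get tigerastatus` table from stdin (columns: NAME AVAILABLE
# PROGRESSING DEGRADED SINCE). Succeed when the named component's AVAILABLE
# column is True, or, for the pseudo-name "all", when every row is True.
tigerastatus_available() {
  awk -v comp="$1" '
    NR > 1 { rows++; if ($2 != "True") notready++; if ($1 == comp && $2 == "True") ok = 1 }
    END { if (comp == "all") ok = (rows > 0 && notready == 0); exit (ok ? 0 : 1) }'
}

# Print the names of components whose DEGRADED column is True; succeed if any.
tigerastatus_degraded() {
  awk 'NR > 1 && $4 == "True" { print $1; d = 1 } END { exit (d ? 0 : 1) }'
}

# Poll tigerastatus until COMPONENT is Available. Gives up after TIMEOUT
# seconds, or immediately when any component turns Degraded, so a bad pull
# secret or manifest surfaces right away instead of after the timeout.
wait_for_tigerastatus() {
  comp=$1; timeout=${2:-900}; interval=15; elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    table=$(kubectl get tigerastatus 2>/dev/null || true)
    if printf '%s\n' "$table" | tigerastatus_available "$comp"; then
      echo "tigerastatus: $comp is Available"; return 0
    fi
    if degraded=$(printf '%s\n' "$table" | tigerastatus_degraded); then
      echo "tigerastatus: degraded component(s): $degraded" >&2
      kubectl describe tigerastatus $degraded >&2 || true
      return 1
    fi
    sleep "$interval"; elapsed=$((elapsed + interval))
  done
  echo "tigerastatus: timed out after ${timeout}s waiting for $comp" >&2
  return 1
}

# Option B precondition from the page: aws-node must be deleted first, or the
# AWS VPC CNI and Calico CNI would both try to manage pod networking.
ensure_aws_node_removed() {
  if kubectl get daemonset -n kube-system aws-node >/dev/null 2>&1; then
    echo "aws-node daemon set still present; run: kubectl delete daemonset -n kube-system aws-node" >&2
    return 1
  fi
}

# Shared steps: operator, Prometheus operator, pull secrets in both namespaces,
# custom resources (MANIFEST selects the VPC or Calico CNI variant), wait for
# the apiserver, then the license, then wait for everything to come up.
install_calico_enterprise() {
  manifest=$1
  kubectl create -f "$MANIFESTS/tigera-operator.yaml"
  kubectl create -f "$MANIFESTS/tigera-prometheus-operator.yaml"
  for ns in tigera-operator tigera-prometheus; do
    kubectl create secret generic tigera-pull-secret \
      --type=kubernetes.io/dockerconfigjson -n "$ns" \
      --from-file=.dockerconfigjson="$PULL_SECRET_FILE"
  done
  kubectl patch deployment -n tigera-prometheus calico-prometheus-operator \
    -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name": "tigera-pull-secret"}]}}}}'
  kubectl create -f "$MANIFESTS/eks/$manifest"
  wait_for_tigerastatus apiserver
  kubectl create -f "$LICENSE_FILE"
  wait_for_tigerastatus all
}

main() {
  case $1 in
    vpc)    install_calico_enterprise custom-resources.yaml ;;
    calico) ensure_aws_node_removed; install_calico_enterprise custom-resources-calico-cni.yaml ;;
    *)      echo "usage: $0 vpc|calico" >&2; return 2 ;;
  esac
}

# Only touch a cluster when invoked with an argument (`sh install-eks.sh vpc`
# or `sh install-eks.sh calico`); sourcing the file just defines the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run `sh install-eks.sh vpc` after creating the cluster with VPC networking, or `sh install-eks.sh calico` after the eksctl steps in Option B (the script refuses to proceed while aws-node is still present). The parsing functions are separable from kubectl on purpose: they can be exercised against a saved `kubectl get tigerastatus` table, which is also a convenient way to check them before trusting the timeout logic on a real cluster.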

Next steps

Recommended