Amazon Elastic Kubernetes Service (EKS)
Big picture
Install Calico Enterprise on an EKS managed Kubernetes cluster.
Before you begin
CNI support
- Calico CNI for networking with Calico Enterprise network policy
- AWS CNI networking with Calico Enterprise network policy
Required
- You have a compatible EKS cluster.
- Your cluster meets the system requirements.
- You disabled network policy for the AWS VPC CNI.
- You have a Tigera license key and credentials.
- You installed kubectl on your workstation.
How to
- Option A: Install with Amazon VPC networking
- Option B: Install with Calico CNI networking
- Install the Calico Enterprise license
Install EKS with Amazon VPC networking
Install the Tigera operator and custom resource definitions.
kubectl create -f https://downloads.tigera.io/ee/v3.19.4/manifests/tigera-operator.yaml
Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be used to deploy Prometheus server and Alertmanager to monitor Calico Enterprise metrics.
Note: If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.
kubectl create -f https://downloads.tigera.io/ee/v3.19.4/manifests/tigera-prometheus-operator.yaml
Install your pull secret.
If pulling images directly from quay.io/tigera, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.
kubectl create secret generic tigera-pull-secret \
  --type=kubernetes.io/dockerconfigjson -n tigera-operator \
  --from-file=.dockerconfigjson=<path/to/pull/secret>
Install any extra Calico Enterprise resources needed at cluster start using calicoctl.
Install the Tigera custom resources. For more information on configuration options available in this manifest, see the installation reference.
kubectl create -f https://downloads.tigera.io/ee/v3.19.4/manifests/eks/custom-resources.yaml
You can now monitor progress with the following command:
watch kubectl get tigerastatus
Wait until the apiserver shows a status of Available, then proceed to install the Calico Enterprise license.
Install EKS with Calico networking
Calico Enterprise networking cannot currently be installed on the EKS control plane nodes. As a result, the control plane nodes will not be able to initiate network connections to Calico Enterprise pods. (This is a general limitation of EKS's custom networking support, not specific to Calico Enterprise.) As a workaround, trusted pods that require control plane nodes to connect to them, such as those implementing admission controller webhooks, can include hostNetwork: true in their pod spec. See the Kubernetes API pod spec definition for more information on this setting.
Create an EKS cluster
For these instructions, we will use eksctl to provision the cluster. However, you can use any of the methods in Getting Started with Amazon EKS. Before you get started, make sure you have downloaded and configured the necessary prerequisites.
First, create an Amazon EKS cluster without any nodes.
eksctl create cluster --name my-calico-cluster --without-nodegroup
Since this cluster will use Calico Enterprise for networking, you must delete the aws-node daemon set to disable AWS VPC networking for pods.
kubectl delete daemonset -n kube-system aws-node
Install Calico Enterprise
Install the Tigera operator and custom resource definitions.
kubectl create -f https://downloads.tigera.io/ee/v3.19.4/manifests/tigera-operator.yaml
Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be used to deploy Prometheus server and Alertmanager to monitor Calico Enterprise metrics.
Note: If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.
kubectl create -f https://downloads.tigera.io/ee/v3.19.4/manifests/tigera-prometheus-operator.yaml
Install your pull secret.
If pulling images directly from quay.io/tigera, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.
kubectl create secret generic tigera-pull-secret \
  --type=kubernetes.io/dockerconfigjson -n tigera-operator \
  --from-file=.dockerconfigjson=<path/to/pull/secret>
Install any extra Calico Enterprise resources needed at cluster start using calicoctl.
To configure Calico Enterprise for use with the Calico CNI plugin, we must create an Installation resource that has spec.cni.type: Calico. Install the custom-resources-calico-cni.yaml manifest, which includes this configuration. For more information on configuration options available in this manifest, see the installation reference.
kubectl create -f https://downloads.tigera.io/ee/v3.19.4/manifests/eks/custom-resources-calico-cni.yaml
Finally, add nodes to the cluster.
eksctl create nodegroup --cluster my-calico-cluster --node-type t3.xlarge --node-ami auto --max-pods-per-node 100
Tip: Without the --max-pods-per-node option above, EKS will limit the number of pods based on node-type. See eksctl create nodegroup --help for the full set of node group options.
Monitor progress with the following command:
watch kubectl get tigerastatus
Wait until the apiserver shows a status of Available, then proceed to the next section.
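Both install paths above (Amazon VPC networking and Calico CNI networking) gate on two things a script can check rather than a person watching a terminal: for Option B, that the aws-node daemon set really is gone before the Calico CNI manifest is applied, and for both, that tigerastatus reports apiserver as Available. The POSIX shell helpers below are an added example, not part of the Calico Enterprise docs or tooling. They assume kubectl is on PATH and authenticated against the EKS cluster; the function names and the sample kubectl tables are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Calico Enterprise docs). Helpers for the two install
# gates above: (1) confirm the aws-node daemon set is gone before the Calico CNI
# install, (2) wait for a tigerastatus component (e.g. apiserver) to report
# AVAILABLE=True. Assumes kubectl is on PATH and authenticated to the cluster.
# Function names and the sample tables below are constructed for this example.

# Return 0 if the `kubectl get tigerastatus` table in $1 shows component $2
# with AVAILABLE=True (columns: NAME AVAILABLE PROGRESSING DEGRADED SINCE).
tigerastatus_available() {
  printf '%s\n' "$1" | awk -v want="$2" '
    NR == 1 { next }                         # skip the header row
    $1 == want && $2 == "True" { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Return 0 if the `kubectl get daemonset -n kube-system -o name` listing in $1
# still contains the AWS VPC CNI daemon set (it must be deleted for Option B).
aws_node_present() {
  printf '%s\n' "$1" | grep -qx 'daemonset.apps/aws-node'
}

# Live check: refuse to continue with the Calico CNI install while aws-node exists.
ensure_aws_node_deleted() {
  if aws_node_present "$(kubectl get daemonset -n kube-system -o name 2>/dev/null)"; then
    echo "aws-node daemon set still present; run: kubectl delete daemonset -n kube-system aws-node" >&2
    return 1
  fi
}

# Live poll: $1 = component, $2 = timeout seconds (default 600), $3 = interval (default 10).
wait_for_tigerastatus() {
  component=$1; timeout=${2:-600}; interval=${3:-10}; elapsed=0; status=''
  while [ "$elapsed" -lt "$timeout" ]; do
    status=$(kubectl get tigerastatus 2>/dev/null)
    if tigerastatus_available "$status" "$component"; then
      echo "$component is Available"
      return 0
    fi
    sleep "$interval"; elapsed=$((elapsed + interval))
  done
  echo "timed out after ${timeout}s waiting for $component; last status:" >&2
  printf '%s\n' "$status" >&2
  return 1
}

# Constructed sample tables in kubectl's output format, for exercising the parsers offline.
SAMPLE_PROGRESSING='NAME        AVAILABLE   PROGRESSING   DEGRADED   SINCE
apiserver   False       True          False      10s
calico      True        False         False      2m'
SAMPLE_READY='NAME        AVAILABLE   PROGRESSING   DEGRADED   SINCE
apiserver   True        False         False      2m
calico      True        False         False      4m'
SAMPLE_DS_BEFORE='daemonset.apps/aws-node
daemonset.apps/kube-proxy'
SAMPLE_DS_AFTER='daemonset.apps/kube-proxy'

# Typical use after applying custom-resources-calico-cni.yaml:
#   ensure_aws_node_deleted && wait_for_tigerastatus apiserver 900 15
```

The parsing is split from the live kubectl calls so the status logic can be exercised against captured output; in a pipeline the non-zero return from wait_for_tigerastatus is what should stop the next step (installing the license) from running against a cluster whose apiserver never came up.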
Install the Calico Enterprise license
In order to use Calico Enterprise, you must install the license provided to you by Tigera.
kubectl create -f </path/to/license.yaml>
You can now monitor progress with the following command:
watch kubectl get tigerastatus
Next steps
Recommended