Quickstart for Calico Enterprise on Kubernetes

Big picture

Install Calico Enterprise on a single-host Kubernetes cluster in approximately 15 minutes.

To deploy a cluster suitable for production, see Calico Enterprise on Kubernetes.

Before you begin

CNI support

Calico CNI for networking with Calico Enterprise network policy:

The geeky details of what you get:

Policy	IPAM	CNI	Overlay	Routing	Datastore

Required

A Linux host that meets the following requirements.

• x86-64
• 2CPU
• 12GB RAM
• 50GB free disk space
• Ubuntu Server 18.04
• Internet access
• Sufficient virtual memory

How to

• Install Kubernetes
• Install Calico Enterprise
• Install the Calico Enterprise license
• Log in to Calico Enterprise Manager

Install Kubernetes

1. Follow the Kubernetes instructions to install kubeadm. For a compatible version for this release, see Support and compatibility.

   note

   After installing kubeadm, do not power down or restart the host. Instead, continue directly to the next step.

2. As a regular user with sudo privileges, open a terminal on the host that you installed kubeadm on.

3. Initialize the control plane using the following command.

   sudo kubeadm init --pod-network-cidr=192.168.0.0/16 \
   --apiserver-cert-extra-sans=127.0.0.1
   note

   If 192.168.0.0/16 is already in use within your network you must select a different pod network CIDR, replacing 192.168.0.0/16 in the above command.

4. Execute the following commands to configure kubectl (also returned by kubeadm init).

   mkdir -p $HOME/.kube
   sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
   sudo chown $(id -u):$(id -g) $HOME/.kube/config

5. Remove the taint from the control plane to allow Kubernetes to schedule pods on the control plane node.

   kubectl taint nodes --all node-role.kubernetes.io/master-

Install Calico Enterprise

1. Configure a storage class for Calico Enterprise.

2. Install the Tigera operator and custom resource definitions.

   kubectl create -f https://downloads.tigera.io/ee/v3.18.2/manifests/tigera-operator.yaml

3. Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be used to deploy Prometheus server and Alertmanager to monitor Calico Enterprise metrics.

   note

   If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.

   kubectl create -f https://downloads.tigera.io/ee/v3.18.2/manifests/tigera-prometheus-operator.yaml

4. Install your pull secret.

   If pulling images directly from quay.io/tigera, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.

   kubectl create secret generic tigera-pull-secret \
       --type=kubernetes.io/dockerconfigjson -n tigera-operator \
       --from-file=.dockerconfigjson=<path/to/pull/secret>

   For the Prometheus operator, create the pull secret in the tigera-prometheus namespace and then patch the deployment.

   kubectl create secret generic tigera-pull-secret \
       --type=kubernetes.io/dockerconfigjson -n tigera-prometheus \
       --from-file=.dockerconfigjson=<path/to/pull/secret>
   kubectl patch deployment -n tigera-prometheus calico-prometheus-operator \
       -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name": "tigera-pull-secret"}]}}}}'

5. Install the Tigera custom resources. For more information on configuration options available in this manifest, see the installation reference.

   kubectl create -f https://downloads.tigera.io/ee/v3.18.2/manifests/custom-resources.yaml

   Monitor progress with the following command:

   watch kubectl get tigerastatus

   Wait until the apiserver shows a status of Available, then proceed to the next section.

Install the Calico Enterprise license

To use Calico Enterprise, you must install the license provided to you by Tigera.

kubectl create -f </path/to/license.yaml>

Monitor progress with the following command:

watch kubectl get tigerastatus

When all components show a status of Available, proceed to the next section.

Log in to Calico Enterprise Manager

1. Create network admin user "Jane".

   kubectl create sa jane -n default
   kubectl create clusterrolebinding jane-access --clusterrole tigera-network-admin --serviceaccount default:jane

2. Create a login token for use with the Calico Enterprise UI.

   kubectl create token jane --duration=24h

   Copy the token from the above command to your clipboard for use in the next step.

   note

   The token created above will expire after 24 hours.

3. Set up a channel from your local computer to the Calico Enterprise UI.

   kubectl port-forward -n tigera-manager svc/tigera-manager 9443

   Visit https://localhost:9443/ to log in to the Calico Enterprise UI. Use the token from the previous step to authenticate.

Congratulations! You now have a single-host Kubernetes cluster with Calico Enterprise.

Next steps

• By default, your cluster networking uses IP in IP encapsulation with BGP routing. To review other networking options, see Determine best networking option.
• Get started with Calico Enterprise tiered network policy