Skip to main content
Version: 3.18 (latest)

System requirements

Node requirements

  • x86-64 processor with at least 2 cores, 8.0GB RAM and 20 GB free disk space

  • Linux kernel 3.10 or later with required dependencies. The following distributions have the required kernel, its dependencies, and are known to work well with Calico Enterprise and Kubernetes.

    • Ubuntu 20.04 and 22.04
    • RHEL 8 and 9
    • Debian 10
  • If your node is running RHEL 8 or RHEL 9, you must install a specialized policy package before you install Calico Enterprise. With this package, Calico Enterprise can use SELinux contexts in a series of rules that allow it to interact with persistent and ephemeral data in nonstandard host system locations.

    • If your node has RHEL 8 installed, then run the following command:

      dnf install
    • If your node has RHEL 9 installed, then run the following command:

      dnf install
  • Calico Enterprise must be able to manage cali*interfaces on the host. When IPIP is enabled (the default),Calico Enterprise also needs to be able to manage tunl*interfaces. When VXLAN is enabled, Calico Enterprise also needs to be able to manage the vxlan.calico interface.


    Many Linux distributions, such as most of the above, include NetworkManager. By default, NetworkManager does not allowCalico Enterprise to manage interfaces. If your nodes have NetworkManager, complete the steps in Preventing NetworkManager from controlling Calico Enterprise interfaces before installing Calico Enterprise.

  • If your Linux distribution comes with installed Firewalld or another iptables manager it should be disabled. These may interfere with rules added by Calico Enterprise and result in unexpected behavior.


    If a host firewall is needed, it can be configured by Calico Enterprise HostEndpoint and GlobalNetworkPolicy. More information about configuration at Security for host.

  • In order to properly run Elasticsearch, nodes must be configured according to the Elasticsearch system configuration documentation.

  • The Typha autoscaler requires a minimum number of Linux worker nodes based on total number of schedulable nodes.

    Total schedulable nodesRequired Linux nodes for Typha replicas
    up to 2504
    up to 5005
    up to 10006
    up to 15007
    up to 20008
    2000 or more10

Network requirements

Ensure that your hosts and firewalls allow the necessary traffic based on your configuration. See Component architecture to view the following components.

Calico Enterprise networking optionsIP-in-IP (default)Protocol number 4
WireguardUDP 51820 (default)
IPv6 WireguardUDP 51821 (default)
Cluster scalingAny Calico Enterprise networking option above with Typha agents enabledTCP 5473 (default)
APIsKubernetes API (kube-apiserver) to access Kubernetes API datastoreOften TCP 443 or 6443*
Calico Enterprise API serverTCP 8080 and 5443 (default)
Nodescalico-node (Felix, BIRD, confd)TCP 9090 (default)
Component metricsPrometheus metricsTCP 9081 (default)
Prometheus BGP metricsTCP 9900 (default)
Prometheus API serviceTCP 9090 (default)
Prometheus AlertmanagerTCP 9093 (default)
Logs and storageElasticsearch with fluentd datastoreTCP 9200 (default)
Elasticssearch for cloud (ECK)TCP 9443 (default)
Elasticsearch gatewayTCP 5444 (default)
Visibility and troubleshootingKibanaTCP 5601 (default)
Packet capture APITCP 8444 (default)
Calico Enterprise Manager UITCP 9443 (default)
Intrusion Detection System (IDS)Calico Enterprise intrusion detectionTCP 5443 (default)
ComplianceCalico Enterprise complianceTCP 5443 (default)
Multi-cluster managementAdditional port required for Manager UITCP 9449
Egress gatewayCalico Enterprise egress gateway UDP 4790

* The value passed to kube-apiserver using the --secure-portflag. If you cannot locate this, check the targetPort value returned by  kubectl get svc kubernetes -o yaml.

Privilege requirements

Ensure that Calico Enterprise has the CAP_SYS_ADMIN privilege.

The simplest way to provide the necessary privilege is to run Calico Enterprise as root or in a privileged container.

When installed as a Kubernetes daemon set, Calico Enterprise meets this requirement by running as a privileged container. This requires that the kubelet be allowed to run privileged containers. There are two ways this can be achieved.

CNI plug-in enabled

Calico Enterprise must be installed as a CNI plugin in the container runtime.

This installation must use the Kubernetes default CNI configuration directory (/etc/cni/net.d) and binary directory (/opt/cni/bin).

Other network providers

Generally, you cannot use Calico Enterprise together with another network provider.

Notable exceptions include certain platform-specific CNIs, such as the AWS VPC CNI and Azure VNET CNI plugins.

If you're working with a cluster that already uses another CNI, you cannot migrate to Calico Enterprise.

Supported kube-proxy modes

Calico Enterprise supports the following kube-proxy modes:

  • iptables (default)

IP pool configuration

The IP range selected for pod IP addresses cannot overlap with any other IP ranges in your network, including:

  • The Kubernetes service cluster IP range
  • The range from which host IPs are allocated

Kernel Dependencies


If you are using one of the recommended distributions, you will already satisfy these.

Due to the large number of distributions and kernel version out there, it’s hard to be precise about the names of the particular kernel modules that are required to run Calico Enterprise. However, in general, you’ll need:

  • The iptables modules (both the “legacy” and “nft” variants are supported). These are typically broken up into many small modules, one for each type of match criteria and one for each type of action. Calico Enterprise requires:

    • The “base” modules (including the IPv6 versions if IPv6 is enabled in your cluster).
    • At least the following match criteria: set,rpfilter, addrtype, comment,conntrack, icmp, tcp,udp, ipvs, icmpv6 (if IPv6 is enabled in your kernel), mark, multiport,rpfilter, sctp, ipvs (if usingkube-proxy in IPVS mode).
    • At least the following actions: REJECT,ACCEPT, DROP, LOG.
  • IP sets support.

  • Netfilter Conntrack support compiled in (with SCTP support if using SCTP).

  • IPVS support if using kube-proxy in IPVS mode.

  • IPIP, VXLAN, Wireguard support, if using Calico Enterprisenetworking in one of those modes.

  • eBPF (including the tc hook support) and XDP (if you want to use the eBPF dataplane).