System requirements
Node requirements
x86-64 or arm64 processor with at least 2 cores, 8.0GB RAM and 20 GB free disk space
Linux kernel 3.10 or later with required dependencies. The following distributions have the required kernel, its dependencies, and are known to work well with Calico Enterprise and Kubernetes.
- Ubuntu 20.04 and 22.04
- RHEL 8 and 9
- Debian 10
- Azure Linux Container Host
If your node is running RHEL 8 or RHEL 9, you must install a specialized policy package before you install Calico Enterprise. With this package, Calico Enterprise can use SELinux contexts in a series of rules that allow it to interact with persistent and ephemeral data in nonstandard host system locations.
If your node has RHEL 8 installed, then run the following command:
dnf install https://downloads.tigera.io/ee/archives/calico-selinux-1.0-1.el8.noarch.rpmIf your node has RHEL 9 installed, then run the following command:
dnf install https://downloads.tigera.io/ee/archives/calico-selinux-1.0-1.el9.noarch.rpm
Calico Enterprise must be able to manage
cali*interfaces on the host. When IPIP is enabled (the default),Calico Enterprise also needs to be able to managetunl*interfaces. When VXLAN is enabled, Calico Enterprise also needs to be able to manage thevxlan.calicointerface.noteMany Linux distributions, such as most of the above, include NetworkManager. By default, NetworkManager does not allowCalico Enterprise to manage interfaces. If your nodes have NetworkManager, complete the steps in Preventing NetworkManager from controlling Calico Enterprise interfaces before installing Calico Enterprise.
If your Linux distribution comes with installed Firewalld or another iptables manager it should be disabled. These may interfere with rules added by Calico Enterprise and result in unexpected behavior.
noteIf a host firewall is needed, it can be configured by Calico Enterprise HostEndpoint and GlobalNetworkPolicy. More information about configuration at Security for host.
In order to properly run Elasticsearch, nodes must be configured according to the Elasticsearch system configuration documentation.
The Typha autoscaler requires a minimum number of Linux worker nodes based on total number of schedulable nodes.
Total schedulable nodes Required Linux nodes for Typha replicas 1 1 2 2 3 3 up to 250 4 up to 500 5 up to 1000 6 up to 1500 7 up to 2000 8 2000 or more 10
Network requirements
Ensure that your hosts and firewalls allow the necessary traffic based on your configuration. See Component architecture to view the following components.
| Configuration | Host(s) | Port/protocol |
|---|---|---|
| Calico Enterprise networking options | IP-in-IP (default) | Protocol number 4 |
| BGP | TCP 179 | |
| VXLAN | UDP 4789 | |
| Wireguard | UDP 51820 (default) | |
| IPv6 Wireguard | UDP 51821 (default) | |
| Cluster scaling | Any Calico Enterprise networking option above with Typha agents enabled | TCP 5473 (default) |
| APIs | Kubernetes API (kube-apiserver) to access Kubernetes API datastore | Often TCP 443 or 6443* |
| Calico Enterprise API server | TCP 8080 and 5443 (default) | |
| Nodes | calico-node (Felix, BIRD, confd) | TCP 9090 (default) |
| Component metrics | Prometheus metrics | TCP 9081 (default) |
| Prometheus BGP metrics | TCP 9900 (default) | |
| Prometheus API service | TCP 9090 (default) | |
| Prometheus Alertmanager | TCP 9093 (default) | |
| Logs and storage | Elasticsearch with fluentd datastore | TCP 9200 (default) |
| Elasticssearch for cloud (ECK) | TCP 9443 (default) | |
| Elasticsearch gateway | TCP 5444 (default) | |
| Visibility and troubleshooting | Kibana | TCP 5601 (default) |
| Packet capture API | TCP 8444 (default) | |
| Calico Enterprise Manager UI | TCP 9443 (default) | |
| Intrusion Detection System (IDS) | Calico Enterprise intrusion detection | TCP 5443 (default) |
| Compliance | Calico Enterprise compliance | TCP 5443 (default) |
| Multi-cluster management | Additional port required for Manager UI | TCP 9449 |
| Egress gateway | Calico Enterprise egress gateway | UDP 4790 |
* The value passed to kube-apiserver using the --secure-portflag. If you cannot locate this, check the targetPort value returned by kubectl get svc kubernetes -o yaml.
Privilege requirements
Ensure that Calico Enterprise has the CAP_SYS_ADMIN privilege.
The simplest way to provide the necessary privilege is to run Calico Enterprise as root or in a privileged container.
When installed as a Kubernetes daemon set, Calico Enterprise meets this requirement by running as a privileged container. This requires that the kubelet be allowed to run privileged containers. There are two ways this can be achieved.
- Specify
--allow-privilegedon the kubelet (deprecated). - Use a pod security policy.
CNI plug-in enabled
Calico Enterprise must be installed as a CNI plugin in the container runtime.
This installation must use the Kubernetes default CNI configuration directory (/etc/cni/net.d) and binary directory (/opt/cni/bin).
Other network providers
Generally, you cannot use Calico Enterprise together with another network provider.
Notable exceptions include certain platform-specific CNIs, such as the AWS VPC CNI and Azure VNET CNI plugins.
If you're working with a cluster that already uses another CNI, you cannot migrate to Calico Enterprise.
Supported kube-proxy modes
Calico Enterprise supports the following kube-proxy modes:
iptables(default)
IP pool configuration
The IP range selected for pod IP addresses cannot overlap with any other IP ranges in your network, including:
- The Kubernetes service cluster IP range
- The range from which host IPs are allocated
Kernel Dependencies
If you are using one of the recommended distributions, you will already satisfy these.
Due to the large number of distributions and kernel version out there, it’s hard to be precise about the names of the particular kernel modules that are required to run Calico Enterprise. However, in general, you’ll need:
The
iptablesmodules (both the “legacy” and “nft” variants are supported). These are typically broken up into many small modules, one for each type of match criteria and one for each type of action. Calico Enterprise requires:- The “base” modules (including the IPv6 versions if IPv6 is enabled in your cluster).
- At least the following match criteria:
set,rpfilter,addrtype,comment,conntrack,icmp,tcp,udp,ipvs,icmpv6(if IPv6 is enabled in your kernel),mark,multiport,rpfilter,sctp,ipvs(if usingkube-proxyin IPVS mode). - At least the following actions:
REJECT,ACCEPT,DROP,LOG.
IP sets support.
Netfilter Conntrack support compiled in (with SCTP support if using SCTP).
IPVS support if using
kube-proxyin IPVS mode.IPIP, VXLAN, Wireguard support, if using Calico Enterprise networking in one of those modes.
eBPF (including the
tchook support) and XDP (if you want to use the eBPF dataplane).