RKE2

Big picture

Install Calico Enterprise on RKE2 (RKE Government) clusters.

Before you begin

CNI support

Calico CNI for networking with Calico Enterprise network policy:

The geeky details of what you get:

Policy	IPAM	CNI	Overlay	Routing	Datastore

Required

• A compatible RKE2 cluster with 2.6.5 or later

  For help, see Rancher Kubernetes Engine cluster.

• Configure cluster with no CNI plugin using any of these methods:

  • RKE2 CLI: --cni none
  • Install script: RKE2_CNI=none
  • Configuration file: cni: none

• Cluster meets system requirements

• A Tigera license key and credentials.

• A kubectl environment with access to your cluster

  Ensure you have the Kubeconfig file that was generated when you created the cluster.

• If using a Kubeconfig file locally, install and set up the Kubectl CLI tool.

How to

• Install Calico Enterprise
• Install the Calico Enterprise license

Install Calico Enterprise

1. Configure a storage class for Calico Enterprise..

2. Install the Tigera operator and custom resource definitions.

   kubectl create -f https://downloads.tigera.io/ee/v3.19.4/manifests/tigera-operator.yaml

3. Install the Prometheus operator and related custom resource definitions. The Prometheus operator is used to deploy Prometheus server and Alertmanager to monitor Calico Enterprise metrics.

   note

   If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.

   kubectl create -f https://downloads.tigera.io/ee/v3.19.4/manifests/tigera-prometheus-operator.yaml

4. Install your pull secret.

   If pulling images directly from quay.io/tigera, you can use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.

   kubectl create secret generic tigera-pull-secret \
       --type=kubernetes.io/dockerconfigjson -n tigera-operator \
       --from-file=.dockerconfigjson=<path/to/pull/secret>

5. Install any extra Calico resources needed at cluster start using calicoctl.

6. Install the Tigera custom resources. For more information on configuration options available, see the installation reference.

   kubectl create -f https://downloads.tigera.io/ee/v3.19.4/manifests/rancher/custom-resources-rke2.yaml

   Monitor progress with the following command:

   watch kubectl get tigerastatus

   Wait until the apiserver shows a status of Available, then proceed to the next section.

Install the Calico Enterprise license

kubectl create -f </path/to/license.yaml>

Monitor progress with the following command:

watch kubectl get tigerastatus

Next steps

Recommended

• Configure access to Calico Enterprise Manager UI
• Authentication quickstart
• Configure your own identity provider

Recommended - Networking

• The default networking uses VXLAN encapsulation with BGP routing. For all networking options, see Determine best networking option.

Recommended - Security

• Get started with Calico Enterprise tiered network policy