Skip to main content
Calico Enterprise 3.19 (latest) documentation

Create kubeconfig for manually installed Calico for Windows nodes

note

The manual method for installing Calico Enterprise for Windows is deprecated in favor of using the Operator and Windows HostProcess containers (HPC). Support for this method will be dropped in a future Calico Enterprise version.

Big picture

Create kubeconfig for Windows nodes for manual installations of Calico Enterprise for Windows.

How to

In a manual installation of Calico Enterprise for Windows, Calico Enterprise requires a kubeconfig file to access the API server. This section describes how to find an existing calico-node service account used by Calico Enterprise on Linux side, and then to export the service account token as a kubeconfig file for Calico Enterprise to use.

note

In general, the node kubeconfig as used by kubelet does not have enough permissions to access Calico Enterprise-specific resources.

Export calico-node service account token as a kubeconfig file

note

If your Kubernetes version is v1.24.0 or higher, service account token secrets are no longer automatically created. Before continuing, manually create the calico-node service account token:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
name: calico-node-token
namespace: calico-system
annotations:
kubernetes.io/service-account.name: calico-node
type: kubernetes.io/service-account-token
EOF
note

Note: if Calico Enterprise is installed in kube-system, update the namespace in the above command.

To make the kubeconfig file, you'll need the URL of your Kubernetes API server.

note

Kubernetes for Windows does not support access to services from the host so you must use the address of your server, not the Kubernetes service IP.

Set a variable to the URL of your API server:

$ server=https://<server>:<port>

Then, find the secret containing the service account token for the calico-node service account:

kubectl get secret -n calico-system | grep calico-node

Inspect the output and find the name of the token, store it in a variable:

$ name=calico-node-token-xxxxx

Extract the parts of the secret, storing them in variables:

$ ca=$(kubectl get secret/$name -o jsonpath='{.data.ca\.crt}' -n calico-system)

$ token=$(kubectl get secret/$name -o jsonpath='{.data.token}' -n calico-system | base64 --decode)

$ namespace=$(kubectl get secret/$name -o jsonpath='{.data.namespace}' -n calico-system | base64 --decode)

Then, output the file:

cat <<EOF > calico-config
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
cluster:
certificate-authority-data: ${ca}
server: ${server}
contexts:
- name: calico-windows@kubernetes
context:
cluster: kubernetes
namespace: calico-system
user: calico-windows
current-context: calico-windows@kubernetes
users:
- name: calico-windows
user:
token: ${token}
EOF

Copy this config file to the windows node C:\TigeraCalico\calico-kube-config and set the KUBECONFIG environment variable in config.ps1 to point to it.