Requirements
What's supported in this release​
✓ Install:
- Manual install for Kubernetes clusters on Windows nodes
- Operator install for Kubernetes clusters using hostprocess containers (HPC) on Windows nodes
✓ Platforms: Kubernetes, OpenShift, RKE, EKS, AKS
✓ Networking:
- Kubernetes, on-premises: Calico CNI with BGP or VXLAN
- OpenShift: Calico CNI with BGP or VXLAN
- Rancher Kubernetes Engine: Calico CNI with BGP or VXLAN
- EKS: VPC CNI
- AKS: Azure CNI
Requirements​
Because the Kubernetes and Calico Enterprise control components do not run on Windows yet, a hybrid Linux/Windows cluster is required.
CNI and networking options​
The following table summarizes the networking options and considerations.
| Networking | Components | Value/Content |
|---|---|---|
| Calico Enterprise BGP | Windows CNI plugin: calico.exe Linux: Calico Enterprise for policy and networking | Calico Enterprise's native networking approach, supports: - Auto-configured node-to-node BGP mesh over an L2 fabric - Peering with external routers for an L3 fabric - Calico Enterprise IPAM and IP aggregation (with some limitations) - Route reflectors (including the new in-cluster route reflector introduced in Calico Enterprise v3.3). Note: Windows node cannot act as route reflectors. - Kubernetes API datastore driver AWS users: If running on AWS, you must disable the source/dest check on your EC2 instances so that hosts can forward traffic on behalf of pods. |
| Calico Enterprise VXLAN | Windows CNI plugin: calico.exe Linux: Calico Enterprise for policy and networking | Calico Enterprise's VXLAN overlay, supports: - VXLAN overlay, which can traverse most networks. - Auto-configured node-to-node routing - Calico Enterprise IPAM and IP aggregation (with some limitations) - Kubernetes API datastore driver Note: VXLAN runs on UDP port 4789 (this is the only port supported by Windows), remember to open that port between your Calico Enterprise hosts in any firewalls / security groups. |
| Cloud provider | Windows CNI plugin: win-bridge.exe Linux: Calico Enterprise policy-only | A useful fallback, particularly if you have a Kubernetes cloud provider that automatically installs inter-host routes. Calico Enterprise has been tested with the standard win-bridge.exe CNI plugin so it should work with any networking provider that ultimately uses win-bridge.exe to network the pod (such as the Azure CNI plugin and cloud provider). |
If Calico CNI with VXLAN is used, BGP must be disabled. See the installation reference.
Kubernetes version​
For Kubernetes versions for your platform, see Support and compatibility.
When using Operator install and Windows hostprocess containers (HPC), see here for the additional requirements.
Linux platform requirements​
- At least four Linux Kubernetes worker nodes to run Calico Enterprise's cluster-wide components that meets Linux system requirements, and is installed with Calico Enterprise v3.5.0+
- Must not be running in eBPF mode
- VXLAN or BGP without encapsulation is supported if using Calico Enterprise CNI. IPIP (Calico Enterprise's default encapsulation mode) is not supported. Use the following command to turn off IPIP.
kubectl patch felixconfiguration default -p '{"spec":{"ipipEnabled":false}}'
- If using Calico Enterprise IPAM, strict affinity of IPAM configuration must be set to
true.
kubectl patch ipamconfigurations default --type merge --patch='{"spec": {"strictAffinity": true}}'
For operator-managed Linux Calico Enterprise clusters, three Linux worker nodes are required to meet high-availability requirements for Typha.
Windows platform requirements​
Windows versions:
- Windows Server 1809 (build 17763.1432 or later)
- Windows Server 2022 (build 20348.169 or later)
noteWindows Server version support differs for each Kubernetes version. Review the Windows OS Version Support table for the Windows Server versions supported by each Kubernetes version.
Operator install requirements​
- Kubernetes v1.22+
- Enable HostProcess containers support. For Kubernetes v1.22, see here. For Kubernetes v1.23+, HostProcess containers are enabled by default.
- containerd v1.6.0+
- The Windows nodes have joined the cluster.
- See this section of the operator install guide for example commands.
Manual install requirements​
The Calico Enterprise for Windows standard manual installation is distributed as a .zip archive.
The manual method for installing Calico Enterprise for Windows is deprecated in favor of using the Operator and Windows HostProcess containers (HPC). Support for this method will be dropped in a future Calico Enterprise version.
- Be able to run commands as Administrator using PowerShell.
- Container runtime: Docker or containerd is installed and running. If containerd is running, it will be used as the container runtime otherwise Docker is assumed.
- Remote access to the Windows node via Remote Desktop Protocol (RDP), Windows Remote Management (WinRM) or ssh.
- If you are using Calico Enterprise BGP networking, the RemoteAccess service must be installed for the Windows BGP Router.
- Windows nodes support only a single IP pool type (so, if using a VXLAN pool, you should only use VXLAN throughout the cluster).
- TLS v1.2 enabled. For example:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
EKS requirements​
- The VPC controllers must be installed to run Windows pods.
- An instance role on the Windows instance must have permissions to get
namespacesand getsecretsin the calico-system namespace (or kube-system namespace if you are using a non operator-managed Calico Enterprise installation.)
AKS requirements​
- Calico Enterprise for Windows can be enabled only on newly created clusters.
- Non-HPC Calico Enterprise for Windows is available with Kubernetes version 1.20 or later
Next steps​
Install Calico for Windows using operator Install Calico for Windows using the manual installation method