Skip to main content
Calico Enterprise 3.19 (latest) documentation

Requirements

What's supported in this release

✓ Install:

  • Manual install for Kubernetes clusters on Windows nodes
  • Operator install for Kubernetes clusters using hostprocess containers (HPC) on Windows nodes

✓ Platforms: Kubernetes, OpenShift, RKE, EKS, AKS

✓ Networking:

  • Kubernetes, on-premises: Calico CNI with BGP or VXLAN
  • OpenShift: Calico CNI with BGP or VXLAN
  • Rancher Kubernetes Engine: Calico CNI with BGP or VXLAN
  • EKS: VPC CNI
  • AKS: Azure CNI

Requirements

Because the Kubernetes and Calico Enterprise control components do not run on Windows yet, a hybrid Linux/Windows cluster is required.

CNI and networking options

The following table summarizes the networking options and considerations.

NetworkingComponentsValue/Content
Calico Enterprise BGPWindows CNI plugin:

calico.exe

Linux: Calico Enterprise for policy and networking
Calico Enterprise's native networking approach, supports:
- Auto-configured node-to-node BGP mesh over an L2 fabric
- Peering with external routers for an L3 fabric
- Calico Enterprise IPAM and IP aggregation (with some limitations)
- Route reflectors Note: Windows node cannot act as route reflectors.
- Kubernetes API datastore driver

AWS users: If running on AWS, you must disable the source/dest check on your EC2 instances so that hosts can forward traffic on behalf of pods.
Calico Enterprise VXLANWindows CNI plugin:
calico.exe

Linux: Calico Enterprise for policy and networking
Calico Enterprise's VXLAN overlay, supports:

- VXLAN overlay, which can traverse most networks.
- Auto-configured node-to-node routing
- Calico Enterprise IPAM and IP aggregation (with some limitations)
- Kubernetes API datastore driver
Note: VXLAN runs on UDP port 4789 (this is the only port supported by Windows), remember to open that port between your Calico Enterprise hosts in any firewalls / security groups.
Cloud providerWindows CNI plugin: win-bridge.exe

Linux: Calico Enterprise policy-only
A useful fallback, particularly if you have a Kubernetes cloud provider that automatically installs inter-host routes. Calico Enterprise has been tested with the standard win-bridge.exe CNI plugin so it should work with any networking provider that ultimately uses win-bridge.exe to network the pod (such as the Azure CNI plugin and cloud provider).
note

If Calico CNI with VXLAN is used, BGP must be disabled. See the installation reference.

Kubernetes version

For Kubernetes versions for your platform, see Support and compatibility.

When using Operator install and Windows hostprocess containers (HPC), see here for the additional requirements.

Linux platform requirements

  • At least four Linux Kubernetes worker nodes to run Calico Enterprise's cluster-wide components that meets Linux system requirements, and is installed with Calico Enterprise v3.5.0+
  • Must not be running in eBPF mode
  • VXLAN or BGP without encapsulation is supported if using Calico Enterprise CNI. IPIP (Calico Enterprise's default encapsulation mode) is not supported. Use the following command to turn off IPIP.
kubectl patch felixconfiguration default -p '{"spec":{"ipipEnabled":false}}'
  • If using Calico Enterprise IPAM, strict affinity of IPAM configuration must be set to true.
kubectl patch ipamconfigurations default --type merge --patch='{"spec": {"strictAffinity": true}}'
note

For operator-managed Linux Calico Enterprise clusters, three Linux worker nodes are required to meet high-availability requirements for Typha.

Windows platform requirements

  • Windows versions:

    • Windows Server 1809 (build 17763.1432 or later)
    • Windows Server 2022 (build 20348.169 or later)
    note

    Windows Server version support differs for each Kubernetes version. Review the Windows OS Version Support table for the Windows Server versions supported by each Kubernetes version.

Operator install requirements

Manual install requirements

The Calico Enterprise for Windows standard manual installation is distributed as a .zip archive.

note

The manual method for installing Calico Enterprise for Windows is deprecated in favor of using the Operator and Windows HostProcess containers (HPC). Support for this method will be dropped in a future Calico Enterprise version.

  • Be able to run commands as Administrator using PowerShell.
  • Container runtime: Docker or containerd is installed and running. If containerd is running, it will be used as the container runtime otherwise Docker is assumed.
  • Remote access to the Windows node via Remote Desktop Protocol (RDP), Windows Remote Management (WinRM) or ssh.
  • If you are using Calico Enterprise BGP networking, the RemoteAccess service must be installed for the Windows BGP Router.
  • Windows nodes support only a single IP pool type (so, if using a VXLAN pool, you should only use VXLAN throughout the cluster).
  • TLS v1.2 enabled. For example:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

EKS requirements

  • The VPC controllers must be installed to run Windows pods.
  • An instance role on the Windows instance must have permissions to get namespaces and get secrets in the calico-system namespace (or kube-system namespace if you are using a non operator-managed Calico Enterprise installation.)

AKS requirements

  • Calico Enterprise for Windows can be enabled only on newly created clusters.
  • Non-HPC Calico Enterprise for Windows is available with Kubernetes version 1.20 or later

Next steps

Install Calico for Windows using operator Install Calico for Windows using the manual installation method