Skip to main content
Calico Enterprise 3.23 (latest) documentation

Operations

Post-installation tasks for managing Calico Enterprise.

Configuring the web console

Configure access to the web console

Expose the Calico Enterprise web console outside the cluster through ingress, a load balancer service, or port forwarding for administrator access.

Authentication quickstart

Sign in to the Calico Enterprise web console and Kibana with default service-account token authentication for a quick first-time setup.

Configure an external identity provider

Connect an external identity provider to Calico Enterprise so users authenticate against an existing IdP when signing in to the web console and Kibana.

Configure user roles and permissions

Configure Kubernetes RBAC roles and bindings to scope user access to Calico Enterprise features, tiered policies, observability views, and management plane APIs.

calicoctl and calicoq

Install calicoctl

Install the calicoctl command-line tool as a binary, container, or kubectl plugin so administrators can manage Calico Enterprise resources from any workstation.

Configure calicoctl

Overview reference for configuring calicoctl datastore access in Calico Enterprise, comparing config-file, environment-variable, and kubeconfig methods.

Configure calicoctl to connect to the datastore

Sample calicoctl configuration for connecting to the Kubernetes API datastore in a Calico Enterprise cluster, with kubeconfig credential settings.

Install calicoq

Install the calicoq command-line tool as a binary or container on any host with network access to the Calico Enterprise datastore.

Configure calicoq

Overview reference for configuring calicoq datastore access in Calico Enterprise, covering config files, environment variables, and Kubernetes credentials.

Configure calicoq to connect to the datastore

Sample calicoq configuration for connecting to the Kubernetes API datastore in a Calico Enterprise cluster, with kubeconfig credential settings.

Securing component communications

See Provide TLS certificates for Calico Enterprise components for the consolidated TLS reference.

Storage

Log storage recommendations

Reference recommendations for Calico Enterprise log storage covering Elastic Cloud on Kubernetes, StorageClasses, node sizing, and production capacity.

Configure storage for logs and reports

Configure persistent storage in Calico Enterprise for flow logs, DNS logs, audit logs, and compliance reports before installation.

Adjust log storage size

Resize the Calico Enterprise log storage cluster by tuning node counts, replicas, CPU, and memory during or after installation for production workloads.

Advanced Node Scheduling

Steer Calico Enterprise Elasticsearch pod and replica placement across Kubernetes nodes with data-node selectors and shard scheduling controls.

Monitoring

Prometheus support

Reference for Prometheus support in Calico Enterprise covering the bundled operator-managed install and bring-your-own Prometheus deployment options.

Bring your own Prometheus

Scrape Calico Enterprise component metrics from an existing bring-your-own Prometheus deployment instead of the bundled operator-managed Prometheus.

Configure Prometheus

Configure Calico Enterprise Prometheus rules for denied-packet alerts and persistent storage by editing the bundled PrometheusRule and StorageClass resources.

Configure Alertmanager

Configure Alertmanager in a Calico Enterprise cluster to route Prometheus alerts to operators with deduplication, grouping, silencing, and inhibition rules.

Recommended Prometheus metrics

Recommended Prometheus metrics for Calico Enterprise Typha, Felix, and policy components, covering the signals most critical to cluster health.

BGP metrics

Monitor BGP peering and route exchange in Calico Enterprise clusters by defining Prometheus rules and thresholds for peer health and route counts.

Policy metrics

Monitor the runtime effect of Calico Enterprise policies on cluster traffic by defining Prometheus rules and thresholds that fire alerts on policy hits.

Elasticsearch and Fluentd metrics

Track Calico Enterprise Elasticsearch and Fluentd metrics in Prometheus to alert on flow, DNS, audit, and compliance log collection or storage disruptions.

eBPF

eBPF use cases

Guidance on when the Calico Enterprise eBPF data plane fits a workload compared to the standard iptables data plane, with trade-offs and feature comparisons.

Enable eBPF on an existing cluster

Switch a running Calico Enterprise cluster to the eBPF data plane on an existing installation as an alternative to the iptables data plane.

Install in eBPF mode

Install Calico Enterprise with the eBPF data plane during initial cluster setup as an alternative to the iptables data plane.

Troubleshoot eBPF mode

Troubleshooting guide for the Calico Enterprise eBPF data plane covering verification logs, service connectivity, BPF map inspection, and common failure modes.

Troubleshooting

Troubleshooting and diagnostics

Troubleshooting guide for Calico Enterprise clusters covering kubectl-calico diagnostics bundles, log severity tuning, common failure patterns, and where to report issues.

Troubleshooting commands

Reference of command-line tools and kubectl invocations for verifying cluster, routing, policy, and component health in Calico Enterprise.

Component logs

Reference for locating and collecting Calico Enterprise component logs including calico/node, Felix, Typha, Linseed, and observability stack output.

Other operations tasks

Decommission a node

Manually decommission a node in a Calico Enterprise cluster, releasing IP allocations and BGP peers from the cluster datastore cleanly.

License expiration and renewal

Track Calico Enterprise license expiration through tigerastatus and operator-exposed Prometheus metrics to keep observability and management features available.