Calico Enterprise 3.22 (latest) documentation

Install Calico Enterprise using the nftables data plane

This guide shows you how to install Calico Enterprise using the nftables data plane.

nftables is a unified packet filtering and classification framework in the Linux kernel. It was designed to be the successor to the iptables module.

To use nftables, your Kubernetes installation must be configured to use kube-proxy in nftables mode. In Kubernetes versions 1.33 and later, nftables mode is the default. For versions 1.31 and 1.32, you can specify nftables in the KubeProxyConfiguration resource.

Before you begin

Required

  • A Linux host that meets the following requirements:

    • x86-64, arm64, ppc64le, or s390x processor
    • 2 CPUs
    • 2 GB RAM
    • 10 GB free disk space
    • Linux kernel version 5.13 or later with nft >= 1.0.1
  • Calico Enterprise can manage cali and tunl interfaces on the host

    If NetworkManager is present on the host, see Configure NetworkManager.

How to

Create a single-host Kubernetes cluster with the nftables kube-proxy enabled.

note

This procedure includes steps to explicitly configure nftables mode in kube-proxy, which is required for Kubernetes 1.31 and 1.32. If you're using Kubernetes 1.33 or later, you can create a cluster with kubeadm using the default settings.

  1. Follow the Kubernetes instructions to install kubeadm

    note

    After installing kubeadm, do not power down or restart the host. Instead, continue directly to the next step.

  2. As a regular user with sudo privileges, open a terminal on the host that you installed kubeadm on.

  3. Create a kubeadm configuration file that enables the nftables kube-proxy mode.

    cat > config.yaml <<EOF
    apiVersion: kubeadm.k8s.io/v1beta4
    kind: InitConfiguration
    ---
    kind: ClusterConfiguration
    apiVersion: kubeadm.k8s.io/v1beta4
    kubernetesVersion: v1.31.0
    proxy: {}
    networking:
      podSubnet: "192.168.0.0/16"
    ---
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    kind: KubeProxyConfiguration
    mode: nftables
    EOF

    note

    If 192.168.0.0/16 is already in use within your network you must select a different pod network CIDR, replacing 192.168.0.0/16 in the above configuration.

  4. Initialize the control plane using the following command.

    sudo kubeadm init --config=config.yaml

  5. Execute the following commands to configure kubectl (also returned by kubeadm init).

    mkdir -p $HOME/.kube
    sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    sudo chown $(id -u):$(id -g) $HOME/.kube/config

Install Calico Enterprise in nftables data plane mode

Prerequisites

  • Your Kubernetes cluster has kube-proxy set to nftables mode. You can check this in the kube-proxy ConfigMap:
    kubectl -n kube-system get configmap kube-proxy -o yaml | grep "mode:"
    Expected output
    mode: "nftables"
    An empty value (mode: "") means kube-proxy is running with the default mode for your Kubernetes version, which is iptables on 1.31 and 1.32; set it explicitly as shown in the kubeadm configuration above.
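The host requirements from Before you begin and the kube-proxy prerequisite above, as an added pre-flight script. This is example code written for this page, not part of the Calico Enterprise docs or project. It assumes `uname -r`, `nft --version` and `kubectl` are available (tools that are missing are skipped rather than failed) and, for the last check, that the edited custom-resources.yaml from the procedure below sits in the current directory. The ConfigMap and Installation snippets embedded in the script are constructed for self-checking, not captured from a real cluster.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Calico Enterprise nftables data plane.
# Not part of the Calico Enterprise docs or project. Thresholds come from the
# "Before you begin" list (kernel >= 5.13, nft >= 1.0.1) and from the kube-proxy
# and Installation settings used on this page.

# version_ge A B: succeed when dotted version A is >= B; missing fields count as 0.
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s.' "$1" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s.' "$2" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# kernel_ok "$(uname -r)": "5.15.0-91-generic" -> compare "5.15.0" against 5.13.
kernel_ok() {
    version_ge "${1%%-*}" 5.13
}

# nft_ok "$(nft --version)": "nftables v1.0.6 (Lester Gooch #5)" -> 1.0.6 against 1.0.1.
nft_ok() {
    v=$(printf '%s\n' "$1" | sed -n 's/^nftables v\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] && version_ge "$v" 1.0.1
}

# kube_proxy_mode "<configmap yaml>": print the first "mode:" value with quotes
# stripped, or "unset" when it is empty or absent. Empty means the kube-proxy
# default for the Kubernetes version, which is iptables on 1.31 and 1.32.
kube_proxy_mode() {
    m=$(printf '%s\n' "$1" | sed -n 's/^ *mode: *"\{0,1\}\([A-Za-z]*\)"\{0,1\}.*/\1/p' | head -n 1)
    printf '%s\n' "${m:-unset}"
}

# dataplane_setting "<installation yaml>": print spec.linuxDataplane as written.
# The Installation API expects exactly "Nftables" (case-sensitive), so a lowercase
# "nftables" copied from prose is the mistake this check is meant to catch.
dataplane_setting() {
    printf '%s\n' "$1" | sed -n 's/^ *linuxDataplane: *"\{0,1\}\([A-Za-z]*\)"\{0,1\}.*/\1/p' | head -n 1
}

# Constructed sample inputs (not captured from a real cluster) for self-checks.
SAMPLE_KUBE_PROXY_CM='apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-proxy
  namespace: kube-system
data:
  config.conf: |-
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    kind: KubeProxyConfiguration
    mode: "nftables"
    clusterCIDR: 192.168.0.0/16'
SAMPLE_KUBE_PROXY_CM_UNSET='data:
  config.conf: |-
    kind: KubeProxyConfiguration
    mode: ""'
SAMPLE_INSTALLATION='apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  variant: TigeraSecureEnterprise
  linuxDataplane: Nftables'
SAMPLE_INSTALLATION_BAD='spec:
  variant: TigeraSecureEnterprise
  linuxDataplane: nftables'

# Live run against this host; absent tools are skipped rather than failed.
check() { # check "<label>" <command...>: print PASS or FAIL with the label
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fi
}
check "kernel $(uname -r) >= 5.13" kernel_ok "$(uname -r)"
if command -v nft >/dev/null 2>&1; then
    check "$(nft --version) >= 1.0.1" nft_ok "$(nft --version)"
else
    echo "SKIP nft not installed"
fi
if command -v kubectl >/dev/null 2>&1 && cm=$(kubectl -n kube-system get configmap kube-proxy -o yaml 2>/dev/null); then
    mode=$(kube_proxy_mode "$cm")
    check "kube-proxy mode is nftables (found: $mode)" [ "$mode" = nftables ]
else
    echo "SKIP kube-proxy ConfigMap not reachable"
fi
if [ -f custom-resources.yaml ]; then
    dp=$(dataplane_setting "$(cat custom-resources.yaml)")
    check "custom-resources.yaml linuxDataplane is Nftables (found: ${dp:-unset})" [ "$dp" = Nftables ]
else
    echo "SKIP custom-resources.yaml not in current directory"
fi
```

Run it on the host before `kubeadm init` to confirm the kernel and nft versions, and again from the directory holding the edited custom-resources.yaml before `kubectl create`; a FAIL on the kube-proxy line means the cluster is still on the iptables proxy and the Calico nftables data plane should not be enabled until that is fixed.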

Procedure

  1. Install the Tigera Operator and custom resource definitions.

    kubectl create -f https://downloads.tigera.io/ee/v3.22.1/manifests/operator-crds.yaml
    kubectl create -f https://downloads.tigera.io/ee/v3.22.1/manifests/tigera-operator.yaml
    note

    Due to the large size of the CRD bundle, kubectl apply might exceed request limits. Instead, use kubectl create or kubectl replace.

  2. Download, edit, and create the custom-resources.yaml file.

    1. Download the default custom-resources.yaml file:

      curl -O -L https://downloads.tigera.io/ee/v3.22.1/manifests/custom-resources.yaml
    2. Enable nftables mode by setting spec.linuxDataplane to Nftables in the Installation resource (the value is case-sensitive):

      Snippet from custom-resources.yaml with nftables mode enabled

      apiVersion: operator.tigera.io/v1
      kind: Installation
      metadata:
        name: default
      spec:
        # Install Calico Enterprise
        variant: TigeraSecureEnterprise

        # List of image pull secrets to use when installing images from a container registry.
        # If specified, secrets must be created in the `tigera-operator` namespace.
        imagePullSecrets:
          - name: tigera-pull-secret
        # Optionally, a custom registry to use for pulling images.
        # registry: <my-registry>
        linuxDataplane: Nftables

      If you have other customizations for your installation, you can add them now. For more information about configuration options, see the installation reference.

    3. To install Calico Enterprise, create the modified custom-resources.yaml file:

      kubectl create -f custom-resources.yaml

      note

      Before creating this manifest, read its contents and make sure its settings are correct for your environment. For example, you may need to change the default IP pool CIDR to match your pod network CIDR.

  3. Confirm that all of the pods are running with the following command.

    watch kubectl get pods -n calico-system

    Wait until each pod has the STATUS of Running.

    note

    The Tigera Operator installs resources in the calico-system namespace. Other install methods may use the kube-system namespace instead.

  4. Remove the taints on the control plane so that you can schedule pods on it.

    kubectl taint nodes --all node-role.kubernetes.io/control-plane-

    It should return the following.

    node/<your-hostname> untainted

  5. Confirm that you now have a node in your cluster with the following command.

    kubectl get nodes -o wide

    It should return something like the following.

    NAME              STATUS   ROLES    AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION    CONTAINER-RUNTIME
    <your-hostname>   Ready    master   52m   v1.12.2   10.128.0.28   <none>        Ubuntu 18.04.1 LTS   4.15.0-1023-gcp   docker://18.6.1

Congratulations! You now have a single-host Kubernetes cluster with Calico Enterprise in nftables mode.
