About non-cluster hosts
Big picture
Secure non-cluster hosts and VMs by installing Calico for networking and/or networking policy.
Value
Not all hosts in your environment run pods/workloads. You may have physical machines or legacy applications that you cannot move into a Kubernetes cluster, but still need to securely communicate with pods in your cluster. Calico lets you enforce policy on these non-cluster hosts using the same robust Calico network policy that you use for pods.
Concepts
Non-cluster hosts and host endpoints
A non-cluster host is a computer that is running an application that is not part of a Kubernetes cluster. Using Calico network policy, you can secure these host interfaces using host endpoints. Host endpoints can have labels, and work the same as labels on pods/workload endpoints.
The advantage is that you can write network policy rules that apply to both workload endpoints and host endpoints using label selectors; each selector can refer to either type, or to a mix of the two. For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host. To learn how to restrict traffic to/from hosts and VMs using Calico network policy, see Protect hosts.
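The following is an added example, not taken from this page or from the Calico project's documentation, showing how a host endpoint and a cluster-wide policy fit together. It registers one interface of a non-cluster host as a HostEndpoint carrying the label role=database, then applies a GlobalNetworkPolicy that allows only pods labelled app=api to reach that host on TCP 5432 and denies all other ingress to endpoints with that label. The node name, interface name, IP address, port and label values are constructed placeholders.

```yaml
# Added example; not Calico's own documentation. All names, labels,
# the node name, interface and IP address below are constructed placeholders.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: legacy-db-01-eth0
  labels:
    role: database            # label that the policy selectors below match on
    environment: production
spec:
  node: legacy-db-01          # hostname of the non-cluster host as Calico sees it
  interfaceName: eth0         # interface on which Calico enforces the policy
  expectedIPs:
    - 10.0.1.10               # constructed address; lets Calico match policy to the interface's IP
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-api-pods-to-legacy-db
spec:
  selector: role == 'database'     # matches any endpoint, host or workload, with this label
  order: 100                       # lower order is evaluated first
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'api'     # matches workload endpoints (pods) labelled app=api
      destination:
        ports:
          - 5432
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: deny-other-ingress-to-database-hosts
spec:
  selector: role == 'database'
  order: 1000                      # evaluated after the allow policy above
  types:
    - Ingress
  ingress:
    - action: Deny                 # everything not allowed above is dropped
```

Apply the manifests with `calicoctl apply -f` against either datastore, or with `kubectl` when using the Kubernetes datastore. Because the same `role == 'database'` selector would also match a pod carrying that label, the policy behaves identically for workload and host endpoints, which is the point of the paragraph above. Before applying a deny rule to a host endpoint, check that management traffic is still permitted: Calico's failsafe rules (configured via `failsafeInboundHostPorts` and `failsafeOutboundHostPorts` in FelixConfiguration) keep ports such as SSH open by default so that a host policy cannot lock administrators out.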
If you are using the etcd3 database, you can also install Calico with networking as described below.
Install options for non-cluster hosts
Install Calico with... | Requires | Use case | Supported install methods |
---|---|---|---|
Policy only | An etcd3 or Kubernetes datastore | Use Calico network policy to control firewalls on non-cluster hosts. | Binary install with or without a package manager |
Networking and network policy | An etcd3 datastore | Networking: Use Calico networking (BGP, or overlay with VXLAN or IP-in-IP) to handle pod ↔ pod and pod ↔ host communication. Note: Calico does not handle host ↔ host networking; your underlying network must already be set up to handle this. Policy: Use Calico network policy to control firewalls on your non-cluster hosts. | Docker container |
Before you begin
Supported
- All platforms in this release, except Windows
Required
- Non-cluster host meets system requirements for Calico. If you want to use a package manager for installation, the non-cluster host must be a system derived from Ubuntu or RedHat.
- Set up a datastore; if Calico is installed on a cluster, you already have a datastore
- Install kubectl or calicoctl. (kubectl works only with the Kubernetes datastore.)
Next steps
Select an install method.
Calico must be installed on each non-cluster host that you want to control with networking and/or policy.
Install method | Networking | Policy |
---|---|---|
Docker container | ✓ | ✓ |
Binary install with package manager | | ✓ |
Binary install without package manager | | ✓ |