About non-cluster hosts
Secure non-cluster hosts by installing Calico for networking and/or network policy.
Not all hosts in your environment run pods/workloads. You may have physical machines or legacy applications that you cannot move into a Kubernetes cluster, but still need to securely communicate with pods in your cluster. Calico lets you enforce policy on these non-cluster hosts using the same robust Calico network policy that you use for pods.
Non-cluster hosts and host endpoints
A non-cluster host is a computer that is running an application that is not part of a Kubernetes cluster. Using Calico network policy, you can secure the interfaces of these hosts using host endpoints. Host endpoints can have labels, which work the same as labels on pods/workload endpoints.
The advantage is that you can write network policy rules that apply to both workload endpoints and host endpoints using label selectors, where each selector can refer to either type (or a mix of the two). For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host. To learn how to restrict traffic to/from hosts using Calico network policy, see Protect hosts.
If you are using the etcd3 database, you can also install Calico with networking as described below.
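The label-selector model described above, shown as an added example (not taken from the Calico documentation): a host endpoint for one non-cluster host and a cluster-wide policy that selects it by label. The host name, interface, IP address, labels and port are hypothetical.

```yaml
# Added example. All names, labels, addresses and ports are hypothetical.
# Host endpoint: represents one interface on a non-cluster host.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: legacy-db-1-eth0
  labels:
    role: legacy-db            # label that policies select on
    environment: production
spec:
  node: legacy-db-1            # hostname of the non-cluster host running Calico
  interfaceName: eth0
  expectedIPs:
    - 192.0.2.10               # documentation-range address, constructed
---
# Cluster-wide policy: applies to every host endpoint labelled role=legacy-db,
# including ones added later with the same label.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: legacy-db-ingress
spec:
  selector: role == 'legacy-db'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        # One selector can match both endpoint types:
        # pods labelled app=billing, or host endpoints labelled role=db-admin.
        selector: app == 'billing' || role == 'db-admin'
      destination:
        ports:
          - 5432
```

Both resources can be applied with `calicoctl apply -f <file>`.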
Install options for non-cluster hosts
|Install Calico with...||Requires||Use case||Supported install methods|
|Policy only||An etcd3 or Kubernetes datastore||Use Calico network policy to control firewalls on non-cluster hosts.||Binary install with/without a package manager|
|Networking and network policy||An etcd3 datastore||Networking: Use Calico networking (BGP, or overlay with VXLAN or IP-in-IP) to handle pod ↔ pod and pod ↔ host communications. Note: Calico does not handle host ↔ host networking; your underlying network must already be set up to handle this. Use Calico network policy to control firewalls on your non-cluster hosts.|
Before you begin
- All platforms in this release, except Windows
- Non-cluster host meets system requirements for Calico. If you want to use a package manager for installation, the non-cluster host must be a system derived from Ubuntu or RedHat.
- Set up a datastore; if Calico is installed on a cluster, you already have a datastore
(kubectl works only with the Kubernetes datastore.)
Select an install method.
Calico must be installed on each non-cluster host that you want to control with networking and/or policy.
|Binary install with package manager||✓|
|Binary install without package manager||✓|