Skip to main content
Version: 3.27 (latest)

About non-cluster hosts

Big picture

Secure non-cluster hosts by installing Calico for networking and/or networking policy.


Not all hosts in your environment run pods/workloads. You may have physical machines or legacy applications that you cannot move into a Kubernetes cluster, but still need to securely communicate with pods in your cluster. Calico lets you enforce policy on these non-cluster hosts using the same robust Calico network policy that you use for pods.


Non-cluster hosts and host endpoints

A non-cluster host is a computer that is running an application that is not part of a Kubernetes cluster. Using Calico network policy, you can secure these host interfaces using host endpoints. Host endpoints can have labels, and work the same as labels on pods/workload endpoints.

The advantage is, you can write network policy rules to apply to both workload endpoints and host endpoints using label selectors; where each selector can refer to the either type (or be a mix of the two). For example, you can write a cluster-wide policy for non-cluster hosts that is immediately applied to every host. To learn how to restrict traffic to/from hosts using Calico network policy see, Protect hosts.

If you are using the etcd3 database, you can also install Calico with networking as described below.

Install options for non-cluster hosts

Install Calico with...RequiresUse caseSupported install methods
Policy onlyAn etcd3 or Kubernetes datastoreUse Calico network policy to control firewalls on non-cluster hosts.Binary install with/ without a package manager
Networking and network policyAn etcd3 datastoreNetworking
Use Calico networking (BGP, or overlay with VXLAN or IP-in-IP) to handle these communications:
- pod ↔ pod
- pod ↔ host

Note: Calico does not handle host ↔ host networking; your underlying network must already be set up to handle this.

Use Calico network policy to control firewalls on your non-cluster hosts.
Docker container

Before you begin


  • All platforms in this release, except Windows


  • Non-cluster host meets system requirements for Calico. If you want to use a package manager for installation, the non-cluster host must be a system derived from Ubuntu or RedHat.
  • Set up a datastore; if Calico is installed on a cluster, you already have a datastore
  • Install kubectl or calicoctl. (kubectl works only with the Kubernetes datastore.)

Next steps

Select an install method.


Calico must be installed on each non-cluster host that you want to control with networking and/or policy.

Install methodNetworkingPolicy
Docker container
Binary install with package manager
Binary install without package manager