System requirements
Node requirements
x86-64, arm64, ppc64le, or s390x processor
Calico must be able to manage
cali*interfaces on the host. When IPIP is enabled (the default), Calico also needs to be able to managetunl*interfaces. When VXLAN is enabled, Calico also needs to be able to manage thevxlan.calicointerface.Linux kernel 3.10 or later with required dependencies. The following distributions have the required kernel, its dependencies, and are known to work well with Calico and host protection.
- RedHat Linux 7
- CentOS 7
- Flatcar Container Linux
- Fedora CoreOS
- Ubuntu 18.04
- Debian 8
Many Linux distributions, such as most of the above, include NetworkManager. By default, NetworkManager does not allow Calico to manage interfaces. If your nodes have NetworkManager, complete the steps in Preventing NetworkManager from controlling Calico interfaces before installing Calico.
- If your Linux distribution comes with installed Firewalld or another iptables manager it should be disabled. These may interfere with rules added by Calico and result in unexpected behavior.
If a host firewall is needed, it can be configured by Calico HostEndpoint and GlobalNetworkPolicy. More information about configuration at Security for host.
Key/value store
Calico requires a key/value store accessible by all Calico components. The key/value store must be etcdv3.
Network requirements
Ensure that your hosts and firewalls allow the necessary traffic based on your configuration.
| Configuration | Host(s) | Connection type | Port/protocol |
|---|---|---|---|
| Calico networking (BGP) | All | Bidirectional | TCP 179 |
| Calico networking with IP-in-IP enabled (default) | All | Bidirectional | IP-in-IP, often represented by its protocol number 4 |
| All | etcd hosts | Incoming | Officially TCP 2379 but can vary |
Privileges
Ensure that Calico has the CAP_SYS_ADMIN privilege.
The simplest way to provide the necessary privilege is to run Calico as root or in a privileged container.
Node requirements
x86-64, arm64, ppc64le, or s390x processor
Calico must be able to manage
cali*interfaces on the host. When IPIP is enabled (the default), Calico also needs to be able to managetunl*interfaces. When VXLAN is enabled, Calico also needs to be able to manage thevxlan.calicointerface.Linux kernel 3.10 or later with required dependencies. The following distributions have the required kernel, its dependencies, and are known to work well with Calico and .
- RedHat Linux 7
Many Linux distributions, such as most of the above, include NetworkManager. By default, NetworkManager does not allow Calico to manage interfaces. If your nodes have NetworkManager, complete the steps in Preventing NetworkManager from controlling Calico interfaces before installing Calico.
- If your Linux distribution comes with installed Firewalld or another iptables manager it should be disabled. These may interfere with rules added by Calico and result in unexpected behavior.
If a host firewall is needed, it can be configured by Calico HostEndpoint and GlobalNetworkPolicy. More information about configuration at Security for host.
Key/value store
Calico requires a key/value store accessible by all Calico components.
Network requirements
Ensure that your hosts and firewalls allow the necessary traffic based on your configuration.
| Configuration | Host(s) | Connection type | Port/protocol |
|---|---|---|---|
| Calico networking (BGP) | All | Bidirectional | TCP 179 |
| Calico networking with IP-in-IP enabled (default) | All | Bidirectional | IP-in-IP, often represented by its protocol number 4 |
| All | etcd hosts | Incoming | Officially TCP 2379 but can vary |
Privileges
Ensure that Calico has the CAP_SYS_ADMIN privilege.
The simplest way to provide the necessary privilege is to run Calico as root or in a privileged container.