Skip to main content
Version: 3.27 (latest)

Calico the hard way

About this tutorial

The "Hard Way" is a tutorial for learning how Kubernetes and Calico components fit together. The name “Calico the hard way” is inspired by Kubernetes the hard way by Kelsey Hightower. This tutorial is optimized for learning what happens “under the hood,” and uses manifests for installation. The steps are not suitable for production installs.

For the most direct path to a production-ready Calico install, see our install guides.

Target Audience

This guide is for someone

  • evaluating Kubernetes networking & security options looking to deep dive, or
  • planning to build and support a Calico cluster in production, wanting to understand how it works

This guide assumes proficiency with either AWS web console or CLI for provisioning and accessing nodes.

Cluster Details

Calico runs in many environments and supports many cluster types. To keep things reasonably prescriptive this guide focuses on Kubernetes running on AWS, but the lessons you learn apply to wherever you choose to run Calico. See Getting Started for a full list of cluster types (OpenShift, OpenStack, etc.).

The guide will help you install a cluster with the following Calico options

  • Kubernetes as the datastore
  • Calico CNI plugin, with BGP networking
  • Calico IP address management (IPAM)
  • No overlays
  • IPv4 addresses
  • Highly available Typha with mutually authenticated TLS


  1. Standing up Kubernetes
  2. The Calico datastore
  3. Configure IP pools
  4. Install CNI plugin
  5. Install Typha
  6. Install calico/node
  7. Configure BGP peering
  8. Test networking
  9. Test network policy
  10. End user RBAC
  11. Istio integration