Skip to main content
Calico Open Source 3.29 (latest) documentation

Amazon Elastic Kubernetes Service (EKS)

Big picture

Enable Calico in EKS managed Kubernetes service.

Value

EKS has built-in support for Calico, providing a robust implementation of the full Kubernetes Network Policy API. EKS users wanting to go beyond Kubernetes network policy capabilities can make full use of the Calico Network Policy API.

You can also use Calico for networking on EKS in place of the default AWS VPC networking without the need to use IP addresses from the underlying VPC. This allows you to take advantage of the full set of Calico networking features, including Calico's flexible IP address management capabilities.

How to

Install EKS with Amazon VPC networking

The geeky details of what you get:

PolicyIPAMCNIOverlayRoutingDatastore
note

When using the Amazon VPC CNI plugin, Calico does not support enforcement of network policy on IPv6 pods with ENABLE_V4_EGRESS set to true.

Prerequisites

  1. First, create an Amazon EKS cluster.

    eksctl create cluster --name  <my-calico-cluster>
  2. Install the operator.

    kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.29.1/manifests/tigera-operator.yaml
  3. Configure the Calico installation.

    kubectl create -f - <<EOF
    kind: Installation
    apiVersion: operator.tigera.io/v1
    metadata:
    name: default
    spec:
    kubernetesProvider: EKS
    cni:
    type: AmazonVPC
    calicoNetwork:
    bgp: Disabled
    EOF
  4. Confirm installation by checking the STATUS, your cluster nodes should have a Ready status.

    kubectl get nodes -o wide

    It should return something like the following.

    NAME              STATUS   ROLES    AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION    CONTAINER-RUNTIME
    <your-hostname> Ready master 52m v1.12.2 10.128.0.28 <none> Ubuntu 18.04.1 LTS 4.15.0-1023-gcp docker://18.6.1

Install EKS with Calico networking

The geeky details of what you get:

PolicyIPAMCNIOverlayRoutingDatastore
note

Calico networking cannot currently be installed on the EKS control plane nodes. As a result the control plane nodes will not be able to initiate network connections to Calico pods. (This is a general limitation of EKS's custom networking support, not specific to Calico.) As a workaround, trusted pods that require control plane nodes to connect to them, such as those implementing admission controller webhooks, can include hostNetwork:true in their pod spec. See the Kubernetes API pod spec definition for more information on this setting.

For these instructions, we will use eksctl to provision the cluster. However, you can use any of the methods in Getting Started with Amazon EKS

Before you get started, make sure you have downloaded and configured the necessary prerequisites

  1. First, create an Amazon EKS cluster without any nodes.

    eksctl create cluster --name my-calico-cluster --without-nodegroup
  2. Since this cluster will use Calico for networking, you must delete the aws-node daemon set to disable AWS VPC networking for pods.

    kubectl delete daemonset -n kube-system aws-node
  3. Now that you have a cluster configured, you can install Calico.

  1. Install the operator.

    kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.29.1/manifests/tigera-operator.yaml
  2. Configure the Calico installation.

    kubectl create -f - <<EOF
    kind: Installation
    apiVersion: operator.tigera.io/v1
    metadata:
    name: default
    spec:
    kubernetesProvider: EKS
    cni:
    type: Calico
    calicoNetwork:
    bgp: Disabled
    EOF
  3. Finally, add nodes to the cluster.

    eksctl create nodegroup --cluster <my-calico-cluster> --node-type t3.medium --max-pods-per-node 100
tip

Without the --max-pods-per-node option above, EKS will limit the number of pods based on node-type. See eksctl create nodegroup --help for the full set of node group options.

Next steps

Required

Recommended