Amazon Elastic Kubernetes Service (EKS)

Big picture

Enable Calico in EKS managed Kubernetes service.

Value

EKS has built-in support for Calico, providing a robust implementation of the full Kubernetes Network Policy API. EKS users wanting to go beyond Kubernetes network policy capabilities can make full use of the Calico Network Policy API.

You can also use Calico for networking on EKS in place of the default AWS VPC networking without the need to use IP addresses from the underlying VPC. This allows you to take advantage of the full set of Calico networking features, including Calico's flexible IP address management capabilities.

How to

Install EKS with Amazon VPC networking

The geeky details of what you get:

Policy	IPAM	CNI	Overlay	Routing	Datastore

note

When using the Amazon VPC CNI plugin, Calico does not support enforcement of network policy on IPv6 pods with ENABLE_V4_EGRESS set to true.

Prerequisites

• You disabled network policy for the AWS VPC CNI.

1. First, create an Amazon EKS cluster.

   eksctl create cluster --name  <my-calico-cluster>

2. Install the operator.

   kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.29.0/manifests/tigera-operator.yaml

3. Configure the Calico installation.

   kubectl create -f - <<EOF
   kind: Installation
   apiVersion: operator.tigera.io/v1
   metadata:
     name: default
   spec:
     kubernetesProvider: EKS
     cni:
       type: AmazonVPC
     calicoNetwork:
       bgp: Disabled
   EOF

4. Confirm installation by checking the STATUS, your cluster nodes should have a Ready status.

   kubectl get nodes -o wide

   It should return something like the following.

   NAME              STATUS   ROLES    AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION    CONTAINER-RUNTIME
   <your-hostname>   Ready    master   52m   v1.12.2   10.128.0.28   <none>        Ubuntu 18.04.1 LTS   4.15.0-1023-gcp   docker://18.6.1

Install EKS with Calico networking

The geeky details of what you get:

Policy	IPAM	CNI	Overlay	Routing	Datastore

note

Calico networking cannot currently be installed on the EKS control plane nodes. As a result the control plane nodes will not be able to initiate network connections to Calico pods. (This is a general limitation of EKS's custom networking support, not specific to Calico.) As a workaround, trusted pods that require control plane nodes to connect to them, such as those implementing admission controller webhooks, can include hostNetwork:true in their pod spec. See the Kubernetes API pod spec definition for more information on this setting.

For these instructions, we will use eksctl to provision the cluster. However, you can use any of the methods in Getting Started with Amazon EKS

Before you get started, make sure you have downloaded and configured the necessary prerequisites

1. First, create an Amazon EKS cluster without any nodes.

   eksctl create cluster --name my-calico-cluster --without-nodegroup

2. Since this cluster will use Calico for networking, you must delete the aws-node daemon set to disable AWS VPC networking for pods.

   kubectl delete daemonset -n kube-system aws-node

3. Now that you have a cluster configured, you can install Calico.

Operator

1. Install the operator.

   kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.29.0/manifests/tigera-operator.yaml

2. Configure the Calico installation.

   kubectl create -f - <<EOF
   kind: Installation
   apiVersion: operator.tigera.io/v1
   metadata:
     name: default
   spec:
     kubernetesProvider: EKS
     cni:
       type: Calico
     calicoNetwork:
       bgp: Disabled
   EOF

3. Finally, add nodes to the cluster.

   eksctl create nodegroup --cluster <my-calico-cluster> --node-type t3.medium --max-pods-per-node 100

Manifest

1. Install the Calico manifest.

   kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.29.0/manifests/calico-vxlan.yaml

2. Configure Calico to disable AWS src/dst checks.

   kubectl -n kube-system set env daemonset/calico-node FELIX_AWSSRCDSTCHECK=Disable

3. Finally, add nodes to the cluster.

   eksctl create nodegroup --cluster my-calico-cluster --node-type t3.medium --max-pods-per-node 100

Helm

1. Add Calico into your Helm repository.

   helm repo add projectcalico https://docs.tigera.io/calico/charts

2. If Calico is already added, update it to get the latest released version.

   helm repo update

3. Create the tigera-operator namespace.

   kubectl create namespace tigera-operator

4. Install version v3.29.0 of the Calico operator and custom resource definitions.

   helm install calico projectcalico/tigera-operator --version v3.29.0 --namespace tigera-operator

5. Patch the CNI type with value Calico.

   kubectl patch installation default --type='json' -p='[{"op": "replace", "path": "/spec/cni", "value": {"type":"Calico"} }]'

6. Finally, add nodes to the cluster.

   eksctl create nodegroup --cluster my-calico-cluster --node-type t3.medium --max-pods-per-node 100

tip

Without the --max-pods-per-node option above, EKS will limit the number of pods based on node-type. See eksctl create nodegroup --help for the full set of node group options.

Next steps

Required

• Install calicoctl command line tool

Recommended

• Video: Everything you need to know about Kubernetes pod networking on AWS
• Get started with Kubernetes network policy
• Get started with Calico network policy
• Enable default deny for Kubernetes pods