Calico nftables data plane

Big picture

Install Calico using the nftables data plane.

Value

Kubernetes introduced a beta status kube-proxy Service implementation based on nftables in Kubernetes v1.31 which promises better performance than the default iptables implementation. Installing Calico in nftables mode provides a networking and network policy implementation that is compatible with the upstream nftables kube-proxy.

important

To use Calico in nftables mode, your cluster's kube-proxy must also be in nftables mode.

Example KubeProxyConfiguration resource

apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: nftables

Before you begin

Required

• A Linux host that meets the following requirements:

  • x86-64, arm64, ppc64le, or s390x processor
  • 2CPU
  • 2GB RAM
  • 10GB free disk space
  • Linux kernel version 5.13 or later with nft >= 1.0.1

• Calico can manage cali and tunl interfaces on the host

  If NetworkManager is present on the host, see Configure NetworkManager.

How to

Create a single-host Kubernetes cluster with the nftables kube-proxy enabled.

1. Follow the Kubernetes instructions to install kubeadm

   note

   After installing kubeadm, do not power down or restart the host. Instead, continue directly to the next step.

2. As a regular user with sudo privileges, open a terminal on the host that you installed kubeadm on.

3. Create a kubeadm configuration file that enables the nftables kube-proxy mode.

   cat > config.yaml <<EOF
   apiVersion: kubeadm.k8s.io/v1beta4
   kind: InitConfiguration
   ---
   kind: ClusterConfiguration
   apiVersion: kubeadm.k8s.io/v1beta4
   kubernetesVersion: v1.31.0
   proxy: {}
   networking:
     podSubnet: "192.168.0.0/16"
   ---
   apiVersion: kubeproxy.config.k8s.io/v1alpha1
   kind: KubeProxyConfiguration
   mode: nftables
   EOF

   note

   If 192.168.0.0/16 is already in use within your network you must select a different pod network CIDR, replacing 192.168.0.0/16 in the above configuration.

4. Initialize the control plane using the following command.

   sudo kubeadm init --config=config.yaml

5. Execute the following commands to configure kubectl (also returned by kubeadm init).

   mkdir -p $HOME/.kube
   sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
   sudo chown $(id -u):$(id -g) $HOME/.kube/config

Install Calico in nftables data plane mode

1. Install the Tigera Operator and custom resource definitions.

   kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.31.0/manifests/operator-crds.yaml
   kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.31.0/manifests/tigera-operator.yaml

   note

   Due to the large size of the CRD bundle, kubectl apply might exceed request limits. Instead, use kubectl create or kubectl replace.

2. Install Calico by creating the necessary custom resource. For more information on configuration options available in this manifest, see the installation reference.

   cat > custom-resources.yaml <<EOF
   apiVersion: operator.tigera.io/v1
   kind: Installation
   metadata:
     name: default
   spec:
     calicoNetwork:
       linuxDataplane: Nftables
       ipPools:
       - name: default-ipv4-ippool
         blockSize: 26
         cidr: 192.168.0.0/16
         encapsulation: VXLANCrossSubnet
         natOutgoing: Enabled
         nodeSelector: all()
   ---
   apiVersion: operator.tigera.io/v1
   kind: APIServer
   metadata:
     name: default
   spec: {}
   EOF

   kubectl create -f custom-resources.yaml

   note

   Before creating this manifest, read its contents and make sure its settings are correct for your environment. For example, you may need to change the default IP pool CIDR to match your pod network CIDR.

3. Confirm that all of the pods are running with the following command.

   watch kubectl get pods -n calico-system

   Wait until each pod has the STATUS of Running.

   note

   The Tigera Operator installs resources in the calico-system namespace. Other install methods may use the kube-system namespace instead.

4. Remove the taints on the control plane so that you can schedule pods on it.

   kubectl taint nodes --all node-role.kubernetes.io/control-plane-

   It should return the following.

   node/<your-hostname> untainted

5. Confirm that you now have a node in your cluster with the following command.

   kubectl get nodes -o wide

   It should return something like the following.

   NAME              STATUS   ROLES    AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION    CONTAINER-RUNTIME
   <your-hostname>   Ready    master   52m   v1.12.2   10.128.0.28   <none>        Ubuntu 18.04.1 LTS   4.15.0-1023-gcp   docker://18.6.1

Congratulations! You now have a single-host Kubernetes cluster with Calico in nftables mode.

Next steps

Required

• Install and configure calicoctl

Recommended tutorials

• Secure a simple application using the Kubernetes NetworkPolicy API
• Control ingress and egress traffic using the Kubernetes NetworkPolicy API
• Run a tutorial that shows blocked and allowed connections in real time
• Hands-on workshop: Learn the basics of Calico, and Kubernetes.