Skip to main content
Calico Open Source 3.29 (latest) documentation

Calico nftables dataplane

note

This feature is tech preview. Tech preview features may be subject to significant changes before they become GA.

Big picture

Install Calico using the nftables data plane.

Value

Kubernetes introduced a beta status kube-proxy Service implementation based on nftables in Kubernetes v1.31 which promises better performance than the default iptables implementation. Installing Calico in nftables mode provides a networking and network policy implementation that is compatible with the upstream nftables kube-proxy.

Before you begin

Required

  • A Linux host that meets the following requirements:

    • x86-64, arm64, ppc64le, or s390x processor
    • 2CPU
    • 2GB RAM
    • 10GB free disk space
    • Linux kernel version 5.13 or later with nft >= 1.0.1
  • Calico can manage cali and tunl interfaces on the host

    If NetworkManager is present on the host, see Configure NetworkManager.

How to

Create a single-host Kubernetes cluster with the nftables kube-proxy enabled.

  1. Follow the Kubernetes instructions to install kubeadm

    note

    After installing kubeadm, do not power down or restart the host. Instead, continue directly to the next step.

  2. As a regular user with sudo privileges, open a terminal on the host that you installed kubeadm on.

  3. Create a kubeadm configuration file that enables the nftables kube-proxy mode.

    cat > config.yaml <<EOF
    apiVersion: kubeadm.k8s.io/v1beta4
    kind: InitConfiguration
    ---
    kind: ClusterConfiguration
    apiVersion: kubeadm.k8s.io/v1beta4
    kubernetesVersion: v1.31.0
    proxy: {}
    networking:
    podSubnet: "192.168.0.0/16"
    ---
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    kind: KubeProxyConfiguration
    mode: nftables
    EOF
    note

    If 192.168.0.0/16 is already in use within your network you must select a different pod network CIDR, replacing 192.168.0.0/16 in the above configuration.

  4. Initialize the control plane using the following command.

    sudo kubeadm init --config=config.yaml
  5. Execute the following commands to configure kubectl (also returned by kubeadm init).

    mkdir -p $HOME/.kube
    sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    sudo chown $(id -u):$(id -g) $HOME/.kube/config

Install Calico in nftables dataplane mode

  1. Install the Tigera Calico operator and custom resource definitions.

    kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.29.1/manifests/tigera-operator.yaml
    note

    Due to the large size of the CRD bundle, kubectl apply might exceed request limits. Instead, use kubectl create or kubectl replace.

  2. Install Calico by creating the necessary custom resource. For more information on configuration options available in this manifest, see the installation reference.

    cat > custom-resources.yaml <<EOF
    apiVersion: operator.tigera.io/v1
    kind: Installation
    metadata:
    name: default
    spec:
    calicoNetwork:
    linuxDataplane: Nftables
    ipPools:
    - name: default-ipv4-ippool
    blockSize: 26
    cidr: 192.168.0.0/16
    encapsulation: VXLANCrossSubnet
    natOutgoing: Enabled
    nodeSelector: all()
    ---
    apiVersion: operator.tigera.io/v1
    kind: APIServer
    metadata:
    name: default
    spec: {}
    EOF
    kubectl create -f custom-resources.yaml
    note

    Before creating this manifest, read its contents and make sure its settings are correct for your environment. For example, you may need to change the default IP pool CIDR to match your pod network CIDR.

  3. Confirm that all of the pods are running with the following command.

    watch kubectl get pods -n calico-system

    Wait until each pod has the STATUS of Running.

    note

    The Tigera operator installs resources in the calico-system namespace. Other install methods may use the kube-system namespace instead.

  4. Remove the taints on the control plane so that you can schedule pods on it.

    kubectl taint nodes --all node-role.kubernetes.io/control-plane-

    It should return the following.

    node/<your-hostname> untainted
  5. Confirm that you now have a node in your cluster with the following command.

    kubectl get nodes -o wide

    It should return something like the following.

    NAME              STATUS   ROLES    AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION    CONTAINER-RUNTIME
    <your-hostname> Ready master 52m v1.12.2 10.128.0.28 <none> Ubuntu 18.04.1 LTS 4.15.0-1023-gcp docker://18.6.1

Congratulations! You now have a single-host Kubernetes cluster with Calico in nftables mode.

Next steps

Required

Recommended tutorials