Skip to main content
Calico Open Source 3.29 (latest) documentation

System requirements

Node requirements

  • x86-64, arm64, ppc64le, or s390x processor

  • Calico must be able to manage cali* interfaces on the host. When IPIP is enabled (the default), Calico also needs to be able to manage tunl* interfaces. When VXLAN is enabled, Calico also needs to be able to manage thevxlan.calico interface.

  • Linux kernel 3.10 or later with required dependencies. The following distributions have the required kernel, its dependencies, and are known to work well with Calico and Kubernetes.

    • RedHat Linux 7
    • CentOS 7
    • Flatcar Container Linux
    • Fedora CoreOS
    • Ubuntu 18.04
    • Debian 8
note

Many Linux distributions, such as most of the above, include NetworkManager. By default, NetworkManager does not allow Calico to manage interfaces. If your nodes have NetworkManager, complete the steps in Preventing NetworkManager from controlling Calico interfaces before installing Calico.

  • If your Linux distribution comes with installed Firewalld or another iptables manager it should be disabled. These may interfere with rules added by Calico and result in unexpected behavior.
note

If a host firewall is needed, it can be configured by Calico HostEndpoint and GlobalNetworkPolicy. More information about configuration at Security for host.

Key/value store

Calico requires a key/value store accessible by all Calico components. On Kubernetes, you can configure Calico to access an etcdv3 cluster directly or to use the Kubernetes API datastore.

Network requirements

Ensure that your hosts and firewalls allow the necessary traffic based on your configuration.

ConfigurationHost(s)Connection typePort/protocol
Calico networking (BGP)AllBidirectionalTCP 179
Calico networking with IP-in-IP enabled (default)AllBidirectionalIP-in-IP, often represented by its protocol number 4
Calico networking with VXLAN enabledAllBidirectionalUDP 4789
Calico networking with Typha enabledTypha agent hostsIncomingTCP 5473 (default)
Calico networking with IPv4 Wireguard enabledAllBidirectionalUDP 51820 (default)
Calico networking with IPv6 Wireguard enabledAllBidirectionalUDP 51821 (default)
flannel networking (VXLAN)AllBidirectionalUDP 4789
Allkube-apiserver hostIncomingOften TCP 443 or 6443*
etcd datastoreetcd hostsIncomingOfficially TCP 2379 but can vary

* The value passed to kube-apiserver using the --secure-port flag. If you cannot locate this, check the targetPort value returned bykubectl get svc kubernetes -o yaml.

Privileges

Ensure that Calico has the CAP_SYS_ADMIN privilege.

The simplest way to provide the necessary privilege is to run Calico as root or in a privileged container.

When installed as a Kubernetes daemon set, Calico meets this requirement by running as a privileged container. This requires that the kubelet be allowed to run privileged containers. There are two ways this can be achieved.

Kubernetes requirements

Supported versions

We test Calico v3.29 against the following Kubernetes versions. Other versions may work, but we are not actively testing them.

  • v1.29
  • v1.30
  • v1.31

Due to changes in the Kubernetes API, Calico v3.29 will not work on Kubernetes v1.20 or below. v1.21 may work, but is no longer tested. Newer versions may also work, but we recommend upgrading to a version of Calico that is tested against the newer Kubernetes version.

CNI plug-in enabled

Calico must be installed as a CNI plugin in the container runtime.

This installation must use the Kubernetes default CNI configuration directory (/etc/cni/net.d) and binary directory (/opt/cni/bin).

Other network providers

Generally, you cannot use Calico together with another network provider.

Notable exceptions include the following:

If you're working with a cluster that already uses another CNI, you cannot migrate to Calico.

Supported kube-proxy modes

Calico supports the following kube-proxy modes:

IP pool configuration

The IP range selected for pod IP addresses cannot overlap with any other IP ranges in your network, including:

  • The Kubernetes service cluster IP range
  • The range from which host IPs are allocated

Application layer policy requirements

Note that Kubernetes version 1.16+ requires Istio version 1.2 or greater. Note that Istio version 1.9 requires Kubernetes version 1.17-1.20. Note that Istio version 1.10 is supported on Kubernetes version 1.18-1.21, but has been tested on Kubernetes version 1.22.

Node requirements

  • x86-64, arm64, ppc64le, or s390x processor

  • Calico must be able to manage cali* interfaces on the host. When IPIP is enabled (the default), Calico also needs to be able to manage tunl* interfaces. When VXLAN is enabled, Calico also needs to be able to manage thevxlan.calico interface.

  • Linux kernel 3.10 or later with required dependencies. The following distributions have the required kernel, its dependencies, and are known to work well with Calico and .

    • RedHat Linux 7
note

Many Linux distributions, such as most of the above, include NetworkManager. By default, NetworkManager does not allow Calico to manage interfaces. If your nodes have NetworkManager, complete the steps in Preventing NetworkManager from controlling Calico interfaces before installing Calico.

  • If your Linux distribution comes with installed Firewalld or another iptables manager it should be disabled. These may interfere with rules added by Calico and result in unexpected behavior.
note

If a host firewall is needed, it can be configured by Calico HostEndpoint and GlobalNetworkPolicy. More information about configuration at Security for host.

Key/value store

Calico requires a key/value store accessible by all Calico components. 

Network requirements

Ensure that your hosts and firewalls allow the necessary traffic based on your configuration.

ConfigurationHost(s)Connection typePort/protocol
Calico networking (BGP)AllBidirectionalTCP 179
Calico networking with IP-in-IP enabled (default)AllBidirectionalIP-in-IP, often represented by its protocol number 4
Alletcd hostsIncomingOfficially TCP 2379 but can vary

Privileges

Ensure that Calico has the CAP_SYS_ADMIN privilege.

The simplest way to provide the necessary privilege is to run Calico as root or in a privileged container.