Skip to main content
Version: 3.28 (latest)

Configure encryption and authentication to secure Calico components

Connections from Calico components to etcd

Operator based installations do not required communication to etcd, and so this section does not apply.

Connections from Calico components to kube-apiserver (Kubernetes and OpenShift)

We recommend enabling TLS on kube-apiserver, as well as the client certificate and JSON web token (JWT) authentication modules. This ensures that all of its communications with Calico components occur over TLS. The Calico components present either an X.509 certificate or a JWT to kube-apiserver so that kube-apiserver can verify their identities.

Connections from Felix to Typha (Kubernetes)

Operator based installations automatically configure mutual TLS authentication on connections from Felix to Typha.