Skip to main content
Calico Enterprise 3.19 (latest) documentation

Install calicoctl

Big picture

calicoctl allows you to create, read, update, and delete Calico Enterprise objects from the command line. These objects represent the networking and policy of your cluster.

You should limit access to calicoctl and your Calico Enterprise datastore to trusted administrators. We discuss methods of limiting access to the Calico Enterprise datastore in the configuration section.

You can run calicoctl on any host with network access to the Calico Enterprise datastore as either a binary or a container. As a binary on a single host, you can also run it as a kubectl plugin.

How to

note

Make sure you always install the version of calicoctl that matches the version of Calico Enterprise running on your cluster.

Install calicoctl as a binary on a single host

Log into the host, open a terminal prompt, and navigate to the location where you want to install the binary.

note

Consider navigating to a location that's in your PATH. For example, /usr/local/bin/.

Use the following command to download the calicoctl binary.

curl -o calicoctl -L https://downloads.tigera.io/ee/binaries/v3.19.4/calicoctl
curl -o calicoctl -L https://downloads.tigera.io/ee/binaries/v3.19.4/calicoctl

Set the file to be executable.

chmod +x calicoctl
note

If the location of calicoctl is not already in your PATH, move the file to one that is or add its location to your PATH. This will allow you to invoke it without having to prepend its location.

Install calicoctl as a kubectl plugin on a single host

Log into the host, open a terminal prompt, and navigate to the location where you want to install the binary.

note

Consider navigating to a location that's in your PATH. For example, /usr/local/bin/.

Use the following command to download the calicoctl binary.

curl -o kubectl-calico -L https://downloads.tigera.io/ee/binaries/v3.19.4/calicoctl

Set the file to be executable.

chmod +x kubectl-calico
note

If the location of kubectl-calico is not already in your PATH, move the file to one that is or add its location to your PATH. This is required for kubectl to detect the plugin and allow you to use it.

Verify the plugin works.

kubectl calico -h

You can now run any calicoctl subcommands through kubectl calico.

note

If you run these commands from your local machine (instead of a host node), some of the node related subcommands will not work (like node status).

Install calicoctl as a container on a single host

  1. Ensure that you have the config.json file with the private Tigera registry credentials.

  2. From a terminal prompt, use the following command to either create or open the ~/.docker/config.json file.

    vi ~/.docker/config.json

  3. Depending on the existing contents of the file, edit it in one of the following ways.

    • New file: Paste in the entire contents of the config.json file from Tigera.

    • Existing file without quay.io object: Add the following lines from the config.json inside the "auth" object.

      "quay.io": {
        "auth": "<ROBOT-TOKEN-VALUE>",
        "email": ""
      }

    • Existing file with quay.io object: Add the following lines from the config.json inside the "quay.io" object.

      "auth": "<ROBOT-TOKEN-VALUE>",
      "email": ""

  4. Save and close the file.

  5. Use the following commands to pull the calicoctl image from the Tigera registry.

    docker pull quay.io/tigera/calicoctl:v3.19.4

  6. Confirm that the image has loaded by typing docker images.

    REPOSITORY                TAG               IMAGE ID       CREATED         SIZE
    tigera/calicoctl    v3.19.4            e07d59b0eb8a   2 minutes ago   42MB

Next step:

Configure calicoctl to connect to your datastore.