Installing the Calico add-on
Project Calico
Considerations
- Calico is not supported when using Fargate with Amazon EKS.
- Calico adds rules to iptables on the node that may be higher priority than existing rules that you've already implemented outside of Calico. Consider adding your existing iptables rules to your Calico policies to avoid having rules outside of Calico policy overridden by Calico.
- If you're using the Amazon VPC CNI add-on version 1.10 or earlier and security groups for pods, traffic flow to pods on branch network interfaces is not subject to Calico network policy enforcement and is limited to Amazon EC2 security group enforcement only. If you're using version 1.11.0 or later of the Amazon VPC CNI add-on, traffic flow to pods on branch network interfaces is subject to Calico network policy enforcement if you set POD_SECURITY_GROUP_ENFORCING_MODE=standard for the Amazon VPC CNI add-on.
Prerequisites
- An existing Amazon EKS cluster. To deploy one, see Getting started with Amazon EKS.
- The kubectl command line tool installed on your computer or Amazon CloudShell. The version must be the same as, or up to two versions later than, your cluster version. To install or upgrade kubectl, see Installing kubectl.
The following procedure shows you how to install Calico on Linux nodes in your Amazon EKS cluster. To install Calico on Windows nodes, see Using Calico on Amazon EKS Windows Containers.
Install Calico on your Amazon EKS Linux nodes
Amazon EKS doesn't maintain the manifests or charts used in the following procedures. The recommended way to install Calico on Amazon EKS is by using the Calico Operator. You can install Calico using the procedure for Helm or manifests.
Stars policy demo
This section walks through the Stars policy demo. Before you create any network policies, all services can communicate bidirectionally. After you apply the network policies, you can see that the client can only communicate with the front-end service, and the back-end only accepts traffic from the front-end.
To run the Stars policy demo
- Apply the front-end, back-end, client, and management user interface services:
  kubectl apply -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/tutorials/stars-policy/manifests/00-namespace.yaml
  kubectl apply -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/tutorials/stars-policy/manifests/01-management-ui.yaml
  kubectl apply -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/tutorials/stars-policy/manifests/02-backend.yaml
  kubectl apply -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/tutorials/stars-policy/manifests/03-frontend.yaml
  kubectl apply -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/tutorials/stars-policy/manifests/04-client.yaml
- View all pods on the cluster.
  kubectl get pods -A
  Example output:
  In your output, you should see pods in the namespaces shown in the following output. Your pod NAMES and the number of pods in the READY column are different than those in the following output. Don't continue until you see pods with similar names and they all have Running in the STATUS column.
  NAMESPACE       NAME                  READY   STATUS    RESTARTS   AGE
  ...
  client          client-xlffc          1/1     Running   0          5m19s
  ...
  management-ui   management-ui-qrb2g   1/1     Running   0          5m24s
  stars           backend-sz87q         1/1     Running   0          5m23s
  stars           frontend-cscnf        1/1     Running   0          5m21s
  ...
- To connect to the management user interface, forward your local port 9001 to the management-ui service running on your cluster:
  kubectl port-forward service/management-ui -n management-ui 9001
- Open a browser on your local system and point it to http://localhost:9001/. You should see the management user interface. The C node is the client service, the F node is the front-end service, and the B node is the back-end service. Each node has full communication access to all other nodes, as indicated by the bold, colored lines.
- Apply the following network policies to isolate the services from each other:
  kubectl apply -n stars -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/tutorials/stars-policy/policies/default-deny.yaml
  kubectl apply -n client -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/tutorials/stars-policy/policies/default-deny.yaml
- Refresh your browser. You see that the management user interface can no longer reach any of the nodes, so they don't show up in the user interface.
- Apply the following network policies to allow the management user interface to access the services:
  kubectl apply -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/tutorials/stars-policy/policies/allow-ui.yaml
  kubectl apply -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/tutorials/stars-policy/policies/allow-ui-client.yaml
- Refresh your browser. You see that the management user interface can reach the nodes again, but the nodes cannot communicate with each other.
- Apply the following network policy to allow traffic from the front-end service to the back-end service:
  kubectl apply -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/tutorials/stars-policy/policies/backend-policy.yaml
- Refresh your browser. You see that the front-end can communicate with the back-end.
- Apply the following network policy to allow traffic from the client to the front-end service:
  kubectl apply -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/tutorials/stars-policy/policies/frontend-policy.yaml
- Refresh your browser. You see that the client can communicate with the front-end service. The front-end service can still communicate with the back-end service.
- (Optional) When you are done with the demo, you can delete its resources:
  kubectl delete -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/tutorials/stars-policy/manifests/04-client.yaml
  kubectl delete -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/tutorials/stars-policy/manifests/03-frontend.yaml
  kubectl delete -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/tutorials/stars-policy/manifests/02-backend.yaml
  kubectl delete -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/tutorials/stars-policy/manifests/01-management-ui.yaml
  kubectl delete -f https://docs.projectcalico.org/v3.5/getting-started/kubernetes/tutorials/stars-policy/manifests/00-namespace.yaml
Even after deleting the resources, there can still be iptables rules on the nodes that might interfere in unexpected ways with networking in your cluster. The only sure way to remove Calico is to terminate all of the nodes and recycle them. To terminate all nodes, either set the Auto Scaling Group desired count to 0, then back up to the desired number, or just terminate the nodes. If you are unable to recycle the nodes, then see Disabling and removing Calico Policy in the Calico GitHub repository for a last resort procedure.
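The demo above is easier to reason about if you model the Kubernetes NetworkPolicy ingress rule it relies on: a pod accepts all traffic until at least one policy selects it, after which only flows matched by the union of the selecting policies' from rules get through. The following is an added example, not code from the AWS documentation or the Calico project; the pod labels, namespace labels and selector shapes are constructed stand-ins for whatever the real demo manifests use, chosen so the four policy steps (default-deny, allow-ui, backend-policy, frontend-policy) produce the reachability the text describes.

```python
# Added example (not AWS/Calico code): simplified NetworkPolicy ingress model of the Stars demo.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: frozenset      # frozenset of (key, value) pairs; values are constructed
@dataclass
class Policy:
    namespace: str         # namespace the NetworkPolicy object lives in
    pod_selector: dict     # matchLabels; {} selects every pod in the namespace
    # (namespaceSelector or None, podSelector) pairs; [] is "ingress: []", i.e. deny all
    allow_from: list = field(default_factory=list)

def selects(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present."""
    return all((k, v) in labels for k, v in selector.items())

def ingress_allowed(src, dst, policies, ns_labels):
    """Ingress to dst is open until some policy selects it; after that the union
    of the 'from' rules of all selecting policies decides (deny by default)."""
    selecting = [p for p in policies
                 if p.namespace == dst.namespace and selects(p.pod_selector, dst.labels)]
    if not selecting:
        return True
    for p in selecting:
        for ns_sel, pod_sel in p.allow_from:
            if ns_sel is None:   # podSelector alone matches same-namespace pods only
                ns_ok = src.namespace == p.namespace
            else:
                ns_ok = selects(ns_sel, ns_labels[src.namespace])
            if ns_ok and selects(pod_sel, src.labels):
                return True
    return False
# Constructed cluster mirroring the demo's namespaces and pods (labels are assumed).
NS_LABELS = {ns: frozenset({("name", ns)}) for ns in ("stars", "client", "management-ui")}
UI = Pod("management-ui", "management-ui", frozenset({("role", "management-ui")}))
CLIENT = Pod("client", "client", frozenset({("role", "client")}))
FRONTEND = Pod("frontend", "stars", frozenset({("role", "frontend")}))
BACKEND = Pod("backend", "stars", frozenset({("role", "backend")}))
PODS = [UI, CLIENT, FRONTEND, BACKEND]
# The policy sets the demo applies, in order; each step is cumulative with the earlier ones.
DEFAULT_DENY = [Policy("stars", {}), Policy("client", {})]
ALLOW_UI = [Policy(ns, {}, [({"name": "management-ui"}, {})]) for ns in ("stars", "client")]
BACKEND_POLICY = [Policy("stars", {"role": "backend"}, [(None, {"role": "frontend"})])]
FRONTEND_POLICY = [Policy("stars", {"role": "frontend"}, [({"name": "client"}, {})])]
def reachable(policies):
    """Set of (src, dst) pod-name pairs whose ingress the given policies permit."""
    return {(s.name, d.name) for s in PODS for d in PODS
            if s is not d and ingress_allowed(s, d, policies, NS_LABELS)}
```

Calling reachable() with the cumulative policy lists reproduces each "Refresh your browser" observation: the UI loses all nodes after default-deny, regains them after allow-ui while the nodes stay isolated, and the front-end to back-end and client to front-end flows open only when their specific policies are added.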
Remove Calico
Remove Calico using the method that you installed Calico with.