Creating Calico-enabled Cluster with Platform9 Managed Kubernetes

Platform9 Managed Kubernetes integrates with Calico for pod-to-pod communication in Kubernetes clusters.

Calico is a Container Network Interface (CNI) plugin that provides networking for Kubernetes.

Once Calico is installed, you can create Kubernetes network policies that define which incoming and outgoing network traffic pods are allowed to receive and send.

Let us look at how Calico integrates with Kubernetes before examining how to enable the Calico integration during cluster creation with Platform9 Managed Kubernetes.

Integration with Calico

Calico is a Layer 3 networking solution that interconnects virtual machines or Linux containers with the help of virtual routers. For more information on Calico, refer to the Project Calico website.

Calico is installed within the Kubernetes environment: calico-controller and calico-node run as pods on the Kubernetes nodes.

Because Calico is a Layer 3 solution, an overlay network is not required to integrate with a Calico network.

Calico uses iptables and the Linux routing table to route traffic between Kubernetes nodes.

You can configure a network policy that defines security settings for Kubernetes pods using the NetworkPolicy resource in Kubernetes.

The following is an example of a NetworkPolicy file (source: Kubernetes documentation).

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  # The policy applies to pods in the default namespace labelled role=db.
  podSelector:
    matchLabels:
      role: db
  # Both directions are restricted for the selected pods; only traffic listed below is allowed.
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # Each entry under "from" is an alternative source; the "ports" list applies to all of them.
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978
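To make the ingress semantics of the policy above concrete, here is an added Python evaluator (not part of the Platform9 documentation or of Calico's code) that models how the CNI decides whether a connection to a role=db pod is allowed: each "from" peer is an alternative, the ipBlock "except" carves out a deny, a bare podSelector only matches pods in the policy's own namespace, and the "ports" list must match. It assumes matchLabels-only selectors, models only the ingress half of the policy, and the sender descriptions used with it are constructed.

```python
import ipaddress

# Constructed Python mirror of the NetworkPolicy above (matchLabels only).
POLICY = {
    "namespace": "default",
    "podSelector": {"role": "db"},
    "ingress": [{
        "from": [
            {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
            {"namespaceSelector": {"project": "myproject"}},
            {"podSelector": {"role": "frontend"}},
        ],
        "ports": [{"protocol": "TCP", "port": 6379}],
    }],
}

def labels_match(selector, labels):
    """matchLabels semantics: every selector key must be present with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())

def peer_matches(peer, src, policy_ns):
    """src describes the sender: ip, namespace, ns_labels, pod_labels (None if not a pod)."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(src["ip"])
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))
    if src.get("pod_labels") is None:
        return False  # selector-based peers never match traffic that is not from a pod
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"], src.get("ns_labels", {})):
            return False
        # with a podSelector in the same peer the two are ANDed; alone it means any pod there
        return "podSelector" not in peer or labels_match(peer["podSelector"], src["pod_labels"])
    # a bare podSelector only matches pods in the policy's own namespace
    return src["namespace"] == policy_ns and labels_match(peer["podSelector"], src["pod_labels"])

def ingress_allowed(policy, dst_labels, src, protocol, port):
    """Decision for a connection to a pod labelled dst_labels, considering this one policy."""
    if not labels_match(policy["podSelector"], dst_labels):
        return True  # pod not selected by any policy: Kubernetes allows by default
    for rule in policy["ingress"]:
        peers_ok = not rule.get("from") or any(
            peer_matches(p, src, policy["namespace"]) for p in rule["from"])
        ports_ok = not rule.get("ports") or any(
            p["protocol"] == protocol and p["port"] == port for p in rule["ports"])
        if peers_ok and ports_ok:
            return True
    return False  # selected pod and no rule matched: isolated, traffic is dropped
```

Feeding it a frontend pod from another namespace shows the common surprise: the bare podSelector does not match it, so the connection is dropped even though the label is right.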

Platform9 Managed Kubernetes uses the default upstream settings specified in the Calico networking manifest, calico.yaml.

Prerequisites

The following prerequisites must be met to be able to use Calico with a Kubernetes cluster.

  • The VM or container running the Kubernetes cluster must run one of the following Linux-based operating system versions in order to run Calico.
    • Ubuntu 16.04 or above
    • CentOS 7 or above
  • The following ports must be open on the nodes.
    • 4001 (TCP)
    • 2380 (for etcd communication)
  • If security rules have been configured on the firewall, the IP-in-IP protocol must be enabled and the firewall must allow IP-in-IP traffic between the nodes.
  • Contact Platform9 support to enable Kubernetes networking on your Platform9 Managed Kubernetes setup before you create a cluster that integrates with a network backend such as Calico.

Create Calico-enabled Cluster

While creating the cluster, under Network Configuration, select Calico as the network backend.

Configure Network backend

To create a cluster, follow the steps in Create Multi-master, Highly Available Kubernetes Clusters.