Enable kubectl to manage Calico APIs

    Install the Calico API server on an existing cluster to enable management of Calico APIs using kubectl.

    Value

    The API server provides a REST API for Calico, and allows management of APIs using kubectl without the need for calicoctl.

    note

    Starting in Calico v3.20.0, new operator-based installations of Calico include the API server component by default, so the instructions in this document are not required.

    • Make sure you have a cluster with Calico installed using the Kubernetes API data store. If not, you can .

    • Upgrade to Calico v3.20+ using the appropriate upgrade instructions.

    • For non-operator installations, you will need a machine with openssl installed.

    Concepts

    In previous releases, calicoctl was required to manage Calico API resources in the projectcalico.org/v3 API group. The calicoctl CLI tool provides important validation and defaulting on these APIs. The Calico API server performs that defaulting and validation server-side, exposing the same API semantics without a dependency on calicoctl.

    calicoctl is still required for the following subcommands:

    • Operator install
    • Manifest install
    1. Create an instance of an operator.tigera.io/APIServer with the following contents.

    2. Confirm it appears as Available with the following command.

      kubectl get tigerastatus apiserver

      You should see the following output:

      NAME AVAILABLE PROGRESSING DEGRADED SINCE
    3. Create the following manifest, which will install the API server as a deployment in the calico-apiserver namespace.

      kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.24.5/manifests/apiserver.yaml

      You will notice that the API server remains in a ContainerCreating state, as it is waiting for credentials to be provided for authenticating the main Kubernetes API server.

    4. Generate a private key and CA bundle using the following openssl command. This certificate will be used by the main API server to authenticate with the Calico API server.

      note

      The -addext argument in the following command requires openssl 1.1.1 or above. You can check your version of openssl using openssl version.

      "{\"spec\": {\"caBundle\": \"$(kubectl get secret -n calico-apiserver calico-apiserver-certs -o go-template='{{ index .data "apiserver.crt" }}')\"}}"
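
    The certificate handling in step 4, as an added shell example that is not part of the Calico documentation: it checks the openssl version for -addext, generates a self-signed key and certificate, and verifies the certificate before and after it is handed to the cluster. Assumptions: the DNS name you pass must be the in-cluster name of the Calico API server's Service (not shown on this page), the key size and lifetime are this example's choices, and the APIService name v3.projectcalico.org is derived from the projectcalico.org/v3 group.

```shell
#!/bin/sh
# Added example; not from the Calico documentation.

# Succeeds when `openssl version` output ($1) reports OpenSSL 1.1.1 or newer,
# the minimum the page gives for -addext. Other builds count as unsupported.
supports_addext() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" {
        split($2, v, "."); sub(/[^0-9].*/, "", v[3])
        a = v[1] + 0; b = v[2] + 0; c = v[3] + 0
        ok = (a > 1) || (a == 1 && (b > 1 || (b == 1 && c >= 1)))
    } END { exit !ok }'
}

# Write apiserver.key and apiserver.crt into directory $1 for DNS name $2.
# Key size and lifetime are this example's choices; umask keeps the key private.
gen_apiserver_cert() (
    umask 077
    cd "$1" || exit 1
    openssl req -x509 -nodes -newkey rsa:4096 -days 365 -subj "/" \
        -keyout apiserver.key -out apiserver.crt \
        -addext "subjectAltName = DNS:$2"
)

# Succeeds only if certificate $1 is valid for host $2 and will not expire
# within $3 days. Run it before the certificate goes into the cluster.
check_apiserver_cert() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate' || return 1
    openssl x509 -in "$1" -noout -checkend "$(( $3 * 86400 ))" >/dev/null
}

# Succeeds when the caBundle on the APIService equals the certificate held in
# the secret named on the page. Needs cluster access. The APIService name is
# an assumption derived from the projectcalico.org/v3 group.
cabundle_matches_secret() {
    want=$(kubectl get secret -n calico-apiserver calico-apiserver-certs \
        -o go-template='{{ index .data "apiserver.crt" }}') || return 1
    have=$(kubectl get apiservice v3.projectcalico.org \
        -o jsonpath='{.spec.caBundle}') || return 1
    [ -n "$want" ] && [ "$want" = "$have" ]
}
```

    Run check_apiserver_cert on apiserver.crt before creating the calico-apiserver-certs secret, and cabundle_matches_secret after the caBundle patch has been applied.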

    After following the above steps, you should see the API server pod become ready, and Calico API resources become available. You can check whether the APIs are available with the following command:

    kubectl api-resources | grep '\sprojectcalico.org'

    You should see the following output:

    note

    kubectl may continue to prefer the crd.projectcalico.org API group due to the way it caches APIs locally. You can force kubectl to update by removing its cache directory for your cluster. By default, the cache is located in $HOME/.kube/cache.

    Once the API server has been installed, you can use kubectl to interact with the Calico APIs. For example, you can view and edit IP pools.

    kubectl get ippools

    You should see output that looks like this:

    NAME                  CREATED AT
    default-ipv4-ippool   2021-03-19T16:47:12Z

    To uninstall the API server, use the following instructions depending on your install method.

    • Operator install
    • Manifest install

    Once removed, you will need to use calicoctl to manage projectcalico.org/v3 APIs.
