System requirements

    • Linux kernel 3.10 or later with . The following distributions have the required kernel, its dependencies, and are known to work well with Calico and OpenShift.

      • RedHat Linux 7
      • RedHat Container OS

    note

    Many Linux distributions, such as most of the above, include NetworkManager. By default, NetworkManager does not allow Calico to manage interfaces. If your nodes have NetworkManager, complete the steps in Preventing NetworkManager from controlling Calico interfaces before installing Calico.

    • If your Linux distribution comes with installed Firewalld or another iptables manager it should be disabled. These may interfere with rules added by Calico and result in unexpected behavior.

    System requirements - 图2note

    If a host firewall is needed, it can be configured by Calico HostEndpoint and GlobalNetworkPolicy. More information about configuration at .

    Key/value store

    Ensure that your hosts and firewalls allow the necessary traffic based on your configuration.

    * The value passed to kube-apiserver using the --secure-port flag. If you cannot locate this, check the targetPort value returned bykubectl get svc kubernetes -o yaml.

    Privileges

    Ensure that Calico has the CAP_SYS_ADMIN privilege.

    The simplest way to provide the necessary privilege is to run Calico as root or in a privileged container.

    Calico v3.24 supports:

    • OpenShift Container Platform 4.3+

    Refer to the OpenShift documentation for additional requirements.

    Kernel Dependencies

    If you are using one of the recommended distributions, you will already satisfy these.

    Due to the large number of distributions and kernel version out there, it’s hard to be precise about the names of the particular kernel modules that are required to run Calico. However, in general, you’ll need:

    • The iptables modules (both the “legacy” and “nft” variants are supported). These are typically broken up into many small modules, one for each type of match criteria and one for each type of action. Calico requires:

      • At least the following match criteria: set,, addrtype, comment,conntrack, icmp, tcp,udp, ipvs, icmpv6 (if IPv6 is enabled in your kernel), mark, ,rpfilter, sctp, ipvs (if usingkube-proxy in IPVS mode).
      • At least the following actions: REJECT,ACCEPT, DROP, LOG.

    • IP sets support.

    • Netfilter Conntrack support compiled in (with SCTP support if using SCTP).

    • IPVS support if using kube-proxy in IPVS mode.

    • eBPF (including the hook support) and XDP (if you want to use the eBPF dataplane).