Calico


Check if the calico-node container is running

The calicoctl command lets you check the status of the network workloads.

  • Check the status of Calico nodes

```shell
calicoctl node status
```

or for versions prior to v1.0.0:

```shell
calicoctl status
```

  • Show the configured network subnet for containers

```shell
calicoctl get ippool -o wide
```

or for versions prior to v1.0.0:

```shell
calicoctl pool show
```

  • Show the workloads (IP addresses of containers and where they are located)

and

```shell
calicoctl get hostEndpoint -o wide
```

or for versions prior to v1.0.0:

```shell
calicoctl endpoint show --detail
```
Optional : Define network backend

In some cases you may want to define the Calico network backend. Allowed values are `bird`, `gobgp` or `none`. The default is `bird`.

To override it, edit the inventory and add the group variable `calico_network_backend`:

```yaml
calico_network_backend: none
```
Optional : Define the default pool CIDR

```yaml
calico_pool_cidr: 10.233.64.0/20
```
Optional : BGP Peering with border routers

In some cases you may want to route the pods subnet so that NAT is not needed on the nodes, for instance if you have a cluster spread across different locations and you want your pods to talk to each other no matter where they are located. The following variables need to be set: `peer_with_router` to enable peering with the datacenter's border router (default value: false). You'll also need to edit the inventory and add a hostvar `local_as` per node.

Optional : Defining BGP peers

Peers can be defined using the `peers` variable (see the docs/calico_peer_example examples). To define global peers, set the `peers` variable in group_vars with the `scope` attribute of each global peer set to `global`. To define peers on a per-node basis, the `peers` variable must be defined in hostvars. NB: Ansible's `hash_behaviour` is set to `replace` by default, so defining both global and per-node peers would end up with only the per-node peers. If both global and per-node peers are meant to apply, the global peers have to be defined in the hostvars of each host (alongside its per-node peers).

Since Calico 3.4, Calico supports advertising Kubernetes service cluster IPs over BGP, just as it advertises pod IPs. This can be enabled by setting the following variable in group_vars (k8s-cluster/k8s-net-calico.yml):

```yaml
calico_advertise_cluster_ips: true
```
Optional : Define global AS number

The optional parameter `global_as_num` defines the Calico global AS number (the `/calico/bgp/v1/global/as_num` etcd key). It defaults to `64512`.

Optional : BGP Peering with route reflectors

At large scale you may want to disable the full node-to-node mesh in order to optimize your BGP topology and improve the start time of calico-node containers.

To do so you can deploy BGP route reflectors and peer calico-node with them as recommended here:

You need to edit your inventory and add:

  • A `calico-rr` group with nodes in it. At the moment it is incompatible with `kube-node` because of a BGP port conflict with the calico-node container, so you should not have nodes in both the `calico-rr` and `kube-node` groups.
  • cluster_id by route reflector node/group (see details)

Here’s an example of Kubespray inventory with route reflectors:

```ini
[all]
rr0 ansible_ssh_host=10.210.1.10 ip=10.210.1.10
rr1 ansible_ssh_host=10.210.1.11 ip=10.210.1.11
node2 ansible_ssh_host=10.210.1.12 ip=10.210.1.12
node3 ansible_ssh_host=10.210.1.13 ip=10.210.1.13
node4 ansible_ssh_host=10.210.1.14 ip=10.210.1.14
node5 ansible_ssh_host=10.210.1.15 ip=10.210.1.15

[kube-master]
node2
node3

[etcd]
node2
node3
node4

[kube-node]
node2
node3
node5
kube-node
kube-master

[calico-rr]
rr0
rr1

[rack0]
rr0
rr1
node2
node3
node4
node5

[rack0:vars]
cluster_id="1.0.0.1"
```
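The two inventory constraints above (route reflectors must not also be in `kube-node`, and every reflector needs a `cluster_id` from a host var or one of its groups) are easy to get wrong by hand. The following is an added example, not part of Kubespray, that parses an INI-style inventory and reports violations; the inventory it embeds is constructed for the example and deliberately breaks both rules for node3.

```python
from collections import defaultdict

# Constructed inventory, modelled on the example above; node3 is deliberately in both calico-rr and kube-node.
INVENTORY = """
rr0 ansible_ssh_host=10.210.1.10 ip=10.210.1.10
node3 ansible_ssh_host=10.210.1.13 ip=10.210.1.13
[kube-node]
node3
[calico-rr]
rr0
node3
[rack0]
rr0
[rack0:vars]
cluster_id="1.0.0.1"
"""

def _kv(pair):
    key, _, value = pair.partition("=")
    return key.strip(), value.strip().strip("\"'")

def parse_inventory(text):
    """Parse an INI-style Ansible inventory into groups, group vars and host vars."""
    groups, gvars, hvars = defaultdict(list), defaultdict(dict), defaultdict(dict)
    section = "ungrouped"  # Ansible's group for hosts listed before any [group]
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section.endswith(":vars"):
            gvars[section[:-5]].update([_kv(line)])
        elif not section.endswith(":children"):
            host, *pairs = line.split()
            groups[section].append(host)
            hvars[host].update(map(_kv, pairs))
    return groups, gvars, hvars

def find_calico_issues(groups, gvars, hvars):
    """Return violations of the route-reflector constraints described above."""
    issues, rr = [], set(groups.get("calico-rr", []))
    for host in sorted(rr & set(groups.get("kube-node", []))):
        issues.append(f"{host}: in both calico-rr and kube-node (BGP port conflict)")
    for host in sorted(rr):
        scopes = [hvars[host]] + [gvars[g] for g, members in groups.items() if host in members]
        if not any("cluster_id" in scope for scope in scopes):
            issues.append(f"{host}: route reflector without a cluster_id")
    return issues
```

Run it against a real file with `find_calico_issues(*parse_inventory(open("inventory.ini").read()))`; an empty list means both rules hold.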

Optional : Define default endpoint to host action

By default Calico blocks traffic from endpoints to the host itself by using an iptables DROP action. When used in Kubernetes the action has to be changed to RETURN (the default in Kubespray, which hands the packet back to the host's own iptables rules) or ACCEPT (see https://github.com/projectcalico/calicoctl/issues/1389). Otherwise all network packets from pods (with hostNetwork=False) to service endpoints (with hostNetwork=True) on the same node are dropped.

To override the default action, set the following variable in your inventory:

```yaml
calico_endpoint_to_host_action: "ACCEPT"
```
Optional : Define address on which Felix will respond to health requests

Since Calico 3.2.0, the default health check behavior changed from listening on all interfaces to listening only on localhost.

To override the health host (for example to expose the health endpoint on all interfaces), set the following variable in your inventory:

```yaml
calico_healthhost: "0.0.0.0"
```

Cloud providers configuration

Please refer to the official documentation: for example, requires a security rule for Calico IP-in-IP tunnels. Note that Calico is always configured with `ipip: true` if a cloud provider was defined.

Optional : Ignore kernel’s RPF check setting

By default the Felix agent (calico-node) will abort if the kernel RPF setting is not `strict`. If you want Calico to ignore the kernel setting:

Note that in OpenStack you must allow IP-in-IP traffic in your security groups, otherwise you will experience timeouts. To do this you must add a rule which allows it, for example:

```shell
neutron security-group-rule-create --protocol 4 --direction egress k8s-a0tp4t
```