docs: update Calico installation docs #11993
@@ -39,14 +39,48 @@ kubectl create -f https://docs.tigera.io/calico/latest/manifests/tigera-operator | |
|
|
||
| ### Configuring Calico Networking | ||
|
|
||
| Calico has a pluggable dataplane architecture that lets you choose the networking technology based on your use case. You can configure the dataplane by setting the `linuxDataplane` key in the installation manifest. | ||
| Calico has a pluggable dataplane architecture that lets you choose the networking technology based on your use case. Networking technology is the backend that allows your nodes to move a packet from a source or destination to your Kubernetes resources. | ||
|
|
||
| > **Note** If you like to learn more about the available Calico configurations [checkout this document](https://docs.tigera.io/calico/latest/reference/installation/api). | ||
|
|
||
| {{< tabpane text=true >}} | ||
| {{% tab header="NFTables" %}} | ||
|
|
||
| > **Note**: Calico also supports iptables backend, if you wish to run Calico in iptables mode change `linuxdataplane` value to `Iptables`. | ||
|
|
||
| Use the following command to run Calico with NFTables backend. | ||
|
|
||
| ```bash | ||
| kubectl create -f -<<EOF | ||
| # This section includes base Calico installation configuration. | ||
| apiVersion: operator.tigera.io/v1 | ||
| kind: Installation | ||
| metadata: | ||
| name: default | ||
| spec: | ||
| calicoNetwork: | ||
| bgp: Disabled | ||
| linuxDataplane: Nftables | ||
| ipPools: | ||
| - name: default-ipv4-ippool | ||
| blockSize: 26 | ||
| cidr: 10.244.0.0/16 | ||
| encapsulation: VXLAN | ||
| natOutgoing: Enabled | ||
| nodeSelector: all() | ||
| kubeletVolumePluginPath: None | ||
| --- | ||
| apiVersion: operator.tigera.io/v1 | ||
| kind: APIServer | ||
| metadata: | ||
| name: default | ||
| EOF | ||
| ``` | ||
|
|
||
| {{% /tab %}} | ||
| {{% tab header="eBPF" %}} | ||
|
|
||
| By default, Calico uses the `/var` directory to mount cgroups. However, since this path is not writable in Talos, you need to change it to `/sys/fs/cgroup`. | ||
| By default, Calico uses the `/var` directory to mount cgroups. However, since this path is not writable in Talos Linux, you need to change it to `/sys/fs/cgroup`. | ||
|
Review comment: if using eBPF mode. Also might want to prefix this section and point out that eBPF mode has downsides and doesn't work everywhere, e.g. it doesn't support all architectures.
|
|
||
| Use the following command to update the cgroup mount path: | ||
|
|
||
|
|
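Review bot: the iptables note in this hunk ("change `linuxdataplane` value to `Iptables`") spells the key in lowercase while the manifest below uses `linuxDataplane: Nftables`; YAML field names are case-sensitive, so the note should read `linuxDataplane: Iptables`. The rewritten opening paragraph also drops the sentence that told the reader the dataplane is chosen through the `linuxDataplane` key in the Installation manifest, so the key now first appears unexplained inside the YAML. Finally, `cidr: 10.244.0.0/16` in the ip pool is given with no explanation; a sentence stating that it has to match the pod subnet the cluster was created with would keep readers from applying a pool that does not route. Minor: "If you like to learn more" should be "If you'd like to learn more".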
@@ -61,28 +95,21 @@ spec: | |
| EOF | ||
| ``` | ||
|
|
||
| > **Note** If you’d like to learn more about the available Calico configurations, [checkout this document](https://docs.tigera.io/calico/latest/reference/installation/api). | ||
|
|
||
| In eBPF mode, Calico completely replaces the need for kube-proxy by programming all networking logic via eBPF programs. Before disabling kube-proxy, however, you need to ensure that Calico components can reach the API server. This can be done by creating a `kubernetes-services-endpoint` ConfigMap. | ||
|
|
||
| Store the following YAML template in a file (e.g., `endpoint.yaml`), and replace <API server host> and <API server port> with your Kubernetes API server host and port. | ||
| If [KubePrism]({{< relref "../configuration/kubeprism" >}}) is enabled (which is the default), use `localhost` as the API server host and `7445` as the port. | ||
| > **Note**: In this part we assume you are using [KubePrism]({{< relref "../configuration/kubeprism" >}}) (which is enabled by the default). | ||
|
|
||
| ```yaml | ||
| ```bash | ||
| kubectl create -f -<<EOF | ||
| kind: ConfigMap | ||
| apiVersion: v1 | ||
| metadata: | ||
| name: kubernetes-services-endpoint | ||
| namespace: tigera-operator | ||
| data: | ||
| KUBERNETES_SERVICE_HOST: '<API server host>' | ||
| KUBERNETES_SERVICE_PORT: '<API server port>' | ||
| ``` | ||
|
|
||
| After editing the file, apply it using: | ||
|
|
||
| ```bash | ||
| kubectl create -f endpoint.yaml | ||
| KUBERNETES_SERVICE_HOST: 'localhost' | ||
| KUBERNETES_SERVICE_PORT: '7445' | ||
| EOF | ||
| ``` | ||
|
|
||
| You can now safely disable `kube-proxy` by using the following command: | ||
|
|
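Review bot: hard-coding `KUBERNETES_SERVICE_HOST: 'localhost'` and `KUBERNETES_SERVICE_PORT: '7445'` is only correct when KubePrism is enabled, and this hunk removes the text that told readers with KubePrism disabled to substitute their real API server host and port; keep a one-line fallback for that case, since Calico components will otherwise fail to reach the API server before kube-proxy is removed. The new note should read "enabled by default" rather than "enabled by the default". Since the ConfigMap is now applied through a `kubectl create -f -<<EOF` heredoc, check that no remaining text still refers to storing it in `endpoint.yaml`.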
@@ -104,49 +131,14 @@ spec: | |
| calicoNetwork: | ||
| bgp: Disabled | ||
| linuxDataplane: BPF | ||
| cni: | ||
| ipam: | ||
| type: HostLocal | ||
| type: Calico | ||
| kubeletVolumePluginPath: None | ||
| --- | ||
| # Kubectl integration for Calico unique resources. | ||
|
Review comment: @smira I removed API server since I found a bug (not Talos related) with it when using the KubePrism IP. I'll have another update later to include it but for now it is safe to remove it.
Reply: Out of curiosity, what's the bug? (I'm currently debugging something related to Calico and talking to the API server right now; so maybe you found it!)
| apiVersion: operator.tigera.io/v1 | ||
| kind: APIServer | ||
| metadata: | ||
| name: default | ||
| spec: {} | ||
| EOF | ||
| ``` | ||
|
|
||
| {{% /tab %}} | ||
| {{% tab header="NFTables" %}} | ||
|
|
||
| Use the following command to run Calico with NFTables backend. | ||
|
|
||
| ```bash | ||
| kubectl create -f -<<EOF | ||
| # This section includes base Calico installation configuration. | ||
| apiVersion: operator.tigera.io/v1 | ||
| kind: Installation | ||
| metadata: | ||
| name: default | ||
| spec: | ||
| calicoNetwork: | ||
| bgp: Disabled | ||
| linuxDataplane: Nftables | ||
| cni: | ||
| ipam: | ||
| type: HostLocal | ||
| type: Calico | ||
| ipPools: | ||
| - name: default-ipv4-ippool | ||
| blockSize: 26 | ||
| cidr: 10.244.0.0/16 | ||
|
Review comment: This cidr block came out of nowhere: should mention how to pick it.
| encapsulation: VXLAN | ||
| natOutgoing: Enabled | ||
| nodeSelector: all() | ||
| kubeletVolumePluginPath: None | ||
| --- | ||
| # Kubectl integration for Calico unique resources. | ||
| apiVersion: operator.tigera.io/v1 | ||
| kind: APIServer | ||
| metadata: | ||
| name: default | ||
| spec: {} | ||
| EOF | ||
| ``` | ||
|
|
||
|
|
||
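Review bot: removing the `cni: / ipam: / type: HostLocal / type: Calico` block from the BPF manifest switches pod address assignment from host-local IPAM to Calico IPAM, but nothing in the text explains the change or which IP pool Calico will use in eBPF mode; a sentence tying the pool to the cluster's pod subnet is needed here for the same reason raised on the NFTables `cidr` line. Dropping the `APIServer` resource from this tab while the NFTables tab added in the first hunk still creates one leaves the two tabs inconsistent; either state the reason given in the comments (a bug when using the KubePrism address) in the doc or remove the resource from both tabs.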
Review comment: @james-callahan WDYT? I think this should be a bit more clear that I'm not suggesting what you should pick.
Reply: Yeah that's fine.
As a side note, you might want to point out that you don't have to use the tigera-operator (we don't).