tigera · ctauchen · Jan 6, 2025 · Jan 6, 2025 · hjiawei · Jan 6, 2025
@@ -2,12 +2,78 @@
 description: Review requirements before installing Calico to ensure success.
 ---
 
-import ReqsSys from '@site/calico/_includes/components/ReqsSys';
-import ReqsKernel from '@site/calico/_includes/components/ReqsKernel';
-
 # System requirements
 
-<ReqsSys orch='Kubernetes' />
+## Node requirements
+
+* x86-64, arm64, ppc64le, or s390x processor
+
+* Calico must be able to manage `cali*` interfaces on the host.
+  When IPIP is enabled (the default), Calico also needs to be able to manage `tunl*` interfaces.
+  When VXLAN is enabled, Calico also needs to be able to manage the `vxlan.calico` interface.
+
+* Linux kernel 3.10 or later with [required dependencies](#kernel-dependencies). The following distributions have the required kernel, its dependencies, and are known to work well with Calico and Kubernetes.
+  * RedHat Linux 7
+  * CentOS 7
+  * Flatcar Container Linux
+  * Fedora CoreOS
+  * Ubuntu 18.04
+  * Debian 8
+
+:::note
+
+Many Linux distributions, such as most of the above, include NetworkManager.
+By default, NetworkManager does not allow Calico to manage interfaces.
+If your nodes have NetworkManager, complete the steps in [Preventing NetworkManager from controlling Calico interfaces](../../operations/troubleshoot/troubleshooting.mdx#configure-networkmanager) before installing Calico.
+
+:::
+
+* If your Linux distribution comes with installed Firewalld or another iptables manager it should be disabled.
+  These may interfere with rules added by Calico and result in unexpected behavior.
+
+:::note
+
+If a host firewall is needed, it can be configured by Calico HostEndpoint and GlobalNetworkPolicy.
+More information about configuration at Security for host.
+
+:::
+
+## Key/value store
+
+Calico requires a key/value store accessible by all Calico components.
+On Kubernetes, you can configure Calico to access an etcdv3 cluster directly or to use the Kubernetes API datastore.
+
+## Network requirements
+
+Ensure that your hosts and firewalls allow the necessary traffic based on your configuration.
+
+| Configuration                                     | Host(s)        | Connection Type | Port/Protocol                                                                                                                 |
+|---------------------------------------------------|----------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------|
+| Calico networking (BGP)                           | All            | Bidirectional   | TCP 179                                                                                                                       |
+| Calico networking with IP-in-IP enabled (default) | All            | Bidirectional   | IP-in-IP, often represented by its protocol number `4`                                                                        |
+| Calico networking with VXLAN enabled              | All            | Bidirectional   | UDP 4789                                                                                                                      |
+| Calico networking with Typha enabled              | Typha agent hosts    | Incoming        | TCP 5473 (default)                                                                                                            |
+| Calico networking with IPv4 Wireguard enabled     | All            | Bidirectional   | UDP 51820 (default)                                                                                                           |
+| Calico networking with IPv6 Wireguard enabled     | All            | Bidirectional   | UDP 51821 (default)                                                                                                           |
+| flannel networking (VXLAN)                        | All            | Bidirectional   | UDP 4789                                                                                                                      |
+| All                                               | kube-apiserver hosts | Incoming        | Often TCP 443 or 6443\*                                                                                                       |
+| etcd datastore                                    | etcd hosts     | Incoming        | [Officially](http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt) TCP 2379 but can vary |
+
+\* *The value passed to kube-apiserver using the `--secure-port` flag.
+If you cannot locate this, check the `targetPort` value returned by `kubectl get svc kubernetes -o yaml`.*
+
+## Privileges
+
+Ensure that Calico has the `CAP_SYS_ADMIN` privilege.
+
+The simplest way to provide the necessary privilege is to run Calico as root or in a privileged container.
+
+When installed as a Kubernetes daemon set, Calico meets this requirement by running as a privileged container.
+This requires that the kubelet be allowed to run privileged containers.
+There are two ways this can be achieved.
+
+* Specify `--allow-privileged` on the kubelet (deprecated).
+* Use a pod security policy.
 
 ## Kubernetes requirements
 
@@ -66,4 +132,23 @@ Note that Kubernetes version 1.16+ requires Istio version 1.2 or greater.
 Note that Istio version 1.9 requires Kubernetes version 1.17-1.20.
 Note that Istio version 1.10 is supported on Kubernetes version 1.18-1.21, but has been tested on Kubernetes version 1.22.
 
-<ReqsKernel />
+## Kernel Dependencies
+
+:::tip
+
+If you are using one of the recommended distributions, you will already satisfy these.
+
+:::
+
+Due to the large number of distributions and kernel version out there, it’s hard to be precise about the names of the particular kernel modules that are required to run Calico.
+However, in general, you’ll need:
+
+* The `iptables` modules (both the “legacy” and “nft” variants are supported). These are typically broken up into many small modules, one for each type of match criteria and one for each type of action. Calico requires:
+  * The “base” modules (including the IPv6 versions if IPv6 is enabled in your cluster).
+  * At least the following match criteria: `set`, `rpfilter`, `addrtype`, `comment`, `conntrack`, `icmp`, `tcp`, `udp`, `ipvs`, `icmpv6` (if IPv6 is enabled in your kernel), `mark`, `multiport`, `rpfilter`, `sctp`, `ipvs` (if using `kube-proxy` in IPVS mode).
+  * At least the following actions: `REJECT`, `ACCEPT`, `DROP`, `LOG`.
+* IP sets support.
+* Netfilter Conntrack support compiled in (with SCTP support if using SCTP).
+* IPVS support if using `kube-proxy` in IPVS mode.
+* IPIP, VXLAN, Wireguard support, if using Calico networking in one of those modes.
+* eBPF (including the `tc` hook support) and XDP (if you want to use the eBPF dataplane).
@@ -2,12 +2,78 @@
 description: Review requirements before installing Calico to ensure success.
 ---
 
-import ReqsSys from '@site/calico_versioned_docs/version-3.29/_includes/components/ReqsSys';
-import ReqsKernel from '@site/calico_versioned_docs/version-3.29/_includes/components/ReqsKernel';
-
 # System requirements
 
-<ReqsSys orch='Kubernetes' />
+## Node requirements
+
+* x86-64, arm64, ppc64le, or s390x processor
+
+* Calico must be able to manage `cali*` interfaces on the host.
+  When IPIP is enabled (the default), Calico also needs to be able to manage `tunl*` interfaces.
+  When VXLAN is enabled, Calico also needs to be able to manage the `vxlan.calico` interface.
+
+* Linux kernel 3.10 or later with [required dependencies](#kernel-dependencies). The following distributions have the required kernel, its dependencies, and are known to work well with Calico and Kubernetes.
+  * RedHat Linux 7
+  * CentOS 7
+  * Flatcar Container Linux
+  * Fedora CoreOS
+  * Ubuntu 18.04
+  * Debian 8
+
+:::note
+
+Many Linux distributions, such as most of the above, include NetworkManager.
+By default, NetworkManager does not allow Calico to manage interfaces.
+If your nodes have NetworkManager, complete the steps in [Preventing NetworkManager from controlling Calico interfaces](../../operations/troubleshoot/troubleshooting.mdx#configure-networkmanager) before installing Calico.
+
+:::
+
+* If your Linux distribution comes with installed Firewalld or another iptables manager it should be disabled.
+  These may interfere with rules added by Calico and result in unexpected behavior.
+
+:::note
+
+If a host firewall is needed, it can be configured by Calico HostEndpoint and GlobalNetworkPolicy.
+More information about configuration at [Policy for hosts and VMs](../../network-policy/hosts/index.mdx).
+
+:::
+
+## Key/value store
+
+Calico requires a key/value store accessible by all Calico components.
+On Kubernetes, you can configure Calico to access an etcdv3 cluster directly or to use the Kubernetes API datastore.
+
+## Network requirements
+
+Ensure that your hosts and firewalls allow the necessary traffic based on your configuration.
+
+| Configuration                                     | Host(s)        | Connection Type | Port/Protocol                                                                                                                 |
+|---------------------------------------------------|----------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------|
+| Calico networking (BGP)                           | All            | Bidirectional   | TCP 179                                                                                                                       |
+| Calico networking with IP-in-IP enabled (default) | All            | Bidirectional   | IP-in-IP, often represented by its protocol number `4`                                                                        |
+| Calico networking with VXLAN enabled              | All            | Bidirectional   | UDP 4789                                                                                                                      |
+| Calico networking with Typha enabled              | Typha agent hosts    | Incoming        | TCP 5473 (default)                                                                                                            |
+| Calico networking with IPv4 Wireguard enabled     | All            | Bidirectional   | UDP 51820 (default)                                                                                                           |
+| Calico networking with IPv6 Wireguard enabled     | All            | Bidirectional   | UDP 51821 (default)                                                                                                           |
+| flannel networking (VXLAN)                        | All            | Bidirectional   | UDP 4789                                                                                                                      |
+| All                                               | kube-apiserver hosts | Incoming        | Often TCP 443 or 6443\*                                                                                                       |
+| etcd datastore                                    | etcd hosts     | Incoming        | [Officially](http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt) TCP 2379 but can vary |
+
+\* *The value passed to kube-apiserver using the `--secure-port` flag.
+If you cannot locate this, check the `targetPort` value returned by `kubectl get svc kubernetes -o yaml`.*
+
+## Privileges
+
+Ensure that Calico has the `CAP_SYS_ADMIN` privilege.
+
+The simplest way to provide the necessary privilege is to run Calico as root or in a privileged container.
+
+When installed as a Kubernetes daemon set, Calico meets this requirement by running as a privileged container.
+This requires that the kubelet be allowed to run privileged containers.
+There are two ways this can be achieved.
+
+* Specify `--allow-privileged` on the kubelet (deprecated).
+* Use a [pod security policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/).
 
 ## Kubernetes requirements
 
@@ -66,4 +132,23 @@
 Note that Istio version 1.9 requires Kubernetes version 1.17-1.20.
 Note that Istio version 1.10 is supported on Kubernetes version 1.18-1.21, but has been tested on Kubernetes version 1.22.
 
-<ReqsKernel />
+## Kernel Dependencies
+
+:::tip
+
+If you are using one of the recommended distributions, you will already satisfy these.
+
+:::
+
+Due to the large number of distributions and kernel version out there, it’s hard to be precise about the names of the particular kernel modules that are required to run Calico.
+However, in general, you’ll need:
+
+* The `iptables` modules (both the “legacy” and “nft” variants are supported). These are typically broken up into many small modules, one for each type of match criteria and one for each type of action. Calico requires:
+  * The “base” modules (including the IPv6 versions if IPv6 is enabled in your cluster).
+  * At least the following match criteria: `set`, `rpfilter`, `addrtype`, `comment`, `conntrack`, `icmp`, `tcp`, `udp`, `ipvs`, `icmpv6` (if IPv6 is enabled in your kernel), `mark`, `multiport`, `rpfilter`, `sctp`, `ipvs` (if using `kube-proxy` in IPVS mode).
+  * At least the following actions: `REJECT`, `ACCEPT`, `DROP`, `LOG`.
+* IP sets support.
+* Netfilter Conntrack support compiled in (with SCTP support if using SCTP).
+* IPVS support if using `kube-proxy` in IPVS mode.
+* IPIP, VXLAN, Wireguard support, if using Calico networking in one of those modes.
+* eBPF (including the `tc` hook support) and XDP (if you want to use the eBPF dataplane).