Customizing the manifests

Each manifest contains all the necessary resources for installing Calico on each node in your Kubernetes cluster.

It installs the following Kubernetes resources:

• The calico-config ConfigMap, which contains parameters for configuring the install.
• Installs the calico/node container on each host using a DaemonSet.
• Installs the Calico CNI binaries and network config on each host using a DaemonSet.
• Runs calico/kube-controllers as a deployment.
• The calico-etcd-secrets secret, which optionally allows for providing etcd TLS assets.

Configuration options

The ConfigMap in calico.yaml provides a way to configure a Calico self-hosted installation. It exposes the following configuration parameters.

Configuring the pod IP range

Calico IPAM assigns IP addresses from IP pools.

To change the default IP range used for pods, modify the CALICO_IPV4POOL_CIDR section of the calico.yaml manifest. For more information, see Configuring calico/node.

Configuring IP-in-IP

By default, the manifests enable IP-in-IP encapsulation across subnets. Many users may want to disable IP-in-IP encapsulation, such as under the following circumstances.

• Their cluster is running in a properly configured AWS VPC.
• All their Kubernetes nodes are connected to the same L2 network.
• They intend to use BGP peering to make their underlying infrastructure aware of pod IP addresses.

To disable IP-in-IP encapsulation, modify the CALICO_IPV4POOL_IPIP section of the manifest. For more information, see Configuring calico/node.

etcd configuration

By default, these manifests do not configure secure access to etcd and assume an etcd proxy is running on each host. The following configuration options let you specify custom etcd cluster endpoints as well as TLS.

The following table outlines the supported ConfigMap options for etcd:

To use these manifests with a TLS-enabled etcd cluster you must do the following:

• Populate the calico-etcd-secrets secret with the contents of the following files:
  • etcd-ca
  • etcd-key
  • etcd-cert
• Populate the following options in the ConfigMap which will trigger the various services to expect the provided TLS assets:
  • etcd_ca: /calico-secrets/etcd-ca
  • etcd_key: /calico-secrets/etcd-key
  • etcd_cert: /calico-secrets/etcd-cert

Authorization options

Calico’s manifests assign its components one of two service accounts. Depending on your cluster’s authorization mode, you’ll want to back these service accounts with the necessary permissions.

Other configuration options

The following table outlines the remaining supported ConfigMap options.

CNI network configuration template

The cni_network_config configuration option supports the following template fields, which will be filled in automatically by the calico/cni container: