Edit this page

Installing Calico for policy (advanced)

You can also use Calico just for policy enforcement and achieve networking with another solution, such as static routes or a Kubernetes cloud provider integration.

To install Calico in this mode using the Kubernetes API datastore, complete the following steps.

Ensure that you have a Kubernetes cluster that meets the Calico system requirements. If you don’t, follow the steps in Using kubeadm to create a cluster.
Ensure that the Kubernetes controller manager has the following flags set:
--cluster-cidr=<your-pod-cidr> and --allocate-node-cidrs=true.

Tip: On kubeadm, you can pass --pod-network-cidr=<your-pod-cidr> to kubeadm to set both Kubernetes controller flags.

Download the Calico policy-only manifest for the Kubernetes API datastore.

curl \
https://deploy-preview-2459--calico.netlify.com/v3.5/getting-started/kubernetes/installation/hosted/kubernetes-datastore/policy-only/1.7/calico.yaml \
-O

If you are using pod CIDR 192.168.0.0/16, skip to the next step. If you are using a different pod CIDR, use the following commands to set an environment variable called POD_CIDR containing your pod CIDR and replace 192.168.0.0/16 in the manifest with your pod CIDR.
```
POD_CIDR="<your-pod-cidr>" \
sed -i -e "s?192.168.0.0/16?$POD_CIDR?g" calico.yaml
```
If your cluster contains more than 50 nodes:
- In the ConfigMap named calico-config, locate the typha_service_name, delete the none value, and replace it with calico-typha.
- Modify the replica count in theDeployment named calico-typha to the desired number of replicas.
```
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: calico-typha
  ...
spec:
  ...
  replicas: <number of replicas>
```
  We recommend at least one replica for every 200 nodes and no more than 20 replicas. In production, we recommend a minimum of three replicas to reduce the impact of rolling upgrades and failures.
  
  Tip: If you set typha_service_name without increasing the replica count from its default of 0 Felix will try to connect to Typha, find no Typha instances to connect to, and fail to start.
Apply the manifest using the following command.
```
kubectl apply -f calico.yaml
```
If you wish to enforce application layer policies and secure workload-to-workload communications with mutual TLS authentication, continue to Enabling application layer policy (optional).

Provide Feedback Get Help via Slack Training