Operations
Post-installation tasks for managing Calico Enterprise.
Configuring the web console
Configure access to the web console
Expose the Calico Enterprise web console outside the cluster through ingress, a load balancer service, or port forwarding for administrator access.
Authentication quickstart
Sign in to the Calico Enterprise web console and Kibana with default service-account token authentication for a quick first-time setup.
Configure an external identity provider
Connect an external identity provider to Calico Enterprise so users authenticate against an existing IdP when signing in to the web console and Kibana.
Configure user roles and permissions
Configure Kubernetes RBAC roles and bindings to scope user access to Calico Enterprise features, tiered policies, observability views, and management plane APIs.
calicoctl and calicoq
Install calicoctl
Install the calicoctl command-line tool as a binary, container, or kubectl plugin so administrators can manage Calico Enterprise resources from any workstation.
Configure calicoctl
Overview reference for configuring calicoctl datastore access in Calico Enterprise, comparing config-file, environment-variable, and kubeconfig methods.
Configure calicoctl to connect to the datastore
Sample calicoctl configuration for connecting to the Kubernetes API datastore in a Calico Enterprise cluster, with kubeconfig credential settings.
Install calicoq
Install the calicoq command-line tool as a binary or container on any host with network access to the Calico Enterprise datastore.
Configure calicoq
Overview reference for configuring calicoq datastore access in Calico Enterprise, covering config files, environment variables, and Kubernetes credentials.
Configure calicoq to connect to the datastore
Sample calicoq configuration for connecting to the Kubernetes API datastore in a Calico Enterprise cluster, with kubeconfig credential settings.
Securing component communications
Configure encryption and authentication to secure Calico Enterprise components
Configure TLS authentication and encryption across Calico Enterprise components, the Kubernetes control plane, Typha, Node, and shared observability traffic.
Secure Calico Enterprise Prometheus endpoints
Restrict access to Calico Enterprise Prometheus metric endpoints with network policy so only authorized scrapers can read sensitive component telemetry.
Secure BGP sessions
Configure BGP session passwords on Calico Enterprise BGP peers to block attackers from injecting false routing information into the cluster.
Provide TLS certificates for Calico Enterprise Manager
Provide TLS certificates that secure browser access to the Calico Enterprise web console user interface in place of the default self-signed certificate.
Provide TLS certificates for log storage
Provide TLS certificates that secure access to Calico Enterprise log storage as part of a zero-trust deployment model.
Provide TLS certificates for Linseed APIs
Provide TLS certificates that secure access to the Calico Enterprise Linseed APIs as part of a zero-trust deployment model.
Provide TLS certificates for the API server
Provide TLS certificates that secure access to the Calico Enterprise API server as part of a zero-trust deployment model.
Provide TLS certificates for Typha and Node
Provide a custom CA and TLS certificates for mutual TLS authentication between Calico Enterprise Node and Typha components at scale.
Provide TLS certificates for compliance
Provide TLS certificates that secure access to the Calico Enterprise compliance components as part of a zero-trust deployment model.
Provide TLS certificates for PacketCapture APIs
Provide TLS certificates that secure access to the Calico Enterprise PacketCapture APIs as part of a zero-trust deployment model.
Manage TLS certificates used by Calico Enterprise
Manage TLS certificates for Calico Enterprise components by controlling the certificate issuer through the Kubernetes Certificates API and operator configuration.
Storage
Log storage recommendations
Reference recommendations for Calico Enterprise log storage covering Elastic Cloud on Kubernetes, StorageClasses, node sizing, and production capacity.
Configure storage for logs and reports
Configure persistent storage in Calico Enterprise for flow logs, DNS logs, audit logs, and compliance reports before installation.
Adjust log storage size
Resize the Calico Enterprise log storage cluster by tuning node counts, replicas, CPU, and memory during or after installation for production workloads.
Advanced Node Scheduling
Steer Calico Enterprise Elasticsearch pod and replica placement across Kubernetes nodes with data-node selectors and shard scheduling controls.
Monitoring
Prometheus support
Reference for Prometheus support in Calico Enterprise covering the bundled operator-managed install and bring-your-own Prometheus deployment options.
Bring your own Prometheus
Scrape Calico Enterprise component metrics from an existing bring-your-own Prometheus deployment instead of the bundled operator-managed Prometheus.
Configure Prometheus
Configure Calico Enterprise Prometheus rules for denied-packet alerts and persistent storage by editing the bundled PrometheusRule and StorageClass resources.
Configure Alertmanager
Configure Alertmanager in a Calico Enterprise cluster to route Prometheus alerts to operators with deduplication, grouping, silencing, and inhibition rules.
Recommended Prometheus metrics
Recommended Prometheus metrics for Calico Enterprise Typha, Felix, and policy components, covering the signals most critical to cluster health.
BGP metrics
Monitor BGP peering and route exchange in Calico Enterprise clusters by defining Prometheus rules and thresholds for peer health and route counts.
License metrics
Monitor Calico Enterprise license metrics, such as the number of days until the license expires.
Policy metrics
Monitor the runtime effect of Calico Enterprise policies on cluster traffic by defining Prometheus rules and thresholds that fire alerts on policy hits.
Elasticsearch and Fluentd metrics
Track Calico Enterprise Elasticsearch and Fluentd metrics in Prometheus to alert on flow, DNS, audit, and compliance log collection or storage disruptions.
eBPF
eBPF use cases
Guidance on when the Calico Enterprise eBPF data plane fits a workload compared to the standard iptables data plane, with trade-offs and feature comparisons.
Enable eBPF on an existing cluster
Switch a running Calico Enterprise cluster to the eBPF data plane on an existing installation as an alternative to the iptables data plane.
Install in eBPF mode
Install Calico Enterprise with the eBPF data plane during initial cluster setup as an alternative to the iptables data plane.
Troubleshoot eBPF mode
Troubleshooting guide for the Calico Enterprise eBPF data plane covering verification logs, service connectivity, BPF map inspection, and common failure modes.
Troubleshooting
Troubleshooting and diagnostics
Troubleshooting guide for Calico Enterprise clusters covering kubectl-calico diagnostics bundles, log severity tuning, common failure patterns, and where to report issues.
Troubleshooting commands
Reference of command-line tools and kubectl invocations for verifying cluster, routing, policy, and component health in Calico Enterprise.
Component logs
Reference for locating and collecting Calico Enterprise component logs including calico/node, Felix, Typha, Linseed, and observability stack output.
Other operations tasks
Decommission a node
Manually decommission a node in a Calico Enterprise cluster, releasing IP allocations and BGP peers from the cluster datastore cleanly.
License expiration and renewal
Track Calico Enterprise license expiration through operator-exposed Prometheus metrics and renewal workflows to avoid unplanned cluster degradation.