Operations
Post-installation tasks for managing Calico.
Upgrading Calico
Upgrade Calico on Kubernetes
Upgrade Calico Open Source on Kubernetes from v3.15 or later for Helm, operator-managed, and manifest-based installs on both Kubernetes API and etcd datastores.
Upgrade Calico on OpenShift 4
Upgrade Calico Open Source on OpenShift 4 by reapplying manifests and updating OwnerReferences for projectcalico.org/v3 resources.
Upgrade Calico on OpenStack
Upgrade Calico Open Source on OpenStack from v3.0 or later by updating system packages on CentOS or Ubuntu compute and control nodes.
calicoctl
Install calicoctl
Install the calicoctl command-line tool as a binary, container, or kubectl plugin so administrators can manage Calico Open Source resources from any workstation.
Configure calicoctl
Overview reference for configuring calicoctl datastore access in Calico Open Source, comparing config-file, environment-variable, and kubeconfig credential methods.
Configure calicoctl to connect to an etcd datastore
Sample calicoctl configuration files for connecting to an etcdv3 datastore in a Calico Open Source cluster, with TLS, endpoints, and authentication settings.
Configure calicoctl to connect to the Kubernetes API datastore
Sample calicoctl configuration files for connecting to the Kubernetes API datastore in a Calico Open Source cluster using kubeconfig credentials.
Deploy image options
Install images by registry digest
Pin Calico Open Source operator deployments to immutable image digests with an ImageSet resource so security teams can review and verify each image.
Configure use of your image registry
Configure Calico Open Source to pull operator and component images from a public or private container registry, including air-gapped and constrained networks.
eBPF
eBPF use cases
Guidance on when the Calico Open Source eBPF data plane fits a workload compared to the standard iptables data plane, with trade-offs and feature comparisons.
Enabling the eBPF data plane
Switch a running Calico Open Source cluster to the eBPF data plane through automatic Tigera Operator detection on kubeadm clusters or a manual configuration path.
Install in eBPF mode
Install Calico Open Source with the eBPF data plane during initial cluster setup as an alternative to the iptables data plane.
Troubleshoot eBPF mode
Troubleshooting guide for the Calico Open Source eBPF data plane covering verification logs, service connectivity, BPF map inspection, and common failure modes.
Monitoring
Monitor Calico component metrics
Scrape Calico Open Source Felix, Typha, and kube-controllers metrics with open-source Prometheus and configure alerting rules from time-series data.
Visualizing metrics via Grafana
Visualize Calico Open Source component metrics scraped by Prometheus on Grafana dashboards to spot anomalies in Felix, Typha, and node performance.
Troubleshooting
Troubleshooting and diagnostics
Troubleshooting guide for Calico Open Source clusters covering diagnostics, common failure patterns, log severity tuning, and where to file upstream issues.
Troubleshooting commands
Reference of command-line tools and kubectl invocations for verifying cluster, routing, and component health in a Calico Open Source installation.
Component logs
Reference for locating and collecting Calico Open Source component logs including calico/node, Felix, Typha, kube-controllers, and CNI plugin output.
VPP data plane troubleshooting
Troubleshooting guide for the Calico Open Source VPP data plane covering log collection, diagnostic helpers, and recovery from common VPP failure modes.
Other operations tasks
Migrate Calico data from an etcdv3 datastore to a Kubernetes datastore
Migrate a Calico Open Source cluster from the etcdv3 datastore to the Kubernetes API datastore with calicoctl, preserving network and policy state on a live cluster.
Migrate Calico to an operator-managed installation
Migrate a Calico Open Source installation from manifest-based resources to an operator-managed install for automatic platform detection, simpler upgrades, and lifecycle management.
Enable kubectl to manage Calico APIs
Install the Calico Open Source aggregated API server on an existing cluster so kubectl can manage projectcalico.org/v3 resources without calicoctl.
Decommission a node
Manually decommission a node in a self-managed Calico Open Source cluster with calicoctl, releasing IP allocations and BGP peers from the datastore cleanly.
FIPS mode
Run Calico Open Source in FIPS 140-2 compliant mode using NIST-validated cryptographic modules and FIPS-approved algorithms across all data plane components.
Manage TLS certificates used by Calico
Manage TLS certificates for Calico Open Source components by controlling the certificate issuer through the Kubernetes Certificates API and operator configuration.