Skip to main content
Version: 3.27 (latest)

Amazon Elastic Kubernetes Service (EKS)

Big picture

Enable Calico in EKS managed Kubernetes service.

Value

EKS has built-in support for Calico, providing a robust implementation of the full Kubernetes Network Policy API. EKS users wanting to go beyond Kubernetes network policy capabilities can make full use of the Calico Network Policy API.

You can also use Calico for networking on EKS in place of the default AWS VPC networking without the need to use IP addresses from the underlying VPC. This allows you to take advantage of the full set of Calico networking features, including Calico's flexible IP address management capabilities.

Before you begin...

note

Calico makes use of the Kubernetes Container Storage Interface (CSI) to support various types of volumes. The necessary drivers required for CSI to function correctly in EKS clusters will no longer be present by default in clusters running Kubernetes 1.23. Please see the following link to ensure your cluster is configured correctly based on the version of Kubernetes being used in your cluster: AWS EBS CSI driver

How to

Install EKS with Amazon VPC networking

The geeky details of what you get:

PolicyIPAMCNIOverlayRoutingDatastore

To enable Calico network policy enforcement on an EKS cluster using the AWS VPC CNI plugin, follow these step-by-step instructions: Installing Calico on Amazon EKS

Install EKS with Calico networking

The geeky details of what you get:

PolicyIPAMCNIOverlayRoutingDatastore
note

Calico networking cannot currently be installed on the EKS control plane nodes. As a result the control plane nodes will not be able to initiate network connections to Calico pods. (This is a general limitation of EKS's custom networking support, not specific to Calico.) As a workaround, trusted pods that require control plane nodes to connect to them, such as those implementing admission controller webhooks, can include hostNetwork:true in their pod spec. See the Kubernetes API pod spec definition for more information on this setting.

For these instructions, we will use eksctl to provision the cluster. However, you can use any of the methods in Getting Started with Amazon EKS

Before you get started, make sure you have downloaded and configured the necessary prerequisites

  1. First, create an Amazon EKS cluster without any nodes.

    eksctl create cluster --name my-calico-cluster --without-nodegroup
  2. Since this cluster will use Calico for networking, you must delete the aws-node daemon set to disable AWS VPC networking for pods.

    kubectl delete daemonset -n kube-system aws-node
  3. Now that you have a cluster configured, you can install Calico.

  1. Install the operator.

    kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.2/manifests/tigera-operator.yaml
  2. Configure the Calico installation.

    kubectl create -f - <<EOF
    kind: Installation
    apiVersion: operator.tigera.io/v1
    metadata:
    name: default
    spec:
    kubernetesProvider: EKS
    cni:
    type: Calico
    calicoNetwork:
    bgp: Disabled
    EOF
  3. Finally, add nodes to the cluster.

    eksctl create nodegroup --cluster my-calico-cluster --node-type t3.medium --max-pods-per-node 100
tip

Without the --max-pods-per-node option above, EKS will limit the number of pods based on node-type. See eksctl create nodegroup --help for the full set of node group options.

Next steps

Required

Recommended