Documentation Index
Fetch the complete documentation index at: https://docs.siderolabs.com/llms.txt
Use this file to discover all available pages before exploring further.
This documentation is designed to get you up and running with Talos and Calico CNI. Since both Calico and Talos support multiple networking technologies, you will learn how to run your environment with both the Calico eBPF dataplane and NFTables. Optionally, you can also enable Calico’s network observability stack to gain insights into your cluster networking and policy behavior.
Configuring Talos
To install Calico, you first need to disable the default CNI. This can be done by applying a patch file during cluster creation.
cat <<EOF > patch.yaml
cluster:
network:
cni:
name: none
EOF
--config-patch argument to your talosctl gen config.
talosctl gen config \
my-cluster https://calico-talos.local:6443 \
--config-patch @patch.yaml
Installation using Omni
If you are using Omni, you can deploy Calico using the manifest sync feature in a cluster template.
Step 1. Download the Tigera operator manifest:
curl -Lo tigera-operator.yaml https://raw.githubusercontent.com/projectcalico/calico/v3.31.4/manifests/tigera-operator.yaml
installation.yaml file with your desired Calico configuration. Choose the dataplane that fits your use case:
cat <<EOF > installation.yaml
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
name: default
spec:
calicoNetwork:
bgp: Disabled
linuxDataplane: Nftables
ipPools:
- name: default-ipv4-ippool
blockSize: 26
cidr: 10.244.0.0/16
encapsulation: VXLAN
natOutgoing: Enabled
nodeSelector: all()
kubeletVolumePluginPath: None
---
apiVersion: operator.tigera.io/v1
kind: APIServer
metadata:
name: default
EOF
cat <<EOF > installation.yaml
apiVersion: crd.projectcalico.org/v1
kind: FelixConfiguration
metadata:
name: default
spec:
cgroupV2Path: "/sys/fs/cgroup"
---
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
name: default
spec:
calicoNetwork:
bgp: Disabled
linuxDataplane: BPF
bpfNetworkBootstrap: Enabled
kubeProxyManagement: Enabled
ipPools:
- name: default-ipv4-ippool
blockSize: 26
cidr: 10.244.0.0/16
encapsulation: VXLAN
natOutgoing: Enabled
nodeSelector: all()
kubeletVolumePluginPath: None
---
apiVersion: operator.tigera.io/v1
kind: APIServer
metadata:
name: default
EOF
omnictl cluster template sync --file cluster-template.yaml
Installing Tigera operator
Recommended way to install Calico is via Tigera-operator manifest. The operator will make sure that all Calico components are always up and running.
Note: If you’d like to install Calico using Helm, check out the Install using Helm documentation.
Step 1. Install the latest Tigera operator.
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.31.4/manifests/tigera-operator.yaml
linuxDataplane key in the installation manifest.
Note: To learn more about the available Calico configurations, check out the Installation reference documentation.
Use the following command to run Calico with NFTables backend.kubectl create -f -<<EOF
# This section includes base Calico installation configuration.
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
name: default
spec:
calicoNetwork:
bgp: Disabled
linuxDataplane: Nftables
ipPools:
- name: default-ipv4-ippool
blockSize: 26
cidr: 10.244.0.0/16
encapsulation: VXLAN
natOutgoing: Enabled
nodeSelector: all()
kubeletVolumePluginPath: None
---
apiVersion: operator.tigera.io/v1
kind: APIServer
metadata:
name: default
EOF
By default, Calico uses the /var directory to mount cgroups. However, since this path is not writable in Talos Linux, you need to change it to /sys/fs/cgroup.Use the following command to update the cgroup mount path:kubectl create -f -<<EOF
apiVersion: crd.projectcalico.org/v1
kind: FelixConfiguration
metadata:
name: default
spec:
cgroupV2Path: "/sys/fs/cgroup"
EOF
linuxDataplane needs to be set to BPF.bpfNetworkBootstrap needs to be set to Enabled.- kubeProxyManagement to
Enabled so that the Tigera operator automatically disables the kube-proxy.
Next, you have to configure Calico:kubectl create -f -<<EOF
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
name: default
spec:
calicoNetwork:
bgp: Disabled
linuxDataplane: BPF
bpfNetworkBootstrap: Enabled
kubeProxyManagement: Enabled
ipPools:
- name: default-ipv4-ippool
blockSize: 26
cidr: 10.244.0.0/16
encapsulation: VXLAN
natOutgoing: Enabled
nodeSelector: all()
kubeletVolumePluginPath: None
EOF
Deploy Calico Whisker network observability stack
Use the following command to enable Calico observability stack:
kubectl create -f -<<EOF
# Configures the Calico Goldmane flow aggregator.
apiVersion: operator.tigera.io/v1
kind: Goldmane
metadata:
name: default
---
# Configures the Calico Whisker observability UI.
apiVersion: operator.tigera.io/v1
kind: Whisker
metadata:
name: default
EOF
kubectl port-forward -n calico-system service/whisker 8081:8081
localhost:8081 to observe your policies and network flows.
Next steps
- Enable Calico Prometheus and Grafana integrations, click here to learn more.
Considerations
In eBPF mode, if you cannot disable kube-proxy for any reason please make sure to adjust BPFKubeProxyIptablesCleanupEnabled to false.
This can be done with kubectl as follows:
kubectl patch felixconfiguration default --patch='{"spec": {"bpfKubeProxyIptablesCleanupEnabled": false}}'
Talos
Omni
Kubernetes Guides