Calico Installation Guide: Setting Up Network Policies in Kubernetes


Introduction

Calico is an open-source networking and network security solution for Kubernetes. It provides powerful network policy enforcement and allows secure communication between your pods. This guide will take you through installing Calico on a Kubernetes cluster to handle networking, manage IP addresses, and enforce network policies.


Prerequisites

Before you install Calico, make sure you have:

  • A Kubernetes Cluster: Running locally with Minikube or on a cloud provider (e.g., GKE, EKS, or AKS).
  • kubectl: Installed and configured to interact with your Kubernetes cluster.

If you don’t have a Kubernetes cluster set up yet, follow the Kubernetes Installation Guide to set up Minikube locally.


Step 1: Verify Kubernetes Installation

Make sure your Kubernetes cluster is running correctly:

kubectl get nodes

You should see the nodes of your cluster listed, indicating that the cluster is operational.


Step 2: Install Calico

Now we can install Calico as the networking plugin. We’ll apply the Calico manifest to the cluster, which configures the required components.

Run the following command to apply the Calico network manifest:

kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml

This manifest sets up Calico to manage networking across your cluster. The manifest-based install places the Calico components in the kube-system namespace (calico-system is used only by the operator-based install), so verify that they are running there:

kubectl get pods -n kube-system

You should see several pods running, including calico-kube-controllers and calico-node.


Step 3: Configure Network Policies

Calico allows you to enforce network policies in your cluster to control communication between pods. Let’s create a simple network policy that only allows ingress traffic to a pod from within the same namespace.

Create a file named allow-ingress-policy.yaml:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}

Apply the policy with:

kubectl apply -f allow-ingress-policy.yaml

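This policy allows all ingress traffic between pods in the default namespace. Because it selects every pod in that namespace and lists only same-namespace pods as permitted sources, ingress from pods in other namespaces is denied.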


Step 4: Verify Calico Installation

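To confirm that Calico is working, check that your pods are reachable under the policy. Create two pods in the default namespace, wait until they are ready, and ping one from the other. Pod names are not resolvable through cluster DNS, so the ping targets pod-b’s IP address:

kubectl run pod-a --image=busybox --command -- sleep 3600
kubectl run pod-b --image=busybox --command -- sleep 3600
kubectl wait --for=condition=Ready pod/pod-a pod/pod-b --timeout=60s
kubectl exec pod-a -- ping -c 3 "$(kubectl get pod pod-b -o jsonpath='{.status.podIP}')"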

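A successful ping confirms that the policy permits traffic between pods in the same namespace, as specified. It does not show that other traffic is blocked; to confirm enforcement, repeat the ping from a pod in a different namespace, which should fail.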
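
To check enforcement as well as connectivity, the script below (an added example, not part of the original guide) pings pod-b once from a throwaway pod in the default namespace and once from a different namespace, and compares each result with what the allow-ingress policy should produce. The namespace name policy-test and the probe pod names are assumptions made for this example; pod-b must already be running.

```shell
#!/bin/sh
# Added example: checks that the allow-ingress policy is enforced, not just present.
# Assumptions: pod-b runs in "default"; "policy-test" is a scratch namespace
# created and deleted by this script (hypothetical name).

# pod_ip NAMESPACE POD: print the pod's IP address
pod_ip() {
  kubectl get pod "$2" -n "$1" -o jsonpath='{.status.podIP}'
}

# probe_from NAMESPACE IP: ping IP once from a throwaway busybox pod.
# Returns 0 when the target answers, non-zero otherwise.
probe_from() {
  kubectl run "probe-$$" -n "$1" --image=busybox --restart=Never --rm -i \
    --quiet --command -- ping -c 1 -W 3 "$2" >/dev/null 2>&1
}

# expect NAMESPACE IP allow|deny: succeed only if the probe result matches
expect() {
  if probe_from "$1" "$2"; then actual=allow; else actual=deny; fi
  echo "from namespace $1: expected $3, got $actual"
  [ "$actual" = "$3" ]
}

verify_policy() {
  target=$(pod_ip default pod-b) || return 2
  [ -n "$target" ] || return 2
  kubectl create namespace policy-test >/dev/null 2>&1 || true
  rc=0
  expect default "$target" allow || rc=1      # same namespace: permitted
  expect policy-test "$target" deny || rc=1   # other namespace: must be blocked
  kubectl delete namespace policy-test --wait=false >/dev/null 2>&1 || true
  return "$rc"
}

# Run the checks only when called as: sh <script> run
if [ "${1:-}" = "run" ]; then verify_policy; fi
```

Save the script and call it with the argument run; a non-zero exit status means at least one probe did not match the policy. The same-namespace probe doubles as a control: if it fails, the probe mechanism itself is broken and the deny result cannot be trusted.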


Step 5: Clean Up

To remove the network policy and Calico from your cluster, run:

kubectl delete -f allow-ingress-policy.yaml
kubectl delete -f https://docs.projectcalico.org/manifests/calico.yaml

This will remove both the network policy and Calico components from your cluster.


Conclusion

You’ve successfully installed Calico on your Kubernetes cluster and configured a basic network policy. Calico provides a powerful way to manage network security and enforce strict controls on how pods interact within your Kubernetes environment.