How to use the calicoctl CLI in an RKE CLI or Rancher-provisioned RKE cluster

This document (000020158) is provided subject to the disclaimer at the end of this document.

Environment

  • An RKE Kubernetes cluster provisioned with the Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x

  • The Calico or Canal Container Networking Interface (CNI) Plugin (Canal is the default in both RKE CLI and Rancher provisioned RKE clusters).

  • A cluster-admin level kube config sourced via $KUBECONFIG on a host running Docker

Situation

The calicoctl CLI provides an interface for managing calico network and security policy.

In RKE Kubernetes clusters provisioned by the Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x, and which use the Calico or Canal Container Networking Interface (CNI) Plugin, calicoctl can be used to configure Calico GlobalNetworkPolicy and NetworkPolicy resources.

Resolution

N.B. The commands in this section should be run from a host running Docker, with a cluster-admin level kube config sourced.

For this example, we will demonstrate creating an empty GlobalNetworkPolicy resource via calicoctl.

1. Set $KUBECONFIG environment variable to the cluster-admin kube config

With the cluster-admin level kube config file present on the host, run export KUBECONFIG=<full path to cluster-admin kube config>, replacing <full path to cluster-admin kube config> with the full path to the kube config file.

2. Create the desired resource in the working directory

Create a YAML file in the working directory with the Calico GlobalNetworkPolicy or NetworkPolicy resource definition(s) you want to apply to the cluster.

For this example create a file named globalpolicy.yaml in the working directory with the following contents:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-tcp-port-6379

3. Determine the calico-node version of the cluster

First get the version of the calico-node container running in the cluster.

In a cluster with the Canal CNI Network Provider, run the following, with the admin kube config sourced:

CALICOVERSION=$(kubectl -n kube-system get daemonset canal -o yaml | grep 'rancher/mirrored-calico-node:v' | tail -n1 | cut -d: -f3)
echo $CALICOVERSION

In a cluster with the Calico CNI Network Provider, run the following, with the admin kube config sourced:

CALICOVERSION=$(kubectl -n kube-system get daemonset calico-node -o yaml | grep 'rancher/mirrored-calico-node:v' | tail -n1 | cut -d: -f3)
echo $CALICOVERSION

4. Run calicoctl

With the calico-node version determined and now set in the variable $CALICOVERSION, calicoctl can be invoked. This is done by running the calico/ctl image, with the version matching the calico-node. The kube config file is mounted into the container, as is the present working directory (at the path /host), so that the desired resource (in this example in the file globalpolicy.yaml) is available.

To execute calicoctl run the following command, altering the filename as applicable to the resource you have created in the working directory:

docker run --rm -v $KUBECONFIG:/root/.kube/config -v $(pwd):/host -e KUBECONFIG=/root/.kube/config -e DATASTORE_TYPE=kubernetes calico/ctl:$CALICOVERSION apply -f /host/globalpolicy.yaml

We can now view the GlobalNetworkPolicy resource by using calicoctl get as follows:

docker run --rm -v $KUBECONFIG:/root/.kube/config -v $(pwd):/host -e KUBECONFIG=/root/.kube/config -e DATASTORE_TYPE=kubernetes calico/ctl:$CALICOVERSION get globalnetworkpolicy allow-tcp-port-6379 -o yaml

This should return output similar to the following:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  creationTimestamp: "2020-04-08T15:12:45Z"
  name: allow-tcp-port-6379
  resourceVersion: "9033"
  uid: df2875a6-1142-4fe0-9f0c-5dc1372bd2c5
spec:
  types:
  - Ingress
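The four steps above, combined into one script as an added example (this is not part of the SUSE knowledge base article, and not a Rancher or Calico tool). It assumes kubectl and docker on the PATH and KUBECONFIG exported as in step 1; the DaemonSet names (canal, calico-node) and the image name rancher/mirrored-calico-node are the ones the article uses. It generalizes the article's one-liners in two ways: the version is taken from the text after the last colon of the image line, so it still works when calico-node is pulled through a private registry mirror whose address includes a port (where cut -d: -f3 would return the wrong field), and the script fails instead of continuing with an empty version, which would otherwise produce the invalid image reference calico/ctl: in step 4. The mounts are the article's, made read-only since calicoctl only reads the kube config and the policy file. The embedded DaemonSet YAML is a constructed sample with made-up tags, used only so the version extraction can be exercised without a cluster.

```shell
#!/bin/sh
# Added example (not part of the SUSE KB article): the four steps above as one
# POSIX shell script. Assumes kubectl and docker on PATH and KUBECONFIG exported
# (step 1). DaemonSet names (canal, calico-node) and the image name
# rancher/mirrored-calico-node are those the article uses.
set -eu

# Constructed sample of the relevant part of 'kubectl get daemonset canal -o yaml',
# used only to exercise extract_calico_version offline. The tags are made up.
sample_daemonset_yaml() {
  cat <<'EOF'
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: canal
  namespace: kube-system
spec:
  template:
    spec:
      containers:
      - image: rancher/mirrored-calico-node:v3.0.0-example
        name: calico-node
      - image: rancher/mirrored-flannel:v0.0.0-example
        name: kube-flannel
      initContainers:
      - image: rancher/mirrored-calico-cni:v3.0.0-example
        name: install-cni
EOF
}

# Read DaemonSet YAML on stdin and print the calico-node image tag (e.g. v3.x.y).
# Unlike the article's 'cut -d: -f3', this takes everything after the LAST ':' of
# the matching line, so it also works when the image is pulled through a private
# registry whose address contains a port (registry.example:5000/rancher/...).
# Fails instead of printing an empty string, which would otherwise turn into the
# invalid image reference 'calico/ctl:' in step 4.
extract_calico_version() {
  version=$(grep 'rancher/mirrored-calico-node:v' | tail -n1 | sed 's/.*://')
  if [ -z "$version" ]; then
    echo "calico-node image not found in DaemonSet YAML" >&2
    return 1
  fi
  echo "$version"
}

# Print the name of the DaemonSet that runs calico-node: 'canal' for the Canal
# CNI provider, 'calico-node' for Calico.
detect_calico_daemonset() {
  if kubectl -n kube-system get daemonset canal >/dev/null 2>&1; then
    echo canal
  elif kubectl -n kube-system get daemonset calico-node >/dev/null 2>&1; then
    echo calico-node
  else
    echo "neither canal nor calico-node DaemonSet found in kube-system" >&2
    return 1
  fi
}

# Run calicoctl from the calico/ctl image tagged with the calico-node version.
# Same mounts as the article's command, but read-only (:ro): calicoctl only needs
# to read the kube config and the policy file.
run_calicoctl() {
  version=$1
  shift
  docker run --rm \
    -v "$KUBECONFIG":/root/.kube/config:ro \
    -v "$(pwd)":/host:ro \
    -e KUBECONFIG=/root/.kube/config \
    -e DATASTORE_TYPE=kubernetes \
    "calico/ctl:$version" "$@"
}

main() {
  : "${KUBECONFIG:?export KUBECONFIG to the cluster-admin kube config first (step 1)}"
  ds=$(detect_calico_daemonset)
  version=$(kubectl -n kube-system get daemonset "$ds" -o yaml | extract_calico_version)
  echo "calico-node $version found in DaemonSet $ds" >&2
  run_calicoctl "$version" "$@"
}

# Usage: ./calicoctl-rke.sh apply -f /host/globalpolicy.yaml
#        ./calicoctl-rke.sh get globalnetworkpolicy allow-tcp-port-6379 -o yaml
if [ "$#" -gt 0 ]; then
  main "$@"
else
  echo "usage: $0 <calicoctl arguments>, e.g. $0 apply -f /host/globalpolicy.yaml" >&2
fi
```

Before applying the globalpolicy.yaml from step 2 to a cluster that carries workloads, note what the empty spec does: a GlobalNetworkPolicy with no selector applies to every endpoint (Calico's default selector is all()), and once a policy applies to an endpoint, traffic that matches none of its rules is denied. With types set to Ingress and no ingress rules, the example therefore denies inbound traffic to all pods cluster-wide. It is fine for verifying that calicoctl works, but a real policy should carry an explicit selector and rules, and can be checked first with the get command above against a non-production cluster.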

Additional Information

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.