The calicoctl CLI provides an interface for managing Calico network and security policy.
In Kubernetes clusters provisioned by the Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x, and which use the Calico or Canal Container Networking Interface (CNI) Plugin, calicoctl can be used to configure Calico GlobalNetworkPolicy and NetworkPolicy resources.
- A Kubernetes cluster provisioned with Rancher Kubernetes Engine (RKE) v0.x.x or v1.x.x, or Rancher v2.x.x
- The Calico or Canal Container Networking Interface (CNI) Plugin (Canal is the default in both RKE and Rancher provisioned clusters).
- A cluster-admin level kube config sourced via $KUBECONFIG on a host running Docker
N.B. The commands in this section should be run from a host running Docker, with a cluster-admin level kube config sourced.
For the purpose of this example, we will demonstrate creating an empty GlobalNetworkPolicy resource via calicoctl.
Set $KUBECONFIG environment variable to the cluster-admin kube config
With the cluster-admin level kube config file present on the host, execute the following, replacing <full path to cluster-admin kube config> with the full path of the kube config:
export KUBECONFIG=<full path to cluster-admin kube config>
Create the desired resource in the working directory
Create a YAML file in the working directory with the NetworkPolicy resource definition(s) you want to apply to the cluster.
For this example, create a file named globalpolicy.yaml in the working directory with the following contents:
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-tcp-port-6379
Determine the calico-node version of the cluster
First, get the version of the calico-node container running in the cluster.
In a cluster with the Canal CNI Network Provider, run the following, with the admin kube config sourced:
CALICOVERSION=$(kubectl -n kube-system get daemonset canal -o yaml | grep 'rancher/calico-node:v' | tail -n1 | cut -d: -f3)
echo $CALICOVERSION
In a cluster with the Calico CNI Network Provider, run the following, with the admin kube config sourced:
CALICOVERSION=$(kubectl -n kube-system get daemonset calico-node -o yaml | grep 'rancher/calico-node:v' | tail -n1 | cut -d: -f3)
echo $CALICOVERSION
With the calico-node version determined and now set in the variable $CALICOVERSION, calicoctl can be invoked. This is done by running the calico/ctl image, with the image version matching the calico-node version. The kube config file is mounted into the container, as is the present working directory (at the path /host), so that the desired resource (in this example the file globalpolicy.yaml) is available.
To invoke calicoctl, run the following command, altering the filename as applicable to the resource you have created in the working directory:
docker run --rm -v $KUBECONFIG:/root/.kube/config -v $(pwd):/host -e KUBECONFIG=/root/.kube/config -e DATASTORE_TYPE=kubernetes calico/ctl:$CALICOVERSION apply -f /host/globalpolicy.yaml
We can now view the GlobalNetworkPolicy resource by using calicoctl get as follows:
docker run --rm -v $KUBECONFIG:/root/.kube/config -v $(pwd):/host -e KUBECONFIG=/root/.kube/config -e DATASTORE_TYPE=kubernetes calico/ctl:$CALICOVERSION get globalnetworkpolicy allow-tcp-port-6379 -o yaml
This should return output similar to the following:
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  creationTimestamp: "2020-04-08T15:12:45Z"
  name: allow-tcp-port-6379
  resourceVersion: "9033"
  uid: df2875a6-1142-4fe0-9f0c-5dc1372bd2c5
spec:
  types:
  - Ingress
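The whole procedure above (version detection, kube config handling, apply and get) as one script, written as an added example for this page rather than code from the Rancher article. It assumes the calico-node image is named rancher/calico-node as the article states, that docker and kubectl are on the host, and it adds the checks that usually bite in practice: the version extraction matches the tag itself so an image pulled through a registry with a port (registry.example.com:5000/...) does not break the cut -d: -f3 approach, the kube config path is verified to be absolute and readable before it is bind-mounted, and an empty version never reaches docker as the invalid reference calico/ctl:. The function names, the DRY_RUN variable and the app == 'redis' selector in the sample policy are this example's own assumptions; the sample policy also carries an ingress rule, unlike the article's empty one.

```shell
#!/bin/sh
# Added example, not part of the Rancher article: the article's procedure as a
# script with the checks a practitioner wants. Assumes the calico-node image
# is named rancher/calico-node (as in the article) and that docker and kubectl
# are on the host. Function names and the DRY_RUN variable are this example's own.

# Print the calico-node image tag found in a DaemonSet manifest read on stdin.
# Matching the tag itself instead of `cut -d: -f3` keeps working when the
# image is pulled through a registry with a port, e.g.
# registry.example.com:5000/rancher/calico-node:v3.13.0 (cut would print 5000/...).
calico_version_from_manifest() {
    sed -n 's|.*rancher/calico-node:\(v[0-9][0-9.]*\).*|\1|p' | tail -n 1
}

# Map the CNI provider name (canal or calico) to the DaemonSet that runs calico-node.
daemonset_for_provider() {
    case "$1" in
        canal)  echo canal ;;
        calico) echo calico-node ;;
        *)      return 1 ;;
    esac
}

# A docker bind mount needs an absolute path to a readable file; a relative
# KUBECONFIG is what most often leaves calicoctl unable to reach the API server.
check_kubeconfig() {
    case "$1" in
        /*) [ -r "$1" ] ;;
        *)  return 1 ;;
    esac
}

# Write a GlobalNetworkPolicy to $1. Unlike the article's empty policy this one
# carries an ingress rule; the selector label app == 'redis' is an assumption.
write_sample_policy() {
    cat > "$1" <<'EOF'
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-tcp-port-6379
spec:
  selector: app == 'redis'
  types:
  - Ingress
  ingress:
  - action: Allow
    protocol: TCP
    destination:
      ports:
      - 6379
EOF
}

# Run calicoctl from the calico/ctl image at the given version, mounting the
# kubeconfig and the working directory exactly as the article does.
# With DRY_RUN=1 the docker command line is printed instead of executed.
calicoctl_run() {
    version="$1"; shift
    [ -n "$version" ] || return 1   # an empty tag gives "calico/ctl:", an invalid image reference
    set -- docker run --rm -v "${KUBECONFIG:-}:/root/.kube/config" -v "$(pwd):/host" \
        -e KUBECONFIG=/root/.kube/config -e DATASTORE_TYPE=kubernetes \
        "calico/ctl:$version" "$@"
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

main() {
    ds="$(daemonset_for_provider "${1:-}")" || { echo "usage: $0 run <canal|calico>" >&2; exit 2; }
    check_kubeconfig "${KUBECONFIG:-}" || { echo "KUBECONFIG must be the absolute path of a readable cluster-admin kube config" >&2; exit 2; }
    version="$(kubectl -n kube-system get daemonset "$ds" -o yaml | calico_version_from_manifest)"
    [ -n "$version" ] || { echo "no rancher/calico-node image found in daemonset $ds" >&2; exit 1; }
    write_sample_policy globalpolicy.yaml
    calicoctl_run "$version" apply -f /host/globalpolicy.yaml
    calicoctl_run "$version" get globalnetworkpolicy allow-tcp-port-6379 -o yaml
}

# Only act when invoked as `script.sh run <canal|calico>`; sourcing the file
# just defines the functions.
if [ "${1:-}" = run ]; then
    shift
    main "$@"
fi
```

Run it as `KUBECONFIG=/full/path/kube_config.yml ./script.sh run canal` (or `run calico`) from the directory where the policy file should be written; set DRY_RUN=1 first to see the two docker command lines without executing them.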