How to use the calicoctl CLI in an RKE or Rancher provisioned Kubernetes cluster


Task

The calicoctl CLI provides an interface for managing calico network and security policy.

In Kubernetes clusters provisioned by the Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x, and which use the Calico or Canal Container Networking Interface (CNI) Plugin, calicoctl can be used to configure Calico GlobalNetworkPolicy and NetworkPolicy resources.

Pre-requisites

  • A Kubernetes cluster provisioned with Rancher Kubernetes Engine (RKE) v0.x.x or v1.x.x, or Rancher v2.x.x
  • The Calico or Canal Container Networking Interface (CNI) Plugin (Canal is the default in both RKE and Rancher provisioned clusters).
  • A cluster-admin level kube config sourced via $KUBECONFIG on a host running Docker

Resolution

N.B. The commands in this section should be run from a host running Docker, with a cluster-admin level kube config sourced.

For the purpose of this example, we will demonstrate creating an empty GlobalNetworkPolicy resource via calicoctl.

Set $KUBECONFIG environment variable to the cluster-admin kube config

With the cluster-admin level kube config file present on the host, run export KUBECONFIG=<full path to cluster-admin kube config>, replacing the placeholder with the full (absolute) path of the kube config; the path must be absolute because it is later bind-mounted into the calicoctl container.

Create the desired resource in the working directory

Create a YAML file in the working directory containing the GlobalNetworkPolicy or NetworkPolicy resource definition(s) you want to apply to the cluster.

For this example create a file named globalpolicy.yaml in the working directory with the following contents:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-tcp-port-6379

Determine the calico-node version of the cluster

First get the version of the calico-node container running in the cluster.

In a cluster with the Canal CNI Network Provider, run the following, with the admin kube config sourced:

CALICOVERSION=$(kubectl -n kube-system get daemonset canal -o yaml | grep 'rancher/calico-node:v' | tail -n1 | cut -d: -f3)
echo $CALICOVERSION

In a cluster with the Calico CNI Network Provider, run the following, with the admin kube config sourced:

CALICOVERSION=$(kubectl -n kube-system get daemonset calico-node -o yaml | grep 'rancher/calico-node:v' | tail -n1 | cut -d: -f3)
echo $CALICOVERSION

Run calicoctl

With the calico-node version determined and now set in the variable $CALICOVERSION, calicoctl can be invoked. This is done by running the calico/ctl image, with the version matching the calico-node. The kube config file is mounted into the container, as is the present working directory (at the path /host), so that the desired resource (in this example in the file globalpolicy.yaml) is available.

To execute calicoctl run the following command, altering the filename as applicable to the resource you have created in the working directory:

docker run --rm -v $KUBECONFIG:/root/.kube/config -v $(pwd):/host -e KUBECONFIG=/root/.kube/config -e DATASTORE_TYPE=kubernetes calico/ctl:$CALICOVERSION apply -f /host/globalpolicy.yaml

We can now view the GlobalNetworkPolicy resource by using calicoctl get as follows:

docker run --rm -v $KUBECONFIG:/root/.kube/config -v $(pwd):/host -e KUBECONFIG=/root/.kube/config -e DATASTORE_TYPE=kubernetes calico/ctl:$CALICOVERSION get globalnetworkpolicy allow-tcp-port-6379 -o yaml

This should return output similar to the following. Note that because the example policy specifies no selector and no rules, calicoctl defaults spec.types to Ingress only; a GlobalNetworkPolicy with no selector applies to every endpoint in the cluster, and Calico denies ingress traffic to an endpoint that a policy applies to but no rule allows, so apply a policy with the rules you actually intend before using this on anything but a test cluster.

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  creationTimestamp: "2020-04-08T15:12:45Z"
  name: allow-tcp-port-6379
  resourceVersion: "9033"
  uid: df2875a6-1142-4fe0-9f0c-5dc1372bd2c5
spec:
  types:
  - Ingress
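The whole procedure above (pick the daemonset for the CNI provider, read the calico-node tag, check the kube config, run calico/ctl with the same mounts) collected into a small POSIX shell helper. This is an added example, not a script from the article or from Rancher; it assumes kubectl and docker are on PATH and that $KUBECONFIG points at the cluster-admin kube config, and the daemonset excerpt at the bottom is constructed for an offline check.

```shell
#!/bin/sh
# Added helper (not from the original article): wraps the procedure above so the
# version lookup and the calicoctl invocation are checked before anything runs.
# Assumes kubectl and docker are on PATH and $KUBECONFIG is a cluster-admin kube
# config. SAMPLE_DS_YAML is a constructed daemonset excerpt for an offline check.
# Daemonset that runs calico-node for a CNI provider ("canal" or "calico").
daemonset_for_provider() {
  case "$1" in
    canal)  echo canal ;;
    calico) echo calico-node ;;
    *) echo "unknown CNI provider: $1" >&2; return 1 ;;
  esac
}

# Extract the calico-node image tag (e.g. v3.13.4) from daemonset YAML on stdin.
# Only the calico-node image matches, so other rancher/calico-* images in the
# same daemonset (such as the calico-cni init container) are ignored.
calico_version_from_yaml() {
  sed -n 's/.*rancher\/calico-node:\(v[0-9][0-9.]*\).*/\1/p' | tail -n1
}

# Print the docker command the article runs for a given calico/ctl tag and
# calicoctl arguments, so it can be reviewed before it is executed.
calicoctl_cmd() {
  tag="$1"; shift
  printf 'docker run --rm -v %s:/root/.kube/config -v %s:/host -e KUBECONFIG=/root/.kube/config -e DATASTORE_TYPE=kubernetes calico/ctl:%s %s\n' \
    "$KUBECONFIG" "$(pwd)" "$tag" "$*"
}

# Full flow: $1 is the CNI provider, the remaining arguments go to calicoctl,
# e.g.  run_calicoctl canal apply -f /host/globalpolicy.yaml
run_calicoctl() {
  provider="$1"; shift
  # Never run with an unset or unreadable admin kube config.
  [ -n "$KUBECONFIG" ] && [ -r "$KUBECONFIG" ] ||
    { echo "KUBECONFIG must point at a readable kube config" >&2; return 1; }
  ds="$(daemonset_for_provider "$provider")" || return 1
  tag="$(kubectl -n kube-system get daemonset "$ds" -o yaml | calico_version_from_yaml)"
  [ -n "$tag" ] || { echo "no calico-node image found in daemonset $ds" >&2; return 1; }
  docker run --rm -v "$KUBECONFIG":/root/.kube/config -v "$(pwd)":/host \
    -e KUBECONFIG=/root/.kube/config -e DATASTORE_TYPE=kubernetes \
    "calico/ctl:$tag" "$@"
}

# Constructed daemonset excerpt (not real cluster output) for an offline check.
SAMPLE_DS_YAML='      - image: rancher/calico-cni:v3.13.4
        name: install-cni
      - image: rancher/calico-node:v3.13.4
        name: calico-node'
```

Run `printf '%s\n' "$SAMPLE_DS_YAML" | calico_version_from_yaml` to confirm the tag extraction before pointing run_calicoctl at a real cluster.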
