How to use the calicoctl CLI in an RKE or Rancher provisioned Kubernetes cluster

This document (000020158) is provided subject to the disclaimer at the end of this document.

Situation

Task

The calicoctl CLI provides an interface for managing calico network and security policy.

In Kubernetes clusters provisioned by the Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x, and which use the Calico or Canal Container Networking Interface (CNI) Plugin, calicoctl can be used to configure Calico GlobalNetworkPolicy and NetworkPolicy resources.

Pre-requisites

  • A Kubernetes cluster provisioned with Rancher Kubernetes Engine (RKE) v0.x.x or v1.x.x, or Rancher v2.x.x
  • The Calico or Canal Container Networking Interface (CNI) Plugin (Canal is the default in both RKE and Rancher provisioned clusters).
  • A cluster-admin level kube config sourced via $KUBECONFIG on a host running Docker

Resolution

N.B. The commands in this section should be run from a host running Docker, with a cluster-admin level kube config sourced.

For the purpose of this example, we will demonstrate creating an empty GlobalNetworkPolicy resource via calicoctl.

Set $KUBECONFIG environment variable to the cluster-admin kube config

With the cluster-admin level kube config file present on the host, run export KUBECONFIG=<full path to cluster-admin kube config>, replacing the placeholder with the full path to that kube config file.

Create the desired resource in the working directory

Create a YAML file in the working directory with the GlobalNetworkPolicy or NetworkPolicy resource definition(s) you want to apply to the cluster.

For this example create a file named globalpolicy.yaml in the working directory with the following contents:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-tcp-port-6379

Determine the calico-node version of the cluster

First get the version of the calico-node container running in the cluster.

In a cluster with the Canal CNI Network Provider, run the following, with the admin kube config sourced:

CALICOVERSION=`kubectl -n kube-system get daemonset canal -o yaml | grep 'rancher/calico-node:v' | tail -n1 | cut -d: -f3`
echo $CALICOVERSION

In a cluster with the Calico CNI Network Provider, run the following, with the admin kube config sourced:

CALICOVERSION=`kubectl -n kube-system get daemonset calico-node -o yaml | grep 'rancher/calico-node:v' | tail -n1 | cut -d: -f3`
echo $CALICOVERSION

Run calicoctl

With the calico-node version determined and now set in the variable $CALICOVERSION, calicoctl can be invoked. This is done by running the calico/ctl image, with the version matching the calico-node. The kube config file is mounted into the container, as is the present working directory (at the path /host), so that the desired resource (in this example in the file globalpolicy.yaml) is available.

To execute calicoctl run the following command, altering the filename as applicable to the resource you have created in the working directory:

docker run --rm -v $KUBECONFIG:/root/.kube/config -v $(pwd):/host -e KUBECONFIG=/root/.kube/config -e DATASTORE_TYPE=kubernetes calico/ctl:$CALICOVERSION apply -f /host/globalpolicy.yaml

We can now view the GlobalNetworkPolicy resource by using calicoctl get as follows:

docker run --rm -v $KUBECONFIG:/root/.kube/config -v $(pwd):/host -e KUBECONFIG=/root/.kube/config -e DATASTORE_TYPE=kubernetes calico/ctl:$CALICOVERSION get globalnetworkpolicy allow-tcp-port-6379 -o yaml

This should return output similar to the following:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  creationTimestamp: "2020-04-08T15:12:45Z"
  name: allow-tcp-port-6379
  resourceVersion: "9033"
  uid: df2875a6-1142-4fe0-9f0c-5dc1372bd2c5
spec:
  types:
  - Ingress
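The version lookup and the calicoctl invocation above can be wrapped in a small POSIX shell script so the tag extraction is reusable for both Canal and Calico clusters and an empty tag is caught before docker is called. This is an added example, not part of the SUSE article; it assumes kubectl, docker and $KUBECONFIG as described in the Pre-requisites, and the sample daemonset YAML in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the article): wraps the article's version lookup
# and calicoctl invocation in functions. Assumes kubectl, docker and a
# cluster-admin $KUBECONFIG as the article describes.

# Extract the calico-node image tag from daemonset YAML read on stdin.
# Same grep/tail/cut pipeline as the article, e.g. a constructed line
#   "      - image: rancher/calico-node:v3.13.4" yields "v3.13.4".
# Returns non-zero if no calico-node image line was found.
calico_version_from_yaml() {
  v=$(grep 'rancher/calico-node:v' | tail -n1 | cut -d: -f3)
  [ -n "$v" ] || return 1
  printf '%s\n' "$v"
}

# Map the CNI name to the daemonset the article inspects.
daemonset_for_cni() {
  case "$1" in
    canal)  echo canal ;;
    calico) echo calico-node ;;
    *)      return 1 ;;
  esac
}

# Look up the version in the live cluster (needs kubectl and KUBECONFIG).
detect_calico_version() {
  ds=$(daemonset_for_cni "$1") || { echo "unknown CNI: $1" >&2; return 1; }
  kubectl -n kube-system get daemonset "$ds" -o yaml | calico_version_from_yaml
}

# Run calicoctl with the article's mounts and environment. Refuses an empty
# tag, which would otherwise make docker try to pull "calico/ctl:".
run_calicoctl() {
  version=$1; shift
  [ -n "$version" ]    || { echo "calico version not set" >&2; return 1; }
  [ -n "$KUBECONFIG" ] || { echo "KUBECONFIG not set" >&2; return 1; }
  docker run --rm -v "$KUBECONFIG":/root/.kube/config -v "$(pwd)":/host \
    -e KUBECONFIG=/root/.kube/config -e DATASTORE_TYPE=kubernetes \
    "calico/ctl:$version" "$@"
}

# Typical use (uncomment on a host with cluster access):
# CALICOVERSION=$(detect_calico_version canal) &&
#   run_calicoctl "$CALICOVERSION" apply -f /host/globalpolicy.yaml
```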

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020158
  • Creation Date: 06-May-2021
  • Modified Date:06-May-2021
    • SUSE Rancher
