How to use the calicoctl CLI in an RKE CLI or Rancher-provisioned RKE cluster

• An RKE Kubernetes cluster provisioned with the Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x

• The Calico or Canal Container Networking Interface (CNI) Plugin (Canal is the default in both RKE CLI and Rancher provisioned RKE clusters).

• A cluster-admin level kube config sourced via $KUBECONFIG on a host running Docker

The calicoctl CLI provides an interface for managing calico network and security policy.

In RKE Kubernetes clusters provisioned by the Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x, and which use the Calico or Canal Container Networking Interface (CNI) Plugin, calicoctl can be used to configure Calico GlobalNetworkPolicy and NetworkPolicy resources.

N.B. The commands in this section should be run from a host running Docker, with a cluster-admin level kube config sourced.

For this example, we will demonstrate creating an empty GlobalNetworkPolicy resource via calicoctl.

1. Set $KUBECONFIG environment variable to the cluster-admin kube config

With the cluster-admin level kube config file present on the host, execute export KUBECONFIG=<full path to cluster-admin kube config> replacing with the full path of the kube config.

2. Create the desired resource in the working directory

Create a YAML file in the working directory with the NetworkPolicy resource definition(s) you want to apply to the cluster.

For this example create a file named globalpolicy.yaml in the working directory with the following contents:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-tcp-port-6379

3. Determine the calico-node version of the cluster

First get the version of the calico-node container running in the cluster.

In a cluster with the Canal CNI Network Provider, run the following, with the admin kube config sourced:

CALICOVERSION=`kubectl -n kube-system get daemonset canal -o yaml | grep 'rancher/mirrored-calico-node:v' | tail -n1 | cut -d: -f3`
echo $CALICOVERSION

In a cluster with the Calico CNI Network Provider, run the following, with the admin kube config sourced:

CALICOVERSION=`kubectl -n kube-system get daemonset calico-node -o yaml | grep 'rancher/mirrored-calico-node:v' | tail -n1 | cut -d: -f3`
echo $CALICOVERSION

4. Run calicoctl

With the calico-node version determined and now set in the variable $CALICOVERSION, calicoctl can be invoked. This is done by running the calico/ctl image, with the version matching the calico-node. The kube config file is mounted into the container, as is the present working directory (at the path /host), so that the desired resource (in this example in the file globalpolicy.yaml) is available.

To execute calicoctl run the following command, altering the filename as applicable to the resource you have created in the working directory:

docker run --rm -v $KUBECONFIG:/root/.kube/config -v $(pwd):/host -e KUBECONFIG=/root/.kube/config -e DATASTORE_TYPE=kubernetes calico/ctl:$CALICOVERSION apply -f /host/globalpolicy.yaml

We can now view the GlobalNetworkPolicy resource by using calicoctl get as follows:

docker run --rm -v $KUBECONFIG:/root/.kube/config -v $(pwd):/host -e KUBECONFIG=/root/.kube/config -e DATASTORE_TYPE=kubernetes calico/ctl:$CALICOVERSION get globalnetworkpolicy allow-tcp-port-6379 -o yaml

This should return output similar to the following:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  creationTimestamp: "2020-04-08T15:12:45Z"
  name: allow-tcp-port-6379
  resourceVersion: "9033"
  uid: df2875a6-1142-4fe0-9f0c-5dc1372bd2c5
spec:
  types:
  - Ingress

• Calico's Get started with Calico network policy.

• The calicoctl user reference documentation.