Calico Enterprise 3.21 (latest) documentation

Mirantis Kubernetes Engine (MKE 3)

Big picture

Install Calico Enterprise on a Mirantis Kubernetes Engine (MKE 3) cluster (formerly Docker Enterprise).

Before you begin

CNI support

Calico CNI for networking with Calico Enterprise network policy:

The geeky details of what you get:

Policy, IPAM, CNI, Overlay, Routing, Datastore

Required

  • A compatible MKE 3 cluster with:

    • A minimum of three nodes for non-production deployments
    • The CNI flag set to unmanaged (--unmanaged-cni), so that MKE 3 does not install the default Calico Enterprise networking plugin

    For help, see Docker Enterprise, and Docker EE Best Practices and Design Considerations.

  • To access the MKE 3 control plane via the CLI, you must download a Client Certificate Bundle from the web UI, which contains the necessary TLS certificates and environment scripts to authenticate kubectl and docker commands. For more information, see Access an MKE cluster (Client Bundles).

  • Configure MKE 3 to allow the tigera-operator service account to schedule CNI workloads on all nodes in the cluster by running the following command. See the MKE 3 documentation for how to obtain an admin bearer authentication token for this call. Note that the -k option makes curl skip TLS certificate verification, so the admin token is sent without authenticating the manager node.

    curl -k -H "Authorization: Bearer <authentication-token>" -X PUT https://<manager-node-IP>/collectionGrants/system:serviceaccount:tigera-operator:tigera-operator/swarm/scheduler

    Replace the following:

    • <authentication-token>: The value of the admin bearer token.
    • <manager-node-IP>: The public IP for any manager node in the cluster.
  • Cluster meets system requirements

  • A Tigera license key and credentials

  • Install kubectl

How to

Install Calico Enterprise

  1. Configure a storage class for Calico Enterprise.

  2. Configure Tigera Operator and Calico CNI plugin role bindings for Docker EE.

    kubectl create clusterrolebinding tigera-operator-cluster-admin -n tigera-operator \
    --clusterrole cluster-admin --serviceaccount tigera-operator:tigera-operator
    kubectl create clusterrolebinding calico-cni-plugin-cluster-admin -n calico-system \
    --clusterrole cluster-admin --serviceaccount calico-system:calico-cni-plugin
  3. Install the Tigera Operator and custom resource definitions.

    kubectl create -f https://downloads.tigera.io/ee/v3.21.5/manifests/operator-crds.yaml
    kubectl create -f https://downloads.tigera.io/ee/v3.21.5/manifests/tigera-operator.yaml
  4. Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be used to deploy Prometheus server and Alertmanager to monitor Calico Enterprise metrics.

    Note: If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.

    kubectl create -f https://downloads.tigera.io/ee/v3.21.5/manifests/tigera-prometheus-operator.yaml
  5. Install your pull secret.

    If pulling images directly from quay.io/tigera, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.

    kubectl create secret generic tigera-pull-secret \
    --type=kubernetes.io/dockerconfigjson -n tigera-operator \
    --from-file=.dockerconfigjson=<path/to/pull/secret>
  6. Install any extra Calico Enterprise resources needed at cluster start using calicoctl.

  7. Install the Tigera custom resources. For more information on configuration options available in this manifest, see the installation reference.

    kubectl create -f https://downloads.tigera.io/ee/v3.21.5/manifests/custom-resources.yaml

    Monitor progress with the following command:

    watch kubectl get tigerastatus

    Wait until the apiserver shows a status of Available, then proceed to the next section.
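
The steps above pass remote manifest URLs straight to kubectl create. As an added example (not part of the Tigera documentation), the shell functions below download a manifest to disk, check it against a SHA-256 digest that you recorded yourself after reviewing that file, and apply only the verified local copy. The function names, the pin file and the working directory are assumptions; the URL base is the one used on this page.

```sh
#!/bin/sh
# Added example, not Tigera's code. Function names and the pin file are assumptions.
# Pin file format: "<sha256-hex>  <file-name>" per line, as written by sha256sum,
# created by you after reviewing each downloaded manifest.

BASE_URL="https://downloads.tigera.io/ee/v3.21.5/manifests"  # URL base from the page

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_manifest FILE PINFILE
# Returns 0 if FILE matches its pin, 1 on mismatch, 2 if FILE has no pin.
verify_manifest() {
  vm_name=$(basename "$1")
  vm_want=$(awk -v n="$vm_name" '$2 == n { print $1; exit }' "$2")
  if [ -z "$vm_want" ]; then
    echo "refusing $vm_name: no pinned digest" >&2
    return 2
  fi
  vm_got=$(sha256_of "$1")
  if [ "$vm_got" != "$vm_want" ]; then
    echo "refusing $vm_name: digest $vm_got does not match pin" >&2
    return 1
  fi
  return 0
}

# fetch_verify_apply NAME PINFILE WORKDIR
# Downloads NAME over HTTPS only, verifies it, then applies the local copy.
fetch_verify_apply() {
  curl --fail --silent --show-error --location \
       --proto '=https' --proto-redir '=https' \
       -o "$3/$1" "$BASE_URL/$1" || return 3
  verify_manifest "$3/$1" "$2" || return $?
  kubectl create -f "$3/$1"
}

# Usage for one manifest (paths are placeholders):
#   fetch_verify_apply operator-crds.yaml ./manifest.sha256 ./manifests
```

A manifest with no pin is refused rather than applied, so a new release has to be reviewed and pinned before it can reach the cluster.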

Install the Calico Enterprise license

To use Calico Enterprise, you must install the license provided to you by Tigera.

kubectl create -f </path/to/license.yaml>

Monitor progress with the following command:

watch kubectl get tigerastatus
