Mastering Calicoctl: Install and Manage Kubernetes Network Policies from Scratch
This guide walks through installing calicoctl, a Calico command‑line tool for managing Kubernetes network policies, covering prerequisites, manifest deployment for both Kubernetes‑ and etcd‑backed data stores, verification commands, and practical tips for a smooth setup.
Introduction
In the era of cloud computing, Kubernetes is the de‑facto standard for container orchestration, but managing network policies can be challenging. calicoctl, part of the Calico project, provides powerful commands to view, create, and delete network policies.
Prerequisites
Kubernetes cluster up and running
Calico installed and operational
If Calico stores data in etcd, have the etcd certificates ready
Download required images in advance (due to network restrictions)
Install calicoctl (Data stored in Kubernetes)
Apply the following manifests to create a ServiceAccount, ClusterRole, ClusterRoleBinding, and Deployment for calicoctl.
<code>cat <<'EOF' | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
name: calicoctl
namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: calicoctl
rules:
- apiGroups: [""]
resources:
- namespaces
- nodes
verbs:
- get
- list
- update
- apiGroups: [""]
resources:
- nodes/status
verbs:
- update
- apiGroups: [""]
resources:
- pods
- serviceaccounts
verbs:
- get
- list
- apiGroups: [""]
resources:
- pods/status
verbs:
- update
- apiGroups: ["crd.projectcalico.org"]
resources:
- bgppeers
- bgpconfigurations
- clusterinformations
- felixconfigurations
- globalnetworkpolicies
- globalnetworksets
- ippools
- ipreservations
- kubecontrollersconfigurations
- networkpolicies
- networksets
- hostendpoints
- ipamblocks
- blockaffinities
- ipamhandles
- ipamconfigs
verbs:
- create
- get
- list
- update
- delete
- apiGroups: ["networking.k8s.io"]
resources:
- networkpolicies
verbs:
- get
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: calicoctl
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calicoctl
subjects:
- kind: ServiceAccount
name: calicoctl
namespace: kube-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: calicoctl
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: calicoctl
template:
metadata:
labels:
app: calicoctl
spec:
nodeSelector:
kubernetes.io/os: linux
hostNetwork: true
serviceAccountName: calicoctl
containers:
- image: calico/ctl:v3.23.5
command:
- calicoctl
args:
- version
- --poll=1m
env:
- name: DATASTORE_TYPE
value: kubernetes
EOF</code>Tips
Tip: If you cannot download the required image, the author can provide a working version.
Tip: Keep the image version consistent with the Calico image version.
Verification
Check node information:
<code>$ calicoctl get nodes -owide
NAME ASN IPV4 IPV6
k8s-master01 (64512) 172.139.20.121/24
k8s-master02 (64512) 172.139.20.176/24
k8s-master03 (64512) 172.139.20.151/24
k8s-node01 (64512) 172.139.20.175/24
k8s-node02 (64512) 172.139.20.75/24
k8s-node03 (64512) 172.139.20.66/24
k8s-node04 (64512) 172.139.20.19/24</code>Check IP pool information:
<code>$ calicoctl get ippool -owide
NAME CIDR NAT IPIPMODE VXLANMODE DISABLED DISABLEBGPEXPORT SELECTOR
default-ipv4-ippool 10.244.0.0/16 true Always Never false false all()</code>Show remaining IPs per node:
<code>$ calicoctl ipam show --show-blocks
+----------+-------------------+-----------+------------+--------------+
| GROUPING | CIDR | IPS TOTAL | IPS IN USE | IPS FREE |
+----------+-------------------+-----------+------------+--------------+
| IP Pool | 10.244.0.0/16 | 65536 | 90 (0%) | 65446 (100%) |
| Block | 10.244.122.128/26 | 64 | 2 (3%) | 62 (97%) |
| Block | 10.244.135.128/26 | 64 | 26 (41%) | 38 (59%) |
| Block | 10.244.195.0/26 | 64 | 2 (3%) | 62 (97%) |
| Block | 10.244.217.64/26 | 64 | 13 (20%) | 51 (80%) |
| Block | 10.244.32.128/26 | 64 | 2 (3%) | 62 (97%) |
| Block | 10.244.58.192/26 | 64 | 26 (41%) | 38 (59%) |
| Block | 10.244.85.192/26 | 64 | 19 (30%) | 45 (70%) |
+----------+-------------------+-----------+------------+--------------+</code>Install calicoctl (Data stored in etcd)
Apply a Deployment that mounts etcd certificates and references the calico‑config ConfigMap.
<code>$ cat <<'EOF' | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: calicoctl
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: calicoctl
template:
metadata:
labels:
app: calicoctl
spec:
nodeSelector:
kubernetes.io/os: linux
hostNetwork: true
containers:
- name: calicoctl
image: calico/ctl:v3.23.5
command:
- /calicoctl
args:
- version
- --poll=1m
env:
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_endpoints
- name: ETCD_CA_CERT_FILE
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_ca
- name: ETCD_KEY_FILE
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_key
- name: ETCD_CERT_FILE
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_cert
volumeMounts:
- mountPath: /calico-secrets
name: etcd-certs
volumes:
- name: etcd-certs
secret:
secretName: calico-etcd-secrets
EOF</code>Conclusion
This article demonstrated how to install calicoctl in different environments and introduced its basic commands. calicoctl offers many more capabilities for deep network control in Kubernetes clusters, and further advanced topics will be explored in future articles.
Linux Ops Smart Journey
The operations journey never stops—pursuing excellence endlessly.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.