Flannel is a general-purpose container network interface (CNI) for Kubernetes clusters, but it offers limited integration for mTLS and container security. Calico has more robust capabilities and direct support for the Istio service mesh, offering pod traffic controls, ingress traffic controls, and additional firewall rules.

Calico is compatible with a wide range of Kubernetes versions and cloud environments. It supports various Linux distributions and integrates with different container runtimes. Additionally, Calico works with both on-premises and cloud-native infrastructures, including AWS, Azure, and Google Cloud.

The steps below were successfully tested on a cluster running:
Kubernetes v1.29.8
Flannel v0.22.0
Calico v3.28.1
NOTE: live migration will NOT work on a full Lilt deployment. Nodes are unable to reschedule due to LLM image file sizes.
Since Live Migration is not available, use the following steps for a manual migration. This requires the cluster to be DOWN for approximately 15 minutes. Please notify all users prior to proceeding.
On EVERY node in the cluster, SSH in and delete the IP interfaces associated with Flannel:
```bash
# Look for any CNI/Flannel related interfaces, and remove them
sudo ip link
# links are usually the following
sudo ip link delete cni0
sudo ip link delete flannel.1
```
On the main node (or one of the control-plane nodes), restart kubelet and containerd services:
There are two options for installing Calico: operator and manifest. Manifest is the easiest option but only installs the basic CNI interface. Lilt requires the Calico operator for integration with Istio mesh services.

If installing on a single-node cluster, remove the taint on the control-plane node so that the operator will schedule:
On the main (control-plane) node, create a values override file for the Helm install. Ensure that the CIDR range is the same as the previous Flannel installation:
default Flannel CIDR: 192.168.0.0/17
```bash
# directory lives under /, so it needs root; -p makes the step safe to re-run
sudo mkdir -p /tigera-operator
cat <<EOF | sudo tee /tigera-operator/on-prem-values.yaml
tigeraOperator:
  registry: us-central1-docker.pkg.dev/lilt-service-48916b30/third-party
  image: tigera/operator
  version: v1.34.3
calicoctl:
  image: us-central1-docker.pkg.dev/lilt-service-48916b30/third-party/calico/ctl
  tag: v3.28.1
# this creates the secret for you, DO NOT use if you already have existing secrets in the cluster
imagePullSecrets: {}
installation:
  enabled: true
  # custom registry for pulling additional images, similar to operator above
  # image tags MUST be default, e.g. calico/apiserver
  # must end with "/"
  registry: us-central1-docker.pkg.dev/lilt-service-48916b30/third-party/
  # set if using existing secrets already in the cluster
  imagePullSecrets:
    - name: third-party
    - name: gar-json-key
  # network settings
  calicoNetwork:
    ipPools:
      # MUST match kubeadm init and previous flannel CIDRs
      - cidr: 192.168.0.0/17
defaultFelixConfiguration:
  enabled: false
EOF
```
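A preflight check for the override file, added here as an example and not part of the original runbook: it verifies the invariants the comments above call out (the Calico ipPool CIDR must equal both the Flannel Network and the kubeadm podSubnet, and installation.registry must end with "/"). The three inputs are constructed sample texts standing in for the Flannel net-conf.json, the kubeadm ClusterConfiguration and the values file; the YAML fields are pulled out with regexes, which assumes the same layout as the override file shown above.

```python
"""Preflight check for the Flannel -> Calico values override (added example)."""
import ipaddress
import json
import re

# Constructed samples. On a real cluster these would come from, e.g.:
#   kubectl -n kube-flannel get cm kube-flannel-cfg -o jsonpath='{.data.net-conf\.json}'
#   kubectl -n kube-system get cm kubeadm-config -o jsonpath='{.data.ClusterConfiguration}'
#   cat /tigera-operator/on-prem-values.yaml
FLANNEL_NET_CONF = '{"Network": "192.168.0.0/17", "Backend": {"Type": "vxlan"}}'
KUBEADM_CLUSTER_CONFIG = "networking:\n  podSubnet: 192.168.0.0/17\n  serviceSubnet: 10.96.0.0/12\n"
CALICO_VALUES = (
    "tigeraOperator:\n"
    "  registry: us-central1-docker.pkg.dev/example/third-party\n"   # no slash here is fine
    "installation:\n"
    "  registry: us-central1-docker.pkg.dev/example/third-party/\n"  # must end with "/"
    "  calicoNetwork:\n"
    "    ipPools:\n"
    "      - cidr: 192.168.0.0/17\n"
    "defaultFelixConfiguration:\n"
    "  enabled: false\n"
)

def _field(pattern, text):
    """First capture group of a line-anchored regex, or None (assumes flat YAML layout)."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None

def preflight(flannel_net_conf, kubeadm_config, calico_values):
    """Return a list of problems; an empty list means the override is consistent."""
    problems = []
    flannel = ipaddress.ip_network(json.loads(flannel_net_conf)["Network"], strict=False)
    pod_subnet = _field(r"^\s*podSubnet:\s*(\S+)", kubeadm_config)
    # Only look below the top-level "installation:" key so tigeraOperator.registry is ignored
    inst = re.search(r"^installation:\s*\n(.*)", calico_values, re.MULTILINE | re.DOTALL)
    inst_text = inst.group(1) if inst else ""
    registry = _field(r"^\s*registry:\s*(\S+)", inst_text)
    pool = _field(r"^\s*-\s*cidr:\s*(\S+)", inst_text)
    if pool is None:
        return ["no installation.calicoNetwork.ipPools cidr found in Calico values"]
    pool_net = ipaddress.ip_network(pool, strict=False)
    if pool_net != flannel:
        problems.append(f"ipPool {pool_net} != Flannel Network {flannel}")
    if pod_subnet is None or ipaddress.ip_network(pod_subnet, strict=False) != pool_net:
        problems.append(f"ipPool {pool_net} != kubeadm podSubnet {pod_subnet}")
    if registry is not None and not registry.endswith("/"):
        problems.append(f"installation.registry {registry!r} must end with '/'")
    return problems

if __name__ == "__main__":
    for line in preflight(FLANNEL_NET_CONF, KUBEADM_CLUSTER_CONFIG, CALICO_VALUES) or ["OK"]:
        print(line)
```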
If you have external internet access, pull the Helm chart and install it with the override file:
Install calicoctl (optional, but highly recommended)
calicoctl is a command line tool that can be used to manage the Calico network and security policies and other Calico configurations. It communicates directly with etcd to manipulate the datastore. It provides a number of resource management commands and can be used to troubleshoot Calico network issues.

Install calicoctl as a binary on a single host (usually the main control-plane node):