Running Calico on GKE

[mxmxmx]

Hi guys,

I would like to know if its possible to run Calico on GKE to enable fine-grained network policies ?
If not, is it something planned ?

Thanks for any advice !

[Christopher Liljenstolpe]

Greetings,

It is possible to enable Calico on GKE.  I haven't personally done it, but we have tested it here.  You need to enable CNI in your config, then spin-up a self-hosted Calico install and you should be good to go.  Calico will only be providing policy control at that point (which is what it looks like you want).   If you have questions, please join our slack at slack.projectcalico.org, or e-mail me directly.

Christopher

[Tim Hockin]

I am not sure that is true for GKE - where the whole node config is
blown away on node upgrade.

We are currently considering options for supporting NetworkPolicy on
GKE, but we don't have a finished plan just yet.

> --
> You received this message because you are subscribed to the Google Groups
> "Kubernetes user discussion and Q&A" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to kubernetes-use...@googlegroups.com.
> To post to this group, send email to kubernet...@googlegroups.com.
> Visit this group at https://groups.google.com/group/kubernetes-users.
> For more options, visit https://groups.google.com/d/optout.

[mxmxmx]

Thanks for your answer.
Thats mainly why we were sceptical about it.
Do you think it could be done using a DaemonSet, or is there other main issues to consider ?

Is there some public discussion to follow on this topic somewhere around ?

[Tim Hockin]

The trick is that it has to drop files in the root filesystem,
configure a kubelet flag, and restart kubelet. There's really no way
to do that from daemonset.

[Brandon Philips]

Aside: kube-flannel takes care of dropping the CNI plugin on the root filesystem in this way today. But, yes, the kubelet needs to be in CNI mode first.