Calico Cloud documentation

Connect a cluster to Calico Cloud Free

Securely connect your cluster to Calico Cloud Free to access centralized network observability for your Kubernetes deployment.

Prerequisites

  • You have kubectl access to a Kubernetes cluster that meets the following requirements:
    • Calico Open Source 3.30 or later on your cluster
    • Calico Open Source was installed using the operator method. Manifest- and Helm-based installations are not supported.
  • You have an active Calico Cloud Free account. To create an account, go to the Calico Cloud Free sign-up page.
  • You are signed in to the Calico Cloud web console.
  • If you're working in a restricted network environment, you are able to create allow rules for TCP egress traffic from your cluster to the Calico Cloud management plane.

Connect your cluster

  1. From the web console, click the Connect a cluster button on the welcome screen.

  2. Follow the prompts to create a name for your cluster and copy a kubectl command to run in your cluster.

    What's happening in this command?

    This command creates three resources in your cluster:

    • A ManagementClusterConnection resource. This resource specifies the address of the Calico Cloud management cluster.
    • A Secret resource (tigera-managed-cluster-connection). This resource provides the certificates and private key used to secure communication between your cluster and the Calico Cloud management cluster. Because it contains the private key for your cluster's end of the tunnel (managed-cluster.key), treat the generated command as a credential: don't share it and don't commit it to version control.
    • A Secret resource (tigera-voltron-linseed-certs-public). This resource provides certificates for secure communications for the specific components that Calico Cloud uses for log data and observability.
    Example of generated kubectl command to connect a cluster to Calico Cloud Free
    kubectl apply -f - <<EOF
    # Once applied to your managed cluster, a deployment is created to establish a secure tcp connection
    # with the management cluster.

    apiVersion: operator.tigera.io/v1
    kind: ManagementClusterConnection
    metadata:
      name: tigera-secure
    spec:
      # ManagementClusterAddr should be the externally reachable address to which your managed cluster
      # will connect. Valid examples are: "0.0.0.0:31000", "example.com:32000", "[::1]:32500"
      managementClusterAddr: "oss-ui-01-management.calicocloud.io:443"

    ---

    apiVersion: v1
    kind: Secret
    metadata:
      name: tigera-managed-cluster-connection
      namespace: tigera-operator
    type: Opaque
    data:
      # This is the certificate of the management cluster side of the tunnel.
      management-cluster.crt: ...
      # The certificate and private key that are created and signed by the CA in the management cluster.
      managed-cluster.crt: ...
      managed-cluster.key: ...

    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: tigera-voltron-linseed-certs-public
      namespace: tigera-operator
    type: Opaque
    data:
      tls.crt: ...

    EOF
  3. To start the connection process, run the kubectl command in your terminal.

    Sample output
    managementclusterconnection.operator.tigera.io/tigera-secure created
    secret/tigera-managed-cluster-connection created
    secret/tigera-voltron-linseed-certs-public created
  4. After you run the command, click I applied the manifest to continue.

Verify your connection

  • From the web console, click Managed clusters to view a list of managed clusters. If your cluster connected successfully, you'll see its connection status is Connected.

Troubleshooting

Connection status remains Disconnected

Your network environment restricts egress traffic to the Calico Cloud management cluster

If your network environment restricts egress traffic to the Calico Cloud management cluster, you need to create allow rules so your cluster can connect.

You can find the address of the Calico Cloud management cluster in the ManagementClusterAddr field of the ManagementClusterConnection resource:

kubectl get managementclusterconnection tigera-secure -o jsonpath='{.spec.managementClusterAddr}'

You'll see something like this:

Sample output
oss-ui-01-management.calicocloud.io:443

Make sure your network allows TCP egress traffic to this address.
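As an added example (not part of the Calico Cloud documentation or of Calico's own tooling), the following script combines the checks a practitioner wants after the connection procedure above and when working through this troubleshooting section: it reads managementClusterAddr from the ManagementClusterConnection, splits it in the host:port forms the manifest comment lists as valid (including bracketed IPv6), tests TCP egress to that address from a pod inside the cluster, and verifies that managed-cluster.crt and managed-cluster.key in the tigera-managed-cluster-connection Secret are an unexpired, matching pair. The busybox image, the calico-egress-check pod name and the RUN_CHECKS variable are choices made for this example, not Calico identifiers.

```shell
#!/usr/bin/env bash
# Added example, not from the Calico Cloud docs: pre-flight and post-apply checks for a
# Calico Cloud Free connection. Assumes kubectl, openssl and coreutils (base64, mktemp)
# on the workstation. Resource names default to those in the generated manifest and can
# be overridden through the environment.
set -eu

MCC_NAME="${MCC_NAME:-tigera-secure}"
SECRET_NS="${SECRET_NS:-tigera-operator}"
SECRET_NAME="${SECRET_NAME:-tigera-managed-cluster-connection}"

# Split a managementClusterAddr value into "host port". Accepts the forms the manifest
# comment lists as valid: "0.0.0.0:31000", "example.com:32000" and bracketed IPv6 such
# as "[::1]:32500". Returns 1 when there is no host or the port is not 1-65535.
split_addr() {
  addr="$1"
  case "$addr" in
    \[*\]:*) host="${addr%%]:*}"; host="${host#\[}"; port="${addr##*]:}" ;;
    *:*)     host="${addr%:*}";   port="${addr##*:}" ;;
    *)       return 1 ;;
  esac
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ -n "$host" ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  printf '%s %s\n' "$host" "$port"
}

# Check that a PEM certificate is still valid and that a PEM private key belongs to it,
# by comparing the public key in the certificate with the one derived from the key.
cert_key_match() {
  cert="$1"; key="$2"
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || return 1
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Decode managed-cluster.crt/.key from the applied Secret into a private temp dir and
# run cert_key_match on them. The key is a tunnel credential, so the dir is removed on exit.
check_tunnel_secret() {
  dir="$(mktemp -d)"
  trap 'rm -rf "$dir"' EXIT
  kubectl -n "$SECRET_NS" get secret "$SECRET_NAME" \
    -o jsonpath='{.data.managed-cluster\.crt}' | base64 -d > "$dir/tls.crt"
  kubectl -n "$SECRET_NS" get secret "$SECRET_NAME" \
    -o jsonpath='{.data.managed-cluster\.key}' | base64 -d > "$dir/tls.key"
  openssl x509 -in "$dir/tls.crt" -noout -subject -issuer -enddate
  cert_key_match "$dir/tls.crt" "$dir/tls.key"
}

# Confirm TCP egress to the management address from inside the cluster, where the tunnel
# deployment actually connects, using a throwaway busybox pod (assumes the cluster can
# pull that image). kubectl returns the pod's exit status: 0 means the connect succeeded.
egress_from_cluster() {
  kubectl run calico-egress-check --rm -i --restart=Never --image=busybox:1.36 \
    -- nc -z -v -w 5 "$1" "$2"
}

main() {
  addr="$(kubectl get managementclusterconnection "$MCC_NAME" \
            -o jsonpath='{.spec.managementClusterAddr}')"
  hostport="$(split_addr "$addr")" || { echo "unusable managementClusterAddr: $addr" >&2; exit 1; }
  set -- $hostport
  echo "management cluster: $1:$2"
  egress_from_cluster "$1" "$2"
  check_tunnel_secret
}

# Only run against the current kubectl context when asked, so the file can also be sourced.
if [ "${RUN_CHECKS:-0}" = 1 ]; then main; fi
```

Run it with RUN_CHECKS=1 after applying the manifest, or source it and call the functions individually. The egress test deliberately runs from a pod rather than from your workstation: a restriction in the cluster's network or in a network policy is not visible from outside the cluster, and an address that your laptop can reach may still be blocked for the tunnel deployment.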

Next steps