Create a Calico Enterprise management cluster
Big picture

Create a Calico Enterprise management cluster to manage multiple clusters from a single management plane.
Value

Managing standalone clusters and multiple instances of Elasticsearch is not onerous when you first install Calico Enterprise. But as you move to production with 300+ clusters, it is not scalable; you need centralized cluster management and log storage. With Calico Enterprise multi-cluster management, you can securely connect multiple clusters from different cloud providers in a single management plane, and control user access using RBAC. This architecture also supports federation of network policy resources across clusters, and lays the foundation for a "single pane of glass."
Before you begin...

Required

- A Calico Enterprise cluster, see here for help
- A reachable, public IP address for the management cluster
How to

Create a management cluster

To control managed clusters from your central management plane, you must ensure it is reachable for connections. The simplest way to get started (but not for production scenarios) is to configure a NodePort service to expose the management cluster. Note that the service must live within the tigera-manager namespace.
- Create a service to expose the management cluster. The following example of a NodePort service may not be suitable for production and high availability. For options, see Fine-tune multi-cluster management for production. Apply the following service manifest.

  ```bash
  kubectl create -f - <<EOF
  apiVersion: v1
  kind: Service
  metadata:
    name: tigera-manager-mcm
    namespace: tigera-manager
  spec:
    ports:
    - nodePort: 30449
      port: 9449
      protocol: TCP
      targetPort: 9449
    selector:
      k8s-app: tigera-manager
    type: NodePort
  EOF
  ```

- Export the service port number, and the public IP or host of the management cluster (for example, "example.com:1234" or "10.0.0.10:1234").

  ```bash
  export MANAGEMENT_CLUSTER_ADDR=<your-management-cluster-addr>
  ```

- Apply the ManagementCluster CR.

  ```bash
  kubectl apply -f - <<EOF
  apiVersion: operator.tigera.io/v1
  kind: ManagementCluster
  metadata:
    name: tigera-secure
  spec:
    address: $MANAGEMENT_CLUSTER_ADDR
  EOF
  ```
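A managed cluster that cannot reach the address in the ManagementCluster CR simply never connects, so it is worth checking the value before applying the CR. The script below is an added example, not part of the Calico Enterprise docs: it validates that MANAGEMENT_CLUSTER_ADDR has the host:port shape the CR expects, compares the port with the nodePort the cluster actually assigned to the tigera-manager-mcm service from the previous step, and probes TCP reachability; the function names and the use of bash's /dev/tcp are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example, not from the Calico Enterprise docs: sanity-check the
# MANAGEMENT_CLUSTER_ADDR value before it goes into the ManagementCluster CR.
# Assumes the NodePort service from this page (tigera-manager-mcm in tigera-manager).

# The CR expects "<host>:<port>" with no scheme or path; host is a DNS name or IP.
validate_mcm_addr() {
  local addr="$1" host port
  case "$addr" in
    *://*|*/*) echo "error: use host:port without scheme or path: $addr" >&2; return 1 ;;
  esac
  host="${addr%:*}"; port="${addr##*:}"
  if [ "$host" = "$addr" ] || [ -z "$host" ] || [ -z "$port" ]; then
    echo "error: address must be host:port: $addr" >&2; return 1
  fi
  case "$port" in
    *[!0-9]*) echo "error: port is not numeric: $port" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "error: port out of range: $port" >&2; return 1
  fi
}

# Compare the port in the address with the nodePort the cluster actually assigned.
# Requires cluster access; succeeds with a warning when kubectl is absent.
port_matches_service() {
  local addr="$1" assigned
  command -v kubectl >/dev/null 2>&1 || { echo "kubectl not found, skipping service check" >&2; return 0; }
  assigned=$(kubectl -n tigera-manager get svc tigera-manager-mcm -o jsonpath='{.spec.ports[0].nodePort}')
  [ "${addr##*:}" = "$assigned" ]
}

# Probe TCP reachability with a timeout, using bash's /dev/tcp so no extra tools are needed.
probe_tcp() {
  local host="${1%:*}" port="${1##*:}"
  timeout 5 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

main() {
  local addr="${MANAGEMENT_CLUSTER_ADDR:?set MANAGEMENT_CLUSTER_ADDR to host:port}"
  validate_mcm_addr "$addr" || exit 1
  port_matches_service "$addr" || { echo "error: port in $addr differs from the service nodePort" >&2; exit 1; }
  probe_tcp "$addr" || echo "warning: $addr is not reachable from this host" >&2
  echo "ok: $addr"
}

# Run the checks only when the variable is set, so the functions can also be sourced.
if [ -n "${MANAGEMENT_CLUSTER_ADDR:-}" ]; then main; fi
```

The reachability probe only proves the address is open from the machine running the script; managed clusters in other networks may still be blocked by firewalls or security groups, so repeat the probe from where they run.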
Create an admin user and verify management cluster connection

To access resources in a managed cluster from the Calico Enterprise web console within the management cluster, the logged-in user must have appropriate permissions defined in that managed cluster (cluster role bindings).
- Create an admin user called `mcm-user` in the default namespace with full permissions by applying the following commands.

  ```bash
  kubectl create sa mcm-user
  kubectl create clusterrolebinding mcm-user-admin --serviceaccount=default:mcm-user --clusterrole=tigera-network-admin
  ```

- Create a secret for the service account.

  Note: This step is needed if your Kubernetes cluster is version v1.24 or above. Prior to Kubernetes v1.24, this secret is created automatically.

  ```bash
  kubectl apply -f - <<EOF
  apiVersion: v1
  kind: Secret
  type: kubernetes.io/service-account-token
  metadata:
    name: mcm-user
    annotations:
      kubernetes.io/service-account.name: "mcm-user"
  EOF
  ```

- For Kubernetes v1.24+, use the following command to obtain the token from the secret associated with the service account.

  ```bash
  kubectl describe secret mcm-user
  ```

  For Kubernetes clusters prior to version v1.24, use the following command to retrieve your token:

  ```bash
  kubectl get secret $(kubectl get serviceaccount mcm-user -o jsonpath='{range .secrets[*]}{.name}{"\n"}{end}' | grep token) -o go-template='{{.data.token | base64decode}}' && echo
  ```
In the top right banner, your management cluster is displayed as the first entry in the cluster selection drop-down menu with the fixed name `management cluster`.

You have successfully installed a management cluster.
Next steps

- To create and add a managed cluster to your management cluster, see Create and configure a managed cluster
- When you are ready to fine-tune your multi-cluster management deployment for production, see Fine-tune multi-cluster management
- To change an existing Calico Enterprise standalone cluster to a management or managed cluster, see Change cluster types