Calico CRD with Juju

Hello all,

Is there any (recommended) way to deploy and use Calico with Calico CRDs? By default the Calico charm did not implement the Calico CRDs. I tried to deploy Calico CRDs using the standard Calico yaml charts (https://github.com/projectcalico/calico/blob/v3.26.0/manifests/crds.yaml) to our Juju k8s cluster (Calico 3.21.4, k8s 1.26.5). I know that there is a mismatch in versions, but older versions of the CRDs are not available. The CRDs are available under api-versions, but it seems that’s not enough - Calico Network Policy / Global Policy definitions won’t work. What we are trying to achieve is to use port ranges in Network Policy definitions, as described here (syntax start:end):

If there is any other way to define/use port ranges within Network Policy (Policies), please advise (maybe another CNI supported by Juju/Charmed Kubernetes).

Thank you

UPDATE: I also tried to use a more recent version of Calico, so I tried the most recent version available on rocks.canonical.com, which is 3.25.1 (both calico-node-image and calico-policy-image), but no CRDs are deployed in this version either. I also tried to not deploy Charmed Kubernetes without any CNI, but it also could not work because the cluster is not accessible without a CNI. I was also wondering whether I could deploy Charmed Kubernetes with Flannel and then switch to the standard Calico operator, but there are relations in the model which will break the cluster if I remove Flannel afterwards. So I got stuck.

I’m not sure how to do it the “Canonical” way, but the official Calico way is to install [calico-api-server].

Hi @alex, the calico charm leverages etcd instead of kubernetes as its datastore, so it doesn’t use calico’s k8s custom resources. For reference, here’s the charm manifest that gets applied; note the lack of CRDs in there.

I fear bootstrapping with flannel and swapping with a manual calico deployment would lead to future maintenance headaches. It is possible to deploy charmed-k8s without a CNI, but I think you’d eventually run into inconsistencies with things like juju status and charm relation data not matching your actual cluster state.

Would the k8s built-in NetworkPolicy be an option for you? I see as of 1.25, it supports port ranges.

If that’s not an option, charmed-k8s does support other CNIs including kube-ovn and cilium. Would one of those fit your CNI needs better than calico?
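
The built-in NetworkPolicy port range mentioned in the reply above, shown as an added example that is not part of the original thread. The namespace, labels, policy names and port numbers are constructed placeholders; only the `port`/`endPort` pair is the feature under discussion.

```yaml
# Added example: names, labels and the port range are constructed placeholders.
# Policy 1: deny all ingress to every pod in the namespace by default.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress        # hypothetical name
  namespace: demo                   # hypothetical namespace
spec:
  podSelector: {}                   # empty selector matches all pods in the namespace
  policyTypes:
    - Ingress
---
# Policy 2: allow one TCP port range to the backend pods from a single namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend-port-range    # hypothetical name
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: backend                  # hypothetical label
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: clients   # hypothetical client namespace
      ports:
        - protocol: TCP
          port: 32000               # start of range; must be numeric when endPort is set
          endPort: 32768            # end of range, inclusive; must be >= port
```

The cluster's network plugin has to support `endPort`; if it does not, the policy is applied only to the single `port` value, so test the upper end of the range after applying.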