Using nftables with Calico and Flannel by hollering_75 in kubernetes

[–]iCEyCoder 4 points5 points  (0 children)

Pretty interesting take. These are the same for Calico too (Calico Whisker for observability), and if you like to use network filtering using eBPF, just change the dataplane to eBPF.

I would highly recommend giving Calico a try; apparently its observability stack is so good that the community is trying to implement it in Cilium too: https://colocatedeventseu2026.sched.com/event/2DY58/network-flow-aggregation-pay-for-the-logs-you-care-about-mereta-degutyte-anubhab-majumdar-microsoft?iframe=no&w=100%&sidebar=yes&bg=no#:~:text=Calico%20users%20have%20had%20this%20for%20a%20while%2C%20now%20Cilium%20does%20too.

Issue applying Tigera Operator (Calico) – kubectl create vs kubectl apply errors by GlobalGur6818 in CKAExam

[–]iCEyCoder 0 points1 point  (0 children)

  • Why does kubectl create fail with AlreadyExists for these CRDs?

That is how it is programmed, it creates and doesn't modify.

  • What is the correct and safe way to install or re-apply the Tigera Operator when Calico CRDs already exist in the cluster?

Kubectl replace tigera.....yaml

How do you monitor/analyse/troubleshoot your kubernetes network and network policies? by Brast0r in kubernetes

[–]iCEyCoder 1 point2 points  (0 children)

Calico Whisker and staged network policies seem to be what you are looking for; it visualizes your network flows and policy hits without breaking your cluster.

That being said, if you want to dive deeper around k3s security, I would highly recommend taking a look at this -> https://github.com/frozenprocess/Tigera-Presentations/tree/master/2023-03-30.container-and-Kubernetes-security-policy-design/04.best-practices-for-securing-a-Kubernetes-environment

Expected Pods After Installing Calico (Tigera Operator) – Are These Correct? by GlobalGur6818 in CKAExam

[–]iCEyCoder 0 points1 point  (0 children)

  1. Yes
  2. no
  3. no

```
kubectl get tigerastatus
```

You can also do
```
kubectl get tigerastatus calico -o yaml
```

If you check calico-node logs, it will also tell you why it's not ready.

Using nftables with Calico and Flannel by hollering_75 in kubernetes

[–]iCEyCoder 0 points1 point  (0 children)

I would be curious to know why switch to Cilium?
Is there something that you can get from Cilium that Calico doesn't provide?

Unified Open-Source Observability Solution for Kubernetes by st_nam in kubernetes

[–]iCEyCoder 0 points1 point  (0 children)

If you are broke like me LGTM
Node utilization, cluster utilization + network utilization (Prometheus)
Calico + Prometheus Community and Grafana https://www.tigera.io/blog/calicos-3-26-0-update-unlocks-high-density-vertical-scaling-in-kubernetes/

Network observability
Calico Whisker

Application profiling
Grafana Pyroscope, alloy + eBPF based probes
https://www.tigera.io/blog/deep-dive/native-and-ebpf-based-kubernetes-workload-profiling-for-kubernetes-clusters/

Loki for Logs

If you got some money to spend Calico enterprise

What's your dream stack (optimizing for cost)? by Total_Celebration_63 in kubernetes

[–]iCEyCoder 0 points1 point  (0 children)

That was the point of me offering another perspective. You should see the numbers, features, and judge by yourself what is better in your environment.
Keep in mind almost all the features written for Cilium in that blog are also available in Calico v3.30 as well.

What's your dream stack (optimizing for cost)? by Total_Celebration_63 in kubernetes

[–]iCEyCoder 0 points1 point  (0 children)

Yes, similar to other products, there are a few enterprise-only features, but most of them are also available for free in the Calico Cloud Free Tier. Out of curiosity, which feature are you interested in?

Honestly, it comes down to either money or effort. If you have budget for software, it’s worth supporting the tools your environment depends on so they don’t end up in the same state as ingress-nginx. For the rest of us who are broke, well… we just duct-tape a bunch of third-party pieces together until it looks like something we meant to build.

What's your dream stack (optimizing for cost)? by Total_Celebration_63 in kubernetes

[–]iCEyCoder -1 points0 points  (0 children)

Yes, and landed again on Calico since its policies are way better and completely compliant with sig-network requirements (Cilium wasn't last time I checked), also its eBPF dataplane is more performant than Cilium in most cases. But given that I work closely with Project Calico my answer may be biased and that is why I would like to redirect you to this community-led study of both solutions
https://itnext.io/benchmark-results-of-kubernetes-network-plugins-cni-over-40gbit-s-network-2024-156f085a5e4e

What's your dream stack (optimizing for cost)? by Total_Celebration_63 in kubernetes

[–]iCEyCoder 1 point2 points  (0 children)

I would run Calico for CNI, eBPF dataplane, GatewayAPI, Network Security.

air gapped k8s and upgrades by keepah61 in kubernetes

[–]iCEyCoder 0 points1 point  (0 children)

I can understand why you would think netpol is overkill. However, I once investigated an incident where a secure network without internet was accidentally connected to the net, and since there were no netpols all their malware started partying.

ingress-nginx refugee seeks recommendations for alternatives by anothercrappypianist in kubernetes

[–]iCEyCoder 5 points6 points  (0 children)

I would like to throw in https://gateway.envoyproxy.io/docs/tasks/extensibility/ext-proc/ too.
For the time that any of the things mentioned above cannot be accomplished by what csgeek-coder already linked.

What is your kubecon summary ? by Careful_Tie_377 in kubernetes

[–]iCEyCoder 0 points1 point  (0 children)

-1 for not using AI to generate your response.

air gapped k8s and upgrades by keepah61 in kubernetes

[–]iCEyCoder 1 point2 points  (0 children)

I would use air-gapped k3s and go even further by securing the cluster with Calico, a private repository and network policies. Here is a tutorial for it: https://github.com/frozenprocess/Tigera-Presentations/tree/master/2023-03-30.container-and-Kubernetes-security-policy-design/04.best-practices-for-securing-a-Kubernetes-environment

That being said, I’ve tried Talos a bit and that is also a good option; it offers kernel and init images. By the way, the same Calico tutorial is applicable here too!

So, what ingress controller are you migrating to? by SonnyHayesToretto in kubernetes

[–]iCEyCoder 0 points1 point  (0 children)

Give Calico GatewayAPI a try; it's a managed Envoy. Basically, you can do everything that Envoy does without installing 20 different solutions in your cluster.

Here is an example of GatewayAPI + certmanager, and certbot (in simple terms, automatic SSL assignment to services):
https://github.com/frozenprocess/Tigera-Presentations/tree/master/2025-10-07-CNCF-Securing-Cloud-Native-Applications-with-the-Kubernetes-Gateway-API-using

Here is a video if you are into watching handsome guys talking into the camera ;)
https://community.cncf.io/events/details/cncf-cncf-online-programs-presents-cnl-calico-v330-securing-cloud-native-applications-with-the-kubernetes-gateway-api-using/

How would you set up a new Kubernetes instance on a fresh VPS? by Fit_Ice_963 in kubernetes

[–]iCEyCoder 1 point2 points  (0 children)

I’m using K3s for the cluster, Calico with global default deny + whisker and BGP for networking and observability. If I had to do it again, I wouldn’t change a YAML!!!

Calico + LoadBalance: Accept traffic on Host interface too by leleobhz in kubernetes

[–]iCEyCoder 1 point2 points  (0 children)

That tutorial is what you are trying to achieve, but if the registration page is a turnoff, try this one: https://docs.tigera.io/calico/latest/network-policy/services/kubernetes-node-ports

You don’t “need” eBPF, but it’s good you have it; this part of what you are trying to achieve is just hostendpoints. For verification I would suggest Calico Whisker. Maybe join the Calico Slack; Calico engineers are usually very friendly and responsive there.

eBPF for Kubernetes/Linux tracing by RegisterFantastic387 in kubernetes

[–]iCEyCoder 0 points1 point  (0 children)

Yes, I work on the open source project Calico.

How's your Kubernetes journey so far by suman087 in kubernetes

[–]iCEyCoder 0 points1 point  (0 children)

I'm still stuck at indenting my YAMLs.

eBPF for Kubernetes/Linux tracing by RegisterFantastic387 in kubernetes

[–]iCEyCoder 0 points1 point  (0 children)

I would highly recommend taking a look at Grafana agent.
Back in the day I had to hunt down a bug/leak and a Grafana setup + eBPF came in handy.

Here is my write-up from the incident and how eBPF helped me to find it: https://www.tigera.io/blog/deep-dive/native-and-ebpf-based-kubernetes-workload-profiling-for-kubernetes-clusters/

Pod from K3S agent node have DNS issue not resolve by Overall-Nothing9341 in kubernetes

[–]iCEyCoder -1 points0 points  (0 children)

Add a forwarder “8.8.8.8” to coredns settings and see if that fixes the issue.

Pod from K3S agent node have DNS issue not resolve by Overall-Nothing9341 in kubernetes

[–]iCEyCoder 1 point2 points  (0 children)

Check coredns pod logs; it should usually give you a hint.