From 2c0a918315548e406789c21c1ef29d6ac6fdca9e Mon Sep 17 00:00:00 2001 From: Christopher Tauchen Date: Wed, 14 Jan 2026 10:09:12 +0000 Subject: [PATCH] Update MKE3 install guide DOCS-2625 --- .../install-on-clusters/docker-enterprise.mdx | 23 ++++++++++++----- .../install-on-clusters/docker-enterprise.mdx | 25 +++++++++++++------ .../install-on-clusters/docker-enterprise.mdx | 25 +++++++++++++------ .../install-on-clusters/docker-enterprise.mdx | 25 +++++++++++++------ .../install-on-clusters/docker-enterprise.mdx | 25 +++++++++++++------ 5 files changed, 89 insertions(+), 34 deletions(-) diff --git a/calico-enterprise/getting-started/install-on-clusters/docker-enterprise.mdx b/calico-enterprise/getting-started/install-on-clusters/docker-enterprise.mdx index 10632316d5..b5876d9c8d 100644 --- a/calico-enterprise/getting-started/install-on-clusters/docker-enterprise.mdx +++ b/calico-enterprise/getting-started/install-on-clusters/docker-enterprise.mdx @@ -1,12 +1,12 @@ --- -description: Install Calico Enterprise on an MKE cluster. +description: Install Calico Enterprise on an MKE 3 cluster. --- -# Mirantis Kubernetes Engine (MKE) +# Mirantis Kubernetes Engine (MKE 3) ## Big picture -Install $[prodname] on a Mirantis Kubernetes Engine (MKE) cluster (formerly Docker Enterprise). +Install $[prodname] on a Mirantis Kubernetes Engine (MKE 3) cluster (formerly Docker Enterprise). ## Before you begin 
@@ -23,14 +23,25 @@ The geeky details of what you get: **Required** -- A [compatible MKE cluster](../compatibility.mdx#mke) with: +- A [compatible MKE 3 cluster](../compatibility.mdx#mke) with: - A minimum of three nodes for non-production deployments - - CNI flag set to unmanaged, `--unmanaged-cni` so UCP does not install the default $[prodname] networking plugin + - CNI flag set to unmanaged, `--unmanaged-cni` so MKE 3 does not install the default $[prodname] networking plugin For help, see [Docker Enterprise](https://docs.docker.com/), and [Docker EE Best Practices and Design Considerations](https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-ref-arch/deploy-manage/best-practices-design.html) -- Install UCP control plane to access the cluster using [Docker Universal Control Plane CLI-Based Access](https://dockerlabs.collabnix.com/advanced/Docker-UCP-overview.html). After installing the control plane, enable the option "Allow all authenticated users, including service accounts, to schedule on all nodes, including UCP managers and DTR nodes." +- To access the MKE 3 control plane via the CLI, you must download a Client Certificate Bundle from the web UI, which contains the necessary TLS certificates and environment scripts to authenticate kubectl and docker commands. + For more information, see [Access an MKE cluster (Client Bundles)](https://docs.mirantis.com/mke/3.8/ops/access-cluster.html). +- Configure MKE 3 to allow the service account `tigera-operator` to schedule CNI workloads on all nodes in the cluster. + This can be done by executing the following command. + Refer to the MKE 3 documentation around obtaining an admin bearer authentication token for making this call. + + ```bash + curl -k -H "Authorization: Bearer " -X PUT https:///collectionGrants/system:serviceaccount:tigera-operator:tigera-operator/swarm/scheduler + ``` + Replace the following: + * ``: The value of bearer admin token. + * ``: The public IP for any manager node in the cluster. 
- Cluster meets [system requirements](requirements.mdx) diff --git a/calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/docker-enterprise.mdx b/calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/docker-enterprise.mdx index 1d69103ef5..c9b65e1bda 100644 --- a/calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/docker-enterprise.mdx +++ b/calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/docker-enterprise.mdx @@ -1,12 +1,12 @@ --- -description: Install Calico Enterprise on an MKE cluster. +description: Install Calico Enterprise on an MKE 3 cluster. --- -# Mirantis Kubernetes Engine (MKE) +# Mirantis Kubernetes Engine (MKE 3) ## Big picture -Install $[prodname] on a Mirantis Kubernetes Engine (MKE) cluster (formerly Docker Enterprise). +Install $[prodname] on a Mirantis Kubernetes Engine (MKE 3) cluster (formerly Docker Enterprise). ## Before you begin 
@@ -23,14 +23,25 @@ The geeky details of what you get: **Required** -- A [compatible MKE cluster](../compatibility.mdx#mke) with: +- A [compatible MKE 3 cluster](../compatibility.mdx#mke) with: - A minimum of three nodes for non-production deployments - - CNI flag set to unmanaged, `--unmanaged-cni` so UCP does not install the default $[prodname] networking plugin + - CNI flag set to unmanaged, `--unmanaged-cni` so MKE 3 does not install the default $[prodname] networking plugin For help, see [Docker Enterprise](https://docs.docker.com/), and [Docker EE Best Practices and Design Considerations](https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-ref-arch/deploy-manage/best-practices-design.html) -- Install UCP control plane to access the cluster using [Docker Universal Control Plane CLI-Based Access](https://dockerlabs.collabnix.com/advanced/Docker-UCP-overview.html). After installing the control plane, enable the option "Allow all authenticated users, including service accounts, to schedule on all nodes, including UCP managers and DTR nodes." +- To access the MKE 3 control plane via the CLI, you must download a Client Certificate Bundle from the web UI, which contains the necessary TLS certificates and environment scripts to authenticate kubectl and docker commands. + For more information, see [Access an MKE cluster (Client Bundles)](https://docs.mirantis.com/mke/3.8/ops/access-cluster.html). +- Configure MKE 3 to allow the service account `tigera-operator` to schedule CNI workloads on all nodes in the cluster. + This can be done by executing the following command. + Refer to the MKE 3 documentation around obtaining an admin bearer authentication token for making this call. + + ```bash + curl -k -H "Authorization: Bearer " -X PUT https:///collectionGrants/system:serviceaccount:tigera-operator:tigera-operator/swarm/scheduler + ``` + Replace the following: + * ``: The value of bearer admin token. + * ``: The public IP for any manager node in the cluster. 
- Cluster meets [system requirements](requirements.mdx) @@ -128,4 +139,4 @@ watch kubectl get tigerastatus **Recommended - Security** -- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx) +- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx) \ No newline at end of file diff --git a/calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/docker-enterprise.mdx b/calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/docker-enterprise.mdx index 1d69103ef5..c9b65e1bda 100644 --- a/calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/docker-enterprise.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/docker-enterprise.mdx @@ -1,12 +1,12 @@ --- -description: Install Calico Enterprise on an MKE cluster. +description: Install Calico Enterprise on an MKE 3 cluster. --- -# Mirantis Kubernetes Engine (MKE) +# Mirantis Kubernetes Engine (MKE 3) ## Big picture -Install $[prodname] on a Mirantis Kubernetes Engine (MKE) cluster (formerly Docker Enterprise). +Install $[prodname] on a Mirantis Kubernetes Engine (MKE 3) cluster (formerly Docker Enterprise). ## Before you begin 
@@ -23,14 +23,25 @@ The geeky details of what you get: **Required** -- A [compatible MKE cluster](../compatibility.mdx#mke) with: +- A [compatible MKE 3 cluster](../compatibility.mdx#mke) with: - A minimum of three nodes for non-production deployments - - CNI flag set to unmanaged, `--unmanaged-cni` so UCP does not install the default $[prodname] networking plugin + - CNI flag set to unmanaged, `--unmanaged-cni` so MKE 3 does not install the default $[prodname] networking plugin For help, see [Docker Enterprise](https://docs.docker.com/), and [Docker EE Best Practices and Design Considerations](https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-ref-arch/deploy-manage/best-practices-design.html) -- Install UCP control plane to access the cluster using [Docker Universal Control Plane CLI-Based Access](https://dockerlabs.collabnix.com/advanced/Docker-UCP-overview.html). After installing the control plane, enable the option "Allow all authenticated users, including service accounts, to schedule on all nodes, including UCP managers and DTR nodes." +- To access the MKE 3 control plane via the CLI, you must download a Client Certificate Bundle from the web UI, which contains the necessary TLS certificates and environment scripts to authenticate kubectl and docker commands. + For more information, see [Access an MKE cluster (Client Bundles)](https://docs.mirantis.com/mke/3.8/ops/access-cluster.html). +- Configure MKE 3 to allow the service account `tigera-operator` to schedule CNI workloads on all nodes in the cluster. + This can be done by executing the following command. + Refer to the MKE 3 documentation around obtaining an admin bearer authentication token for making this call. + + ```bash + curl -k -H "Authorization: Bearer " -X PUT https:///collectionGrants/system:serviceaccount:tigera-operator:tigera-operator/swarm/scheduler + ``` + Replace the following: + * ``: The value of bearer admin token. + * ``: The public IP for any manager node in the cluster. 
- Cluster meets [system requirements](requirements.mdx) @@ -128,4 +139,4 @@ watch kubectl get tigerastatus **Recommended - Security** -- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx) +- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx) \ No newline at end of file diff --git a/calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/docker-enterprise.mdx b/calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/docker-enterprise.mdx index 10632316d5..16e959837c 100644 --- a/calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/docker-enterprise.mdx +++ b/calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/docker-enterprise.mdx @@ -1,12 +1,12 @@ --- -description: Install Calico Enterprise on an MKE cluster. +description: Install Calico Enterprise on an MKE 3 cluster. --- -# Mirantis Kubernetes Engine (MKE) +# Mirantis Kubernetes Engine (MKE 3) ## Big picture -Install $[prodname] on a Mirantis Kubernetes Engine (MKE) cluster (formerly Docker Enterprise). +Install $[prodname] on a Mirantis Kubernetes Engine (MKE 3) cluster (formerly Docker Enterprise). ## Before you begin 
@@ -23,14 +23,25 @@ The geeky details of what you get: **Required** -- A [compatible MKE cluster](../compatibility.mdx#mke) with: +- A [compatible MKE 3 cluster](../compatibility.mdx#mke) with: - A minimum of three nodes for non-production deployments - - CNI flag set to unmanaged, `--unmanaged-cni` so UCP does not install the default $[prodname] networking plugin + - CNI flag set to unmanaged, `--unmanaged-cni` so MKE 3 does not install the default $[prodname] networking plugin For help, see [Docker Enterprise](https://docs.docker.com/), and [Docker EE Best Practices and Design Considerations](https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-ref-arch/deploy-manage/best-practices-design.html) -- Install UCP control plane to access the cluster using [Docker Universal Control Plane CLI-Based Access](https://dockerlabs.collabnix.com/advanced/Docker-UCP-overview.html). After installing the control plane, enable the option "Allow all authenticated users, including service accounts, to schedule on all nodes, including UCP managers and DTR nodes." +- To access the MKE 3 control plane via the CLI, you must download a Client Certificate Bundle from the web UI, which contains the necessary TLS certificates and environment scripts to authenticate kubectl and docker commands. + For more information, see [Access an MKE cluster (Client Bundles)](https://docs.mirantis.com/mke/3.8/ops/access-cluster.html). +- Configure MKE 3 to allow the service account `tigera-operator` to schedule CNI workloads on all nodes in the cluster. + This can be done by executing the following command. + Refer to the MKE 3 documentation around obtaining an admin bearer authentication token for making this call. + + ```bash + curl -k -H "Authorization: Bearer " -X PUT https:///collectionGrants/system:serviceaccount:tigera-operator:tigera-operator/swarm/scheduler + ``` + Replace the following: + * ``: The value of bearer admin token. + * ``: The public IP for any manager node in the cluster. 
- Cluster meets [system requirements](requirements.mdx) @@ -129,4 +140,4 @@ watch kubectl get tigerastatus **Recommended - Security** -- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx) +- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx) \ No newline at end of file diff --git a/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/docker-enterprise.mdx b/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/docker-enterprise.mdx index 10632316d5..16e959837c 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/docker-enterprise.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/docker-enterprise.mdx @@ -1,12 +1,12 @@ --- -description: Install Calico Enterprise on an MKE cluster. +description: Install Calico Enterprise on an MKE 3 cluster. --- -# Mirantis Kubernetes Engine (MKE) +# Mirantis Kubernetes Engine (MKE 3) ## Big picture -Install $[prodname] on a Mirantis Kubernetes Engine (MKE) cluster (formerly Docker Enterprise). +Install $[prodname] on a Mirantis Kubernetes Engine (MKE 3) cluster (formerly Docker Enterprise). ## Before you begin 
@@ -23,14 +23,25 @@ The geeky details of what you get: **Required** -- A [compatible MKE cluster](../compatibility.mdx#mke) with: +- A [compatible MKE 3 cluster](../compatibility.mdx#mke) with: - A minimum of three nodes for non-production deployments - - CNI flag set to unmanaged, `--unmanaged-cni` so UCP does not install the default $[prodname] networking plugin + - CNI flag set to unmanaged, `--unmanaged-cni` so MKE 3 does not install the default $[prodname] networking plugin For help, see [Docker Enterprise](https://docs.docker.com/), and [Docker EE Best Practices and Design Considerations](https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-ref-arch/deploy-manage/best-practices-design.html) -- Install UCP control plane to access the cluster using [Docker Universal Control Plane CLI-Based Access](https://dockerlabs.collabnix.com/advanced/Docker-UCP-overview.html). After installing the control plane, enable the option "Allow all authenticated users, including service accounts, to schedule on all nodes, including UCP managers and DTR nodes." +- To access the MKE 3 control plane via the CLI, you must download a Client Certificate Bundle from the web UI, which contains the necessary TLS certificates and environment scripts to authenticate kubectl and docker commands. + For more information, see [Access an MKE cluster (Client Bundles)](https://docs.mirantis.com/mke/3.8/ops/access-cluster.html). +- Configure MKE 3 to allow the service account `tigera-operator` to schedule CNI workloads on all nodes in the cluster. + This can be done by executing the following command. + Refer to the MKE 3 documentation around obtaining an admin bearer authentication token for making this call. + + ```bash + curl -k -H "Authorization: Bearer " -X PUT https:///collectionGrants/system:serviceaccount:tigera-operator:tigera-operator/swarm/scheduler + ``` + Replace the following: + * ``: The value of bearer admin token. + * ``: The public IP for any manager node in the cluster. 
- Cluster meets [system requirements](requirements.mdx) @@ -129,4 +140,4 @@ watch kubectl get tigerastatus **Recommended - Security** -- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx) +- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx) \ No newline at end of file
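Review bot: The added `curl -k -H "Authorization: Bearer ..."` command in the `@@ -23,14 +23,25 @@` hunk (identical in all five copies of docker-enterprise.mdx) sends an admin bearer token with TLS certificate verification turned off, to what the text describes as the public IP of a manager node. The bullet directly above says the client bundle already contains the necessary TLS certificates, so the documented command could verify the server with `--cacert` pointing at the bundle's CA certificate instead of `-k`; if `-k` must stay for clusters with self-signed certificates, say so in the text. In the same block, the placeholders are empty as they appear in this patch: the header reads `Bearer ` with nothing after it, the URL is `https:///collectionGrants/...` with no host, and both entries under "Replace the following" are empty inline-code spans. If angle-bracket names were intended, check that they survive MDX rendering so readers can tell which value goes where. The sentence about obtaining an admin bearer token also carries no link, unlike the client-bundle bullet above it.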
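Review bot: The last hunk in the four versioned copies (`@@ -128,4 +139,4 @@` for version-3.19-2 and version-3.20-2, `@@ -129,4 +140,4 @@` for version-3.21-2 and version-3.22-2) replaces the tiered network policy link with identical text and only drops the trailing newline, as the `\ No newline at end of file` marker shows. That is unrelated to the MKE 3 update; restore the final newline so these hunks drop out of the patch and the versioned files stay consistent with the unversioned copy, which has no such hunk.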