Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
---
description: Install Calico Enterprise on an MKE cluster.
description: Install Calico Enterprise on an MKE 3 cluster.
---

# Mirantis Kubernetes Engine (MKE)
# Mirantis Kubernetes Engine (MKE 3)

## Big picture

Install $[prodname] on a Mirantis Kubernetes Engine (MKE) cluster (formerly Docker Enterprise).
Install $[prodname] on a Mirantis Kubernetes Engine (MKE 3) cluster (formerly Docker Enterprise).

## Before you begin
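
Review bot: In the H1 and the "Big picture" sentence, the parenthetical no longer matches the name it abbreviates: "Mirantis Kubernetes Engine (MKE 3)" expands MKE but not the 3. Consider "Mirantis Kubernetes Engine 3 (MKE 3)" in both places so the version reads as part of the product name and not only of the abbreviation.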

Expand All @@ -23,14 +23,25 @@

**Required**

- A [compatible MKE cluster](../compatibility.mdx#mke) with:
- A [compatible MKE 3 cluster](../compatibility.mdx#mke) with:

- A minimum of three nodes for non-production deployments
- CNI flag set to unmanaged, `--unmanaged-cni` so UCP does not install the default $[prodname] networking plugin
- CNI flag set to unmanaged, `--unmanaged-cni` so MKE 3 does not install the default $[prodname] networking plugin

Check failure on line 29 in calico-enterprise/getting-started/install-on-clusters/docker-enterprise.mdx

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'unmanaged'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'unmanaged'?", "location": {"path": "calico-enterprise/getting-started/install-on-clusters/docker-enterprise.mdx", "range": {"start": {"line": 29, "column": 21}}}, "severity": "ERROR"}

For help, see [Docker Enterprise](https://docs.docker.com/), and [Docker EE Best Practices and Design Considerations](https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-ref-arch/deploy-manage/best-practices-design.html)

- Install UCP control plane to access the cluster using [Docker Universal Control Plane CLI-Based Access](https://dockerlabs.collabnix.com/advanced/Docker-UCP-overview.html). After installing the control plane, enable the option "Allow all authenticated users, including service accounts, to schedule on all nodes, including UCP managers and DTR nodes."
- To access the MKE 3 control plane via the CLI, you must download a Client Certificate Bundle from the web UI, which contains the necessary TLS certificates and environment scripts to authenticate kubectl and docker commands.

Check failure on line 33 in calico-enterprise/getting-started/install-on-clusters/docker-enterprise.mdx

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'kubectl'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'kubectl'?", "location": {"path": "calico-enterprise/getting-started/install-on-clusters/docker-enterprise.mdx", "range": {"start": {"line": 33, "column": 199}}}, "severity": "ERROR"}
For more information, see [Access an MKE cluster (Client Bundles)](https://docs.mirantis.com/mke/3.8/ops/access-cluster.html).
- Configure MKE 3 to allow the service account `tigera-operator` to schedule CNI workloads on all nodes in the cluster.
This can be done by executing the following command.
Refer to the MKE 3 documentation around obtaining an admin bearer authentication token for making this call.

```bash
curl -k -H "Authorization: Bearer <authentication-token>" -X PUT https://<manager-node-IP>/collectionGrants/system:serviceaccount:tigera-operator:tigera-operator/swarm/scheduler
Copilot AI Jan 14, 2026

The placeholder <authentication-token> is inconsistent with the variable name AUTHTOKEN used in the explanation below. Use <AUTHTOKEN> in the code snippet to match the explanation.

Suggested change
curl -k -H "Authorization: Bearer <authentication-token>" -X PUT https://<manager-node-IP>/collectionGrants/system:serviceaccount:tigera-operator:tigera-operator/swarm/scheduler
curl -k -H "Authorization: Bearer <AUTHTOKEN>" -X PUT https://<manager-node-IP>/collectionGrants/system:serviceaccount:tigera-operator:tigera-operator/swarm/scheduler

```
Replace the following:
* `<authentication-token>`: The value of bearer admin token.
* `<manager-node-IP>`: The public IP for any manager node in the cluster.

- Cluster meets [system requirements](requirements.mdx)
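
Review bot: The added `curl -k` command turns off TLS certificate verification on a request that carries an admin bearer token, so the token is sent to whatever host answers at `<manager-node-IP>`. The bullet just above already has the reader download the client certificate bundle with the cluster's TLS certificates; suggest dropping `-k` and pointing `--cacert` at the CA certificate from that bundle, or at least stating that `-k` is only acceptable on a trusted network. The same command appears in the versioned copies of this page.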

Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
---
description: Install Calico Enterprise on an MKE cluster.
description: Install Calico Enterprise on an MKE 3 cluster.
---

# Mirantis Kubernetes Engine (MKE)
# Mirantis Kubernetes Engine (MKE 3)

## Big picture

Install $[prodname] on a Mirantis Kubernetes Engine (MKE) cluster (formerly Docker Enterprise).
Install $[prodname] on a Mirantis Kubernetes Engine (MKE 3) cluster (formerly Docker Enterprise).

## Before you begin

Expand All @@ -23,14 +23,25 @@

**Required**

- A [compatible MKE cluster](../compatibility.mdx#mke) with:
- A [compatible MKE 3 cluster](../compatibility.mdx#mke) with:

- A minimum of three nodes for non-production deployments
- CNI flag set to unmanaged, `--unmanaged-cni` so UCP does not install the default $[prodname] networking plugin
- CNI flag set to unmanaged, `--unmanaged-cni` so MKE 3 does not install the default $[prodname] networking plugin

Check failure on line 29 in calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/docker-enterprise.mdx

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'unmanaged'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'unmanaged'?", "location": {"path": "calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/docker-enterprise.mdx", "range": {"start": {"line": 29, "column": 21}}}, "severity": "ERROR"}

For help, see [Docker Enterprise](https://docs.docker.com/), and [Docker EE Best Practices and Design Considerations](https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-ref-arch/deploy-manage/best-practices-design.html)

- Install UCP control plane to access the cluster using [Docker Universal Control Plane CLI-Based Access](https://dockerlabs.collabnix.com/advanced/Docker-UCP-overview.html). After installing the control plane, enable the option "Allow all authenticated users, including service accounts, to schedule on all nodes, including UCP managers and DTR nodes."
- To access the MKE 3 control plane via the CLI, you must download a Client Certificate Bundle from the web UI, which contains the necessary TLS certificates and environment scripts to authenticate kubectl and docker commands.

Check failure on line 33 in calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/docker-enterprise.mdx

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'kubectl'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'kubectl'?", "location": {"path": "calico-enterprise_versioned_docs/version-3.19-2/getting-started/install-on-clusters/docker-enterprise.mdx", "range": {"start": {"line": 33, "column": 199}}}, "severity": "ERROR"}
For more information, see [Access an MKE cluster (Client Bundles)](https://docs.mirantis.com/mke/3.8/ops/access-cluster.html).
- Configure MKE 3 to allow the service account `tigera-operator` to schedule CNI workloads on all nodes in the cluster.
This can be done by executing the following command.
Refer to the MKE 3 documentation around obtaining an admin bearer authentication token for making this call.

```bash
curl -k -H "Authorization: Bearer <authentication-token>" -X PUT https://<manager-node-IP>/collectionGrants/system:serviceaccount:tigera-operator:tigera-operator/swarm/scheduler
```
Replace the following:
* `<authentication-token>`: The value of bearer admin token.
* `<manager-node-IP>`: The public IP for any manager node in the cluster.

- Cluster meets [system requirements](requirements.mdx)
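
Review bot: The added sentence "Refer to the MKE 3 documentation around obtaining an admin bearer authentication token for making this call." gives no link, while the client bundle bullet above it links straight to the Mirantis page. Link the token procedure the same way, and since the token is pasted directly into the `curl` command line, consider a short reminder to keep it out of shell history.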

Expand Down Expand Up @@ -128,4 +139,4 @@

**Recommended - Security**

- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx)
- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx)
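
Review bot: The removed and added lines in this last hunk read identically (the tiered network policy link), so the change is presumably whitespace or the end-of-file newline. If that is unintended, drop it from the PR to keep the diff limited to the MKE 3 changes; if it is intended, a word in the PR description would help.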
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
---
description: Install Calico Enterprise on an MKE cluster.
description: Install Calico Enterprise on an MKE 3 cluster.
---

# Mirantis Kubernetes Engine (MKE)
# Mirantis Kubernetes Engine (MKE 3)

## Big picture

Install $[prodname] on a Mirantis Kubernetes Engine (MKE) cluster (formerly Docker Enterprise).
Install $[prodname] on a Mirantis Kubernetes Engine (MKE 3) cluster (formerly Docker Enterprise).

## Before you begin

Expand All @@ -23,14 +23,25 @@

**Required**

- A [compatible MKE cluster](../compatibility.mdx#mke) with:
- A [compatible MKE 3 cluster](../compatibility.mdx#mke) with:

- A minimum of three nodes for non-production deployments
- CNI flag set to unmanaged, `--unmanaged-cni` so UCP does not install the default $[prodname] networking plugin
- CNI flag set to unmanaged, `--unmanaged-cni` so MKE 3 does not install the default $[prodname] networking plugin

Check failure on line 29 in calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/docker-enterprise.mdx

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'unmanaged'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'unmanaged'?", "location": {"path": "calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/docker-enterprise.mdx", "range": {"start": {"line": 29, "column": 21}}}, "severity": "ERROR"}

For help, see [Docker Enterprise](https://docs.docker.com/), and [Docker EE Best Practices and Design Considerations](https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-ref-arch/deploy-manage/best-practices-design.html)

- Install UCP control plane to access the cluster using [Docker Universal Control Plane CLI-Based Access](https://dockerlabs.collabnix.com/advanced/Docker-UCP-overview.html). After installing the control plane, enable the option "Allow all authenticated users, including service accounts, to schedule on all nodes, including UCP managers and DTR nodes."
- To access the MKE 3 control plane via the CLI, you must download a Client Certificate Bundle from the web UI, which contains the necessary TLS certificates and environment scripts to authenticate kubectl and docker commands.

Check failure on line 33 in calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/docker-enterprise.mdx

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'kubectl'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'kubectl'?", "location": {"path": "calico-enterprise_versioned_docs/version-3.20-2/getting-started/install-on-clusters/docker-enterprise.mdx", "range": {"start": {"line": 33, "column": 199}}}, "severity": "ERROR"}
For more information, see [Access an MKE cluster (Client Bundles)](https://docs.mirantis.com/mke/3.8/ops/access-cluster.html).
- Configure MKE 3 to allow the service account `tigera-operator` to schedule CNI workloads on all nodes in the cluster.
This can be done by executing the following command.
Refer to the MKE 3 documentation around obtaining an admin bearer authentication token for making this call.

```bash
curl -k -H "Authorization: Bearer <authentication-token>" -X PUT https://<manager-node-IP>/collectionGrants/system:serviceaccount:tigera-operator:tigera-operator/swarm/scheduler
```
Replace the following:
* `<authentication-token>`: The value of bearer admin token.
* `<manager-node-IP>`: The public IP for any manager node in the cluster.

- Cluster meets [system requirements](requirements.mdx)
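
Review bot: In the "Replace the following:" list, "The value of bearer admin token." is missing an article and orders the words differently from "admin bearer authentication token" two lines earlier. Suggest "The admin bearer token." and one term throughout; the list also uses `*` bullets where the rest of the page uses `-`.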

Expand Down Expand Up @@ -128,4 +139,4 @@

**Recommended - Security**

- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx)
- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx)
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
---
description: Install Calico Enterprise on an MKE cluster.
description: Install Calico Enterprise on an MKE 3 cluster.
---

# Mirantis Kubernetes Engine (MKE)
# Mirantis Kubernetes Engine (MKE 3)

## Big picture

Install $[prodname] on a Mirantis Kubernetes Engine (MKE) cluster (formerly Docker Enterprise).
Install $[prodname] on a Mirantis Kubernetes Engine (MKE 3) cluster (formerly Docker Enterprise).

## Before you begin

Expand All @@ -23,14 +23,25 @@

**Required**

- A [compatible MKE cluster](../compatibility.mdx#mke) with:
- A [compatible MKE 3 cluster](../compatibility.mdx#mke) with:

- A minimum of three nodes for non-production deployments
- CNI flag set to unmanaged, `--unmanaged-cni` so UCP does not install the default $[prodname] networking plugin
- CNI flag set to unmanaged, `--unmanaged-cni` so MKE 3 does not install the default $[prodname] networking plugin

Check failure on line 29 in calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/docker-enterprise.mdx

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'unmanaged'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'unmanaged'?", "location": {"path": "calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/docker-enterprise.mdx", "range": {"start": {"line": 29, "column": 21}}}, "severity": "ERROR"}

For help, see [Docker Enterprise](https://docs.docker.com/), and [Docker EE Best Practices and Design Considerations](https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-ref-arch/deploy-manage/best-practices-design.html)

- Install UCP control plane to access the cluster using [Docker Universal Control Plane CLI-Based Access](https://dockerlabs.collabnix.com/advanced/Docker-UCP-overview.html). After installing the control plane, enable the option "Allow all authenticated users, including service accounts, to schedule on all nodes, including UCP managers and DTR nodes."
- To access the MKE 3 control plane via the CLI, you must download a Client Certificate Bundle from the web UI, which contains the necessary TLS certificates and environment scripts to authenticate kubectl and docker commands.

Check failure on line 33 in calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/docker-enterprise.mdx

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'kubectl'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'kubectl'?", "location": {"path": "calico-enterprise_versioned_docs/version-3.21-2/getting-started/install-on-clusters/docker-enterprise.mdx", "range": {"start": {"line": 33, "column": 199}}}, "severity": "ERROR"}
For more information, see [Access an MKE cluster (Client Bundles)](https://docs.mirantis.com/mke/3.8/ops/access-cluster.html).
- Configure MKE 3 to allow the service account `tigera-operator` to schedule CNI workloads on all nodes in the cluster.
This can be done by executing the following command.
Refer to the MKE 3 documentation around obtaining an admin bearer authentication token for making this call.

```bash
curl -k -H "Authorization: Bearer <authentication-token>" -X PUT https://<manager-node-IP>/collectionGrants/system:serviceaccount:tigera-operator:tigera-operator/swarm/scheduler
```
Replace the following:
* `<authentication-token>`: The value of bearer admin token.
* `<manager-node-IP>`: The public IP for any manager node in the cluster.

- Cluster meets [system requirements](requirements.mdx)
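
Review bot: The unchanged "For help, see [Docker Enterprise]" line in the middle of this hunk still uses the old product names and links to docs.docker.com and a v3.0 Docker Enterprise page, while every line around it now says MKE 3. Either update that line to current Mirantis documentation in this PR or remove it, so the prerequisites do not mix the two naming schemes.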

Expand Down Expand Up @@ -129,4 +140,4 @@

**Recommended - Security**

- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx)
- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx)
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
---
description: Install Calico Enterprise on an MKE cluster.
description: Install Calico Enterprise on an MKE 3 cluster.
---

# Mirantis Kubernetes Engine (MKE)
# Mirantis Kubernetes Engine (MKE 3)

## Big picture

Install $[prodname] on a Mirantis Kubernetes Engine (MKE) cluster (formerly Docker Enterprise).
Install $[prodname] on a Mirantis Kubernetes Engine (MKE 3) cluster (formerly Docker Enterprise).

## Before you begin

Expand All @@ -23,14 +23,25 @@

**Required**

- A [compatible MKE cluster](../compatibility.mdx#mke) with:
- A [compatible MKE 3 cluster](../compatibility.mdx#mke) with:

- A minimum of three nodes for non-production deployments
- CNI flag set to unmanaged, `--unmanaged-cni` so UCP does not install the default $[prodname] networking plugin
- CNI flag set to unmanaged, `--unmanaged-cni` so MKE 3 does not install the default $[prodname] networking plugin

Check failure on line 29 in calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/docker-enterprise.mdx

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'unmanaged'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'unmanaged'?", "location": {"path": "calico-enterprise_versioned_docs/version-3.22-2/getting-started/install-on-clusters/docker-enterprise.mdx", "range": {"start": {"line": 29, "column": 21}}}, "severity": "ERROR"}

For help, see [Docker Enterprise](https://docs.docker.com/), and [Docker EE Best Practices and Design Considerations](https://docs.mirantis.com/docker-enterprise/v3.0/dockeree-ref-arch/deploy-manage/best-practices-design.html)

- Install UCP control plane to access the cluster using [Docker Universal Control Plane CLI-Based Access](https://dockerlabs.collabnix.com/advanced/Docker-UCP-overview.html). After installing the control plane, enable the option "Allow all authenticated users, including service accounts, to schedule on all nodes, including UCP managers and DTR nodes."
- To access the MKE 3 control plane via the CLI, you must download a Client Certificate Bundle from the web UI, which contains the necessary TLS certificates and environment scripts to authenticate kubectl and docker commands.
For more information, see [Access an MKE cluster (Client Bundles)](https://docs.mirantis.com/mke/3.8/ops/access-cluster.html).
- Configure MKE 3 to allow the service account `tigera-operator` to schedule CNI workloads on all nodes in the cluster.
This can be done by executing the following command.
Refer to the MKE 3 documentation around obtaining an admin bearer authentication token for making this call.

```bash
curl -k -H "Authorization: Bearer <authentication-token>" -X PUT https://<manager-node-IP>/collectionGrants/system:serviceaccount:tigera-operator:tigera-operator/swarm/scheduler
```
Replace the following:
* `<authentication-token>`: The value of bearer admin token.
* `<manager-node-IP>`: The public IP for any manager node in the cluster.

- Cluster meets [system requirements](requirements.mdx)
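
Review bot: The removed bullet told readers to enable "Allow all authenticated users, including service accounts, to schedule on all nodes", and the replacement grants scheduling to the single `tigera-operator` service account, but nothing tells existing installs what to do with the old setting. Consider adding a sentence on whether that option can be turned off once the `collectionGrants` call has been made, so clusters set up under the previous instructions end up with the narrower permission too.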

Expand Down Expand Up @@ -129,4 +140,4 @@

**Recommended - Security**

- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx)
- [Get started with $[prodname] tiered network policy](../../network-policy/policy-tiers/tiered-policy.mdx)