Kubernetes 1.0 Networking: Surviving the Overlay Jungle in Production
Kubernetes hit v1.0 last month. The hype is real, and the promise of Google-style infrastructure for the rest of us is tantalizing. But if you have actually tried to deploy a multi-node cluster beyond a simple laptop demo, you’ve likely hit the wall that is networking.
In the Docker world, we got used to port mapping. It was messy, but we understood it. Kubernetes changes the rules. It demands a flat IP space where every Pod can talk to every other Pod without NAT. On bare metal, this is a routing challenge. On virtualized infrastructure, it's a nightmare of encapsulation.
I’ve spent the last three weeks debugging packet drops between minion nodes. Here is what you need to know to keep your cluster alive, and why your choice of VPS provider in Norway matters more than your yaml configs.
The "Flat Space" Lie
Kubernetes assumes a flat network. It doesn't care how you provide it, it just assumes that if Pod A (10.1.0.1) wants to talk to Pod B (10.2.0.1) on a different host, the network will deliver the packet.
Cloud providers like AWS simplify this with VPC routing tables. But for those of us running on independent infrastructure—which we should be doing for data sovereignty reasons here in Europe—we have to build the roads ourselves using Overlay Networks.
The Contenders: Flannel vs. Weave
Right now, in August 2015, you have two main choices for overlay networking if you aren't a BGP wizard configuring Calico.
1. Flannel (CoreOS)
Flannel is currently the de-facto standard. It creates a specific subnet for each host and uses etcd to store the mapping. It encapsulates packets in UDP (usually VXLAN) to ship them across hosts.
The Config Reality:
# /etc/sysconfig/flanneld
FLANNEL_ETCD="http://127.0.0.1:2379"
FLANNEL_ETCD_KEY="/coreos.com/network"
FLANNEL_OPTIONS="-iface=eth0"
The problem? Encapsulation overhead. Wrapping every packet inside a UDP packet burns CPU cycles. On a shared, low-quality VPS, this leads to jitter. If your host's CPU is stealing cycles (noisy neighbors), your network throughput tanks.
2. Weave
Weave creates a mesh. It's robust and can traverse firewalls easier than Flannel, but it adds complexity. In my benchmarks involving a simple Nginx load test, Weave consumed slightly more CPU in user-space than Flannel's kernel-space VXLAN approach.
The Hidden Bottleneck: Etcd Latency
Everyone talks about the overlay, but they ignore the brain. Kubernetes relies on etcd for state. If etcd slows down, your cluster creates a split-brain scenario. The kube-controller-manager starts killing pods it thinks are dead.
This is where disk I/O kills you.
Etcd uses the Raft consensus algorithm. It necessitates writing to disk (WAL) before confirming a write. If you are running your control plane on a budget VPS with standard spinning rust or oversold SSDs, the fsync latency will destroy your cluster stability.
Pro Tip: Check your disk latency. Run ioping -c 10 . on your data directory. If you see spikes over 10ms, your Kubernetes cluster will be unstable under load.
Why Infrastructure Choice is not Just "Commodity"
There is a misconception in the DevOps community that since we are using containers, the underlying OS and hardware don't matter. "It's just a dumb pipe," they say.
They are wrong.
When you run an overlay network like Flannel on top of a hypervisor, you are doing virtualization within virtualization. The packet path looks like this:
- App generates packet.
- Docker bridge handles it.
- Flannel encapsulates it (VXLAN).
- Host OS processes it.
- Hypervisor (KVM/Xen) processes it.
- Physical NIC sends it.
At CoolVDS, we specifically tune our KVM instances to minimize the "Hypervisor Tax." We don't use OpenVZ or container-based virtualization for our VPS nodes because the kernel resource contention causes packet loss in UDP overlays.
The Norwegian Latency Advantage
For those of us serving the Norwegian market, physics is the final boss. Routing traffic through Frankfurt or London adds 20-30ms. In a microservices architecture where one user request triggers 50 internal RPC calls, that latency compounds.
Hosting locally isn't just about patriotism or the Data Protection Directive (though keeping data within Datatilsynet's jurisdiction is smart); it's about the speed of light. Connecting to NIX (Norwegian Internet Exchange) ensures your internal cluster communication and external user traffic is as fast as the fiber allows.
Summary: Building for Stability
Kubernetes 1.0 is ready for the brave, but don't let the networking stack surprise you.
- Use Flannel with VXLAN for the best balance of setup ease and performance.
- Monitor
etcddisk latency religiously. - Avoid "Shared Core" VPS hosting. You need dedicated CPU cycles for packet encapsulation.
If you are planning a Kubernetes deployment, you need raw IOPS and deterministic CPU performance. CoolVDS offers pure NVMe storage and KVM isolation that respects your need for speed. Don't build a Ferrari engine and put it in a tractor.
Ready to test your cluster? Deploy a high-performance KVM instance in Oslo in under 55 seconds.