Kubernetes Networking Deep Dive: Surviving the Overlay Chaos in 2020
Let’s be honest. Kubernetes networking is a black box that works beautifully until it doesn't. You apply a manifest, a Service gets an IP, and traffic flows. Magic. But when latency spikes or packets drop between nodes, that abstraction layer becomes a nightmare.
It is October 2020. We are living in the wake of the Schrems II ruling from July, effectively killing the Privacy Shield. If you are running sensitive workloads for Norwegian clients on US-owned clouds, your legal team is likely panicking. You need control. You need to know exactly where your packets are going.
I’ve spent the last month debugging a microservices cluster that was throwing random 502s. The culprit wasn't the code. It was a saturated conntrack table on the host. This guide isn't about the basics of Service or Ingress. This is about what happens underneath, how to optimize it, and why the underlying metal, specifically a high-performance Norwegian VPS like CoolVDS, matters more than ever.
The CNI Battlefield: Calico vs. Flannel in 2020
The Container Network Interface (CNI) is the first decision you make, and often the one you regret later. In 2020, the debate usually settles on Flannel vs. Calico.
Flannel is the "it just works" option. It creates a simple VXLAN overlay. But VXLAN entails encapsulation overhead. Every packet is wrapped in UDP, sent across the wire, and unwrapped. On a low-quality VPS with noisy neighbors, this CPU overhead adds up.
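You can see that wrapper for yourself on any Flannel node. A quick check, assuming the default VXLAN backend and its usual flannel.1 interface name:

# Flannel's VXLAN device: note the vxlan details and the reduced MTU (typically 1450)
ip -d link show flannel.1

# Compare with the MTU of the physical interface (name will vary per host)
ip link show eth0

Those missing ~50 bytes per packet are the encapsulation tax, and the CPU pays for every wrap and unwrap.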
My choice? Calico. Why? Because Calico can run in Pure IP mode (without encapsulation) if your underlay network supports it, or use IPIP which is generally lighter than VXLAN. More importantly, it supports Network Policies. Security is not optional.
Here is how you define a Calico IPPool to enable IPIP encapsulation only when crossing subnet boundaries (Cross-Subnet), which saves CPU cycles on traffic within the same rack:
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: default-ipv4-ippool
spec:
  cidr: 192.168.0.0/16
  ipipMode: CrossSubnet
  natOutgoing: true

This configuration is a performance savior. It tells Calico: "If the nodes are on the same L2 network, just route the packets natively. Don't wrap them." This is where hosting on CoolVDS shines. Their flattened network architecture allows for efficient peer-to-peer traffic between instances, reducing the jitter that kills overlay networks.
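A quick way to apply and verify the pool, assuming calicoctl is installed and pointed at your datastore (the file name is whatever you saved the manifest as):

# Apply the IPPool manifest
calicoctl apply -f ippool.yaml

# Verify the mode took effect; look for IPIPMODE set to CrossSubnet
calicoctl get ippool default-ipv4-ippool -o wide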
The Bottleneck: iptables vs. IPVS
By default, Kubernetes uses iptables to implement Services. kube-proxy watches the API server and updates iptables rules on every node. This works fine for 50 services. It fails hard at 5,000.
In iptables mode, traffic is load-balanced via a long list of linear rules. O(n) complexity. Every packet has to traverse this list. I recently migrated a cluster handling high-frequency trading data, and kube-proxy alone was eating 20% of each node's CPU just updating rules.
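Want to see how long that list gets on your own nodes? A rough count of the NAT rules kube-proxy programs, run on a node as root and assuming kube-proxy is still in iptables mode:

# Number of per-Service load-balancing chains kube-proxy has created
sudo iptables-save -t nat | grep -c 'KUBE-SVC-'

# Total NAT rules on the node; rule updates get slower as this grows
sudo iptables-save -t nat | wc -l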
The Fix: Switch to IPVS (IP Virtual Server).
IPVS is built on top of the Netfilter framework but uses hash tables. Complexity is O(1). It doesn't care if you have 10 services or 10,000. It is stable.
To check what mode you are running, check the logs of your kube-proxy pod:
kubectl logs -n kube-system -l k8s-app=kube-proxy

If you see "Using iptables Proxier", it is time to upgrade. First, ensure the IPVS kernel modules are loaded on your underlying Linux host. On a CoolVDS NVMe instance running Ubuntu 20.04 or CentOS 8, you run:
modprobe ip_vs
modprobe ip_vs_rr
modprobe ip_vs_wrr
modprobe ip_vs_sh
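modprobe only lasts until the next reboot. A small sketch to load the modules persistently on a systemd-based host (the file path is my choice; kernels older than 4.19 want nf_conntrack_ipv4 instead of nf_conntrack):

# Load the IPVS modules on every boot
cat <<EOF | sudo tee /etc/modules-load.d/ipvs.conf
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
EOF

# Confirm they are loaded right now
lsmod | grep -e ip_vs -e nf_conntrack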
Then, update your kube-proxy ConfigMap to enable IPVS mode:

apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: "ipvs"
ipvs:
  strictARP: true
  tcpTimeout: 0s
  tcpFinTimeout: 0s
  udpTimeout: 0s

Pro Tip: Enabling strictARP is often required for MetalLB if you are running a bare-metal style LoadBalancer on your VPS.
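After the config change, kube-proxy has to restart to switch proxiers. A sketch of the workflow on a kubeadm-style cluster, assuming ipvsadm is installed on the node for verification:

# Edit the mode field in the kube-proxy ConfigMap
kubectl -n kube-system edit configmap kube-proxy

# Restart the kube-proxy DaemonSet so every node reloads the config
kubectl -n kube-system rollout restart daemonset kube-proxy

# On a node: with IPVS active, each Service IP shows up as a virtual server
sudo ipvsadm -Ln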
Ingress Controllers: NGINX is Still King

While Traefik v2 is gaining traction with its fancy middleware, the NGINX Ingress Controller remains the battle-tested standard for 2020. It is predictable. However, the default settings are too conservative for production.
A common issue we see in Norway, especially with media companies uploading large assets, is the dreaded 413 Request Entity Too Large. Or worse, timeouts during SSL handshakes on slow mobile networks.
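If only a single upload endpoint needs the bigger limit, you don't have to touch the whole controller; the NGINX Ingress annotation works per resource. A minimal sketch with hypothetical namespace and Ingress names:

# Raise the body-size limit for one Ingress only (names are hypothetical)
kubectl -n media annotate ingress media-upload \
  nginx.ingress.kubernetes.io/proxy-body-size="50m" --overwrite

For everything else, the controller-wide ConfigMap is the right lever.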
You need to tune the `sysctl` settings and the NGINX configuration. Here is a production-ready ConfigMap for high-throughput environments:
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
data:
  proxy-body-size: "50m"
  proxy-connect-timeout: "10"
  proxy-read-timeout: "120"
  proxy-send-timeout: "120"
  worker-processes: "4"
  max-worker-connections: "10240"
  ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
  use-http2: "true"

Don't forget to optimize the kernel on the node itself. K8s cannot bypass the host OS limitations. Raise the connection tracking limits:
sysctl -w net.netfilter.nf_conntrack_max=131072
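That setting does not survive a reboot, and a limit you never monitor is a limit you will eventually hit. A minimal sketch to persist it and watch usage (the file path under /etc/sysctl.d is my choice; the counters are standard netfilter sysctls):

# Persist the conntrack limit across reboots
echo 'net.netfilter.nf_conntrack_max = 131072' | sudo tee /etc/sysctl.d/90-conntrack.conf
sudo sysctl --system

# Compare current usage against the ceiling; alert long before they meet
sysctl net.netfilter.nf_conntrack_count net.netfilter.nf_conntrack_max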
The Storage & Latency Connection (etcd)

You cannot talk about networking without talking about storage. Kubernetes state lives in etcd. Etcd uses the Raft consensus algorithm, which is extremely sensitive to disk write latency (fsync). If your disk is slow, etcd heartbeats time out. If heartbeats time out, the leader is lost. If the leader is lost, the cluster API goes down, and networking updates (like new Pod IPs) stop propagating.
I have seen "Cloud Native" architectures crumble because the provider used cheap shared SSDs. Latency spikes above 10ms for fsync will destabilize your cluster.
This is why we deploy critical clusters on CoolVDS NVMe instances. The I/O consistency is unmatched. You can verify your etcd performance directly:
etcdctl check perf

If you aren't seeing "PASS", your networking problems are actually storage problems.
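etcdctl check perf gives a coarse verdict. For a closer look at raw fsync latency, fio can approximate etcd's WAL write pattern; the parameters below follow the commonly cited etcd disk benchmark, and the scratch directory is my own placeholder (keep it on the same volume as your etcd data):

# Scratch directory on the volume that backs /var/lib/etcd
sudo mkdir -p /var/lib/etcd-bench

# Small sequential writes with an fdatasync after each one, like etcd's WAL
sudo fio --name=etcd-fsync --directory=/var/lib/etcd-bench \
    --rw=write --ioengine=sync --fdatasync=1 --size=22m --bs=2300

Check the fdatasync percentiles in the output; the 99th percentile should sit comfortably under that 10ms threshold on proper NVMe storage.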
The Schrems II Reality Check
Let’s address the elephant in the server room. The Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework in July 2020. If you are a Norwegian business dumping customer data into a Kubernetes cluster managed by a US hyperscaler, you are now in a legal grey zone.
The safest technical architecture in late 2020 involves data localization. Hosting your Kubernetes worker nodes and persistent volumes on Norwegian soil, under Norwegian jurisdiction. CoolVDS provides that sovereignty. Our datacenters in Oslo connect directly to NIX (Norwegian Internet Exchange), ensuring your traffic often doesn't even leave the country.
This isn't just about compliance; it's about physics. Distance equals latency. Pinging a server in Frankfurt takes ~25ms from Oslo. Pinging a CoolVDS server in Oslo takes ~2ms.
ping -c 4 oslo-gw.coolvds.com

Conclusion: Build on Solid Ground
Kubernetes is powerful, but it introduces complexity. To survive the networking chaos of 2020:
- Use Calico with Cross-Subnet mode to minimize encapsulation overhead.
- Switch kube-proxy to IPVS to handle service scaling without CPU thrashing.
- Tune your NGINX Ingress for real-world traffic patterns, not defaults.
- Ensure your underlying infrastructure (disk and network) is rock solid.
The overlay network can only be as good as the physical network it sits on. Don't let a noisy neighbor or a slow disk kill your cluster's stability. Test your workloads on infrastructure designed for performance and compliance.
Ready to stabilize your K8s network? Deploy a high-performance NVMe instance on CoolVDS today and keep your data safely within Norway.