Kubernetes Networking Deep Dive: Surviving the Packet Jungle in 2020
Let's be honest: Kubernetes networking is usually the first thing to break and the last thing you understand. You deploy a cluster, everything looks green in the dashboard, but your microservices are timing out, and latency between your frontend and your Redis cache is erratic. If I had a Krone for every time a developer told me "it works on Minikube," I'd own half of Aker Brygge by now.
I’ve spent the last three months debugging a high-traffic payment gateway for a Norwegian fintech client. The bottleneck wasn't the code; it was the network overlay. In this post, we are going to strip away the magic. We will look at CNI choices, the dreaded ndots:5 DNS issue, and why running Kubernetes on cheap, oversubscribed hosting is professional suicide.
The CNI Battlefield: Flannel vs. Calico
In May 2020, if you are spinning up a cluster, you generally have two main paths for the Container Network Interface (CNI): simple VXLAN overlays (Flannel) or BGP-based routing (Calico). There is Cilium with eBPF getting traction, but for production stability right now, BGP is king.
Flannel is easy. It encapsulates traffic in UDP packets (VXLAN). This adds overhead. Every packet has to be wrapped and unwrapped. On a high-performance cluster, that CPU overhead adds up. For our deployments at CoolVDS, where we have direct control over the KVM environment, we prefer Calico. It uses BGP to route packets natively without the encapsulation penalty, provided your network allows it.
Here is how you might configure Calico's IP Pool to disable IP-in-IP encapsulation for maximum performance if your nodes are on the same L2 subnet (typical in a private CoolVDS VLAN):
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
name: default-ipv4-ippool
spec:
cidr: 192.168.0.0/16
ipipMode: Never # Disable IP-in-IP for raw routing speed
natOutgoing: truePro Tip: If you are using `ipipMode: Always` (the default), you are burning CPU cycles on encapsulation. Switch to `CrossSubnet` or `Never` if your infrastructure supports it. On CoolVDS NVMe instances, we expose the necessary VirtIO drivers to handle raw packet throughput efficiently.
The DNS Latency Killer: ndots:5
This is the most common misconfiguration I see in 2020. By default, Kubernetes configures /etc/resolv.conf in your pods with a search path of ndots:5. This means if you try to resolve google.com, the glibc resolver will try to append the cluster suffixes (like .svc.cluster.local, .default.svc.cluster.local, etc.) before it finally tries the absolute domain.
This generates unnecessary traffic to CoreDNS. If your CoreDNS pods are throttled or on a noisy node, your external API calls get a 50ms-200ms penalty.
Fix this by explicitly setting the dnsConfig in your Deployment spec:
apiVersion: apps/v1
kind: Deployment
metadata:
name: payment-service
spec:
template:
spec:
dnsConfig:
options:
- name: ndots
value: "2"
containers:
- name: app
image: registry.coolvds.com/payment:v2.1Setting ndots:2 forces the resolver to stop appending search domains earlier for qualified names. This single change reduced latency by 30% in our Oslo data center tests.
Ingress Tuning: Nginx is Thirsty
Most of you use the Nginx Ingress Controller. It’s the standard. But out of the box, it is not tuned for the high throughput allowed by modern NVMe storage and fast CPUs. If you are handling thousands of requests per second, the default `worker_connections` limit will choke you.
You need to modify the Nginx ConfigMap. Don't just rely on defaults.
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-configuration
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
data:
max-worker-connections: "65536"
worker-cpu-affinity: "auto"
keep-alive: "75"
upstream-keepalive-connections: "32"Also, enabling `upstream-keepalive-connections` is critical. Without it, Nginx opens a new connection to your backend pod for every single request. That is TCP handshake overhead you cannot afford.
The Hardware Reality: Why "Cloud" Isn't Enough
You can have the most optimized YAML in the world, but if the hypervisor underneath you is stealing CPU cycles (Steal Time), your network latency will spike. Kubernetes networking involves constant context switching and iptables/IPVS rule processing.
This is where the "cheap VPS" trap catches people. Providers oversell vCPUs. When your neighbor starts mining crypto or encoding video, your packet processing gets delayed. In a microservices architecture, one delayed packet causes a retry storm that can take down the whole cluster.
Comparison: CoolVDS KVM vs. Standard Container VPS
| Feature | Standard Container VPS | CoolVDS KVM Instance |
|---|---|---|
| Virtualization | OpenVZ / LXC (Shared Kernel) | KVM (Full Kernel Isolation) |
| Network Drivers | Emulated / Shared | VirtIO (Paravirtualized) |
| Neighbor Impact | High (Noisy Neighbors) | Zero (Dedicated Resources) |
| Storage Latency | SATA SSD (Avg) | NVMe (Low Latency) |
For our Norwegian clients bound by GDPR and needing low latency to NIX (Norwegian Internet Exchange), we specifically tune CoolVDS instances to handle the interrupt loads generated by Kubernetes. We use KVM because it allows you to load your own kernel modules—essential if you want to experiment with newer technologies like WireGuard (which just landed in kernel 5.6 recently, though getting it on standard distros is still a manual process).
Securing the Pipes: Network Policies
Finally, we cannot talk about "Deep Dive" without security. By default, K8s allows all pods to talk to all pods. If an attacker breaches your frontend, they have a straight line to your database. This is unacceptable, especially under Datatilsynet scrutiny.
Implement a default "Deny All" policy in every namespace immediately:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: production
spec:
podSelector: {}
policyTypes:
- Ingress
- EgressThen, whitelist only what is necessary. It is tedious, but it is the only way to sleep at night.
Final Thoughts
Kubernetes networking is complex, but it obeys the laws of physics. Latency comes from distance, serialization, and queuing. You can optimize serialization with protocol buffers and queuing with correct buffer sizes, but you cannot optimize a bad host.
If you are tired of debugging network flakes that vanish when you SSH in, it might be time to look at the infrastructure. Deploy a test cluster on CoolVDS today. Experience the difference dedicated NVMe and optimized KVM routing make for your workloads.