Kubernetes Networking Deep Dive: Surviving the Packet Storm
Let’s be honest: Kubernetes networking is where performance goes to die. You spend weeks micro-optimizing your Go binaries, only to lose 50ms because your packets are bouncing between three different overlay networks and a choked virtual switch. With the CJEU's ruling on Schrems II just dropping last week (July 16), invalidating the Privacy Shield, the game has changed. If you are serving Norwegian customers, relying on US-owned cloud load balancers is now a legal minefield. You need your data—and your traffic termination—right here in Norway.
I’ve debugged enough CrashLoopBackOff errors to know that the network is always the first suspect. In this deep dive, we are ignoring the marketing fluff. We are looking at CNI choices, why your conntrack tables are exploding, and how to configure your cluster for the low-latency reality of the Nordic market.
The CNI Battlefield: Calico vs. Flannel vs. Cilium
Your Container Network Interface (CNI) plugin determines how pods talk to each other. In 2020, if you are still using the default settings provided by most installers, you are likely running an overlay network (VXLAN or IP-in-IP) that encapsulates every packet. That encapsulation costs CPU cycles.
1. Flannel (The Old Guard)
Flannel is simple. It uses VXLAN. It works. But under high load, that encapsulation overhead adds up. It’s fine for a dev environment, but I wouldn't put a high-frequency trading bot on it.
2. Calico (The Standard)
Calico offers a BGP mode (Bird) that allows purely routed traffic without encapsulation if your underlying network supports it. This is where hosting choice matters. On CoolVDS, because we give you KVM isolation and legitimate Layer 2 access, you can actually run BGP peering if you are advanced enough. For most, Calico in IP-in-IP mode is the sweet spot between performance and ease of use.
3. Cilium (The New Challenger)
Cilium uses eBPF (extended Berkeley Packet Filter) to route traffic effectively bypassing iptables entirely. It is blazing fast but requires a very modern kernel (Linux 4.19+). If you are running on older CentOS 7 nodes, forget it.
Pro Tip: If you are seeing high latency, check your MTU settings. A double-encapsulated packet (Overlay + VPN + Physical) often exceeds the standard 1500 bytes, causing fragmentation.
War Story: We recently migrated a Magento cluster from a public cloud to CoolVDS NVMe instances. Their checkout was timing out. Why? Their CNI was set to VXLAN, but the underlying cloud network was also VXLAN. The double encapsulation was causing massive packet fragmentation. We switched to Calico with BGP, and latency dropped by 40% instantly.
Kube-Proxy: IPTables vs. IPVS
By default, Kubernetes uses iptables to manage services. This works fine for 50 services. But if you have 5,000 services, the kernel has to traverse a massive list of sequential rules for every packet. It’s O(n) complexity. It kills CPU.
Switching to IPVS (IP Virtual Server) mode changes this lookup to O(1) hash table complexity. It is significantly faster and supports better load balancing algorithms (like Least Connection).
Here is how you enable it in your kube-proxy config map (assuming you are using `kubeadm`):
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: "ipvs"
ipvs:
strictARP: true
scheduler: "rr" # Round RobinMake sure the IPVS kernel modules are loaded on your CoolVDS node before restarting kube-proxy:
modprobe ip_vs
modprobe ip_vs_rr
modprobe ip_vs_wrr
modprobe ip_vs_sh
modprobe nf_conntrackThe Hardware Reality: Why VPS "Quality" Matters
This is the part most developers ignore. You can tune your K8s config all day, but if your underlying host is stealing CPU cycles, your network throughput will tank.
Network processing in Linux is handled by softirq. If you are on a cheap, oversold VPS, your "neighbor" might be mining crypto, causing the hypervisor to pause your CPU for milliseconds. To a database, a few milliseconds is an eternity. This is "Steal Time" (st), and it destroys consistent latency.
| Feature | Cheap VPS | CoolVDS (KVM) |
|---|---|---|
| CPU Allocation | Shared / Oversold | Dedicated Threads |
| Disk I/O | SATA / Hybrid | Pure NVMe |
| Network Interrupts | Throttled | Passthrough Performance |
| Data Location | Often Unknown | Norway (GDPR Compliant) |
We built CoolVDS on KVM with local NVMe specifically to solve the I/O wait problem. When ETCD is writing cluster state to disk, it needs immediate acknowledgement. Slow disks lead to API server timeouts and split-brain scenarios.
Ingress Tuning for High Traffic
Most of you are using NGINX Ingress Controller. It is robust, but the defaults are conservative. If you expect a traffic spike (like Nordic retail holidays), you need to tune the `sysctls` and NGINX buffers.
Add these configurations to your NGINX ConfigMap to handle high concurrency:
data:
worker-processes: "auto"
max-worker-open-files: "10240"
keep-alive: "65"
upstream-keepalive-connections: "100"
enable-vts-status: "true"Furthermore, ensure you adjust the kernel parameters on the node itself to allow for a higher volume of connections. Add this to /etc/sysctl.conf on your CoolVDS nodes:
net.core.somaxconn = 32768
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_tw_reuse = 1
fs.file-max = 2097152Security: The Default Deny Policy
In a post-Schrems II world, data leakage is not just a bug; it's a legal liability. By default, K8s allows all pods to talk to all other pods. If a hacker compromises your frontend, they can scan your database.
Implement a "Default Deny" NetworkPolicy immediately. This forces you to whitelist traffic explicitly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: production
spec:
podSelector: {}
policyTypes:
- Ingress
- EgressOnce applied, nothing moves until you say so. It is annoying to configure, but it is necessary.
The Norwegian Edge
Latency is physics. If your users are in Oslo, Bergen, or Trondheim, routing traffic through Frankfurt or London adds 20-30ms of round-trip time. By hosting on CoolVDS, you are peering directly at NIX (Norwegian Internet Exchange). We are talking sub-5ms latency to most ISPs in Norway.
Plus, with the legal landscape shifting under our feet in 2020, knowing exactly where your physical server rack sits—and under whose jurisdiction it falls—is critical for compliance with the Norwegian Datatilsynet.
Conclusion
Kubernetes is powerful, but it relies heavily on the underlying infrastructure. You can have the best manifests in the world, but they won't save you from noisy neighbors, slow disks, or legal non-compliance. Don't build a skyscraper on a swamp.
Ready to lower your latency? Deploy a high-performance KVM instance on CoolVDS today and keep your data safely within Norwegian borders.