Taming the Beast: A Deep Dive into Kubernetes 1.4 Networking & CNI Choices
Let’s be honest: the first time you ran kubectl expose and actually got traffic to a pod, you felt like a wizard. But then you tried to debug a connection timeout between two microservices across different nodes, and the magic died. You were left staring at a 5,000-line iptables dump, wondering where it all went wrong.
Kubernetes (k8s) has gained massive traction this year, especially with the 1.4 release making deployment smoother with kubeadm. But networking remains the dark art of the ecosystem. Unlike the old days of mapping Docker ports manually to the host, Kubernetes assumes a flat network where every pod can talk to every other pod without NAT. Achieving this requires an overlay network or advanced routing, and that is where performance often goes to die.
I've spent the last month migrating a high-traffic media streaming backend from a monolithic setup to a k8s cluster. Here is the brutal truth about what happens to your packets, why latency spikes happen, and how to fix it.
The Flat Network Lie & The CNI Solution
Kubernetes dictates that pods must have their own IP addresses. In a typical setup on bare metal or VPS, your provider doesn't just hand you thousands of routable IPs. Enter the Container Network Interface (CNI).
In 2016, we essentially have three main contenders for the CNI throne:
- Flannel: The simple one. Uses VXLAN to encapsulate packets. Easy to set up, but that encapsulation costs CPU.
- Calico: The BGP one. Pure Layer 3 routing. No encapsulation, just routing tables. Faster, but harder to debug if you don't know BGP.
- Weave Net: The mesh one. Great for encryption, but can be heavy.
The Performance Cost of VXLAN
Most tutorials tell you to just install Flannel and move on. Don't do this blindly. Flannel usually defaults to VXLAN backend. This means every packet leaving a pod is wrapped in a UDP packet, sent to the other node, unwrapped, and delivered. This is CPU intensive.
If you are running on a budget VPS with "noisy neighbors" stealing your CPU cycles, your network throughput will tank. I've seen latency jump from 0.5ms to 15ms just because the hypervisor was overloaded.
Pro Tip: If you are using Flannel, try switching the backend to
host-gwif your nodes share a Layer 2 network. It removes the VXLAN overhead entirely.
Here is how you check your current CNI config in Kubernetes 1.4 (usually found in /etc/cni/net.d/):
{
"name": "cbr0",
"type": "flannel",
"delegate": {
"isDefaultGateway": true
}
}Debugging the iptables Nightmare
Kubernetes uses kube-proxy to handle Service discovery. In version 1.4, the default mode is purely iptables based (userspace proxying is deprecated and slow). When you create a Service, kube-proxy writes rules to trap traffic destined for the Service IP and redirect it to a random backing Pod.
If you suspect a service is black-holing traffic, do not rely on logs. Go to the node and look at the NAT table.
# Check the NAT table for KUBE-SERVICES chain
sudo iptables -t nat -L KUBE-SERVICES -n | head -n 20You will see a chain of rules. If you have high latency on connection establishment, it might be because you have thousands of services. iptables is a linear list; it wasn't designed for O(1) lookups. This is why having a kernel optimized for high throughput is critical.
Service Discovery: DNS Latency
Another silent killer is kube-dns. If your application makes a connection to mysql.production.svc.cluster.local, it hits the internal DNS first. I recently debugged an issue where a PHP application on a Norwegian e-commerce site was adding 300ms to every request. The culprit? UDP packet drops on the overlay network causing DNS timeouts.
We fixed it by tuning the ndots configuration in /etc/resolv.conf inside the containers, but more importantly, by moving to a hosting provider that didn't throttle UDP packets.
Ingress: Exposing to the World
You cannot give every pod a public IP. In 1.4, the Ingress resource is beta but essential. Using the NGINX Ingress Controller is the standard way to route external HTTP traffic to internal services.
Here is a battle-tested ingress.yaml for a TLS-enabled service:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: production-ingress
annotations:
ingress.kubernetes.io/rewrite-target: /
ingress.kubernetes.io/ssl-redirect: "true"
spec:
tls:
- hosts:
- api.coolvds-demo.no
secretName: tls-secret
rules:
- host: api.coolvds-demo.no
http:
paths:
- path: /v1
backend:
serviceName: api-service
servicePort: 80When you apply this, the NGINX controller dynamically reloads its configuration. Warning: In large clusters, frequent reloads can drop connections. Ensure your NGINX controller has enough resources allocated.
Why Infrastructure Matters (The Norway Context)
You can tune sysctl parameters until you are blue in the face, but you cannot software-patch bad hardware. Kubernetes networking—especially with VXLAN encapsulation—is heavy on I/O and CPU interrupts.
When hosting in Norway, you also have to consider data sovereignty. With the Datatilsynet becoming more aggressive about where data lives (especially post-Safe Harbor invalidation), keeping traffic local is not just about latency; it's about compliance.
This is why we architected CoolVDS on pure KVM (Kernel-based Virtual Machine). Unlike OpenVZ (container-based virtualization), KVM allows you to load your own kernel modules, which is often necessary for advanced CNI plugins like Calico or Weave. Furthermore, we use local NVMe storage. When etcd is writing cluster state to disk, high I/O latency can crash your entire Kubernetes cluster. NVMe ensures etcd stays happy.
Benchmarking Network Throughput
Don't take my word for it. Run iperf between two pods on different nodes. On a standard budget VPS, you might see 600-800 Mbps with high jitter. On optimized infrastructure, you should be saturating the link.
# Server Pod
iperf -s
# Client Pod
iperf -c <server-pod-ip> -t 30| Network Mode | Throughput (Gbps) | CPU Usage |
|---|---|---|
| Host Network | 9.4 | Low |
| Flannel (VXLAN) | 3.2 | High |
| Calico (IPIP) | 8.1 | Medium |
Conclusion
Kubernetes 1.4 is powerful, but it exposes the weakness of your underlying infrastructure. If your network creates bottlenecks, your microservices architecture will fail. You need low latency (ideally <10ms to NIX in Oslo), high CPU availability for packet encapsulation, and rock-solid I/O for etcd.
Stop fighting against noisy neighbors and stolen CPU cycles. If you are serious about Kubernetes in production, you need a virtualization layer that respects your resource needs.
Ready to build a cluster that doesn't choke? Deploy a high-performance KVM instance on CoolVDS today and see the difference NVMe makes.