Unraveling the Knot: A Deep Dive into Kubernetes Networking, CNI Performance, and Hardware Reality
Most developers treat Kubernetes networking as a black box. You define a Service, throw in an Ingress, and assume the packets will flow. It works, until you hit 5,000 requests per second and your latency distribution starts looking like a heart attack.
I’ve spent the last week debugging a cluster that was randomly dropping 2% of TCP connections. The culprit wasn't the application code. It wasn't the load balancer. It was a saturated conntrack table on a worker node running on a budget VPS provider that oversold their CPU cycles. The abstraction leaked, and it was ugly.
Today, we are cutting through the marketing fluff. We are looking at what actually happens to a packet inside a K8s cluster, why your choice of CNI (Container Network Interface) matters more than you think, and why running this on bare-metal equivalent infrastructure—like CoolVDS—is critical for Norwegian businesses navigating the post-Schrems II landscape.
The CNI Battlefield: Calico vs. Flannel vs. Cilium
In 2022, sticking with the default networking provider is a rookie mistake. The choice generally boils down to three architectures: encapsulation (VXLAN), direct routing (BGP), or eBPF.
1. The "Simple" Overlay (Flannel/VXLAN)
Flannel is the default for many. It wraps packets in UDP packets (VXLAN) to transport them across nodes. It’s easy to set up.
The problem? CPU overhead. Every packet requires encapsulation and decapsulation. On a shared, noisy neighbor VPS, this CPU theft translates directly to latency.
2. The Performance King (Calico with BGP)
This is what we generally recommend for high-throughput workloads on CoolVDS. Instead of wrapping packets, Calico uses BGP (Border Gateway Protocol) to distribute routes between nodes. The packet leaves the pod and hits the wire natively.
If you are running on our infrastructure in Oslo, you can configure Calico to peer directly with the underlying fabric if needed, but even in IPIP mode, it outperforms pure VXLAN.
3. The eBPF Future (Cilium)
Cilium is gaining massive traction this year. It bypasses iptables entirely, using eBPF to route packets deep in the kernel. It’s brilliant, but it requires a modern kernel (5.10+). Fortunately, CoolVDS images are standardizing on newer Linux kernels that support this out of the box.
Kernel Tuning: When Defaults Fail
Linux is tuned for general-purpose computing, not for routing millions of micro-service packets. If you are deploying Kubernetes in production, you must tune your sysctls. Neglecting this is why your NGINX Ingress controller chokes under load.
Here is a snippet from a sysctl.conf setup we applied to a client's cluster handling financial data in Oslo:
# /etc/sysctl.d/99-k8s-network.conf
# Increase the connection tracking table size
net.netfilter.nf_conntrack_max = 1000000
net.netfilter.nf_conntrack_tcp_timeout_established = 86400
# Allow more pending connections
net.core.somaxconn = 32768
# Reuse TIME-WAIT sockets (careful with this one behind NAT, but essential for K8s internal comms)
net.ipv4.tcp_tw_reuse = 1
# Increase the read/write buffer sizes for high-speed NVMe backed networking
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
Applying this requires privileged access to the node. This is where managed Kubernetes services often limit you. On a robust VPS Norway solution like CoolVDS, you have root. You own the kernel parameters.
Network Policies: The Zero-Trust Imperative
By default, Kubernetes is an open flat network. Any pod can talk to any pod. If an attacker compromises your frontend, they can scan your database.
We need to lock this down. Here is a standard "Deny All" policy you should apply to every namespace immediately after creation:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: backend-services
spec:
podSelector: {}
policyTypes:
- Ingress
- EgressOnce the door is shut, you open specific paths. For example, allowing only the NGINX Ingress Controller to talk to your backend API:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress
namespace: backend-services
spec:
podSelector:
matchLabels:
app: my-api
ingress:
- from:
- namespaceSelector:
matchLabels:
name: ingress-nginx
ports:
- protocol: TCP
port: 8080Pro Tip: Network Policies are enforced by the CNI plugin. If you use Flannel without extra modules, these YAML files do absolutely nothing. This is why we prefer Calico or Cilium—they enforce security at the kernel level.
The Hardware Under the Hood: Why IOPS Matter for Networking
This is the part nobody talks about. Kubernetes networking relies heavily on etcd for state. Every time a service endpoint changes, etcd writes to disk. If your disk latency is high, the API server slows down, and network updates (like new iptables rules) get delayed.
In 2022, running etcd on spinning rust (HDD) or shared SATA SSDs is negligence. You need NVMe.
| Storage Type | Etcd fsync Latency | Impact on Network Convergence |
|---|---|---|
| Standard HDD | 10ms - 100ms | Catastrophic. Updates lag by seconds. |
| SATA SSD (Shared) | 1ms - 10ms | Acceptable for dev, risky for production spikes. |
| CoolVDS NVMe | < 0.1ms | Instant. Network rules propagate immediately. |
We built CoolVDS on pure NVMe arrays precisely because of this bottleneck. When a pod dies and a new one spins up, the network route update needs to happen now, not in 5 seconds.
Data Sovereignty & Latency: The Norwegian Context
Since the Schrems II ruling, moving personal data to US-owned cloud providers has become a legal minefield. The Datatilsynet (Norwegian Data Protection Authority) is watching closely.
When you deploy a Kubernetes cluster, your Ingress Controller is the gateway for user data. If that Ingress sits on a server owned by a US hyper-scaler, you are potentially transferring data simply by terminating SSL there.
Hosting on CoolVDS in Norway solves two problems:
- Compliance: Your data stays within Norwegian borders, on Norwegian infrastructure.
- Latency: If your users are in Oslo, Bergen, or Trondheim, why route traffic through Frankfurt? Our direct peering at NIX (Norwegian Internet Exchange) ensures your ping times are single-digit milliseconds.
Conclusion
Kubernetes networking is powerful, but it's not forgiving. It exposes the weaknesses in the underlying infrastructure. A cheap VPS might run a WordPress blog fine, but it will crumble under the packet-switching load of a microservices mesh.
You need control over the kernel, you need the right CNI, and you absolutely need NVMe storage to keep etcd happy.
Ready to stop debugging network flakes and start shipping? Deploy a high-performance, K8s-ready instance on CoolVDS today.