CNIs (Guides)

CNI (Container Network Interface) plugins provide networking for Kubernetes pods. Different CNI plugins offer different features, performance characteristics, and capabilities. Choosing the right CNI plugin is crucial for your cluster’s networking requirements, security needs, and operational complexity.

What are CNI Plugins?

CNI plugins are network implementations that:

  • Assign IP addresses to pods
  • Configure network interfaces and routes
  • Enable pod-to-pod communication
  • Support Network Policies (some plugins)

graph TB
    A[Pod Created] --> B[CNI Plugin]
    B --> C[Assigns IP Address]
    C --> D[Configures Network]
    D --> E[Pod Can Communicate]
    style B fill:#e8f5e9
    style E fill:#fff4e1

Calico

Features:

  • Network policies
  • BGP routing
  • IP-in-IP or VXLAN
  • Enterprise features

Best for: Production clusters needing network policies and BGP

Cilium

Features:

  • eBPF-based (high performance)
  • Network policies
  • Service mesh integration
  • Advanced observability

Best for: High-performance clusters with advanced networking needs

Flannel

Features:

  • Simple overlay network
  • VXLAN or host-gw backend
  • Easy to set up
  • Minimal configuration

Best for: Simple clusters, development, learning

Weave Net

Features:

  • Automatic mesh networking
  • Network policies
  • Encryption support
  • Simple deployment

Best for: Clusters needing automatic mesh networking

graph TB
    A[CNI Plugins] --> B[Calico<br/>Policy + BGP]
    A --> C[Cilium<br/>eBPF Performance]
    A --> D[Flannel<br/>Simple Overlay]
    A --> E[Weave Net<br/>Auto Mesh]
    style B fill:#fff4e1
    style C fill:#fff4e1
    style D fill:#fff4e1
    style E fill:#fff4e1

Comparison Matrix

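| Feature | Calico | Cilium | Flannel | Weave Net |
|---|---|---|---|---|
| Network Policies | ✅ Full | ✅ Full | ⚠️ Limited | ✅ Full |
| Performance | High | Very High | Medium | Medium |
| Complexity | Medium | Medium | Low | Low |
| BGP Support | | | | |
| Encryption | | | | |
| eBPF | | | | |
| Setup Difficulty | Medium | Medium | Easy | Easy |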

Choosing a CNI Plugin

Consider Your Needs

Network Policies:

  • Need Network Policies? → Calico, Cilium, or Weave Net
  • Don’t need Network Policies? → Any plugin works

Performance:

  • Maximum performance? → Cilium (eBPF-based)
  • High performance? → Calico
  • Standard performance? → Flannel or Weave Net

Complexity:

  • Simple setup? → Flannel
  • Advanced features? → Calico or Cilium
  • Automatic mesh? → Weave Net

BGP Integration:

  • Need BGP? → Calico
  • Don’t need BGP? → Any plugin

Cloud vs On-Premises:

  • Cloud (managed)? → Usually pre-configured
  • On-premises? → Choose based on requirements

CNI Plugin Features

Network Policy Support

Not all CNI plugins support Network Policies:

  • Full support: Calico, Cilium, Weave Net
  • Limited support: Flannel (depends on backend)
  • No support: Basic bridge plugins

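Important: Network Policies won’t work if your CNI doesn’t support them. The API server still accepts the NetworkPolicy objects, but nothing enforces them and no error is reported.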

Encapsulation Methods

CNI plugins use different encapsulation:

  • VXLAN - Overlay network, works everywhere
  • IP-in-IP - Simpler, but may not work in all environments
  • Host-gw - No encapsulation, requires L2 connectivity
  • eBPF - Kernel-level, no encapsulation needed (Cilium)

Routing Methods

  • Overlay - Encapsulated traffic (VXLAN, IP-in-IP)
  • BGP - Direct routing with BGP (Calico)
  • Host gateway - Direct routing without encapsulation
  • eBPF - Kernel-level routing (Cilium)

Installation Considerations

Managed Kubernetes

Cloud providers often pre-configure CNI:

  • EKS - Uses VPC CNI (AWS-specific)
  • GKE - Uses GKE CNI
  • AKS - Uses Azure CNI

You may not need to choose a CNI for managed clusters.

Self-Managed Kubernetes

For self-managed clusters:

  1. Choose CNI based on requirements
  2. Install CNI before creating pods
  3. Configure CNI for your network
  4. Test connectivity and policies

Best Practices

  1. Choose before cluster creation - Install CNI before creating workloads
  2. Test Network Policies - Verify Network Policy support if needed
  3. Plan IP ranges - Ensure pod subnet doesn’t conflict
  4. Monitor performance - Track network performance metrics
  5. Keep updated - Update CNI plugins regularly
  6. Document configuration - Document CNI configuration
  7. Test upgrades - Test CNI upgrades in non-production
  8. Backup configs - Backup CNI configuration files
  9. Use supported plugins - Use well-maintained CNI plugins
  10. Consider cloud options - Use cloud-provided CNI when available

Troubleshooting

CNI Plugin Not Working

  1. Check plugin installed: ls /opt/cni/bin/
  2. Verify configuration: cat /etc/cni/net.d/*
  3. Check kubelet logs: journalctl -u kubelet
  4. Verify plugin executable: Ensure permissions are correct
  5. Review CNI logs: Check CNI plugin-specific logs
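
Steps 1, 2 and 4 can be combined into one node-side check. The script below is an added example, not part of the original guide: it reads the CNI configuration, confirms every referenced plugin has an executable binary, and flags files that group or other can modify, since the container runtime executes these binaries as root. The function names are hypothetical; the default paths are the ones used in the steps above.

```python
import json
import stat
from pathlib import Path

def plugin_types(conf_dir):
    """Map each CNI config file to the plugin types it references (None = unparsable)."""
    found = {}
    # Same extensions libcni loads; sorted so the report follows lexicographic order.
    for path in sorted(Path(conf_dir).iterdir()):
        if path.suffix not in (".conf", ".conflist", ".json"):
            continue
        try:
            doc = json.loads(path.read_text())
            # A .conflist chains several plugins; a .conf describes exactly one.
            entries = doc.get("plugins", [doc])
            found[path] = [str(e.get("type", "<no type>")) for e in entries]
        except (OSError, ValueError, AttributeError):
            found[path] = None
    return found

def loosely_writable(path):
    """True if group or other can modify the file."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(conf_dir="/etc/cni/net.d", bin_dir="/opt/cni/bin"):
    """Return findings as strings; an empty list means no problem was detected."""
    findings = []
    for conf, types in plugin_types(conf_dir).items():
        if types is None:
            findings.append(f"{conf.name}: unreadable or not valid CNI JSON")
            continue
        if loosely_writable(conf):
            findings.append(f"{conf.name}: writable by group/other")
        for t in types:
            binary = Path(bin_dir) / t
            if not binary.is_file():
                findings.append(f"{conf.name}: plugin '{t}' missing from {bin_dir}")
            elif not binary.stat().st_mode & stat.S_IXUSR:
                findings.append(f"{binary.name}: not executable")
            elif loosely_writable(binary):
                findings.append(f"{binary.name}: writable by group/other")
    return findings

if __name__ == "__main__":
    for line in audit():
        print(line)
```

Run it as root on the node that reports the failure; no output means the configuration parses and every plugin it names is present, executable and not loosely writable.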

Network Policies Not Working

  1. Verify CNI support: Check if CNI supports Network Policies
  2. Check CNI version: Ensure CNI version supports policies
  3. Review CNI configuration: Verify policy support is enabled
  4. Test with simple policy: Create a basic policy to test
  5. Check CNI documentation: Review CNI-specific Network Policy docs
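
Step 4 can be automated as a before/after probe. The script below is an added example, not part of the original guide: it applies a default-deny ingress policy and checks whether traffic that worked before is now blocked, which distinguishes an enforcing CNI from one that silently ignores the policy. It assumes `kubectl` is configured, the namespace is a scratch one containing a Service reachable at the given URL, and the `busybox` image can be pulled; the policy name and function names are hypothetical.

```python
import json
import subprocess
import time
import uuid

POLICY_NAME = "cni-enforcement-test"  # hypothetical name for the temporary policy

def default_deny_ingress(namespace):
    """NetworkPolicy selecting every pod in the namespace and allowing no ingress."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": POLICY_NAME, "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    }

def probe(namespace, url, run=subprocess.run):
    """Run a one-shot busybox pod; True if it could fetch url within 3 seconds."""
    pod = f"np-probe-{uuid.uuid4().hex[:8]}"  # unique, so probes never collide
    cmd = ["kubectl", "run", pod, "-n", namespace, "--image=busybox",
           "--restart=Never", "--rm", "-i", "--quiet", "--",
           "wget", "-q", "-O", "/dev/null", "-T", "3", url]
    return run(cmd, capture_output=True).returncode == 0

def check_enforcement(namespace, url, run=subprocess.run, settle=5):
    """Return 'enforced', 'not-enforced' or 'inconclusive'."""
    if not probe(namespace, url, run):
        return "inconclusive"  # unreachable even without a policy: fix that first
    manifest = json.dumps(default_deny_ingress(namespace)).encode()
    run(["kubectl", "apply", "-f", "-"], input=manifest,
        capture_output=True, check=True)
    try:
        time.sleep(settle)  # let the CNI agent program the rule
        return "not-enforced" if probe(namespace, url, run) else "enforced"
    finally:
        # Always remove the test policy, whatever the outcome.
        run(["kubectl", "delete", "networkpolicy", POLICY_NAME, "-n", namespace],
            capture_output=True)

if __name__ == "__main__":
    import sys
    print(check_enforcement(sys.argv[1], sys.argv[2]))
```

A result of `not-enforced` means the policy object was accepted but the CNI did not act on it, which is the case steps 1 to 3 are meant to diagnose.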

Performance Issues

  1. Check encapsulation method: Some methods are faster than others
  2. Review CNI metrics: Monitor CNI performance metrics
  3. Consider eBPF: Cilium with eBPF offers high performance
  4. Optimize configuration: Review and optimize CNI config
  5. Check node resources: Ensure nodes have adequate resources

Topics

  • Calico - Network policies and BGP routing
  • Cilium - eBPF-based high-performance networking
  • Flannel - Simple overlay network
