Replacing kube-proxy

Umair Khan
2 min read

  • kube-proxy maintains the iptables ruleset that load-balances Kubernetes services to the pods acting as their endpoints, using forwarding rules for the services' virtual IP addresses.

  • kube-proxy installs multiple iptables rules for each backend a service is serving. For each service added to Kubernetes, the list of iptables rules to be traversed grows exponentially! This can have serious performance impacts at large production scales.

  • With eBPF, it's possible to replace kube-proxy entirely with Cilium, so that eBPF programs perform the same service endpoint load balancing with better scalability.

  • Once kube-proxy is replaced with Cilium, the number of iptables rules can be significantly reduced.

  • By default, Cilium only handles per-packet in-cluster load-balancing of ClusterIP services and kube-proxy is used for handling services of types NodePort and LoadBalancer and handling service ExternalIPs. Cilium’s eBPF-based kube-proxy replacement takes over handling of all service types and service ExternalIP handling.

  • To replace kube-proxy, start with a fresh cluster that has kube-proxy disabled. The kind configuration below (saved as kind-no-kp-config.yaml) creates one control-plane and two worker nodes with no default CNI and no kube-proxy.

    kind: Cluster
    apiVersion: kind.x-k8s.io/v1alpha4
    nodes:
    - role: control-plane
    - role: worker
    - role: worker
    networking:
      disableDefaultCNI: true
      kubeProxyMode: none

    kind create cluster --config kind-no-kp-config.yaml

  • To confirm that kube-proxy is not installed, the output of each of the following commands should be empty.
    kubectl get --all-namespaces daemonsets | grep kube-proxy
    kubectl get --all-namespaces pods | grep kube-proxy
    kubectl get --all-namespaces configmaps | grep kube-proxy

  • Now install Cilium using the Cilium CLI tool.
    cilium install

  • Now validate that the Cilium agent reports its kube-proxy replacement as active.
    kubectl -n kube-system exec ds/cilium -- cilium status | grep KubeProxyReplacement

  • We can create a NodePort service, verify that it is working, and then check that all functions are being performed by Cilium eBPF and that no iptables rules are associated with it.

  • Run this command from inside the Cilium agent pod; with kube-proxy replaced, it should print no KUBE-SVC chains.
    iptables-save | grep KUBE-SVC
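The last two steps above, turned into a repeatable check. This script is an added example, not part of the original post; it assumes kubectl can reach the kind cluster created above and that `cilium service list` is available in the agent pod, and the helper names and sample outputs in it are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the validation
# steps above. Function names and the SAMPLE_* outputs are constructed.

# kpr_enabled: read `cilium status` text on stdin and succeed only when the
# KubeProxyReplacement field reports full replacement. Assumption: current
# Cilium prints "True" here (older releases print "Strict"); anything else fails.
kpr_enabled() {
  mode=$(sed -n 's/^KubeProxyReplacement:[[:space:]]*//p' | head -n 1)
  case "$mode" in
    True*|Strict*) return 0 ;;
    *)             return 1 ;;
  esac
}

# count_kube_svc_rules: read an iptables-save dump on stdin and print how many
# lines reference kube-proxy's per-service KUBE-SVC chains (0 = none left).
count_kube_svc_rules() {
  grep -c 'KUBE-SVC' || true
}

# Constructed sample outputs, shaped like the real tools' text, for offline use.
SAMPLE_STATUS_KPR='KubeProxyReplacement:   True   [eth0 (Direct Routing)]'
SAMPLE_STATUS_OFF='KubeProxyReplacement:   False'
SAMPLE_NAT_KUBEPROXY='*nat
:KUBE-SERVICES - [0:0]
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp --dport 53 -j KUBE-SVC-EXAMPLE1
-A KUBE-SVC-EXAMPLE1 -j KUBE-SEP-EXAMPLE1
COMMIT'
SAMPLE_NAT_CILIUM='*nat
:CILIUM_PRE_nat - [0:0]
-A PREROUTING -m comment --comment "cilium-feeder: CILIUM_PRE_nat" -j CILIUM_PRE_nat
COMMIT'

# verify_cluster: live version of the post's checks. Exposes a NodePort service
# and confirms Cilium's eBPF service map, not iptables, is serving it.
verify_cluster() {
  kubectl -n kube-system exec ds/cilium -- cilium status | kpr_enabled \
    || { echo "kube-proxy replacement is not active"; return 1; }
  kubectl create deployment web --image=nginx >/dev/null 2>&1 || true
  kubectl expose deployment web --port=80 --type=NodePort >/dev/null 2>&1 || true
  kubectl -n kube-system exec ds/cilium -- cilium service list | grep -q NodePort \
    || { echo "NodePort service missing from Cilium's service list"; return 1; }
  n=$(kubectl -n kube-system exec ds/cilium -- iptables-save | count_kube_svc_rules)
  [ "$n" -eq 0 ] || { echo "found $n KUBE-SVC references in iptables"; return 1; }
  echo "ok: services handled by Cilium eBPF, no KUBE-SVC iptables chains"
}

# Run the live checks only when asked, so the helpers can be sourced and tested.
if [ "${1:-}" = "--live" ]; then verify_cluster; fi
```

Run it as `sh check-kpr.sh --live` against the cluster; without the flag it only defines the helpers.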
