Networking (CNI, kube-proxy, eBPF)
CNI gives Pods IPs and connects them; kube-proxy implements Services in iptables/IPVS; eBPF can replace both with kernel-level programs.
Three pieces. CNI gives Pods network identity. kube-proxy translates Service VIPs to Pod IPs. eBPF is replacing both with programs that run inside the kernel.
The Kubernetes network model
Three rules, no exceptions:
- Every Pod gets its own IP, routable from every other Pod with no NAT.
- Every Node can reach every Pod, no NAT.
- The IP a Pod sees as its own is the IP others see for it.
This flat model is what makes Services, NetworkPolicy, and service mesh possible, and the CNI plugin is what implements it. Note that the model itself allows all Pod-to-Pod traffic; restricting it is NetworkPolicy's job, and NetworkPolicy is only enforced if the installed CNI plugin supports it.
CNI: the plugin that wires Pods
When the kubelet creates a Pod sandbox, it invokes a CNI binary with the network namespace path. The CNI plugin:
- Allocates an IP (from a node-local pool, an overlay subnet, or the cloud VPC).
- Creates a virtual interface inside the Pod namespace.
- Sets up routes so the Pod can reach the rest of the cluster.
Major CNIs:
- AWS VPC CNI: Pods get real VPC IPs. No overlay. Limited by ENI/IP density per instance type. Default on EKS.
- Cilium: eBPF-based. Replaces kube-proxy. Best-in-class NetworkPolicy, observability (Hubble).
- Calico: BGP routing or overlay. Strong NetworkPolicy, mature.
- Flannel: simple VXLAN overlay. Fine for small clusters.
kube-proxy: Service VIP translation
kube-proxy watches Services and EndpointSlices and programs iptables or IPVS rules on every node. When a packet hits a Service ClusterIP, the kernel's netfilter DNATs it to a real Pod IP.
Modes: iptables (default, scales to ~1k Services), IPVS (scales to 10k+), nftables (the modern replacement), or kube-proxy removed entirely in favour of Cilium's eBPF datapath.
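To make the iptables mode concrete, here is an added model (not kube-proxy's own code) of how one Service plus its ready endpoints becomes the KUBE-SERVICES, KUBE-SVC- and KUBE-SEP- chains, including the random-statistic rules that spread new connections evenly. The Service name, ClusterIP, ports and Pod IPs are constructed; the chain-name hashing is an approximation of kube-proxy's scheme.

```python
"""Model of kube-proxy (iptables mode) turning a Service into netfilter
rules. Added example, not kube-proxy's code: chain naming and the
statistic-based load balancing follow the real layout; all sample values
(namespace, Service, ClusterIP, ports, Pod IPs) are constructed."""
import base64
import hashlib
from typing import List


def chain_name(prefix: str, key: str, protocol: str) -> str:
    # kube-proxy style: prefix + 16 chars of base32(sha256(key+protocol)),
    # which keeps the name under iptables' chain-name length limit.
    digest = hashlib.sha256((key + protocol).encode()).digest()
    return prefix + base64.b32encode(digest).decode()[:16]


def render_rules(ns: str, name: str, port_name: str, cluster_ip: str,
                 port: int, target_port: int, protocol: str,
                 endpoints: List[str]) -> List[str]:
    """Return iptables-save style lines for one Service port.

    Only the endpoints passed in are eligible; kube-proxy itself only
    includes endpoints whose EndpointSlice condition is ready.
    """
    proto = protocol.lower()
    svc_key = f"{ns}/{name}:{port_name}"
    svc_chain = chain_name("KUBE-SVC-", svc_key, protocol)
    match = f"-d {cluster_ip}/32 -p {proto} -m {proto} --dport {port}"
    if not endpoints:
        # No ready backends: kube-proxy REJECTs the VIP (filter table)
        # rather than black-holing the traffic.
        return [f"-A KUBE-SERVICES {match} -j REJECT"]
    rules = [f"-A KUBE-SERVICES {match} -j {svc_chain}"]
    n = len(endpoints)
    for i, ep in enumerate(endpoints):
        sep_chain = chain_name("KUBE-SEP-", svc_key + ep, protocol)
        remaining = n - i
        if remaining > 1:
            # Each rule takes 1/remaining of the traffic that reaches it,
            # so every endpoint ends up with 1/n overall.
            rules.append(f"-A {svc_chain} -m statistic --mode random "
                         f"--probability {1 / remaining:.5f} -j {sep_chain}")
        else:
            rules.append(f"-A {svc_chain} -j {sep_chain}")  # last one: no test
        rules.append(f"-A {sep_chain} -p {proto} -m {proto} "
                     f"-j DNAT --to-destination {ep}:{target_port}")
    return rules


def effective_share(endpoints: List[str]) -> List[float]:
    """Probability that each endpoint receives a given new connection."""
    n, shares, passed = len(endpoints), [], 1.0
    for i in range(n):
        p = 1.0 / (n - i)
        shares.append(passed * p)
        passed *= 1 - p
    return shares
```

The DNAT targets use the Pod IP and targetPort, not the Service port, which is why a readiness-failing Pod disappears from the rules rather than from the Service object.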
eBPF: programs in the kernel
eBPF lets you run sandboxed programs at kernel hook points (socket, XDP, tc, kprobe). Cilium uses eBPF to:
- Implement Service VIP translation at the socket layer (faster than iptables).
- Enforce NetworkPolicy at L3/L4 and L7 (HTTP, gRPC, Kafka).
- Provide observability (Hubble) with near-zero overhead.
On large clusters or latency-sensitive workloads, Cilium without kube-proxy is materially faster than iptables-based kube-proxy.
The interview answer
CNI assigns Pod IPs and wires them into the cluster network. kube-proxy programs iptables/IPVS for Service VIPs. eBPF (via Cilium) replaces both layers with kernel programs - faster, better observability, richer NetworkPolicy. On EKS the default is AWS VPC CNI plus kube-proxy; Cilium is the upgrade.
Learn more
- Docs: Cluster Networking (kubernetes.io)
- Paper: CNI specification (github.com)
- Docs: Cilium Documentation (docs.cilium.io)