How Do CNI Plugins Compare in Kubernetes?

Level: intermediate | Tags: networking, devops, sre, CKA
TL;DR

CNI plugins implement the Kubernetes networking model. Popular choices include Calico (BGP-based, supports NetworkPolicy), Cilium (eBPF-based, advanced observability), Flannel (simple overlay), and Weave Net (mesh overlay). The right choice depends on scale, security, and feature requirements.

Detailed Answer

What Is a CNI Plugin?

The Container Network Interface (CNI) is a specification that defines how networking is configured for containers. Kubernetes delegates all Pod networking to a CNI plugin, which must satisfy two requirements: assign each Pod a unique IP and enable all Pods to communicate without NAT.

CNI plugins are binaries stored in /opt/cni/bin/ with configuration files in /etc/cni/net.d/. When the kubelet creates a Pod, the container runtime calls the CNI plugin to set up networking for the Pod's network namespace.

Major CNI Plugins Compared

Calico

Calico uses BGP (Border Gateway Protocol) to distribute routes across the cluster, avoiding overlay encapsulation in many deployments. This results in near-native network performance.

Key features:

  • Native NetworkPolicy enforcement
  • BGP peering with physical network infrastructure
  • Optional VXLAN or IP-in-IP overlay for restricted environments
  • Supports both Linux and Windows nodes

# Install Calico
kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calico.yaml

# Verify Calico pods
kubectl get pods -n kube-system -l k8s-app=calico-node

Cilium

Cilium leverages eBPF (extended Berkeley Packet Filter) to implement networking, security, and observability directly in the Linux kernel. It avoids iptables entirely.

Key features:

  • eBPF-based data plane with no iptables overhead
  • L7-aware network policies (HTTP, gRPC, Kafka)
  • Built-in Hubble observability platform
  • Transparent encryption via WireGuard or IPsec
  • Service mesh capabilities without sidecars

# Install Cilium via Helm
helm repo add cilium https://helm.cilium.io/
helm install cilium cilium/cilium --version 1.15.0 \
  --namespace kube-system \
  --set hubble.relay.enabled=true \
  --set hubble.ui.enabled=true

Flannel

Flannel is the simplest CNI plugin. It creates a VXLAN overlay network and allocates a subnet to each node. It has no built-in NetworkPolicy support.

# Install Flannel
kubectl apply -f https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml

Flannel is often paired with Calico in a configuration called Canal, which uses Flannel for networking and Calico for policy enforcement.

Weave Net

Weave Net creates a mesh overlay that supports automatic encryption between nodes. It is easy to set up but has higher overhead at scale.

# Install Weave Net
kubectl apply -f https://github.com/weaveworks/weave/releases/download/v2.8.1/weave-daemonset-k8s.yaml

Feature Comparison Matrix

| Feature | Calico | Cilium | Flannel | Weave Net |
|---|---|---|---|---|
| NetworkPolicy | Yes | Yes (L3-L7) | No | Yes |
| Encryption | WireGuard | WireGuard/IPsec | No | Yes (sleeve) |
| Data plane | iptables/eBPF | eBPF | VXLAN | VXLAN/sleeve |
| Performance | High | High | Moderate | Moderate |
| Observability | Basic | Hubble | None | Basic |
| Complexity | Medium | Medium-High | Low | Low |

Choosing the Right Plugin

Small clusters or development environments: Flannel is the easiest to set up and requires minimal configuration. If you need NetworkPolicy, use Canal (Flannel + Calico).

Production clusters with strict security: Calico provides robust NetworkPolicy enforcement and performs well at scale. Its BGP mode avoids overlay overhead when the underlying network permits it.

Advanced observability and L7 policy: Cilium is the best choice when you need deep visibility into traffic flows, L7-aware policies, or want to replace kube-proxy with eBPF-based service routing.
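Because the plugins above differ mainly in whether they enforce NetworkPolicy at all, the check a practitioner wants before trusting a policy is an enforcement test: apply a default-deny and probe. The script below is an added example, not part of the original page or of any CNI project's own tooling. It assumes kubectl access to a cluster; the netpol-check namespace, the nginx:alpine and busybox images, and the app label values are constructed choices.

```shell
#!/bin/sh
# Added example, not part of the original page: checks whether the installed
# CNI actually enforces NetworkPolicy. A plugin without policy support (plain
# Flannel) accepts the policy object but changes nothing, so the only reliable
# test is to apply a default-deny and probe. Assumes kubectl access to a
# cluster; the namespace and image names below are constructed choices.
set -eu

NS="${NS:-netpol-check}"   # constructed throwaway namespace

# Render a default-deny policy covering ingress and egress for namespace $1.
default_deny_manifest() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
}

# Render the matching allow rule: pods with app=$3 may reach app=$2 on TCP $4.
# This is the shape of rule layered on top of default-deny once it is proven.
allow_manifest() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-$3-to-$2
  namespace: $1
spec:
  podSelector:
    matchLabels:
      app: $2
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: $3
    ports:
    - protocol: TCP
      port: $4
EOF
}

# Interpret the probe's exit status under default-deny: a connection that
# still succeeds (status 0) means the CNI is not enforcing policy at all.
classify_probe() {
  if [ "$1" -eq 0 ]; then echo NOT_ENFORCED; else echo ENFORCED; fi
}

# Live check; runs only when invoked as: sh netpol-check.sh run
verify_enforcement() {
  kubectl create namespace "$NS" >/dev/null
  trap 'kubectl delete namespace "$NS" --wait=false >/dev/null' EXIT
  kubectl -n "$NS" run web --image=nginx:alpine --labels=app=web --port=80 >/dev/null
  kubectl -n "$NS" wait --for=condition=Ready pod/web --timeout=120s >/dev/null
  default_deny_manifest "$NS" | kubectl apply -f - >/dev/null
  sleep 5   # give the CNI agent time to program the policy into the data plane
  ip=$(kubectl -n "$NS" get pod web -o jsonpath='{.status.podIP}')
  set +e
  kubectl -n "$NS" run probe --rm -i --restart=Never --image=busybox \
    -- wget -q -T 3 -O /dev/null "http://$ip/" >/dev/null 2>&1
  status=$?
  set -e
  echo "NetworkPolicy enforcement: $(classify_probe "$status")"
}

if [ "${1:-}" = "run" ]; then verify_enforcement; fi
```

Run it as `sh netpol-check.sh run`; without the argument it only defines the functions. On plain Flannel the probe still connects and the script reports NOT_ENFORCED; on Calico, Cilium or Canal it should report ENFORCED, after which `allow_manifest` gives the pattern for opening specific paths.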

Verifying Your CNI Plugin

# Check which CNI config is active
ls /etc/cni/net.d/

# View CNI plugin binaries
ls /opt/cni/bin/

# Check Pod CIDR allocation
kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}'

# Test connectivity between Pods on different nodes
kubectl exec pod-on-node1 -- ping <pod-ip-on-node2>

Common Issues

When the CNI plugin is misconfigured or not installed, Pods stay in ContainerCreating status. The kubelet logs show errors such as "network plugin is not ready: cni config uninitialized". Always verify that the CNI DaemonSet is running on every node and that the configuration file exists in /etc/cni/net.d/.
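The checks in the Verifying Your CNI Plugin section and the failure mode described above can be scripted so they run on a node without a cluster connection. The following is an added example, not code from the page or from any CNI project; the helper names, the fixture directory layout and the log lines it builds are constructed, and the default paths are the standard /etc/cni/net.d/ and /opt/cni/bin/ locations.

```shell
#!/bin/sh
# Added example, not part of the original page: offline-testable helpers for
# the verification steps above and the ContainerCreating / "cni config
# uninitialized" failure mode. Directories default to the standard CNI
# locations; the fixture data built by make_fixture is constructed.
set -eu

# Print the plugin "type" values declared in every CNI config in a directory.
# Plain sed is enough for the flat key/value layout CNI configs use.
cni_plugin_types() {
  dir="${1:-/etc/cni/net.d}"
  cat "$dir"/*.conf "$dir"/*.conflist 2>/dev/null \
    | sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | sort -u
}

# Print plugin types for which no executable exists in the CNI bin directory:
# a config that references a missing binary leaves Pods in ContainerCreating.
missing_cni_binaries() {
  dir="${1:-/etc/cni/net.d}"
  bindir="${2:-/opt/cni/bin}"
  for t in $(cni_plugin_types "$dir"); do
    [ -x "$bindir/$t" ] || echo "$t"
  done
}

# Given the space-separated output of
#   kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}'
# print any range assigned to more than one node (breaks cross-node routing).
duplicate_pod_cidrs() {
  printf '%s\n' "$1" | tr ' ' '\n' | sort | uniq -d
}

# Count kubelet log lines carrying the CNI-not-ready signature.
cni_uninitialized_count() {
  grep -c 'cni config uninitialized' "$1" || true
}

# Build a constructed fixture: a conflist that references two plugins, a bin
# dir that only ships one of them, and a short kubelet log. Prints its path.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/net.d" "$d/bin"
  cat >"$d/net.d/10-example.conflist" <<'EOF'
{
  "name": "k8s-pod-network",
  "cniVersion": "0.3.1",
  "plugins": [
    { "type": "calico", "log_level": "info" },
    { "type": "portmap", "snat": true }
  ]
}
EOF
  printf '#!/bin/sh\n' >"$d/bin/calico" && chmod +x "$d/bin/calico"
  cat >"$d/kubelet.log" <<'EOF'
I0101 10:00:00.000001 1 kubelet.go:1000] Starting kubelet
E0101 10:00:05.000002 1 kubelet.go:2300] network plugin is not ready: cni config uninitialized
E0101 10:00:10.000003 1 kubelet.go:2300] network plugin is not ready: cni config uninitialized
EOF
  echo "$d"
}

# Run every check against the fixture and print a short report.
demo() {
  d=$(make_fixture)
  echo "plugins declared : $(cni_plugin_types "$d/net.d" | tr '\n' ' ')"
  echo "missing binaries : $(missing_cni_binaries "$d/net.d" "$d/bin" | tr '\n' ' ')"
  echo "duplicate CIDRs  : $(duplicate_pod_cidrs '10.244.0.0/24 10.244.1.0/24 10.244.1.0/24')"
  echo "cni-not-ready log: $(cni_uninitialized_count "$d/kubelet.log") lines"
  rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

`sh cni-check.sh demo` runs the checks against the constructed fixture, reporting portmap as the missing binary, 10.244.1.0/24 as the duplicated range and two CNI-not-ready log lines. On a real node, call the functions with no arguments (or with a saved kubelet log) to triage a Pod stuck in ContainerCreating.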

Why Interviewers Ask This

Interviewers want to know if you can evaluate networking solutions for production clusters and understand the trade-offs between simplicity, performance, and feature sets.

Common Follow-Up Questions

When would you choose Cilium over Calico?
When you need eBPF-based observability, transparent encryption, or advanced L7 network policies without a service mesh.
Is Flannel production-ready?
Flannel works for small clusters but lacks NetworkPolicy support natively. It is often paired with Calico (Canal) for policy enforcement.
How does the CNI plugin get installed?
Typically deployed as a DaemonSet that runs a binary on each node and drops a CNI configuration file into /etc/cni/net.d/.

Key Takeaways

  • CNI plugins are responsible for Pod IP allocation and cross-node routing
  • Calico and Cilium are the most feature-rich options for production clusters
  • Flannel is simple but lacks native NetworkPolicy support