---
title: "Unleashing the tides of kubernetes networking by removing kube-proxy"
weight: 6
tags:
  - rejekts
  - isovalent
  - cilium
---

{{% button href="https://github.com/ttarczynski/cilium-kpr-demo" style="info" icon="code" %}}Code/Demo{{% /button %}}

A talk by Isovalent (now part of Cisco - god I love that they have to say this every time). It's a good baseline introduction to how Kubernetes service routing works but also a bit dry (in terms of the presentation itself). I skipped the introduction to Cilium in these notes. The docs exist for a reason.

## Kubernetes Services - a baseline

- East-West: ClusterIP -> app-to-app inside the cluster
- North-South: NodePort -> external client to app in the cluster

## Kube-Proxy - IPTables Mode

- IPTables: traffic flows through different tables/chains - most importantly the NAT table
- Every node has its own kube-proxy next to the kubelet
- ClusterIP: scales to a huge number of rules when exposing multiple services
- NodePort: masquerades sources if routing cross-node (source IP is lost)

TODO: Steal iptables visualizer
TODO: Steal lifecycle of a packet ClusterIP
TODO: Steal lifecycle of a packet NodePort

## Kube-Proxy free

- Cilium deploys one agent pod per node that handles management of eBPF on the kernel
- ClusterIP: load balancing happens on the socket level
- NodePort: also does SNAT
- Adds Hubble for observability
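How the kube-proxy-free setup from the last section maps onto Cilium's Helm values, as an added example (not from the talk or the linked demo repo). It assumes the cluster was bootstrapped without kube-proxy and that the API server address placeholder is replaced with a real one.

```yaml
# values.yaml for a kube-proxy-free Cilium install. Added example, not the
# talk's or the demo repo's own config. Assumes kube-proxy is absent from the
# cluster (no DaemonSet) and that the placeholder below gets a real address.

# Take over service handling from kube-proxy. Without kube-proxy the agent
# cannot reach the API server through the "kubernetes" ClusterIP, so the
# real endpoint has to be given explicitly.
kubeProxyReplacement: true
k8sServiceHost: API_SERVER_IP_PLACEHOLDER   # control-plane address (assumption)
k8sServicePort: 6443

# ClusterIP: socket-level load balancing. The backend is picked when the
# pod calls connect()/sendmsg(), before a packet is built, so no per-service
# NAT rule chain has to grow with the number of services.
socketLB:
  enabled: true

# NodePort: "snat" keeps the masquerading behaviour from the talk, i.e. the
# client source IP is replaced on cross-node forwarding, so node IPs, not
# client IPs, show up in backend logs. "dsr" and "hybrid" exist to preserve
# the client source IP and have their own network requirements.
loadBalancer:
  mode: snat

# Do the masquerading in eBPF rather than in iptables.
bpf:
  masquerade: true

# Hubble for observability of the service traffic described above.
hubble:
  enabled: true
  relay:
    enabled: true
  ui:
    enabled: true
```

Install with `helm install cilium cilium/cilium -n kube-system -f values.yaml`; the agent's status output (`cilium status --verbose` inside an agent pod, `cilium-dbg status` in newer releases) then reports `KubeProxyReplacement: True`.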