From e56a014b1845a4f0f38a98e1f97b47d715e774ae Mon Sep 17 00:00:00 2001 From: Tomas Hruby Date: Fri, 8 May 2026 12:36:08 -0700 Subject: [PATCH] Document netkit pod interfaces (tech preview) Adds a section to the eBPF "enabling" page describing how to opt the Calico CNI plugin into creating netkit L2 pairs (Linux 6.7+) instead of veth, via spec.calicoNetwork.linuxPodInterfaceType=Netkit on the operator's Installation. Notes the BPF_NETKIT_PRIMARY perf benefit, the 6.7 kernel prerequisite (with silent veth fallback on older kernels), and the asymmetric revert behavior (existing netkit interfaces stay, but eBPF treats them as veth via TC/TCX). Co-Authored-By: Claude Opus 4.7 (1M context) --- calico/operations/ebpf/enabling-ebpf.mdx | 41 ++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/calico/operations/ebpf/enabling-ebpf.mdx b/calico/operations/ebpf/enabling-ebpf.mdx index 0a1eb6facb..cc7400e262 100644 --- a/calico/operations/ebpf/enabling-ebpf.mdx +++ b/calico/operations/ebpf/enabling-ebpf.mdx 
@@ -420,6 +420,47 @@ calicoctl patch felixconfiguration default --patch='{"spec": {"bpfExternalServic Switching external traffic mode can disrupt in-progress connections. +## Use netkit pod interfaces (tech preview) + +:::note + +This feature is tech preview. Tech preview features may be subject to significant changes before they become GA. + +::: + +By default, the Calico CNI plugin creates a veth pair for each pod's network interface. +On Linux 6.7 and later, you can opt the CNI plugin into creating a [netkit](https://docs.kernel.org/networking/netkit.html) L2 pair instead. +With netkit, the eBPF data plane attaches its policy and forwarding programs via `BPF_NETKIT_PRIMARY` inside `ndo_start_xmit()`, which improves throughput and tail latency under contention compared to attaching via TC/TCX on a veth. + +Netkit is recommended for the eBPF data plane. +For the iptables and nftables data planes it is functionally equivalent to veth. + +***Prerequisites*** + +* Kernel 6.7 or later on every node where you want netkit interfaces. + Older kernels silently fall back to veth, so it is safe to set the field on heterogeneous clusters — but only nodes on a 6.7+ kernel will see the performance benefit. +* You are using the Calico CNI plugin (`spec.cni.type: Calico`). + +***Procedure*** + +Set `spec.calicoNetwork.linuxPodInterfaceType` to `Netkit` on the operator's `Installation` resource: + +```bash +kubectl patch installation.operator.tigera.io default --type merge -p '{"spec":{"calicoNetwork":{"linuxPodInterfaceType":"Netkit"}}}' +``` + +The operator updates the CNI configuration on each node. +Existing pods keep their veth interfaces; new pods (and pods that are restarted) get netkit interfaces on nodes that support them. 
+ +To revert to veth, set the field back to `Veth` (or remove it): + +```bash +kubectl patch installation.operator.tigera.io default --type merge -p '{"spec":{"calicoNetwork":{"linuxPodInterfaceType":"Veth"}}}' +``` + +Existing pods keep their netkit interfaces, but the eBPF data plane treats those as veth (programs attach via TC/TCX, the same path used for actual veth interfaces). +Only newly created pods get veth interfaces. + ## Reversing the process To revert to standard Linux networking:
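Review bot: The Prerequisites bullet says older kernels "silently fall back to veth", but neither Prerequisites nor Procedure tells the reader how to confirm which interface type a pod actually received. On a heterogeneous cluster the `Installation` field reads `Netkit` everywhere, while some nodes still attach programs via TC/TCX rather than `BPF_NETKIT_PRIMARY`. Suggest adding a short verification step after the first `kubectl patch` command (for example, checking the link type of the pod's host-side interface with `ip -d link show`) and stating whether the fallback is logged or reported anywhere. Two smaller points in the revert text: "(or remove it)" has no accompanying command, and with `--type merge` a field is only removed by patching it to `null`, so either show that form or drop the parenthetical. Also, "Only newly created pods get veth interfaces" should use the same wording as the earlier "new pods (and pods that are restarted)", so readers do not infer that restarted pods behave differently on revert. Finally, "Netkit is recommended for the eBPF data plane" sits directly under the tech preview note; a qualifier on the recommendation would keep the two from reading as contradictory.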