41 changes: 41 additions & 0 deletions calico/operations/ebpf/enabling-ebpf.mdx
@@ -420,6 +420,47 @@

Switching external traffic mode can disrupt in-progress connections.

## Use netkit pod interfaces (tech preview)

Check failure on line 423 in calico/operations/ebpf/enabling-ebpf.mdx

GitHub Actions / runner / vale

[vale] reported by reviewdog 🐶 [Vale.Spelling] Did you really mean 'netkit'? Raw Output: {"message": "[Vale.Spelling] Did you really mean 'netkit'?", "location": {"path": "calico/operations/ebpf/enabling-ebpf.mdx", "range": {"start": {"line": 423, "column": 8}}}, "severity": "ERROR"}

:::note

This feature is tech preview. Tech preview features may be subject to significant changes before they become GA.

:::

By default, the Calico CNI plugin creates a veth pair for each pod's network interface.
On Linux 6.7 and later, you can opt the CNI plugin into creating a [netkit](https://docs.kernel.org/networking/netkit.html) L2 pair instead.

With netkit, the eBPF data plane attaches its policy and forwarding programs via `BPF_NETKIT_PRIMARY` inside `ndo_start_xmit()`, which improves throughput and tail latency under contention compared to attaching via TC/TCX on a veth.


Netkit is recommended for the eBPF data plane.

For the iptables and nftables data planes it is functionally equivalent to veth.

***Prerequisites***

* Kernel 6.7 or later on every node where you want netkit interfaces.

Older kernels silently fall back to veth, so it is safe to set the field on heterogeneous clusters — but only nodes on a 6.7+ kernel will see the performance benefit.
* You are using the Calico CNI plugin (`spec.cni.type: Calico`).

***Procedure***

Set `spec.calicoNetwork.linuxPodInterfaceType` to `Netkit` on the operator's `Installation` resource:

```bash
kubectl patch installation.operator.tigera.io default --type merge -p '{"spec":{"calicoNetwork":{"linuxPodInterfaceType":"Netkit"}}}'
```

The operator updates the CNI configuration on each node.
Existing pods keep their veth interfaces; new pods (and pods that are restarted) get netkit interfaces on nodes that support them.


To revert to veth, set the field back to `Veth` (or remove it):

```bash
kubectl patch installation.operator.tigera.io default --type merge -p '{"spec":{"calicoNetwork":{"linuxPodInterfaceType":"Veth"}}}'
```

Existing pods keep their netkit interfaces, but the eBPF data plane treats those as veth (programs attach via TC/TCX, the same path used for actual veth interfaces).

Only newly created pods get veth interfaces.

## Reversing the process

To revert to standard Linux networking:
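
Review bot: The prerequisites bullet says older kernels silently fall back to veth, yet the procedure never shows how to confirm which interface type a pod actually received, so on a heterogeneous cluster an operator cannot tell whether a given workload is on the `BPF_NETKIT_PRIMARY` attach path or on TC/TCX. Add a verification step after the first `kubectl patch` (for example, checking the link kind of a new pod's interface on a 6.7+ node) and say whether the fallback is reported anywhere. The two paragraphs about existing pods also disagree: enabling says "new pods (and pods that are restarted)" pick up the new type, while reverting says "Only newly created pods get veth interfaces"; use the same wording in both, and state whether policy enforcement is identical while netkit and veth pods coexist on a node. The revert text offers "(or remove it)" as an alternative, but only the `Veth` patch is shown. Finally, Vale flags 'netkit' as a spelling error on the added lines, so the term needs to be added to the accepted vocabulary before the check can pass.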