What is CNI (Container Network Interface)?

The Container Network Interface (CNI) is a specification and a set of libraries for designing plugins used to configure network interfaces in Linux containers. It’s a project under the Cloud Native Computing Foundation . Technically, a CNI is a framework responsible for dynamically configuring the container’s networking resources and making necessary changes on the host. It assigns an IP address to the interface and sets up the routes consistent with the IP Address Management by invoking the appropriate IP Address Management (IPAM) plugin.

In terms of Kubernetes, the CNI comes along with a plugin from a third party.

The list that we are going to discuss in this article is as follows:

• Cilium
• Calico
• Weave
• Flannel

Role in Kubernetes

Networking Facilitation

• CNIs are crucial for enabling communication between containers in a Kubernetes cluster.
• CNI seamlessly integrates with the kubelet to allow automatic network configuration between pods using an underlay or overlay network. The underlay network is defined at the physical level and consists of routers and switches. The overlay network uses a virtual interface to encapsulate network traffic such as Virtual Extensible LAN.

Operational Mechanism

• IP Address Management: When a pod is created or deleted, the CNI assigns or releases an IP address to its network interface, playing a critical role in managing the network namespace of pods.
• Traffic Routing: CNIs also handle the routing of network traffic to and from these IP addresses, ensuring that the data reaches its intended destination within the cluster.

Importance in Kubernetes

• Application Communication: Effective CNI implementation is vital for the performance of applications running on Kubernetes, as it directly impacts how efficiently they can communicate.

Selection Criteria

• Choosing the right CNI involves considering factors like network performance, security features, scalability, ease of use, and compatibility with specific Kubernetes environments.

CNI approaches

Advanced Networking and Security (eBPF-based)

This approach, used by Cilium, focuses on providing advanced networking capabilities, security, and fine-grained policy control, leveraging modern technologies like eBPF.

Simplicity and Compatibility

This approach, exemplified by Flannel and Weave, focuses on ease of setup and broad compatibility, prioritising simplicity over advanced features.

Hybrid Approach

Canal represents a hybrid approach, combining the simplicity of Flannel’s networking with the advanced security and policy features of Calico. The Canal CNI is not supported for Kubernetes 1.28 or later. Hence this approach will not be discussed further

Comparative Overview of CNIs

Cilium

• Technology: Utilises eBPF for networking, observability, and security.
• Features: Advanced security with transparent encryption, fine-grained policy enforcement, and application-aware networking.
• Best For: High-performance requirements and environments needing advanced security and policy management.

Calico

• Technology: Primarily uses standard Linux networking and routing capabilities.
• Features: Offers rich network policy enforcement, high performance, and scalability.
• Best For: Environments requiring robust network security policies and those integrating with legacy systems.

Weave

• Technology: Creates a virtual network that connects Docker containers across multiple hosts.
• Features: Simple to set up, offers network encryption, and does not require an external database.
• Best For: Smaller clusters or scenarios where ease of setup and use is a priority.

Flannel

• Technology: Provides a simple overlay network for Kubernetes.
• Features: Easy to use, with a focus on networking simplicity rather than advanced features.
• Best For: Basic networking needs, particularly in smaller or less complex environments.

CNI chaining

CNI chaining is a powerful concept in Kubernetes networking, allowing for the sequential application of multiple Container Network Interfaces (CNIs) within the same cluster. This process involves configuring a series of CNIs to work in tandem, each handling specific aspects of the network setup. The advantage of CNI chaining is its flexibility; it lets administrators combine the strengths of different networking solutions to meet complex requirements. For instance, one CNI could manage IP address allocation and basic networking, while another adds layers of security or specialised routing capabilities. The chaining is typically managed by the Kubelet, which selects CNI configurations based on their order in the /etc/cni/net.d directory. This lexicographic ordering ensures a predictable and consistent application of CNIs across the cluster. CNI chaining is particularly useful in heterogeneous environments where diverse networking needs must be met, offering a customizable approach to handle various network functionalities efficiently and securely.

Use Cases

CNI chaining in Kubernetes offers versatile solutions for various scenarios, catering to complex networking requirements. Here are some practical use cases for CNI chaining:

Enhanced Security Over Basic Networking

Use a primary CNI for basic networking functionalities like IP address allocation and routing, followed by a secondary CNI that specialises in network security features like encryption, firewalling, or intrusion detection systems.

Performance Optimization

Combine a high-performance CNI that focuses on fast packet processing with another CNI that provides advanced monitoring and observability features. This setup can optimise network performance while still providing detailed network insights.

Multi-Tenancy Environments

In clusters hosting multiple tenants, one CNI can manage network isolation between tenants, while another handles more general networking tasks. This approach ensures both efficient network operation and strong tenant isolation.

Edge and IoT Deployments

For edge computing or IoT scenarios, use a lightweight CNI for basic connectivity and add another CNI that provides more robust network policies or mesh networking capabilities, adapting to the constrained resources and unique requirements of edge devices.

Hybrid Cloud and Cross-Cloud Networking

Deploy a CNI for handling in-cluster networking and another for managing secure connections to public cloud services or other Kubernetes clusters. This setup is ideal for hybrid or multi-cloud environments.

Custom Networking Requirements

Some workloads might require specialised networking features not available in a single CNI. Chaining allows for combining CNIs, each offering different parts of the required networking stack.

Network Policy Enforcement and Traffic Shaping

Use one CNI for basic network connectivity and another for sophisticated traffic shaping and network policy enforcement, providing granular control over how traffic flows through the cluster.

Service Mesh Integration

Combine a simple, efficient CNI for basic pod networking with a service mesh-focused CNI for advanced traffic management, load balancing, and service-to-service communication within the cluster.

Legacy Integration

In environments transitioning from legacy infrastructure, CNI chaining can be used to integrate newer networking solutions while maintaining compatibility with existing setups.

High Availability and Failover Scenarios

Implement CNI chaining with one CNI handling the standard networking flow and another configured for backup or failover purposes, enhancing the network’s resilience.

CECG applications

At CECG, we have successfully implemented a sophisticated approach in Kubernetes networking for one of our clients by integrating the AWS CNI with Cilium using CNI chaining, creating a robust and efficient infrastructure tailored to their specific needs.

Expanding on the integration of AWS CNI and Cilium in a Kubernetes environment through CNI chaining, we can delve deeper into how this setup leverages the strengths of both CNIs for a comprehensive networking solution:

In the evolving landscape of Kubernetes networking, the combination of AWS CNI and Cilium through CNI chaining stands out as a testament to the flexibility and power of modern network architectures. This innovative approach harnesses AWS CNI for its core networking functionalities, including device plumbing, IP Address Management (IPAM), and efficient routing.

By integrating seamlessly with AWS’s infrastructure, AWS CNI ensures optimised performance, leveraging AWS’s VPC for direct networking capabilities, which is crucial for large-scale, cloud-based Kubernetes deployments. Beyond the foundational networking layer provided by AWS CNI, the integration of Cilium brings an additional layer of sophistication, particularly in network policy enforcement. Cilium’s usage of eBPF technology allows for a high degree of visibility and control over network traffic, enabling administrators to enforce complex network policies with precision and agility. These policies are not just limited to traditional Layer 4 (IP/Port) networking rules but extend to Layer 7 (application-level) policies, allowing for fine-grained control over how different services within a Kubernetes cluster communicate and interact.

The concept of CNI chaining here is pivotal. It allows both CNIs to operate in concert, each handling specific aspects of the network stack. The chaining process is orchestrated by Kubernetes, which sequentially applies the CNIs according to their specified order. Initially, AWS CNI sets up the primary networking interface for a pod, allocating an IP address and establishing the route. Once this foundational layer is established, control is passed to Cilium, which then applies its set of advanced network policies, adding an additional security layer without disrupting the underlying network setup provided by AWS CNI.

This layered approach offers numerous benefits. It ensures that the network performance and scalability are handled effectively by AWS CNI, which is tailor-made for the AWS environment, while Cilium brings robust security and policy enforcement capabilities. Such a setup is particularly beneficial in environments where there is a need for both cloud-specific network optimizations and advanced security requirements, like in financial services, healthcare, or e-commerce sectors.

Furthermore, this CNI chaining strategy exemplifies the adaptability of Kubernetes networking, showing how different CNIs can be combined to meet specific requirements of diverse and complex deployment scenarios. It underscores the potential for Kubernetes in cloud-native environments, where flexibility, security, and performance are paramount.

Conclusion

In conclusion, the comparative analysis of various Container Network Interfaces (CNIs) in Kubernetes, including innovative combinations like AWS CNI with Cilium, highlights the diverse and dynamic nature of container networking. This exploration underscores the importance of choosing the right CNI based on specific needs, whether it’s for enhanced security, improved performance, or operational simplicity.

Each CNI, from the advanced capabilities of Cilium to the straightforward functionality of Flannel, serves distinct purposes and caters to different environments. The concept of CNI chaining, particularly the AWS CNI and Cilium combination, exemplifies the flexibility and adaptability necessary in modern Kubernetes deployments.

As organisations continue to navigate the complexities of cloud-native networking, the insights gleaned from this comparison will be invaluable in guiding them towards making informed decisions that align with their unique infrastructure requirements and strategic goals.