Kubernetes CNI plugins explained: Choosing the right network plugin
Learn how Kubernetes CNI plugins work and which one to choose. Covers Cilium, Calico, and Flannel with a comparison table covering performance, NetworkPolicy support, and ease of install.
2 lessons · 9 min · Advanced
Written by
Marketing Team at Civo
Written by
Marketing Team at Civo
Kubernetes defines a networking model but does not implement it. It leaves the actual implementation to Container Network Interface (CNI) plugins. The CNI project, hosted under the CNCF, combines various network technologies and produces a set of plugins that can be switched in and out of Kubernetes clusters through the kubelet to offer different features and capabilities.
CNI plugins are a requirement for inter-node networking. Without one, pods on different nodes cannot communicate at all. They handle two core responsibilities: IP address management (IPAM), assigning IP addresses to pods, and packet routing, ensuring packets can travel between pods on different nodes.
For a deeper comparison of Cilium, Calico, and Flannel on Civo, see the Comparing networking solutions for Kubernetes blog.
CNI comparison
Cilium uses eBPF to implement networking directly at the Linux kernel level, bypassing iptables entirely. This gives better performance, lower latency, and richer observability. Cilium goes beyond standard Kubernetes NetworkPolicy by introducing CiliumNetworkPolicies, which support application-level filtering for protocols like HTTP, gRPC, and Kafka. It also integrates with Hubble, a network observability platform that provides visibility into network flows and security events. Cilium is a CNCF graduated project and the best choice for new clusters where performance, security, and observability are priorities.
Calico provides a purely IP-based networking solution without NAT within the cluster. It supports Kubernetes NetworkPolicy and adds its own Calico network policies for more granular control. Calico uses iptables by default with an optional eBPF mode for better performance. It is the most widely deployed CNI in production clusters and a well-tested, reliable choice for most workloads.
Flannel is the simplest CNI to set up and is Civo's default for k3s clusters. It creates a flat overlay network and requires minimal configuration. The trade-off is that Flannel does not support NetworkPolicy natively. If you need to control pod-to-pod traffic with NetworkPolicy rules you need a different CNI.
How Flannel works under the hood
For readers who want to understand the implementation detail, here is how Flannel routes packets between nodes.
Flannel creates a virtual overlay network with a large address range (typically a /16) on top of your existing VPC or physical network. Within that overlay, each node gets a smaller subnet (typically a /24). This gives Flannel three layers of IP addressing: the VPC level, the cluster overlay level, and the per-node level. The per-node subnet assignment is how Flannel maps which IP ranges live on which nodes.
The packet journey
When a pod sends a packet to another pod on a different node, the following sequence happens:
- The packet leaves the pod through its veth pair and crosses the network namespace
- It reaches the L3 Linux bridge on the node
- The bridge forwards it to
flannel0, which is a TUN device that simulates a network layer device flannel0operates by sending bidirectional packets between user space and the kernel- The
flannelddaemon intercepts the packet and queries etcd to find the subnet range of the target host, resolving it to the underlying node IP on the VPC flanneldsends the packet via UDP to the destination node- The
flannelddaemon on the destination node receives it and passes it back down through the flannel0 tunnel into the kernel - The kernel routes it to the local bridge, up through the veth pair, across the network namespace, and into the target pod
This architecture works reliably but carries a performance cost. Every packet crossing nodes must pass between user space and kernel space twice, once on the source node and once on the destination. This is the main reason Cilium and Calico outperform Flannel on high-throughput workloads.
CNI on Civo
On Civo managed Kubernetes clusters, Flannel is installed by default. For most workloads this is sufficient. If you need NetworkPolicy support or higher networking performance, you can select Calico or Cilium as your CNI when creating your cluster via the dashboard or the Civo CLI.

Marketing Team at Civo
Civo is the Sovereign Cloud and AI platform designed to help developers and enterprises build without limits. We bridge the gap between the openness of the public cloud and the rigorous security of private environments, delivering full cloud parity across every deployment. As a team, we are dedicated to providing scalable compute, lightning-fast Kubernetes, and managed services that are ready in minutes. Through CivoStack Enterprise and our FlexCore appliance, we empower organizations to maintain total data sovereignty on their own hardware.
Our mission is to make the cloud faster, simpler, and fairer. By providing enterprise-grade NVIDIA GPUs and streamlined model management, we ensure that high-performance AI and machine learning are accessible to everyone. Built for transparency and performance, the Civo Team is here to give you total control over your infrastructure, your data, and your spend.
Share this lesson
Nice work, you finished Kubernetes Networking: How pods, services and nodes communicate.
Your next step is up to you - keep building on what you've learned, or put it into practice on Civo.
Next Course
Kubernetes Services: Exposing your Applications Inside and Outside the Cluster
4 lessons · 11 min
Learn how Kubernetes Services work and which type to use. Covers ClusterIP, NodePort, LoadBalancer and Headless Services with working examples and a decision guide.
Put it into practice
Spin up your first cluster on Civo
Get $250 free credit and launch a production-ready Kubernetes cluster in under 90 seconds.