Calico was designed from the ground up with a pluggable dataplane architecture. The Calico 3.13 release introduced an exciting new eBPF (extended Berkeley Packet Filter) dataplane targeted at those ready to adopt newer kernel versions and wanting to push the Linux kernel’s latest networking capabilities to the limit. In addition to improved throughput and latency performance compared to the standard Linux networking data plane, Calico’s eBPF data plane also includes native support for Kubernetes services without the need to run kube-proxy. One of the ways Calico’s eBPF dataplane realizes these improvements is through source IP preservation and Direct Server Return (DSR)

Kube-proxy and Source IP

The application of Network Address Translation (NAT) by kube-proxy to incoming network connections to Kubernetes services (e.g. via a service node port) is a frequently encountered friction point with Kubernetes networking. NAT has the unfortunate side effect of removing the original client source IP address from incoming traffic. When this occurs, Kubernetes network policies can’t restrict incoming traffic from specific external clients. By the time the traffic reaches the pod it no longer has the original client IP address. For some applications, knowing the source IP address is desirable or required. For example, performing geo-location based on source address.

Calico and Direct Server Return

Calico’s eBPF dataplane makes several changes to this model. The most significant difference is in swapping out the Kubernetes kube-proxy with native service handling. This eliminates the need for SNAT. Because only DNAT is applied, the source IP address is preserved on the request. The response from the pod has a reverse DNAT applied by the eBPF program, at which point the response can be returned directly to the client, a method known as Direct Server Return.

Calico is keeping the standard Linux data plane, and that will continue to be the right choice for many. But when you’re ready to adopt the latest Linux kernels, Calico’s eBPF data plane will be ready for you.

For further exploration…

It’s relatively easy to try both of these configurations out and directly compare the differences between the two modes of operation. Would you like to explore some of these differences with a simple installation you can try out in your own cloud or virtual environment?

Check out this blog, which provides a more detailed description of DSR, as well as instructions on how to demonstrate the differences between the eBPF and standard kube-proxy models.

Free Online Training
Access Live and On-Demand Kubernetes Training

Calico Enterprise – Free Trial
Network Security, Monitoring, and Troubleshooting
For Microservices Running on Kubernetes

Introducing industry first SaaS solution for Kubernetes Security and Observability.

Subscribe to our newsletter

Get updates on webinars, blog posts, new releases and more!

Thanks for signing up. You must confirm your email address before we can send you. Please check your email and follow the instructions.


📣 Read our new O'Reilly eBook on Kubernetes Security and ObservabilityLearn more >>>