5 exercises on Kubernetes networking — CNI plugins, kube-proxy, NetworkPolicy, and service mesh sidecars.
1 / 5
What does a CNI plugin do in Kubernetes?
CNI (Container Network Interface): when a pod is created, kubelet calls the CNI plugin to set up the network namespace, assign an IP from the cluster CIDR, and configure routing. Calico, Flannel, Cilium, and Weave are popular CNI implementations.
2 / 5
What is the role of kube-proxy?
kube-proxy: when a Service is created, kube-proxy programs packet-forwarding rules so traffic to the ClusterIP is distributed across healthy pod endpoints. Modern clusters often replace it with eBPF-based solutions like Cilium for better performance.
3 / 5
What does a NetworkPolicy resource control?
NetworkPolicy: by default, all pod-to-pod traffic is allowed. A NetworkPolicy uses label selectors to define ingress and egress rules. Without a CNI that supports NetworkPolicy (like Calico or Cilium), the policies are created but have no effect.
4 / 5
What distinguishes Cilium from traditional CNI plugins?
Cilium + eBPF: instead of iptables rules (which are slow to update at scale), Cilium attaches eBPF programs directly to network interfaces. This provides L7-aware policy, lower latency, and rich observability (Hubble) without sidecars.
5 / 5
What is a service mesh sidecar in Kubernetes?
Sidecar proxy: meshes like Istio inject an Envoy proxy container alongside every application container. All inbound and outbound traffic passes through the sidecar, which enforces mTLS, collects telemetry, and applies traffic policies transparently.