Comparing iptables and IPVS
kube-proxy is a key component of a Kubernetes cluster. It is used for load balancing and forwarding data between a Service and its backend pods.
CCE supports the iptables and IP Virtual Server (IPVS) forwarding modes.
Feature Difference |
iptables |
IPVS |
---|---|---|
Positioning |
iptables is a mature and stable kube-proxy mode, but its performance is average. It applies to scenarios where the number of services is small (less than 1000) or there are a large number of short concurrent connections on the client. For details, see iptables. |
IPVS is a high-performance kube-proxy mode. It applies to scenarios where the cluster scale is large or the number of Services is large. For details, see IPVS. |
Throughput |
Relatively low |
Relatively high |
Complexity |
O(n). n increases with the number of Services and backend pods in the cluster. |
O(1). In most cases, the connection processing efficiency is irrelevant to the cluster scale. |
Load balancing algorithm |
iptables has only one algorithm for random selection. |
IPVS involves multiple load balancing algorithms, such as round-robin, shortest expected delay, least connections, and various hashing methods. |
ClusterIP connectivity |
The internal IP address in the cluster cannot be pinged. |
The internal IP address in the cluster can be pinged.
NOTE:
The cluster IP address in clusters of v1.27 or later cannot be pinged due to security hardening. |
Additional restrictions |
When there are more than 1000 Services in the cluster, network delay may occur. |
|
iptables
iptables is a Linux kernel function for processing and filtering a large amount of data packets. It allows flexible sequences of rules to be attached to various hooks in the packet processing pipeline. When iptables is used, kube-proxy implements NAT and load balancing in the NAT pre-routing hook. For each Service, kube-proxy installs an iptables rule which captures the traffic destined for the Service's ClusterIP and ports and redirects the traffic to one of the backend pods. By default, iptables randomly selects a backend pod. For details, see iptables proxy mode.
IPVS
IPVS is constructed on top of Netfilter and balances transport-layer loads as part of the Linux kernel. IPVS can direct requests for TCP- or UDP-based services to the real servers, and make services of the real servers appear as virtual services on a single IP address.
In the IPVS mode, kube-proxy uses IPVS load balancing instead of iptables. IPVS is designed to balance loads for a large number of Services. It has a set of optimized APIs and uses optimized search algorithms instead of simply searching for rules from a list. For details, see IPVS proxy mode.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot