By now, Isovalent Networking for Kubernetes, powered by Cilium, is widely recognized as the go-to CNI for Kubernetes. Yet, Kubernetes has been around long enough that many of its original components still feel like “comfort food” to platform owners; chief among them is kube-proxy, a staple in every cluster. Even though eBPF and Cilium have demonstrated huge gains in performance and flexibility, many teams continue to rely on kube-proxy simply because it “just works.”
But as your cluster grows, or as you need more fine-grained control and better performance, kube-proxy’s drawbacks become glaring. It relies on iptables or IPVS, which can struggle as workloads change and grow. If you’ve encountered the complexity of managing massive iptables rules or the performance overhead that comes with them, you know exactly what we mean. Despite this, we still see clusters, small and large, that hold onto kube-proxy even while using Cilium. In this post, we’ll dive into why it’s time to “remove the chains of kube-proxy” entirely and how Cilium’s eBPF-based approach can transform your Kubernetes networking.
What are the downsides of Kube-Proxy?
You’re probably here because you’ve already hit some pain points with kube-proxy. To recap those succinctly:
- Performance Penalties: Kube-proxy typically uses iptables or IPVS. In large or dynamically scaling environments, you end up with massive rule sets or complicated load-balancing configurations. This overhead can noticeably degrade networking performance.
- Operational Overhead: Debugging iptables or IPVS rules can be time-consuming, even though iptables theoretically allows listing all rules and using log actions for troubleshooting. In fast-moving production clusters, however, these manually managed rules can quickly become unmanageable, leading to long resolution times when something goes wrong.
- Inefficient Load Balancing: Traditional kube-proxy solutions don’t provide the same direct in-kernel load balancing that eBPF-based solutions like Cilium do. This gap becomes more pronounced as traffic scales up.
In one of our earlier write-up’s looking at how eBPF can replace IPTables, we included performance testing, which is highlighted below.
This benchmark results table measures latency for the following TCP connect/request/response (CRR): open a TCP connection, send a payload, return the payload, and close the connection. The results are that eBPF significantly outperformed kube-proxy in iptables mode, with this becoming clear as services scale. Furthermore, eBPF outperformed kube-proxy in IPVS mode.
The bottom line: while kube-proxy was a solid “default” in Kubernetes’ early days, many of you are well past the point where it’s still serving you efficiently.
Why Completely Remove Kube-Proxy?
If Cilium is already deployed, you may be wondering why you need to go the extra mile and remove kube-proxy altogether. Here’s why:
- Eliminate Redundancy: Running both kube-proxy and Cilium can be unnecessary duplication. If Cilium already handles Service routing and policy enforcement via eBPF, kube-proxy mostly just adds overhead.
- Simplify Troubleshooting: With kube-proxy out of the picture, you don’t have to sift through iptables or IPVS rules. Any networking issues are confined to Cilium’s eBPF-based logic, which is often easier to trace and debug.
- Achieve the Full Cilium Experience: Some advanced Cilium features work best when it’s in full control of packet forwarding. Removing kube-proxy ensures you can leverage those capabilities, like eBPF-based load balancing, in-depth observability, and more dynamic policy enforcement, without interference.
Let’s examine how Isovalent Networking for Kubernetes, Powered by Cilium and eBPF helps to address these pain points in practice.
Demystifying eBPF and Cilium
What is eBPF?
eBPF is like having a programmable microkernel inside the Linux kernel. Instead of creating static rules or chaining multiple layers, eBPF lets you attach custom programs to events within the kernel, network packets, function calls, system calls, etc. This means you can apply logic (like load balancing or policy enforcement) precisely where it’s needed.
Cilium’s Architecture
Cilium builds on eBPF, handling everything from Kubernetes Network Policies to Service load balancing in the kernel itself. That translates to:
- Lower latency: Fewer context switches.
- Better performance: No monstrous iptables chain to parse.
- Rich observability: eBPF hooks can gather in-kernel metrics for real-time insights.
Real-World Use Cases and Success Stories
Small to Medium Clusters
Even at modest scales, adopting Cilium simplifies Kubernetes networking operations and accelerates troubleshooting:
- Reduced Complexity: Cilium’s eBPF data path removes reliance on massive iptables rules, cutting down on rule management overhead.
- Faster Development Cycles: By unifying load balancing, policy enforcement, and network observability into one tool, smaller teams can iterate quicker without juggling multiple components.
- Easy Growth: Starting small with modern tooling ensures you won’t need a major architectural overhaul as traffic, microservices, or cluster sizes increase.
Large-Scale or High-Throughput Clusters
Organizations running hundreds or thousands of nodes, often with high volumes of microservices and large data flows, typically experience a more pronounced performance gap when relying on kube-proxy:
- High Performance Under Load: Cilium’s in-kernel packet processing and efficient use of eBPF hash tables, as opposed to the linear rule-matching overhead of iptables. Leading to performance gains.
- Scalable Observability: Tools like Hubble (Cilium’s observability layer) help track and debug massive numbers of services and connections in real time.
- Enterprise-Level Adoption: From big tech to financial services, many large Kubernetes deployments, like Adobe, S&P Global, Confluent and various cloud providers, have used Cilium to address latency, throughput, and security at scale.
AI-Driven Workloads
As the rise of AI and Large Language Models (LLMs) drives unprecedented demand on infrastructure, Cilium helps teams cope with the heavy I/O, security, and performance pressures these workloads create. While GPU-based computations remain the realm of specialized hardware and libraries, Cilium ensures all surrounding traffic flows (from inter-service communications to API requests) run at peak efficiency and minimal latency::
- High-Bandwidth + Low-Latency: GPU-intensive environments or HPC-like setups, common in training and serving AI models, benefit from Cilium’s eBPF-based data path and optional XDP (eXpress Data Path) to achieve near-line-rate performance.
- Robust Security: Sensitive model data (and the IP behind them) can be protected with features like transparent encryption, advanced network policies, and mutual TLS enforcement. This is crucial for both “AI publishers” (building models) and “AI consumers” (calling AI APIs) secure against unauthorized access or data exfiltration.
- API-Centric Controls: AI workloads often involve microservices exchanging data with external APIs (e.g., ChatGPT, Bard, or internal inference services). Cilium’s L7-aware policies let you govern which specific API endpoints or domain names your workloads can call, particularly helpful when controlling or auditing calls to external AI services.
Focusing on Cilium’s unique feature set and capabilities, enabling BIG TCP in Cilium can yield a 42% improvement in Transactions per Second (TPS) under certain high-throughput conditions compared to standard TCP packet sizes. (Read more about BIG TCP in this LWN article). By optimizing network performance for data-intensive operations, Cilium ensures that even non-GPU traffic in AI pipelines can run smoothly at scale.
Are you worried about your network being under pressure from the addition of AI workloads? Read our article covering why many of the leading artificial intelligence platforms and services rely on Cilium to provide high-scale network performance and security for their cloud native applications.
Heavily Regulated or Mission-Critical Environments
Industries such as finance, healthcare, and government often have strict compliance standards that demand hardened security and bulletproof reliability:
- Zero-Trust Networking: Cilium’s identity-aware security model allows fine-grained authentication and network policy enforcement, making it easier to meet SOC 2, ISO 27001, PCI-DSS or other regulatory requirements. (Read our Case Study with Schuberg Philis)
- Seamless Encryption: Features like IPsec or WireGuard encryption at the node or pod level protect sensitive data in transit, vital for organizations handling payment or personal health information.
- Operational Confidence: As seen with financial institutions like PostFinance or S&P Global, deploying Isovalent Networking for Kubernetes, the hardened Cilium enterprise-tested offering provides 24/7 support, ensuring minimal downtime for critical banking, trading, or insurance workloads.
Using kube-proxy, and with our clusters growing, it was becoming a challenge to simply start a pod. It took several seconds, and up to a minute, for a pod to gain connectivity or for services to map to a pod, massively impacting the scalability of our platform.
Clément Nussbaumer, Systems Engineer, PostFinance
Beyond Performance: Additional Benefits of Cilium
Cilium doesn’t just solve the performance and scalability challenges posed by kube-proxy; it also delivers a host of features that streamline operations, enhance security, and future-proof your Kubernetes environment. While eBPF serves as the powerful engine under the hood, it’s Cilium’s toolset and community that bring these capabilities to life.
Enhanced Security
- Granular Network Policies
Cilium implements Kubernetes Network Policies at the kernel level, providing L3–L7 filtering without the overhead of iptables. This allows for more precise traffic control and reduces attack surfaces within your clusters. - Encryption and Zero-Trust
Cilium supports transparent encryption of pod traffic, helping you build a zero-trust environment. This mitigates risks even if an attacker gains access to the underlying network.
Deep Observability and Troubleshooting
- Hubble Integration
Cilium’s Hubble observability platform offers real-time network insights, service dependency graphs, and flow logs, all within a user-friendly interface—dramatically reducing the time spent troubleshooting. While it’s theoretically possible to troubleshoot iptables by listing every rule or setting log actions, that approach grows unwieldy in large, dynamic clusters. Hubble, on the other hand, automatically captures and visualizes network flows in real time, helping you pinpoint issues faster than manual rule-parsing ever could and providing richer, more actionable data for root-cause analysis. - Unified Metrics and Tracing
With Cilium, you have a single source for collecting and aggregating network metrics. The result? A more complete picture of your cluster’s health, so you can troubleshoot and optimize performance without juggling multiple tools.
Simplified Operations
- No More iptables Bloat
By removing kube-proxy’s reliance on iptables, Cilium takes over packet routing with in-kernel logic, vastly reducing the complexity and clutter of chain-based rules. - Single Networking Stack
Cilium handles service discovery, load balancing, and policy enforcement in one place, you eliminate overlapping components, leading to fewer integration headaches.
Future-Proofing Your Clusters
- Rapid Innovation
Cilium is backed by a vibrant open-source community that keeps pace with evolving Kubernetes features, new security standards, and performance optimizations. - Extensibility and Flexibility
Cilium’s design lets you plug in advanced features or integrate with service meshes, making your environment adaptable to future architectural changes without another big networking overhaul.
With Cilium fully in control of your data plane, you gain not only higher performance but also a more robust and maintainable infrastructure. Removing kube-proxy is a crucial step in reducing operational complexity, bolstering security, and ensuring your Kubernetes platform is ready for whatever challenges lie ahead.
Final Thoughts
Removing kube-proxy and letting Isovalent Networking for Kubernetes, powered by Cilium take the reins of your Kubernetes networking stack is more than just a performance optimization, it’s an investment in simplicity, security, and future scalability. By unifying service routing, policy enforcement, and observability in one tool, you reduce operational friction and gain the flexibility to adapt as your environment grows.
Here are a few ways to move forward from here:
- Evaluate your clusters – Double-check your current Kubernetes and, if already deployed, your Cilium configurations. Identify any features or policies that still depend on kube-proxy, and plan how to phase them out.
- Create a Pilot – If you’re cautious about going all-in, start with a non-critical or staging environment. Monitor performance, collect metrics, and share results with your team to build confidence. The Isovalent Customer Success team can help you plan and manage this process.
- Tap into the Free Isovalent Hands on Labs – If you want a guided environment to test Cilium’s features, check out our free labs. They provide a hands-on way to explore advanced capabilities and understand best practices.
As your organization scales, embracing a kube-proxy-free architecture with Cilium ultimately unlocks richer capabilities and reduces the operational headache of maintaining multiple networking stacks. By taking these steps now, you’ll ensure your Kubernetes platform is primed for the demands of tomorrow.
Dean Lewis is a Senior Technical Marketing Engineer at Isovalent – the company behind the open-source cloud native solution Cilium.
Dean had a varied background working in the technology fields, from support to operations to architectural design and delivery at IT Solutions Providers based in the UK, before moving to VMware and focusing on cloud management and cloud native, which remains as his primary focus. You can find Dean in the past and present speaking at various Technology User Groups and Industry Conferences, as well as his personal blog.
