Basic Network Options
This page describes K3s network configuration options, including configuration or replacement of Flannel, and configuring IPv6 or dualStack.
Flannel Options
Flannel is a lightweight provider of layer 3 network fabric that implements the Kubernetes Container Network Interface (CNI). It is what is commonly referred to as a CNI Plugin.
- Flannel options can only be set on server nodes, and must be identical on all servers in the cluster.
- The default backend for Flannel is
vxlan
. To enable encryption, use thewireguard-native
backend. - Using
vxlan
on Rasperry Pi with recent versions of Ubuntu requires additional preparation. - Using
wireguard-native
as the Flannel backend may require additional modules on some Linux distributions. Please see the WireGuard Install Guide for details. The WireGuard install steps will ensure the appropriate kernel modules are installed for your operating system. You must ensure that WireGuard kernel modules are available on every node, both servers and agents, before attempting to use the WireGuard Flannel backend.
CLI Flag and Value | Description |
---|---|
--flannel-ipv6-masq | Apply masquerading rules to IPv6 traffic (default for IPv4). Only applies on dual-stack or IPv6-only clusters. Compatible with any Flannel backend other than none . |
--flannel-external-ip | Use node external IP addresses as the destination for Flannel traffic, instead of internal IPs. Only applies when --node-external-ip is set on a node. |
--flannel-backend=vxlan | Use VXLAN to encapsulate the packets. May require additional kernel modules on Raspberry Pi. |
--flannel-backend=host-gw | Use IP routes to pod subnets via node IPs. Requires direct layer 2 connectivity between all nodes in the cluster. |
--flannel-backend=wireguard-native | Use WireGuard to encapsulate and encrypt network traffic. May require additional kernel modules. |
--flannel-backend=ipsec | Use strongSwan IPSec via the swanctl binary to encrypt network traffic. (Deprecated; will be removed in v1.27.0) |
--flannel-backend=none | Disable Flannel entirely. |
Version Gate
K3s no longer includes strongSwan swanctl
and charon
binaries starting with the 2022-12 releases (v1.26.0+k3s1, v1.25.5+k3s1, v1.24.9+k3s1, v1.23.15+k3s1). Please install the correct packages on your node before upgrading to or installing these releases if you want to use the ipsec
backend.