Configuring kube-proxy nftables Mode
By default, kube-proxy programs Service forwarding rules with iptables, but it can be configured to use the nftables mode instead, which gives better performance and scalability, especially in large clusters with many Services and endpoints.
The nftables backend also makes it easier to run your own firewall rules alongside kube-proxy's: base chains that share a hook are evaluated in priority order, so the priority you give your chain decides whether it sees packets before or after kube-proxy's chains on that hook (for example, before or after the Service DNAT).
The nftables mode became generally available in Kubernetes v1.33 (it was alpha in v1.29 and beta in v1.31) and requires a Linux kernel of v5.13 or later.
The iptables mode is expected to stay the default for compatibility reasons, so you have to opt in to nftables explicitly. Before doing so, confirm that your CNI plugin and any other components that read or add iptables rules on the nodes support nftables mode.
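The following is an added example, not code from the original page or from the kube-proxy project, showing how priorities place your own chains relative to kube-proxy's on a shared hook. It assumes that kube-proxy's DNAT chains use the standard dstnat priority (-100) and its filter chains the standard filter priority (0); the NodePort range 30000-32767, the admin network 192.0.2.0/24 and the pod CIDR 10.244.0.0/16 are constructed values, and the table name custom-fw is arbitrary.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page or the kube-proxy project: an nftables
# table whose base chains are ordered relative to kube-proxy's chains on the same hooks
# by priority. Assumptions (not stated on the page): kube-proxy's DNAT chains sit at the
# standard "dstnat" priority (-100) and its filter chains at "filter" (0); the NodePort
# range is the default 30000-32767; 192.0.2.0/24 is the admin network and 10.244.0.0/16
# the pod CIDR (constructed values).
set -eu

# The ruleset lives in a function so it can be reviewed, diffed and syntax-checked
# before it touches the kernel.
custom_fw_ruleset() {
  cat <<'EOF'
# Declare, delete and redefine the table so loading is idempotent and atomic.
table inet custom-fw
delete table inet custom-fw
table inet custom-fw {
    # prerouting at dstnat - 10 runs BEFORE kube-proxy's DNAT: the packet still
    # carries the NodePort/Service address, so it can be filtered by that address.
    chain nodeport-guard {
        type filter hook prerouting priority dstnat - 10; policy accept;
        tcp dport 30000-32767 ip saddr != 192.0.2.0/24 counter drop
    }

    # forward at filter + 10 runs AFTER DNAT and after kube-proxy's own filter
    # chains: the packet now carries the backend pod address.
    chain pod-egress {
        type filter hook forward priority filter + 10; policy accept;
        # 169.254.169.254 is the usual cloud instance-metadata address.
        ip saddr 10.244.0.0/16 ip daddr 169.254.169.254 counter reject
    }
}
EOF
}

# Syntax-check only (no kernel changes): nft -c parses and validates the ruleset.
check_custom_fw() { custom_fw_ruleset | nft -c -f -; }

# Load the ruleset as a single transaction; run as root on the node.
apply_custom_fw() { custom_fw_ruleset | nft -f -; }

# Print the priority expression of a named chain in the ruleset text, for review.
chain_priority() {
  local chain="$1"
  custom_fw_ruleset | awk -v c="$chain" '
    $1 == "chain" && $2 == c { inside = 1 }
    inside && /priority/ && !done { sub(/.*priority /, ""); sub(/;.*/, ""); print; done = 1 }'
}

case "${1:-}" in
  check) check_custom_fw ;;
  apply) apply_custom_fw ;;
esac
```

Run it with check on a node to validate the syntax, then with apply to load it. The prerouting chain does not see traffic a host-network process on the node itself sends to a NodePort (that path goes through the output hook), and the forward chain does not cover hostNetwork pods, so add output-hook chains if those cases matter to you.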
kubeadm
With kubeadm, the kube-proxy settings go in a KubeProxyConfiguration document placed in the same config file as the ClusterConfiguration, separated by ---:

apiVersion: kubeadm.k8s.io/v1beta4
kind: ClusterConfiguration
# ...
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: nftables

Then initialize the cluster using the config file:

$ kubeadm init --config=config.yaml

Reference: KubeProxyConfiguration
minikube
For minikube, the --extra-config flag of the start command passes settings to individual components using the syntax component.key=value, where key is a field of that component's configuration; for kube-proxy this sets the mode field of the KubeProxyConfiguration:

$ minikube start --extra-config=kube-proxy.mode=nftables

kind
For kind, the kube-proxy mode is set in the cluster config file:

apiVersion: kind.x-k8s.io/v1alpha4
kind: Cluster
networking:
  kubeProxyMode: 'nftables'

Then create a cluster using the config file:

$ kind create cluster --config=config.yaml

Verification
Check the mode in the kube-proxy ConfigMap (in a kubeadm-built cluster the configuration is stored under the config.conf key):

$ kubectl -n kube-system get cm/kube-proxy -o yaml | grep mode

Then check the kube-proxy logs, looking for "Using nftables Proxier". Note that kubectl logs against a DaemonSet shows the output of only one of its pods, so check each kube-proxy pod if you need confirmation for every node:

$ kubectl -n kube-system logs ds/kube-proxy | grep nftables
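As an added example (not from the original page), the two checks above turned into a script that compares the configured mode with what every kube-proxy pod reports at startup, and that fails when they disagree. It assumes a kubeadm-built cluster (which minikube and kind also produce): the ConfigMap kube-proxy in kube-system holds the KubeProxyConfiguration under the key config.conf, the kube-proxy pods carry the label k8s-app=kube-proxy, and the startup line reads "Using <mode> Proxier".

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: verify that the configured and the
# running kube-proxy mode agree on every node. Assumptions (kubeadm-built cluster):
# ConfigMap kube-proxy in kube-system with the KubeProxyConfiguration under the key
# config.conf, pods labelled k8s-app=kube-proxy, startup line "Using <mode> Proxier".
set -eu

# Print the top-level "mode:" value from KubeProxyConfiguration YAML on stdin.
# Only a key at column 0 counts, so nothing nested can match by accident, and
# surrounding double quotes are stripped (kubeadm writes mode: "" when unset).
configured_mode() {
  awk '!found && $0 !~ /^[[:space:]]/ && $1 == "mode:" { gsub(/"/, "", $2); print $2; found = 1 }'
}

# An empty or missing mode means the platform default, which is iptables on Linux.
effective_mode() {
  local m
  m=$(configured_mode)
  printf '%s\n' "${m:-iptables}"
}

# Print the proxier named in a kube-proxy log stream ("Using nftables Proxier").
proxier_from_log() {
  awk '!found && match($0, /Using [a-z]+ Proxier/) {
         print substr($0, RSTART + 6, RLENGTH - 14); found = 1 }'
}

# Return 0 when both the configuration and the log agree with the wanted mode.
# Inputs are passed as strings so the check can be exercised offline.
verify_mode() {
  local want="$1" config="$2" logs="$3" have running
  have=$(printf '%s\n' "$config" | effective_mode)
  running=$(printf '%s\n' "$logs" | proxier_from_log)
  if [ "$have" = "$want" ] && [ "$running" = "$want" ]; then
    return 0
  fi
  echo "configured=$have running=${running:-unknown} wanted=$want" >&2
  return 1
}

# Live check: every kube-proxy pod, not just the one "kubectl logs ds/kube-proxy" picks.
check_cluster() {
  local want="${1:-nftables}" config pod rc=0
  config=$(kubectl -n kube-system get cm kube-proxy -o jsonpath='{.data.config\.conf}')
  for pod in $(kubectl -n kube-system get pods -l k8s-app=kube-proxy -o name); do
    if verify_mode "$want" "$config" "$(kubectl -n kube-system logs "$pod")"; then
      echo "OK   $pod"
    else
      echo "FAIL $pod"; rc=1
    fi
  done
  return "$rc"
}

if [ "${1:-}" = "live" ]; then
  check_cluster "${2:-nftables}"
fi
```

Run it as ./check-kube-proxy.sh live nftables against a cluster; a non-zero exit means at least one node is not running the mode you configured, which is the case worth catching since a node whose kube-proxy fell back to, or was never restarted into, the expected mode will still serve traffic.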