Values in each row are listed in the column order of the Name row; cells are separated by " | ".

Name: Antrea | Flannel | Weave Net | Calico | Cilium | CloudNative Labs | Romana | Contiv | Tungsten Fabric | kopeio

Company: VMware | Red Hat | WeaveWorks | Tigera Inc | Isovalent | Pani Networks Inc | Cisco | Juniper | Kopeio

Latest Stable Version: 0.11.1 | 0.11.0 | 2.6.0 | 3.10.1 => 3.16.6 | 1.9.3 | 0.2.1 12.0.21.25.0,1 | experimental

Last Release Date: December 2020 | January 2019 | November 2019 | January 2021

Start Date: October 2019 | July 2014 | August 2014 | July 2014 | December 2015 | April 2017 | November 2015 | December 2014 | 2012 | May 2016

Language: Go | Go | Go | Go | Go | Go | Go | C / C++ | Go

Minimum OS Version: - | - | Linux Kernel > 3.8 | RHEL 7, CentOS 7, Ubuntu 16.04, Debian 8 | Linux Kernel >= 4.9 | - | - | CentOS 7, Ubuntu 16.04 | Linux Kernel > 2.6 | -

Minimum Kubernetes Version: 1.16 | 1.6 | 1.6 | 1.6 | 1.6 | 1.6 | 1.8 | 1.8 | 1.8 | 1.8

IP Version: ipv4 | ipv4 | ipv4, ipv6 | ipv4, ipv6 | ipv4 | ipv4 | ipv4, ipv6 | ipv4, ipv6 | ipv4

Open Source: Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes

Encryption: IPSec | Experimental | NaCl library | WireGuard (since 3.14) | Yes, IPSec and WireGuard | No | No | No | No | Experimental

Network Policy: Yes, Ingress, Egress | Ingress, Egress | Ingress, Egress | Ingress, Egress | Ingress, Egress | Ingress, Egress | Ingress, Egress | Ingress, Egress | No

Network Policy Auditing: No | No | Paid | Yes (via Cilium's Hubble) | No | No | No | No | No

Recommended Max Nodes: 500+ | 500 | 5000 | 5000+

Default Network Model: Layer 2 VXLAN | Layer 2 VXLAN | Layer 3 | Layer 3 (L2 available with chaining) | Layer 3 | Cent | Layer 2, Layer 3 or ACI options | Layer 2, VXLAN or IPSec

Layer 2 Encapsulation: VXLAN, GENEVE, GRE, STT | VXLAN | VXLAN | - | - | - | VXLAN | VXLAN | VXLAN

Layer 3 Routing: NSX | iptables | iptables, kube-proxy | iptables, kube-proxy | BPF, kube-proxy | IPVS, iptables, ipsets | iptables | iptables | TF vRouter | ip route

Layer 3 Encapsulation: VXLAN, GENEVE, GRE, STT | - | Sleeve (fallback) | IPIP or VXLAN (optional) | VXLAN or Geneve (optional) | IPVS/LVS DR mode, GRE/IPIP | - | VLAN | MPLSoUDP, MPLSoGRE, VXLAN | -

Layer 4 Route Distribution: API | - | - | BGP | CRD, kvstore, BGP | BGP | BGP, OSPF | BGP | BGP | - | -

vNIC per Container: yes | no | yes | yes | yes | yes | no | yes | no

Multicast Support: yes | no | yes | no | no | no | no | yes | no

Subnet Per: Host, namespace | Host | Cluster | One or more of Cluster / Host / Namespace / Deployment | Host, Cluster or Custom (via CRD) | Host | Host | Overlapping IP pools | VRFs | Host

Isolation: label, cidr, advanced | cidr | cidr, network | label, host, cidr, network sets | label, services, AWS metadata, entities (host, cluster, world), cidr, dns, L7 (http, kafka, cassandra, memcached, ...) | cidr | cidr | label, cidr | no

Load Balancing: yes, can replace kube-proxy | no | yes | yes | Yes, can replace kube-proxy | yes | yes | yes | No

Multi Cluster Routing: yes, through NSX | no | yes | yes | yes | yes | yes | yes | no

Partially Connected Networks: - | no | yes | no | no | no | no | no | no

IP Overlap Support: no | no | no | no | no | no | yes | no

Name Service: no | no | yes | no | no | no | no | no | no

Datastore: CRD | kubernetes CRDs or etcdv3 | file inside pods | kubernetes CRDs, or etcdv3 | CRD, etcd3, consul | kubernetes etcd | kubernetes etcd | kubernetes etcd, etcd or consul | kubernetes etcd

Paid Support: Yes | No | Yes | Yes | Yes | no | Yes | No | No

Docs:
  https://github.com/vmware-tanzu/antrea/tree/master/docs
  https://coreos.com/flannel/docs/latest/
  https://www.weave.works/docs/net/latest/overview/
  https://docs.projectcalico.org/v3.3/introduction/
  http://docs.cilium.io/en/stable/
  https://github.com/cloudnativelabs/kube-router
  https://romana.readthedocs.io/en/latest/
  http://contiv.github.io/documents/
  https://github.com/tungstenfabric
  https://github.com/Juniper/contrail-controller
  https://github.com/kopeio/networking

Integrations: NSX, TMC, TSM, Octant | Flannel + Calico | - | Flannel + Calico | Cilium + Kube Router | Cilium + Kube Router | -

Platforms: Linux, Windows | Linux, Windows | Linux | Linux, Windows | Linux | Linux | Linux | Linux | Linux | Linux

Why?
  - Global and Enhanced Network Policy, many integrations
  - Layer 2 solution. Simple and mature. Overlays are useful when network address space is limited. Overlays also mostly auto-configure.
  - Combines Layer 2 overlay networking with network policies and other features. Best solution for partially connected networks.
  - Layer 3 solution. Good network policy support. Default on most Kubernetes distributions. Easy to debug on hosts by looking at the route table. BGP allows for access both inside and outside the cluster.
  - Security and observability focused. Uses BPF, which is faster than iptables, to enforce identity-based policies. Policies also operate at Layer 7, allowing for application-specific enforcement. The cluster mesh feature is simpler than BGP to configure.
  - Single Go binary built from the ground up for Kubernetes. Uses new IPVS/LVS kernel features to improve service load balancing performance. Also does direct server return to improve latency.
  - Aims for performance by using native Linux routing, iptables and no encapsulation.
  - Integrates with on-prem Cisco ACI. Has a cool bandwidth network policy.
  - Really simple. Uses the default Kubernetes network and sets up Layer 3 routes between pods using ip route.

Scenario
  - On-prem, public cloud (AKS, EKS), bare metal
  - On-prem or custom cloud where native routing isn't possible
  - Small to medium size on-prem or custom cloud
  - On-prem with native routing, or cloud Kubernetes services
  - On-prem (direct routing), cloud integrated, security focused
  - On-prem or custom cloud, latency focused
  - Large scale on-prem or AWS
  - On-prem with ACI investment

Why Not?
  - Native routing is faster and easier to debug. You also need to use Calico if you want network policies.
  - Some people are scared of overlay networks because they aren't as easy to debug as native routing. It's a full mesh, so very large clusters will require custom config with autodiscovery disabled.
  - IPIP mode is needed when routing between subnets (AWS AZs), which negates some of the performance benefits vs an overlay. BGP is slightly scary to some people.
  - Overlay can be disabled if direct routing is preferred.
  - Similar to Calico in that it uses IPIP by default to encapsulate traffic between subnets. Quite a new project, and although it's in use in production at some companies it's still not v1.
  - Community not very large
  - No defaults make the recommended setup confusing.
  - Still in experimental or Alpha stage.

References: [0] https://cilium.io/blog/2019/04/24/cilium-15