Skip to content

CNI Comparison — Cilium vs Calico vs Flannel

Canonical comparison of the three dominant Kubernetes CNI plugins.

Quick Reference

Dimension Cilium Calico Flannel
Latest Version v1.19.2 (Mar 2026) v3.31.4 (Mar 2026) v0.28.2 (Mar 2026)
Data Plane eBPF only eBPF, iptables, nftables, VPP VXLAN, host-gw, WireGuard
Network Policies L3/L4/L7 L3/L4 (extended GlobalNetworkPolicy) ❌ None
Observability Hubble (deep flow visibility) Basic (Tigera Enterprise for full) ❌ None
Service Mesh Sidecar-free (built-in) ❌ (external Istio/Linkerd)
BGP Native Native
Encryption WireGuard / IPsec WireGuard WireGuard (backend)
Multi-cluster Cluster Mesh Federation (Enterprise)
License Apache 2.0 Apache 2.0 / Proprietary (EE) Apache 2.0
CNCF Status Graduated N/A (Tigera) N/A
Kernel Requirement ≥5.8 Any Any

Performance

Metric Cilium (eBPF) Calico (eBPF) Calico (iptables) Flannel (VXLAN)
Throughput ★★★★★ ★★★★ ★★★ ★★★
Latency Lowest (O(1) lookup) Low Medium (linear chain) Medium (encapsulation)
CPU overhead Low (kernel-space) Low (eBPF mode) High at scale Low
Scale limit 10,000+ pods 10,000+ pods 5,000+ pods 1,000 pods

Feature Matrix

Feature Cilium Calico Flannel
L3/L4 Policy
L7 Policy ✅ (HTTP, gRPC, Kafka, DNS) ❌ (Enterprise only)
Network observability ✅ Hubble ⚠️ Basic / Enterprise
Runtime security ✅ Tetragon
Service mesh ✅ Sidecar-free
BGP peering
Gateway API
Windows support ✅ (HNS)
Non-K8s hosts
Bandwidth management ✅ EDT-based
AI Assistant ✅ (Tigera, 2026)

Decision Guide

Scenario Recommendation
Production K8s (any size) Cilium — best performance, observability, security
Hybrid (K8s + VMs + bare metal) Calico — extends to non-K8s workloads
Windows worker nodes Calico — native Windows HNS support
Dev/test/homelab Flannel — simplest "it just works" option
K3s lightweight Flannel (default) or Cilium
Zero-trust L7 policies Cilium — only CNI with native L7 enforcement
Existing iptables investment Calico — iptables mode with upgrade path to eBPF

Sources

  • Cross-validated via official docs and engineering blogs (April 2026)