CNI Comparison — Cilium vs Calico vs Flannel
Canonical comparison of the three dominant Kubernetes CNI plugins.
Quick Reference
| Dimension | Cilium | Calico | Flannel |
|---|---|---|---|
| Latest Version | v1.19.2 (Mar 2026) | v3.31.4 (Mar 2026) | v0.28.2 (Mar 2026) |
| Data Plane | eBPF only | eBPF, iptables, nftables, VPP | VXLAN, host-gw, WireGuard |
| Network Policies | L3/L4/L7 | L3/L4 (extended GlobalNetworkPolicy) | ❌ None |
| Observability | Hubble (deep flow visibility) | Basic (Tigera Enterprise for full) | ❌ None |
| Service Mesh | Sidecar-free (built-in) | ❌ (external Istio/Linkerd) | ❌ |
| BGP | Native | Native | ❌ |
| Encryption | WireGuard / IPsec | WireGuard | WireGuard (backend) |
| Multi-cluster | Cluster Mesh | Federation (Enterprise) | ❌ |
| License | Apache 2.0 | Apache 2.0 / Proprietary (EE) | Apache 2.0 |
| CNCF Status | Graduated | N/A (Tigera) | N/A |
| Kernel Requirement | ≥5.8 | Any | Any |
Performance
| Metric | Cilium (eBPF) | Calico (eBPF) | Calico (iptables) | Flannel (VXLAN) |
|---|---|---|---|---|
| Throughput | ★★★★★ | ★★★★ | ★★★ | ★★★ |
| Latency | Lowest (O(1) lookup) | Low | Medium (linear chain) | Medium (encapsulation) |
| CPU overhead | Low (kernel-space) | Low (eBPF mode) | High at scale | Low |
| Scale limit | 10,000+ pods | 10,000+ pods | 5,000+ pods | 1,000 pods |
Feature Matrix
| Feature | Cilium | Calico | Flannel |
|---|---|---|---|
| L3/L4 Policy | ✅ | ✅ | ❌ |
| L7 Policy | ✅ (HTTP, gRPC, Kafka, DNS) | ❌ (Enterprise only) | ❌ |
| Network observability | ✅ Hubble | ⚠️ Basic / Enterprise | ❌ |
| Runtime security | ✅ Tetragon | ❌ | ❌ |
| Service mesh | ✅ Sidecar-free | ❌ | ❌ |
| BGP peering | ✅ | ✅ | ❌ |
| Gateway API | ✅ | ❌ | ❌ |
| Windows support | ✅ (since v1.12) | ✅ (HNS) | ✅ |
| Non-K8s hosts | ✅ | ✅ | ❌ |
| Bandwidth management | ✅ EDT-based | ❌ | ❌ |
| AI Assistant | ❌ | ✅ (Tigera, 2026) | ❌ |
Decision Guide
| Scenario | Recommendation |
|---|---|
| Production K8s (any size) | Cilium — best performance, observability, security |
| Hybrid (K8s + VMs + bare metal) | Calico — extends to non-K8s workloads |
| Windows worker nodes | Calico — native Windows HNS support |
| Dev/test/homelab | Flannel — simplest "it just works" option |
| K3s lightweight | Flannel (default) or Cilium |
| Zero-trust L7 policies | Cilium — only CNI with native L7 enforcement |
| Existing iptables investment | Calico — iptables mode with upgrade path to eBPF |
Resource Consumption
Memory and CPU overhead per node vary significantly across CNIs. Benchmarks below are based on AWS c5.4xlarge instances (2025-2026 data from independent testing).
Memory Consumption Per Node
| Pod Density | Cilium 1.17+ | Calico 3.31+ | Flannel 0.28+ |
|---|---|---|---|
| 50 pods | ~150 MB | ~100 MB | ~55 MB |
| 100 pods | ~180 MB | ~120 MB | ~60 MB |
| 250 pods | ~280 MB | ~160 MB | ~65 MB |
| 500+ pods | ~450 MB | ~220 MB | ~68 MB |
At cluster scale, memory adds up:
| Cluster Size | Cilium (total) | Calico (total) | Flannel (total) |
|---|---|---|---|
| 100 nodes | ~18-28 GB | ~12-16 GB | ~5.5-6.8 GB |
| 1,000 nodes | ~180-280 GB | ~120-160 GB | ~55-68 GB |
| 5,000 nodes | ~900 GB-1.4 TB | ~600-800 GB | ~275-340 GB |
CPU Overhead
| CNI | Avg CPU (TCP) | Avg CPU (UDP) | Notes |
|---|---|---|---|
| Cilium | ~10% | ~18% | eBPF bypasses netfilter stack |
| Calico (iptables) | ~25% | ~35% | Linear chain walk at scale |
| Calico (eBPF) | ~12% | ~20% | Comparable to Cilium |
| Flannel | ~10% | ~16% | Lightweight but no policy processing |
Vendor benchmarks are marketing, not engineering
The only benchmark that matters is the one you run yourself. Use iperf3 with 8 parallel streams across real workloads. These numbers are directional — your mileage will vary with kernel version, NIC driver, and pod density.
Operational Complexity
Installation & Upgrade
| Dimension | Cilium | Calico | Flannel |
|---|---|---|---|
| Install method | Helm chart or Cilium CLI | Helm, manifest, or operator | Single DaemonSet manifest |
| Time to first pod | 5-10 min | 3-5 min | 1-2 min |
| Upgrade process | Rolling via Helm; pre-flight checks | Rolling via operator or Helm | kubectl apply (trivial) |
| Upgrade risk | Medium (eBPF map migrations) | Low-Medium | Very low |
| CRD count | 25+ CRDs | 15+ CRDs | 0 CRDs |
| Config surface area | Large (200+ Helm values) | Medium (100+ Helm values) | Small (~10 config options) |
Debugging & Observability Tools
| Tool | Cilium | Calico | Flannel |
|---|---|---|---|
| Built-in CLI | `cilium status`, `cilium monitor` | `calicoctl node status` | None |
| Flow visibility | Hubble UI + CLI (L3-L7) | Tigera Flow Visualizer (Enterprise) | tcpdump only |
| Policy troubleshooting | `cilium policy trace` | `calicoctl policy get` | N/A |
| eBPF inspection | `cilium bpf *` commands | `calico-node bpf` (eBPF mode) | N/A |
| Prometheus metrics | Comprehensive (agent + operator) | Good (Felix + Typha) | Minimal |
Community & Support
| Dimension | Cilium | Calico | Flannel |
|---|---|---|---|
| GitHub stars | ~21k | ~6k | ~9k |
| CNCF status | Graduated (Oct 2023) | N/A (Tigera-owned) | Sandbox-era project |
| Commercial support | Isovalent (Cisco) | Tigera | None |
| Slack activity | Very active (#cilium) | Active (#calico) | Minimal |
| Release cadence | ~8 weeks | ~6 weeks | Infrequent |
Multi-cluster & Federation
| Capability | Cilium ClusterMesh | Calico Federation | Flannel |
|---|---|---|---|
| Availability | Open source (Apache 2.0) | Calico Enterprise / Cloud only | N/A |
| Setup | CLI-driven (`cilium clustermesh enable`) | Manual kubeconfig + manifests | N/A |
| Service discovery | Automatic via K8s DNS | Federated Services controller | N/A |
| Cross-cluster policy | Full identity-based L3-L7 | Federated tiers + endpoint identity | N/A |
| Routing requirement | Non-overlapping PodCIDRs, IP reachability | Pod IPs routable (overlay or BGP) | N/A |
| Observability | Hubble across clusters | Dynamic Service Graph (Enterprise) | N/A |
| Max clusters | Tested to 255 | TBD — Tigera docs do not publish limit | N/A |
Cilium ClusterMesh is free; Calico federation is not
Cilium ClusterMesh ships in the open-source release. Calico's full multi-cluster federation (federated endpoint identity, federated services, federated tiers) requires Calico Cloud or Calico Enterprise — a paid product.
Migration Paths
Flannel to Cilium (Most Common)
This is the most frequently traveled migration path, especially for K3s clusters that outgrow Flannel's lack of network policy.
- Install Cilium in "chaining" mode alongside Flannel (Cilium takes over policy, Flannel handles routing)
- Test network policies — verify L3/L4 enforcement works with existing workloads
- Switch to full Cilium — disable Flannel (`--flannel-backend=none` on K3s), let Cilium manage routing
- Clean up — remove Flannel DaemonSet and ConfigMap
K3s-specific: disable Flannel at install
On K3s, start the server with --flannel-backend=none --disable-network-policy before installing Cilium. Retrofitting is harder — plan for a maintenance window.
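A pre-migration check for the "test network policies" step, as an added example that is not part of the original page or of the Cilium project: Flannel itself enforces no NetworkPolicy, so objects already in the cluster may never have been applied, and they take effect once Cilium handles policy. The script assumes input shaped like `kubectl get networkpolicy -A -o json`; the sample data and namespace names are constructed.

```python
import json

# Constructed sample, shaped like `kubectl get networkpolicy -A -o json`.
SAMPLE_POLICIES = json.loads("""
{"items": [
  {"metadata": {"name": "default-deny", "namespace": "payments"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
  {"metadata": {"name": "allow-web", "namespace": "shop"},
   "spec": {"podSelector": {"matchLabels": {"app": "web"}},
            "ingress": [{"ports": [{"port": 8080}]}]}}
]}
""")
SAMPLE_NAMESPACES = ["payments", "shop", "batch"]  # constructed


def policy_types(spec):
    """Kubernetes defaulting when policyTypes is omitted."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if spec.get("egress") else {"Ingress"}


def is_default_deny(spec, direction):
    """True if the policy selects every pod and allows nothing in `direction`."""
    sel = spec.get("podSelector") or {}
    selects_all = not sel.get("matchLabels") and not sel.get("matchExpressions")
    return (selects_all and direction in policy_types(spec)
            and not spec.get(direction.lower()))


def audit(policy_list, namespaces):
    """Per namespace: policies that will take effect, and default-deny gaps."""
    seen = {ns: {"policies": [], "deny": set()} for ns in namespaces}
    for item in policy_list["items"]:
        entry = seen.setdefault(item["metadata"]["namespace"],
                                {"policies": [], "deny": set()})
        entry["policies"].append(item["metadata"]["name"])
        for direction in ("Ingress", "Egress"):
            if is_default_deny(item["spec"], direction):
                entry["deny"].add(direction)
    return {ns: {"policies": e["policies"],
                 "missing_default_deny": sorted({"Ingress", "Egress"} - e["deny"])}
            for ns, e in seen.items()}


if __name__ == "__main__":
    for ns, result in sorted(audit(SAMPLE_POLICIES, SAMPLE_NAMESPACES).items()):
        print(ns, result)
```

Namespaces listed under `policies` are where workloads can break when enforcement starts; namespaces with a non-empty `missing_default_deny` stay default-allow in that direction after the migration.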
Calico to Cilium
- Audit existing NetworkPolicies — Cilium supports standard K8s NetworkPolicy; Calico-specific `GlobalNetworkPolicy` CRDs need manual conversion to `CiliumClusterwideNetworkPolicy`
- Deploy Cilium as secondary CNI using migration mode (Cilium docs: "Migrating from Calico to Cilium")
- Cordon, drain, restart nodes one-by-one to switch the active CNI
- Validate — use `cilium connectivity test` end-to-end suite
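An inventory for the audit step above, as an added example (not code from the Calico or Cilium projects): it separates standard `networking.k8s.io` policies, which carry over, from Calico API objects that need manual conversion, and flags explicit `order` values and non-Allow rule actions, which standard NetworkPolicy cannot express. The input is assumed to be a JSON list of exported policy objects; the sample objects are constructed.

```python
import json

# Constructed sample of exported policy objects (names and rules are made up).
SAMPLE = json.loads("""
[
 {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
  "metadata": {"name": "allow-web", "namespace": "shop"},
  "spec": {"podSelector": {}, "ingress": [{"ports": [{"port": 8080}]}]}},
 {"apiVersion": "projectcalico.org/v3", "kind": "GlobalNetworkPolicy",
  "metadata": {"name": "block-metadata"},
  "spec": {"order": 10, "selector": "all()", "types": ["Egress"],
           "egress": [{"action": "Deny",
                       "destination": {"nets": ["169.254.169.254/32"]}},
                      {"action": "Allow"}]}}
]
""")


def review_notes(obj):
    """Calico features a reviewer must re-express by hand during conversion."""
    spec, notes = obj.get("spec", {}), []
    if "order" in spec:
        notes.append(f"explicit order={spec['order']}")
    for direction in ("ingress", "egress"):
        for i, rule in enumerate(spec.get(direction, [])):
            action = rule.get("action")
            if action != "Allow":  # Deny, Log, Pass, or missing
                notes.append(f"{direction}[{i}] action={action}")
    return notes


def inventory(objects):
    """Split policies into those that carry over and those needing conversion."""
    portable, manual = [], []
    for obj in objects:
        group = obj["apiVersion"].split("/")[0]
        name = f"{obj['kind']}/{obj['metadata']['name']}"
        if group == "networking.k8s.io":
            portable.append(name)
        elif group.endswith("projectcalico.org"):
            manual.append((name, review_notes(obj)))
    return portable, manual


if __name__ == "__main__":
    carried, to_convert = inventory(SAMPLE)
    print("carry over:", carried)
    for name, notes in to_convert:
        print("convert by hand:", name, notes)
```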
Flannel to Calico
- Remove Flannel DaemonSet and clean up CNI config (`/etc/cni/net.d/`)
- Install Calico via operator or manifest
- Restart all pods to pick up new CNI — fastest via rolling node drain
CNI migrations require pod restarts
All CNI migrations require restarting every pod in the cluster. Plan for a maintenance window or use a rolling node-drain strategy to minimize downtime.
ARM & Edge Support
| Capability | Cilium | Calico | Flannel |
|---|---|---|---|
| ARM64 (aarch64) | Supported (auto-detected by CLI) | Supported | Supported |
| ARM32 (armhf) | Not supported | Not supported | Supported |
| K3s integration | Custom install (disable Flannel first) | Custom install (disable Flannel first) | Default CNI |
| MicroK8s add-on | `microk8s enable cilium` | `microk8s enable calico` | Available |
| KubeEdge | Supported | Supported | Supported |
| Talos Linux | First-class support | Supported | Default option |
| Minimum RAM (edge node) | ~200 MB overhead | ~120 MB overhead | ~55 MB overhead |
| Kernel requirement | >= 5.8 (4.19 degraded) | Any | Any |
Lightweight K8s Distribution Defaults
| Distribution | Default CNI | Cilium Viable? | Notes |
|---|---|---|---|
| K3s | Flannel (VXLAN) | Yes (disable Flannel) | Most popular edge distro; ARM + x86 parity |
| MicroK8s | Calico (add-on) | Yes (add-on) | Canonical-backed; ARM64 + x86 + s390x |
| K0s | Kube-router | Yes (custom) | Mirantis-backed |
| RKE2 | Canal (Calico + Flannel) | Yes (custom) | Rancher enterprise K8s |
Edge recommendation
For resource-constrained edge nodes (Raspberry Pi, IoT gateways), start with Flannel on K3s — it is the lightest option at ~55 MB overhead. Graduate to Cilium when you need network policy, observability, or L7 enforcement.
Cloud Provider Trends (2026)
Major cloud providers have converged on Cilium as the advanced networking option:
- GKE — Dataplane V2 is powered by Cilium (GA since 2022)
- AKS — Azure CNI Powered by Cilium (GA since 2023)
- EKS — Cilium available via Helm; AWS VPC CNI remains default