Flannel¶
Simple, lightweight overlay network for Kubernetes — the "it just works" CNI.
Overview¶
Flannel is the simplest CNI plugin for Kubernetes, providing basic L3 networking via VXLAN overlay. It is designed to be easy to install and configure with minimal operational overhead. Flannel is the default CNI in K3s and is widely used in development, testing, and small production clusters. It does not implement network policies — you must pair it with Calico or another policy engine for that.
Key Facts¶
| Attribute | Detail |
|---|---|
| Repository | github.com/flannel-io/flannel |
| Stars | ~9k+ ⭐ |
| Latest Version | v0.28.2 (March 2026) |
| Language | Go |
| License | Apache 2.0 |
| Governance | Community (flannel-io) |
Evaluation¶
| Pros | Cons |
|---|---|
| Simplest CNI to install and operate | No network policy support |
| Default in K3s | VXLAN overlay adds latency |
| WireGuard backend for encryption | No L7 visibility |
| Minimal resource footprint | No service mesh integration |
| Extremely stable and battle-tested | No observability features |
| host-gw mode for bare-metal speed | Not recommended for large production |
Architecture¶
flowchart TB
subgraph Node1["Node 1"]
Pod1["Pod A\n10.244.0.2"]
Flannel1["flanneld\n(DaemonSet)"]
VTEP1["VXLAN VTEP\n(flannel.1)"]
end
subgraph Node2["Node 2"]
Pod2["Pod B\n10.244.1.2"]
Flannel2["flanneld"]
VTEP2["VXLAN VTEP\n(flannel.1)"]
end
ETCD_F["etcd / K8s API\n(subnet lease store)"]
Pod1 -->|"encapsulated\nin VXLAN"| VTEP1
VTEP1 -->|"UDP 8472"| VTEP2
VTEP2 --> Pod2
Flannel1 -->|"lease"| ETCD_F
Flannel2 -->|"lease"| ETCD_F
style Node1 fill:#2e7d32,color:#fff
style Node2 fill:#2e7d32,color:#fffBackends¶
| Backend | Performance | Requirement | Encryption |
|---|---|---|---|
| VXLAN | Good (encapsulation overhead) | Any network | No |
| host-gw | Best (direct routing) | Same L2 network | No |
| WireGuard | Good | Kernel WireGuard module | Yes |
| UDP | Worst (userspace) | Fallback only | No |
Notes¶
Sources¶
- Flannel GitHub — source code and docs
- Backends — VXLAN, host-gw, WireGuard
- K3s Networking — Flannel as default CNI
Questions¶
Open¶
(No open questions remaining.)
Answered¶
- Q: Does Flannel support NetworkPolicy? -- No. Flannel is a pure overlay with no policy.
- Q: What is the migration path from Flannel to Cilium in K3s? -- K3s ships with Flannel as the default CNI. To migrate to Cilium: (1) Install the Cilium Helm chart with
kubeProxyReplacement=disabled(K3s manages its own kube-proxy). (2) Delete the Flannel DaemonSet and related resources:kubectl delete ds kube-flannel-ds -n kube-flanneland remove the Flannel CNI config from nodes (/etc/cni/net.d/10-flannel.conflist). (3) Remove thecni0andflannel.1interfaces on each node (ip link delete cni0; ip link delete flannel.1). (4) Restart Cilium pods to take over as the active CNI. (5) Verify pod networking withcilium connectivity test. Important: this is a disruptive operation -- pods will lose connectivity during the transition. For a less disruptive path, consider using Canal (Flannel + Calico policy engine) as an intermediate step. See architecture for Cilium component details and security for why Flannel's lack of policy support matters.