CNI (Container Network Interface)
Definition
CNI (Container Network Interface) is a CNCF specification that defines a standard for configuring network interfaces for Linux containers. It provides a pluggable framework for container runtimes (Docker, containerd) to integrate with network plugins.
CNI is the networking foundation for Kubernetes, which uses CNI plugins to provide pod networking.
How CNI Works
Container Runtime (Docker/containerd)
↓ creates container
CNI Spec
↓ calls CNI plugin
CNI Plugin (e.g., Calico, Flannel)
↓ configures network
Container gets: IP address, network namespace, interfaces
The CNI plugin is a binary that:
- Adds a container to a network (assigns IP, creates interfaces)
- Deletes a container from a network (removes interfaces, releases IP)
Popular CNI Plugins
| Plugin | Provider | Features |
|---|---|---|
| Calico | Tigera | Network policy, BGP, high performance |
| Flannel | CoreOS/Simple | Simple overlay networking, easy setup |
| Cilium | Cilium project | eBPF-based, observability, L7 policies |
| Weave Net | Weaveworks | Mesh networking, encryption |
| Canal | Project Calico + Flannel | Combines Calico policies + Flannel networking |
| Multus | NVIDIA | Multi-network (multiple CNI plugins per pod) |
| Macvlan | Linux native | Assigns MAC addresses to containers |
CNI vs Network Policy
| Aspect | CNI | Network Policy |
|---|---|---|
| Purpose | Connect containers | Control traffic between containers |
| Layer | L2/L3 connectivity | L3/L4 filtering |
| Example | Calico provides both networking AND policies | Calico policies are part of the Calico CNI |
| Standard | CNCF CNI spec | Kubernetes NetworkPolicy API |
Kubernetes Networking Requirements
Kubernetes defines three networking requirements that CNI must satisfy:
- All containers can communicate with all others (no NAT)
- Node IPs overlap with container IPs (containers see their own IP as the node sees it)
- Agent can view and manage all network connections
CNI Configuration
# /etc/cni/net.d/10-calico.conflist
{
  "cniVersion": "0.4.0",
  "name": "calico",
  "plugins": [
    {
      "type": "calico",
      "log_level": "info",
      "datastore_type": "kubernetes",
      "nodename": "node1",
      "mtu": 1440,
      "policy": {
        "type": "kubernetes"
      },
      "kubernetes": {
        "kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
      }
    }
  ]
}
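Each plugin's `type` in a config like the one above names a binary that the runtime executes, and `kubernetes.kubeconfig` points at the file the plugin uses to reach the API server, so both are worth a permissions check on every node. The following audit is an added example, not code from the CNI or Calico projects; the function names, the permission thresholds and the sample layout built in `demo()` are assumptions of this example.

```python
import json, os, stat, tempfile

LOOSE_WRITE = stat.S_IWGRP | stat.S_IWOTH    # writable by group or others
NOT_OWNER = stat.S_IRWXG | stat.S_IRWXO      # any access beyond the owner

def mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def audit_conflist(path, bin_dirs):
    """Return findings for one CNI .conflist file (empty list = clean)."""
    findings = []
    with open(path) as fh:  # skip '#' header lines like the one shown on this page
        conf = json.loads("".join(l for l in fh if not l.lstrip().startswith("#")))
    findings += [f"missing key: {k}" for k in ("cniVersion", "name", "plugins") if k not in conf]
    if mode(path) & LOOSE_WRITE:
        findings.append(f"config writable by group/other: {path}")
    for plugin in conf.get("plugins", []):
        ptype = plugin.get("type", "")
        # 'type' is the file name of the plugin binary the runtime executes
        hits = [os.path.join(d, ptype) for d in bin_dirs
                if ptype and os.path.isfile(os.path.join(d, ptype))]
        if not hits:
            findings.append(f"no binary for plugin type: {ptype!r}")
        elif mode(hits[0]) & LOOSE_WRITE:
            findings.append(f"binary writable by group/other: {hits[0]}")
        kubeconfig = plugin.get("kubernetes", {}).get("kubeconfig")
        if kubeconfig and os.path.exists(kubeconfig) and mode(kubeconfig) & NOT_OWNER:
            findings.append(f"kubeconfig readable beyond owner: {kubeconfig}")
    return findings

def demo():
    """Constructed layout in a temp dir: one good binary, one loose kubeconfig."""
    root = tempfile.mkdtemp()
    kube = os.path.join(root, "calico-kubeconfig")
    binary = os.path.join(root, "calico")
    conf = os.path.join(root, "10-calico.conflist")
    for p, body, perm in ((kube, "constructed", 0o644), (binary, "", 0o755)):
        with open(p, "w") as fh:
            fh.write(body)
        os.chmod(p, perm)
    doc = {"cniVersion": "0.4.0", "name": "calico", "plugins": [
        {"type": "calico", "kubernetes": {"kubeconfig": kube}},
        {"type": "portmap"}]}   # no 'portmap' binary exists in the demo dir
    with open(conf, "w") as fh:
        fh.write("# constructed sample\n" + json.dumps(doc))
    os.chmod(conf, 0o644)
    return audit_conflist(conf, [root])

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real node, pass the config file path and the directories the runtime searches for plugin binaries as `bin_dirs`.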
Related Terms
- Kubernetes — container runtime using CNI
- Network Policy — traffic control built on CNI
- Service Mesh — overlay networking protocol used by some CNI plugins
References
- CNI Spec: https://github.com/containernetworking/cni
- CNCF CNI: https://www.cncf.io/projects/cni/
- Calico docs: https://docs.tigera.io/calico
- Cilium docs: https://docs.cilium.io/