Note: Please reference the Networking page for information about CoreDNS, Traefik, and the Service LB.

By default, K3s will run with flannel as the CNI, using VXLAN as the default backend. To change the CNI, refer to the section on configuring a custom CNI. To change the flannel backend, refer to the flannel options section.

Flannel Options

The default backend for flannel is VXLAN. To enable encryption, pass the IPSec (Internet Protocol Security) or WireGuard options below.

If you wish to use WireGuard as your flannel backend it may require additional kernel modules. Please see the WireGuard Install Guide for details. The WireGuard install steps will ensure the appropriate kernel modules are installed for your operating system. You need to install WireGuard on every node, both server and agents before attempting to leverage the WireGuard flannel backend option.

CLI Flag and Value Description
--flannel-backend=vxlan (Default) Uses the VXLAN backend.
--flannel-backend=ipsec Uses the IPSEC backend which encrypts network traffic.
--flannel-backend=host-gw Uses the host-gw backend.
--flannel-backend=wireguard Uses the WireGuard backend which encrypts network traffic. May require additional kernel modules and configuration.

Custom CNI

Run K3s with --flannel-backend=none and install your CNI of choice. IP Forwarding should be enabled for Canal and Calico. Please reference the steps below.

Visit the Project Calico Docs website. Follow the steps to install Canal. Modify the Canal YAML so that IP forwarding is allowed in the container_settings section, for example:

"container_settings": {
              "allow_ip_forwarding": true
          }

Apply the Canal YAML.

Ensure the settings were applied by running the following command on the host:

cat /etc/cni/net.d/10-canal.conflist

You should see that IP forwarding is set to true.

Follow the Calico CNI Plugins Guide. Modify the Calico YAML so that IP forwarding is allowed in the container_settings section, for example:

"container_settings": {
              "allow_ip_forwarding": true
          }

Apply the Calico YAML.

Ensure the settings were applied by running the following command on the host:

cat /etc/cni/net.d/10-calico.conflist

You should see that IP forwarding is set to true.