Merge pull request #43588 from danwinship/kep-3866-nftables-proxy-alpha

Document nftables kube-proxy alpha (KEP 3866)
kubernetes · Nov 27, 2023 · d5466c3 · d5466c3
2 parents fdcd1f6 + 75e93c6
commit d5466c3
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/content/en/docs/reference/networking/virtual-ips.md b/content/en/docs/reference/networking/virtual-ips.md
@@ -62,6 +62,9 @@ On Linux nodes, the available modes for kube-proxy are:
 [`ipvs`](#proxy-mode-ipvs)
 : a mode where the kube-proxy configures packet forwarding rules using ipvs.
 
+[`nftables`](#proxy-mode-nftables)
+: a mode where the kube-proxy configures packet forwarding rules using nftables.
+
 There is only one mode available for kube-proxy on Windows:
 
 [`kernelspace`](#proxy-mode-kernelspace)
@@ -268,6 +271,23 @@ falls back to running in iptables proxy mode.
 
 {{< figure src="/images/docs/services-ipvs-overview.svg" title="Virtual IP address mechanism for Services, using IPVS mode" class="diagram-medium" >}}
 
+### `nftables` proxy mode {#proxy-mode-nftables}
+
+{{< feature-state for_k8s_version="v1.29" state="alpha" >}}
+
+_This proxy mode is only available on Linux nodes._
+
+In this mode, kube-proxy configures packet forwarding rules using the
+nftables API of the kernel netfilter subsystem. For each endpoint, it
+installs nftables rules which, by default, select a backend Pod at
+random.
+
+The nftables API is the successor to the iptables API, and although it
+is designed to provide better performance and scalability than
+iptables, the kube-proxy nftables mode is still under heavy
+development as of {{< skew currentVersion >}} and is not necessarily
+expected to outperform the other Linux modes at this time.
+
 ### `kernelspace` proxy mode {#proxy-mode-kernelspace}
 
 _This proxy mode is only available on Windows nodes._