
Flannel is a popular Container Network Interface (CNI) plugin that provides a simple and efficient way to create an overlay network for Kubernetes clusters. Flannel is the default CNI installed by Talos Linux, and it can be overridden with other CNI implementations if desired (e.g. Cilium, Calico, etc.). Flannel encapsulates the network traffic between pods using VXLAN (the Talos default), which allows pods on different nodes to communicate without any additional configuration on the underlying network infrastructure. With Flannel, kube-proxy handles the routing of traffic between pods and services, while Flannel manages the overlay network and ensures that pods can communicate with each other regardless of where they run in the cluster.

Starting with Talos 1.13, Flannel can be configured to support Network Policies by using the following machine configuration patch:
cluster:
  network:
    cni:
      name: flannel
      flannel:
        kubeNetworkPoliciesEnabled: true
Network policies allow you to control the traffic flow between pods and services in your Kubernetes cluster, providing an additional layer of security and isolation.

Example network policy

The following example demonstrates a network policy that restricts ingress traffic to pods with the label app: web in the default namespace, allowing only traffic from pods with the label app: api:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-web
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: api
      ports:
        - protocol: TCP
          port: 80
Apply the policy:
kubectl apply -f network-policy.yaml
Once applied, only pods with the label app: api can reach port 80 on pods labeled app: web. All other ingress traffic to those pods is denied.
Network policies require kubeNetworkPoliciesEnabled: true in the Flannel configuration as shown above. Without this setting, NetworkPolicy resources are accepted but not enforced.
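To make the enforcement rules above concrete, here is an added Python model (not code from the Talos or Omni documentation) of the Kubernetes ingress semantics that the allow-api-to-web policy relies on; the pods and their labels are constructed, and `enforced=False` stands in for a Flannel configuration without kubeNetworkPoliciesEnabled. It goes slightly beyond the single policy on the page: empty `from`/`ports` lists, an empty rule list (default deny) and several additive policies are handled too.

```python
# Constructed pods (not from the page): name -> namespace and labels.
PODS = {
    "web-0": {"namespace": "default", "labels": {"app": "web"}},
    "api-0": {"namespace": "default", "labels": {"app": "api"}},
    "batch-0": {"namespace": "default", "labels": {"app": "batch"}},
    "db-0": {"namespace": "default", "labels": {"app": "db"}},
}

# The page's allow-api-to-web NetworkPolicy, reduced to the fields the evaluator needs.
ALLOW_API_TO_WEB = {
    "namespace": "default",
    "podSelector": {"app": "web"},
    "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"podSelector": {"app": "api"}}],
                 "ports": [{"protocol": "TCP", "port": 80}]}],
}

def selects(match_labels, pod):
    """matchLabels semantics: every key/value pair must be present on the pod."""
    return all(pod["labels"].get(k) == v for k, v in match_labels.items())

def ingress_allowed(src, dst, port, policies, enforced=True, protocol="TCP"):
    """True if pod `src` may open protocol/port to pod `dst` under `policies`.

    enforced=False models a cluster without kubeNetworkPoliciesEnabled: the
    NetworkPolicy objects exist in the API but nothing programs them.
    """
    if not enforced:
        return True
    s, d = PODS[src], PODS[dst]
    applicable = [p for p in policies
                  if p["namespace"] == d["namespace"]
                  and "Ingress" in p["policyTypes"] and selects(p["podSelector"], d)]
    if not applicable:  # no policy selects the destination: Kubernetes default is open
        return True
    for p in applicable:  # policies are additive: any matching rule allows the flow
        for rule in p.get("ingress", []):
            # podSelector peer without namespaceSelector = same namespace as the policy;
            # an absent or empty `from` allows every source, absent `ports` every port.
            peers = rule.get("from") or []
            peer_ok = not peers or any(
                s["namespace"] == p["namespace"] and selects(peer.get("podSelector", {}), s)
                for peer in peers)
            ports = rule.get("ports") or []
            port_ok = not ports or any(
                pp.get("protocol", "TCP") == protocol and pp["port"] == port for pp in ports)
            if peer_ok and port_ok:
                return True
    return False  # selected by a policy but matched by no rule: denied
```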

Custom Flannel deployment with Omni

By default, Talos manages the Flannel installation automatically. However, if you need to customize Flannel settings that are not exposed through the Talos API, such as changing the backend type (e.g. from VXLAN to host-gw or WireGuard), adjusting the MTU, or modifying other Flannel configuration, you can deploy a custom Flannel manifest using Omni's manifest sync feature.

Step 1. Download the upstream Flannel manifest:
curl -Lo flannel.yaml https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml
Step 2. Edit flannel.yaml to customize the Flannel configuration. For example, to change the backend from VXLAN to host-gw, find the net-conf.json section in the ConfigMap and update it:
{
  "Network": "10.244.0.0/16",
  "Backend": {
    "Type": "host-gw"
  }
}
Step 3. Reference the manifest in your Omni cluster template. Set the default CNI to none so Talos does not install its own Flannel:

Step 4. Apply the cluster template:
omnictl cluster template sync --file cluster-template.yaml
Using mode: full ensures that Omni continuously syncs the manifest, so any changes you make to the Flannel configuration in the cluster template are applied to the cluster automatically. See Sync Kubernetes Manifests for more details.

Talos Linux ships with all necessary base CNI plugins for Flannel, so a default Flannel installation done by Talos can be replaced with a custom one based on the Flannel documentation.