
# Flannel CNI

> In this guide you will learn about Flannel CNI on Talos.

export const k8s_release = '1.36.0';

[Flannel](https://github.com/flannel-io/flannel) is a popular Container Network Interface (CNI) plugin that provides a simple and efficient way to create an overlay network for Kubernetes clusters.
Flannel is the default CNI installed by Talos Linux, and it can be overridden with other CNI implementations if desired (e.g. [Cilium](./deploying-cilium), [Calico](./deploy-calico), etc.).

Flannel encapsulates the network traffic between pods using VXLAN (Talos default),
which allows for seamless communication between pods across different nodes in the cluster without requiring any additional configuration on the underlying network infrastructure.
With Flannel, `kube-proxy` handles the routing of traffic between pods and services, while Flannel manages the overlay network and ensures that pods can communicate with each other regardless of their physical location in the cluster.

Starting with Talos 1.13, Flannel can be configured to support [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) by using the following machine configuration patch:

```yaml theme={null}
cluster:
  network:
    cni:
      name: flannel
      flannel:
        kubeNetworkPoliciesEnabled: true
```

Network policies allow you to control the traffic flow between pods and services in your Kubernetes cluster, providing an additional layer of security and isolation.

### Example network policy

The following example demonstrates a network policy that restricts ingress traffic to pods with the label `app: web` in the `default` namespace, allowing only traffic from pods with the label `app: api`:

```yaml theme={null}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-web
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: api
      ports:
        - protocol: TCP
          port: 80
```

Apply the policy:

```bash theme={null}
kubectl apply -f network-policy.yaml
```

Once applied, only pods with the label `app: api` can reach port 80 on pods labeled `app: web`. All other ingress traffic to those pods is denied.

<Note>Network policies require `kubeNetworkPoliciesEnabled: true` in the Flannel configuration as shown above. Without this setting, NetworkPolicy resources are accepted but not enforced.</Note>
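To make the semantics of `allow-api-to-web` concrete, here is an added example (not from the Talos docs or the Flannel project) that evaluates the ingress decision for the policy above against a few constructed pods. It models only `podSelector`/`matchLabels` peers with TCP ports, which is all this policy uses; `namespaceSelector`, `ipBlock` and egress rules are out of scope.

```python
# Added example: a minimal evaluator for the ingress semantics of the
# allow-api-to-web NetworkPolicy shown above, run against constructed pods.

# The page's policy, transcribed from the YAML above.
ALLOW_API_TO_WEB = {
    "namespace": "default",
    "podSelector": {"app": "web"},
    "policyTypes": ["Ingress"],
    "ingress": [
        {"from": [{"podSelector": {"app": "api"}}],
         "ports": [{"protocol": "TCP", "port": 80}]},
    ],
}

# Constructed pods for the demonstration: name -> (namespace, labels).
PODS = {
    "web-0": ("default", {"app": "web"}),
    "api-0": ("default", {"app": "api"}),
    "batch-0": ("default", {"app": "batch"}),
    "db-0": ("default", {"app": "db"}),
}

def selects(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present."""
    return all(labels.get(k) == v for k, v in selector.items())

def ingress_allowed(policies, src, dst, protocol, port):
    """Decide whether pod src may open protocol/port on pod dst.
    Pods not selected by any Ingress policy keep the Kubernetes default of
    allow-all; selected pods are isolated and denied unless a rule matches."""
    src_ns, src_labels = PODS[src]
    dst_ns, dst_labels = PODS[dst]
    applicable = [p for p in policies
                  if p["namespace"] == dst_ns and "Ingress" in p["policyTypes"]
                  and selects(p["podSelector"], dst_labels)]
    if not applicable:
        return True  # nothing selects dst, so it is not isolated for ingress
    for policy in applicable:
        for rule in policy["ingress"]:
            # An empty 'from' matches any peer; a podSelector peer with no
            # namespaceSelector only matches pods in the policy's own namespace.
            peer_ok = not rule.get("from") or any(
                src_ns == policy["namespace"] and selects(peer["podSelector"], src_labels)
                for peer in rule["from"] if "podSelector" in peer)
            port_ok = not rule.get("ports") or any(
                p.get("protocol", "TCP") == protocol and p["port"] == port
                for p in rule["ports"])
            if peer_ok and port_ok:
                return True
    return False
```

Note that `db-0` is reachable from anyone: a NetworkPolicy isolates only the pods its `podSelector` matches, so pods without a policy stay open regardless of `kubeNetworkPoliciesEnabled`.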

## Custom Flannel deployment with Omni

By default, Talos manages the Flannel installation automatically. However, if you need to customize Flannel settings that are not exposed through the Talos API — such as changing the backend type (e.g. from VXLAN to host-gw or WireGuard), adjusting MTU, or modifying other Flannel configuration — you can deploy a custom Flannel manifest using Omni's [manifest sync](../../omni/cluster-management/sync-kubernetes-manifests) feature.

**Step 1.** Download the upstream Flannel manifest:

```bash theme={null}
curl -Lo flannel.yaml https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml
```

**Step 2.** Edit `flannel.yaml` to customize the Flannel configuration. For example, to change the backend from VXLAN to host-gw, find the `net-conf.json` section in the ConfigMap and update it:

```json theme={null}
{
  "Network": "10.244.0.0/16",
  "Backend": {
    "Type": "host-gw"
  }
}
```

**Step 3.** Reference the manifest in your Omni cluster template. Set the default CNI to `none` so Talos does not install its own Flannel:

```yaml theme={null}
kind: Cluster
name: my-cluster
kubernetes:
  version: 1.36.0
  manifests:
    - name: flannel
      file: flannel.yaml
      mode: full
patches:
  - name: disable-default-cni
    inline:
      cluster:
        network:
          cni:
            name: none
...
# Include machines for template
```

**Step 4.** Apply the cluster template:

```bash theme={null}
omnictl cluster template sync --file cluster-template.yaml
```

Using `mode: full` ensures that Omni continuously syncs the manifest, so any changes you make to the Flannel configuration in the cluster template are applied to the cluster automatically. See [Sync Kubernetes Manifests](../../omni/cluster-management/sync-kubernetes-manifests) for more details.

Talos Linux ships with all the base CNI plugins that Flannel needs, so the default Flannel installation performed by Talos can be replaced with a custom one built from the [Flannel documentation](https://github.com/flannel-io/flannel).
