Why IPVS Beats iptables for Scalable Kubernetes Service Load Balancing

Iptables Mode

kube-proxy watches Service and Endpoint changes via the Service informer and creates iptables rules on the host that match the Service’s clusterIP and port, randomly redirecting traffic to backend Pods. For each Endpoint it generates rules to select Pods.

If the first selected Pod does not respond, kube-proxy detects the failure and retries another backend Pod.

iptables is a Linux kernel firewall providing efficient packet filtering. In iptables mode, kube-proxy implements NAT and load‑balancing in the NAT pre‑routing hook, leveraging mature kernel functionality.

Because iptables uses a linear O(n) lookup where n grows with the number of Services and Pods, large clusters generate many rules, increasing lookup time and CPU load. For example, a 5000‑node cluster with 2000 Services each having 10 Pods would create at least 20 000 iptables entries per node, heavily loading the kernel.

Conclusion

kube‑proxy’s iptables implementation creates a large number of host rules that must be constantly refreshed, consuming CPU and becoming a scalability bottleneck for clusters with many Pods.

IPVS Mode

In IPVS mode, kube-proxy monitors Services and Endpoints, uses the netlink interface to create IPVS rules, and periodically syncs them. Traffic is directed to backend Pods via IPVS, which uses a hash‑table data structure, giving O(1) lookup and lower latency.

When a Service is created, kube‑proxy creates a virtual device (kube‑ipvs0) with a VIP, then sets up three virtual servers on that IP and configures round‑robin (rr) as the load‑balancing method.

IPVS is a kernel‑level load balancer that replaces iptables rules with more efficient hash‑based lookups and supports multiple algorithms (rr, lc, dh, sh, sed, nq). Its complexity is O(1) and it scales independently of cluster size.

A potential drawback is that IPVS‑processed packets follow a different netfilter hook path than iptables packets, which may require compatibility checks with other iptables‑using components.

Conclusion

IPVS, designed for kernel‑level load balancing with hash tables, offers better performance and near‑unlimited horizontal scalability for Kubernetes Services, and is expected to become the default backend.

Summary

IPVS (IP Virtual Server) is a layer‑4 load‑balancing technology built into the Linux kernel via Netfilter, capable of forwarding TCP/UDP traffic to backend servers and naturally supporting Kubernetes Services.

As Kubernetes scales, service scalability becomes critical; iptables, designed for firewalls with a linear rule list, struggles with tens of thousands of Services.

IPVS moves rule handling into the kernel using hash tables, drastically reducing rule‑maintenance overhead.

Kubernetes has supported large clusters since v1.6, but iptables‑based kube‑proxy becomes a bottleneck around 5000 nodes; IPVS alleviates this while still relying on iptables for ancillary functions.

IPVS provides more efficient data structures, advanced load‑balancing algorithms, health checks, and connection retries.

When the number of Services exceeds ~1000, IPVS often outperforms iptables, though iptables remains a good choice for smaller clusters due to compatibility with network policies.

References:

https://kubernetes.io/blog/2018/07/09/ipvs-based-in-cluster-load-balancing-deep-dive/

https://cloud.tencent.com/developer/article/1470033

https://blog.csdn.net/qq_36807862/article/details/106068871