Migrating from IPVS to nftables

[frozenprocess]

Kubernetes v1.35 marks an important turning point for cluster networking. The IPVS backend for kube-proxy has been officially deprecated, and future Kubernetes releases will remove it entirely. If your clusters still rely on IPVS, the clock is now very much ticking.

In this show-and-tell article, you will learn how to migrate an existing IPVS-based cluster to the recommended (by kubernetes) nftables backend. We’ll cover what changes under the hood, what to watch out for during the transition, and how to validate that your cluster networking continues to behave as expected.

While Kubernetes upstream now recommends nftables as the default path forward, it’s not the only option. We’ll also briefly touch on an alternative approach: migrating away from kube-proxy altogether by adopting the Calico eBPF dataplane. This provides a glimpse into what a modern, kube-proxy less Kubernetes networking stack can look like for teams ready to take that step.

Prerequisites

NFtables doesn’t have too many requirements and by now it should be covered by most Linux distributions. Here is a short list of things that you should know before attempting to migrate:

• Linux Kernel: Your Linux kernel should be compiled with nftables support.
• Kubernetes: v1.31 or higher

⚠️It is recommended to perform networking backend change during a maintenance window. ⚠️

Verify The Current Mode

To confirm if your cluster is currently in IPVS mode, check the kube-proxy logs:

kubectl logs -n kube-system daemonset/kube-proxy | grep -i ipvs

Output:

I0103 01:18:49.979100 1 server_linux.go:253] "Using ipvs Proxier"

In Kubernetes v1.35+, you will also see this deprecation log:

"The ipvs proxier is now deprecated and may be removed in a future release. Please use 'nftables' instead."

If your environment is set to IPVS then Calico automatically switches to its IPVS mode and utilizes IPVS based service creation to gain better performance.
You can verify this by using the following command:

kubectl logs -n calico-system daemonset/calico-node | grep -i ipvs

Output:

2026-01-03 03:09:52.996 [INFO][71] felix/driver.go 85: Kube-proxy in ipvs mode, enabling felix kube-proxy ipvs support.

Migrate Kube-Proxy to NFTables

As shown in the previous log emitted by kube-proxy, the upstream Kubernetes recommendation is to switch from IPVS to nftables.

Update the ConfigMap

You need to update the mode parameter in the kube-proxy ConfigMap.

kubectl edit configmap -n kube-system kube-proxy

Locate the mode configuration (usually found within the config.conf data block) and change it from ipvs to nftables:

mode: nftables

Restart Kube-Proxy

Changes to the ConfigMap do not apply automatically. You must restart the DaemonSet to pick up the changes.

kubectl rollout restart -n kube-system daemonset/kube-proxy

Verify Kube-Proxy Migration

Once the pods restart, check the logs to confirm the new mode is active:

kubectl logs -n kube-system daemonset/kube-proxy | grep -i nftables

Switch Calico to NFTables

After updating kube-proxy, you must instruct the Calico dataplane to switch to NFTables mode. This is done by patching the Tigera Operator's installation resource.

Step 1: Patch the Installation

Run the following command to update the Linux dataplane mode:

kubectl patch installation default --type=merge -p '{"spec":{"calicoNetwork":{"linuxDataplane":"Nftables"}}}'

Step 2: Verify Calico Migration

The Tigera operator will initiate a rolling restart of all calico-node pods. Once complete, verify the change in the logs:

kubectl logs -f -n calico-system daemonset/calico-node | grep -i nftables

Output:

2026-01-03 01:25:07.803 [INFO][837] felix/config_params.go 805: Parsed value for NFTablesMode: Enabled (from datastore (global))

Switch to Calico eBPF (High Performance)

If you are already performing a migration, consider skipping NFTables entirely and moving to the Calico eBPF dataplane.
The eBPF dataplane bypasses kube-proxy entirely, offering:
Lower latency than both IPVS and NFTables.

• Source IP preservation.
• Direct Server Return (DSR) capabilities.

Note: Make sure to change your kube-proxy mode to iptables before switching to eBPF.

Learn more about the Calico eBPF dataplane here.