Understanding Kube Proxy Modes


TechOps Examples

Hey — It's Govardhana MK 👋

Welcome to another technical edition.

🧠 DEEP DIVE USE CASE

When you call a Kubernetes Service, you never think about which Pod will receive the request or how the traffic finds it. You just hit a ClusterIP or NodePort and expect the cluster to “do the right thing”. That “right thing” is mostly the work of kube-proxy.

[Figure: Kubernetes architecture]

At a high level, every worker node runs kube-proxy. It watches the API server for Service and Endpoint/EndpointSlice updates and programs the node’s networking layer so that Service virtual IPs exist, traffic to those IPs is load balanced to the correct Pod IPs, and changes are applied automatically as Pods appear or disappear.

Kube-proxy can implement this routing in different ways, called proxy modes. In practice you’ll mostly see:

  1. Iptables Proxy Mode

  2. User Space Proxy Mode

  3. IPVS Proxy Mode

Iptables Proxy Mode

kube-proxy programs iptables DNAT rules on every node. These rules map a Service ClusterIP or NodePort to the Pod IPs. Traffic never touches kube-proxy after rules are written. The Linux kernel handles everything through connection tracking.

What kube-proxy actually does on the node

  • Watches the API server for Service objects and Endpoints or EndpointSlice objects.

  • Generates iptables rule chains such as KUBE-SERVICES, KUBE-NODEPORTS, KUBE-SVC-xxxx (service VIP rules), and KUBE-SEP-xxxx (service endpoints).

  • Hooks these chains into the PREROUTING and OUTPUT chains of the nat table, so the node becomes “aware” of all Service virtual IPs and all Pod backends.

Practical nuances that actually matter
  • Rule explosion in large clusters
    Thousands of Services or rapidly changing Endpoints make rule updates slow. kube-proxy may spike CPU during heavy churn.

  • Failover isn’t instant
    If a Pod dies, traffic may still hit it for a short time until kube-proxy rewrites the rules. Applications may see brief 502/503 errors.

  • Debugging is straightforward
    You can inspect every routing decision with: iptables -t nat -L KUBE-SERVICES -n --line-numbers

  • NodePort behavior is transparent
    All NodePort rewrites live under KUBE-NODEPORTS, making it easy to trace external-to-pod traffic.

  • Not ideal for very large clusters
    If you have thousands of Services, heavy HPA, or frequent rollouts, iptables may struggle to keep up.
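
To audit what a node actually exposes, the chain walk described above (KUBE-SERVICES or KUBE-NODEPORTS, then KUBE-SVC-xxxx, then KUBE-SEP-xxxx) can be scripted. The following is an added example, not code from this newsletter or from kube-proxy: the dump is a constructed, simplified `iptables-save -t nat` excerpt with made-up chain suffixes and IPs, the function names are hypothetical, and the exact rule layout is assumed and differs between kube-proxy versions.

```python
import shlex
from collections import defaultdict

# Constructed, simplified `iptables-save -t nat` excerpt (chain suffixes and IPs are made up).
SAMPLE = r'''*nat
-A KUBE-SERVICES -d 10.96.12.34/32 -p tcp -m comment --comment "shop/web cluster IP" -m tcp --dport 80 -j KUBE-SVC-WEB0000000000001
-A KUBE-SERVICES -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-NODEPORTS -p tcp -m comment --comment "shop/web" -m tcp --dport 30080 -j KUBE-SVC-WEB0000000000001
-A KUBE-SVC-WEB0000000000001 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-AAAAAAAAAAAAAAAA
-A KUBE-SVC-WEB0000000000001 -j KUBE-SEP-BBBBBBBBBBBBBBBB
-A KUBE-SEP-AAAAAAAAAAAAAAAA -p tcp -m tcp -j DNAT --to-destination 10.244.1.5:8080
-A KUBE-SEP-BBBBBBBBBBBBBBBB -p tcp -m tcp -j DNAT --to-destination 10.244.2.7:8080
COMMIT'''

def parse_rules(dump):
    """Return {chain: [rule tokens, ...]} for every -A line in the dump."""
    chains = defaultdict(list)
    for line in dump.splitlines():
        if line.startswith("-A "):
            tok = shlex.split(line)  # keeps quoted --comment text as one token
            chains[tok[1]].append(tok[2:])
    return chains

def opt(tokens, flag):
    """Value that follows `flag` in a rule, or None when the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def backends(chains, chain, seen=()):
    """Follow -j jumps from `chain` down to DNAT rules; return Pod ip:port targets."""
    out = []
    for rule in chains.get(chain, []):
        target = opt(rule, "-j")
        if target == "DNAT":
            out.append(opt(rule, "--to-destination"))
        elif target and target.startswith("KUBE-") and target not in seen:
            out += backends(chains, target, seen + (chain,))  # `seen` guards against loops
    return out

def service_map(dump):
    """Map every ClusterIP and NodePort entry point to the Pod backends it DNATs to."""
    chains, result = parse_rules(dump), {}
    for entry, label in (("KUBE-SERVICES", "clusterip"), ("KUBE-NODEPORTS", "nodeport")):
        for rule in chains.get(entry, []):
            port, target = opt(rule, "--dport"), opt(rule, "-j") or ""
            if port and target.startswith("KUBE-SVC-"):  # skips the jump to KUBE-NODEPORTS
                dest = (opt(rule, "-d") or "*").split("/")[0]
                result[f"{label} {dest}:{port}/{opt(rule, '-p')}"] = sorted(backends(chains, target))
    return result

print(service_map(SAMPLE))
```

Comparing this map against the Services you expect to be reachable highlights unintended NodePort exposure and backends that no longer match running Pods.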
