How to Migrate from IPVS to nftables

Kubernetes v1.35 marks an important turning point for cluster networking. The IPVS backend for kube-proxy has been officially deprecated, and future Kubernetes releases will remove it entirely. If your clusters still rely on IPVS, the clock is now very much ticking.

In this show-and-tell article, you will learn how to migrate an existing IPVS-based cluster to the nftables backend recommended by Kubernetes. We'll cover what changes under the hood, what to watch out for during the transition, and how to validate that your cluster networking continues to behave as expected.

While Kubernetes upstream now recommends nftables as the default path forward, it's not the only option. We'll also briefly touch on an alternative approach: migrating away from kube-proxy altogether by adopting the Calico eBPF dataplane. This provides a glimpse into what a modern, kube-proxy-less Kubernetes networking stack can look like for teams ready to take that step.

Prerequisites

nftables doesn't have many requirements, and by now most Linux distributions should cover them. Here is a short list of things that you should know before attempting to migrate:

  • Linux Kernel: Your Linux kernel should be compiled with nftables support.
  • Kubernetes: v1.31 or higher
  • Calico: v3.30+. This guide uses Calico as the networking backend; see How to install Calico.

Warning: It is recommended to perform the networking backend change during a maintenance window.

Verify The Current Mode

To confirm if your cluster is currently in IPVS mode, check the kube-proxy logs:

kubectl logs -n kube-system daemonset/kube-proxy | grep -i ipvs

Output:

I0103 01:18:49.979100 1 server_linux.go:253] "Using ipvs Proxier"

In Kubernetes v1.35+, you will also see this deprecation log:

"The ipvs proxier is now deprecated and may be removed in a future release. Please use 'nftables' instead."

If your environment is set to IPVS, Calico automatically switches to its IPVS mode and uses IPVS-based service creation to gain better performance.
You can verify this with the following command:

kubectl logs -n calico-system daemonset/calico-node | grep -i ipvs

Output:

2026-01-03 03:09:52.996 [INFO][71] felix/driver.go 85: Kube-proxy in ipvs mode, enabling felix kube-proxy ipvs support.

Migrate Kube-Proxy to NFTables

As shown in the previous log emitted by kube-proxy, the upstream Kubernetes recommendation is to switch from IPVS to nftables.

Update the ConfigMap

You need to update the mode parameter in the kube-proxy ConfigMap.

kubectl edit configmap -n kube-system kube-proxy

Locate the mode configuration (usually found within the config.conf data block) and change it from ipvs to nftables:

mode: nftables

Restart Kube-Proxy

Changes to the ConfigMap do not apply automatically. You must restart the DaemonSet to pick up the changes.

kubectl rollout restart -n kube-system daemonset/kube-proxy

Verify Kube-Proxy Migration

Once the pods restart, check the logs to confirm the new mode is active:

kubectl logs -n kube-system daemonset/kube-proxy | grep -i nftables

Switch Calico to NFTables

After updating kube-proxy, you must instruct the Calico dataplane to switch to NFTables mode. This is done by patching the Tigera Operator’s installation resource.

Step 1: Patch the Installation

Run the following command to update the Linux dataplane mode:

kubectl patch installation default --type=merge -p '{"spec":{"calicoNetwork":{"linuxDataplane":"Nftables"}}}'

Step 2: Verify Calico Migration

The Tigera operator will initiate a rolling restart of all calico-node pods. Once complete, verify the change in the logs:

kubectl logs -f -n calico-system daemonset/calico-node | grep -i nftables

Output:

2026-01-03 01:25:07.803 [INFO][837] felix/config_params.go 805: Parsed value for NFTablesMode: Enabled (from datastore (global))
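
The checks from both verification steps combined into one script, as an added example that is not part of the original article. The state names and the `--live` flag are made up for illustration, and the nftables "Using ... Proxier" log line is assumed to have the same shape as the ipvs line shown earlier.

```shell
#!/bin/sh
# Added example (not from the original article). Each parser reads stdin,
# so it works on live kubectl output or on saved text.

# Mode set in the kube-proxy ConfigMap's config.conf ("mode: ..." line).
proxy_mode_from_config() {
    awk '/^mode:/ { gsub(/[^a-z]/, "", $2); print $2; exit }'
}

# Proxier the running kube-proxy reported; the newest matching line wins.
# Assumption: the nftables line has the same shape as the ipvs line above.
proxier_from_logs() {
    sed -n 's/.*"Using \([a-z]*\) Proxier".*/\1/p' | tail -n 1
}

# Succeeds once Felix has logged that it parsed NFTablesMode as Enabled.
felix_nftables_enabled() {
    grep -q 'Parsed value for NFTablesMode: Enabled'
}

# Verdict from: ConfigMap mode, logged proxier, Felix flag (yes|no).
# The state names are hypothetical labels chosen for this example.
migration_state() {
    case "$1/$2/$3" in
        nftables/nftables/yes) echo complete ;;
        nftables/nftables/no)  echo calico-pending ;;   # Installation not patched yet
        nftables/*/*)          echo restart-pending ;;  # ConfigMap edited, DaemonSet not restarted
        *)                     echo not-started ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    cfg=$(kubectl get configmap -n kube-system kube-proxy \
            -o jsonpath='{.data.config\.conf}' | proxy_mode_from_config)
    run=$(kubectl logs -n kube-system daemonset/kube-proxy | proxier_from_logs)
    felix=no
    kubectl logs -n calico-system daemonset/calico-node | felix_nftables_enabled && felix=yes
    migration_state "$cfg" "$run" "$felix"
else
    # Constructed sample: ConfigMap already edited, kube-proxy not yet restarted.
    cfg=$(printf 'kind: KubeProxyConfiguration\nmode: nftables\n' | proxy_mode_from_config)
    run=$(printf '%s\n' 'I0103 01:18:49.979100 1 server_linux.go:253] "Using ipvs Proxier"' | proxier_from_logs)
    migration_state "$cfg" "$run" no   # prints: restart-pending
fi
```

`kubectl logs daemonset/...` reads from a single pod, so a live run reflects one node; repeat the log checks per pod to cover the whole cluster.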

Switch to Calico eBPF (High Performance)

If you are already performing a migration, consider skipping NFTables entirely and moving to the Calico eBPF dataplane.
The eBPF dataplane bypasses kube-proxy entirely, offering:

  • Lower latency than both IPVS and NFTables.
  • Source IP preservation.
  • Direct Server Return (DSR) capabilities.

Note: Make sure to change your kube-proxy mode to iptables before switching to eBPF.

Learn more about the Calico eBPF dataplane here.