BLOG08: What is the Linux Module

BLOG17: Linux Modules and Runtime Tunables Required by Kubernetes

During Kubernetes installation, especially on Linux nodes (Ubuntu, CentOS, etc.), we typically enable some kernel modules and sysctl parameters so the container runtime and Kubernetes networking work correctly.

This document provides a clear explanation of why OverlayFS, br_netfilter, and sysctl net forwarding parameters are enabled.

1. overlay Kernel Module

Purpose: Enables OverlayFS — a modern union filesystem used by container runtimes.

Why it is needed?

• Docker, containerd, CRI-O use overlay2 storage driver.

• Without it, containers cannot layer images efficiently.

• It provides copy-on-write → fast container startup + small disk usage.

Check

lsmod | grep overlay

Enable permanently

cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
overlay
EOF
sudo modprobe overlay

2. br_netfilter Kernel Module

Purpose: Ensures Linux bridge interfaces (used by CNI plugins like Calico, Flannel, Cilium) pass network traffic through iptables.

Why it is needed?

Containers use a Linux bridge (cni0, flannel.1, docker0) for pod-to-pod networking.

If br_netfilter is NOT enabled:

• kube-proxy rules won’t work

• Pod networking fails

• NAT (masquerading) breaks

Check

Enable permanently

3. Sysctl Parameters (net.bridge.*, net.ipv4.ip_forward)

These ensure that Linux forwards traffic and handles bridged traffic properly.

Config 1: Allow iptables to inspect bridged traffic

Why?

• kube-proxy programs iptables rules for service routing.

• These settings ensure traffic passing through CNI bridges is visible to iptables.

Config 2: Enable IP forwarding

Why?

• Required for pod-to-pod routing across nodes.

• Kubernetes assumes the OS kernel will forward packets just like a router.

• If disabled → pods cannot reach external networks or other nodes.

Apply sysctl settings permanently

Summary: Why We Enable These

These settings ensure:

• Container runtime operates normally

• Pod networking works

• kube-proxy iptables rules take effect

• Node can route traffic between pods and external world

What is the difference between modprobe and sysctl parameters in Linux (especially for Kubernetes)?

This section explains the clear and simple difference between modprobe and sysctl parameters in Linux — especially in the context of Kubernetes.

modprobe vs sysctl — Key Difference

1. What is modprobe?

modprobe = load a kernel module (plugin) into the running Linux kernel.

Think of kernel modules as drivers or features the kernel can turn on/off.

Example modules:

• overlay → for container filesystem

• br_netfilter → bridge packet filtering

• ip_tables → iptables backend

Load module

Check module loaded

Persist it

Important: If a module is not loaded, sysctl parameters depending on it will not work.

2. What is sysctl?

sysctl = configure kernel runtime parameters under /proc/sys/*.

These parameters modify:

• Networking

• Routing

• Memory behaviour

• File system limits

Example sysctl values:

Apply immediately

Persist it

How Kubernetes Uses Each

modprobe (Kernel Modules):

If these are missing → container runtime or networking will fail.

sysctl (Kernel Parameters):

Simple Analogy

• modprobe = install/load a kernel feature

• sysctl = configure how the kernel behaves

Example:

• modprobe br_netfilter loads the feature.

• sysctl net.bridge.bridge-nf-call-iptables=1 configures how that feature works.

Final Summary

modprobe

• Loads kernel modules (drivers/features)

• One-time action per boot unless made persistent

• Required before using related sysctl values

sysctl

• Adjusts kernel parameters

• Controls kernel behavior

• Must be persisted via /etc/sysctl.d/

This section provides a clean, accurate, and production-ready comparison of the sysctl + kernel module requirements across Kubeadm, RKE2, K3s, and MicroK8s — highlighting what is needed, why, and what each installer does automatically vs manually.

1. Kubeadm — Manual & Full Control (Most Requirements)

You must enable all kernel modules + sysctl values yourself.

Required Kernel Modules

Required Sysctl Parameters

Additional (Optional for DNS, big clusters)

Who sets them?

• kubeadm does not set them

• containerd does not set them

• You must set them manually or via Ansible

2. RKE2 — Mostly Automatic (Best for Production)

RKE2 is a hardened Kubernetes distribution from Rancher/SUSE.

RKE2 automatically loads most modules and sets most sysctl parameters.

Kernel Modules (Auto-loaded by RKE2)

Sysctl Parameters (Auto-set by RKE2)

Notes

• RKE2 ships with its own hardened kernel security profile.

• Networking uses Cilium, Canal, or Calico, and automatically ensures needed modules.

3. K3s — Lightweight & Automatic (Most Settings Auto)

K3s is a lightweight Kubernetes distribution by Rancher.

K3s automatically configures almost everything for you.

Kernel Modules

Sysctl

Additional

K3s bundles:

• containerd

• flannel or cilium CNI

• traefik ingress

It includes its own optimized networking stack, so it requires fewer manual settings.

4. MicroK8s — Everything Auto + Snap Sandboxed Config

MicroK8s (Canonical) is the most automatic of all.

MicroK8s automatically configures almost all sysctl and modules.

Kernel Modules

Sysctl Parameters

Special Note

MicroK8s runs inside snap confinement, so it bundles:

• containerd

• CNI (Flannel or Calico)

• kubeproxy

• dns

• registry

• ingress

It manages sysctl values per namespace using snap hooks.

Final Summary Table

TL;DR — If you use kubeadm: you must configure everything manually.

• Kubeadm = DIY Kubernetes → you set sysctl + modules

• RKE2 = Hardened Kubernetes → most done for you

• K3s = Lightweight → most done for you

• MicroK8s = One command → almost everything auto