
8.09 CNI Weave in Kubernetes

Abstract

Weave Net is a CNI-based networking solution for Kubernetes.

It creates a Pod network across nodes by running Weave agents/peers on every node. These peers exchange topology information and route Pod traffic across the cluster.

In production, understand how Weave routes traffic, how it is deployed, and how to troubleshoot Weave peers.


What is Weave Net?

Weave Net is a Kubernetes CNI plugin that provides Pod networking across nodes.

It helps Kubernetes satisfy the Pod networking model:

  • every Pod gets an IP address
  • Pods on the same node can communicate
  • Pods on different nodes can communicate
  • Pod-to-Pod communication works across the cluster

Note

Weave is one possible CNI solution. Kubernetes can use other CNI plugins such as Calico, Flannel, Cilium, or Kube-router.


Why Weave is Needed

Manual routing works in small labs, but it does not scale well.

In a large cluster:

  • many nodes exist
  • many Pods run on each node
  • routing tables can become difficult to manage manually
  • Pod locations change frequently

Weave solves this by deploying agents on every node.

Tip

Instead of manually configuring routes for every Pod subnet, Weave peers discover and manage Pod networking automatically.


Weave High-Level Architecture

Weave deploys a Weave peer/agent on each Kubernetes node.

Each peer:

  • runs on a node
  • communicates with other Weave peers
  • learns Pod and node topology
  • creates/uses a Weave bridge
  • routes traffic to local and remote Pods
  • encapsulates traffic when needed

Traffic path: Pod on Node 1 -> Weave bridge / agent -> Node network -> Weave bridge / agent -> Pod on Node 3

Success

Weave peers maintain cluster-wide network awareness so Pods can communicate across nodes.


Weave Peers

Weave peers are the agents that run on every node.

They exchange information such as:

  • node details
  • Pod IP ranges
  • Pod locations
  • peer connectivity
  • routing information

Note

Each Weave peer stores topology information so it knows where remote Pods are located.


Weave Bridge

Weave creates its own bridge on each node.

Example:

BRIDGE: WEAVE

Each node has its own Pod subnet. Example:

Node     Node IP        Example Pod CIDR   Bridge Gateway
Node 1   192.168.1.11   10.244.1.0/24      10.244.1.1
Node 2   192.168.1.12   10.244.2.0/24      10.244.2.1
Node 3   192.168.1.13   10.244.3.0/24      10.244.3.1

Example

A Pod may be attached to multiple networks, such as the Weave bridge and Docker bridge. The route inside the Pod decides which path traffic takes.


Pod Route Example

Inside a Pod, check routes:

kubectl exec busybox -- ip route

Example route:

default via 10.244.1.1 dev eth0

This means:

Send traffic through the Weave bridge gateway.

Tip

If Pod-to-Pod traffic fails, checking ip route inside the Pod is a good first troubleshooting step.


How Weave Sends Traffic Across Nodes

When Pod traffic goes to a Pod on another node:

  1. Pod sends packet to its default gateway
  2. Weave agent intercepts the packet
  3. Weave identifies the destination Pod location
  4. Weave encapsulates the packet
  5. Packet travels over the node network
  6. Remote Weave peer receives it
  7. Remote peer decapsulates it
  8. Packet is delivered to the destination Pod

Note

Encapsulation allows Pod traffic to move across the existing node network without manually configuring every Pod route.
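
The steps above, as a simplified model that uses the per-node Pod CIDR table from the Weave Bridge section. This is an added example, not Weave's own code: the function name forward_decision and the node1..node3 labels are assumptions, and real peers learn this mapping from each other rather than from a static table.

```shell
#!/bin/sh
# Added example: model of the local-vs-encapsulate decision for Pod traffic.
# Columns: node name, node IP, Pod CIDR (values from the page's example table).
WEAVE_TABLE='node1 192.168.1.11 10.244.1.0/24
node2 192.168.1.12 10.244.2.0/24
node3 192.168.1.13 10.244.3.0/24'

# forward_decision SRC_POD_IP DST_POD_IP -> prints how the packet is handled.
forward_decision() {
    printf '%s\n' "$WEAVE_TABLE" | awk -v src="$1" -v dst="$2" '
        # Convert a dotted-quad IPv4 address to an integer.
        function ip2int(ip,   o) {
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        # True when ip lies inside cidr (a.b.c.d/len).
        function in_cidr(ip, cidr,   p, size) {
            split(cidr, p, "/")
            size = 2 ^ (32 - p[2])
            return int(ip2int(ip) / size) == int(ip2int(p[1]) / size)
        }
        {
            # Find which node owns the source and destination Pod IPs.
            if (in_cidr(src, $3)) { snode = $1; sip = $2 }
            if (in_cidr(dst, $3)) { dnode = $1; dip = $2 }
        }
        END {
            if (snode == "" || dnode == "")
                print "unknown: no peer owns that Pod IP"
            else if (snode == dnode)
                print "local: bridge on " snode " delivers directly"
            else
                # Outer header carries node IPs, inner packet keeps Pod IPs.
                print "encapsulate: outer " sip " -> " dip ", inner " src " -> " dst
        }'
}

forward_decision 10.244.1.5 10.244.3.7
```
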


Weave Deployment Method

Weave can be deployed as Kubernetes objects.

The most important object is a DaemonSet.

A DaemonSet ensures one Weave Pod runs on every node.

Weave DaemonSet -> weave-net Pod on node01, weave-net Pod on node02, weave-net Pod on node03

Success

DaemonSet deployment is ideal for CNI agents because every node needs a network agent.


Important Update: Weave Cloud End of Service

The old Weave Cloud installation URL is no longer recommended because Weave Cloud reached end of service.

Old command:

kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"

Danger

Do not rely on the old cloud.weave.works installation URL. It may not work anymore.

Use the newer release manifest instead:

kubectl apply -f https://github.com/weaveworks/weave/releases/download/v2.8.1/weave-daemonset-k8s.yaml

Warning

Always verify the latest supported Weave release before using it in production or labs.


Installing Weave Net

Apply the Weave manifest:

kubectl apply -f https://github.com/weaveworks/weave/releases/download/v2.8.1/weave-daemonset-k8s.yaml

Expected resources may include:

serviceaccount/weave-net created
clusterrole.rbac.authorization.k8s.io/weave-net created
clusterrolebinding.rbac.authorization.k8s.io/weave-net created
role.rbac.authorization.k8s.io/weave-net created
rolebinding.rbac.authorization.k8s.io/weave-net created
daemonset.extensions/weave-net created

Note

Weave installs required RBAC objects and a DaemonSet so the Weave agent can run on every node.
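
Applying a manifest straight from a URL gives no chance to see what it grants on every node. The following is an added example (not from the Weave project or the original page) that reviews a downloaded manifest file before it is applied; the manifest fragment and image names are constructed placeholders, and review_manifest is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: list what a CNI manifest asks for before it is applied.
# Live use: download once, review, then apply that same local file:
#   curl -fsSLo weave.yaml <manifest-url>
#   review_manifest "$(cat weave.yaml)"
#   kubectl apply -f weave.yaml

# Constructed fragment with placeholder image names (not the real manifest).
SAMPLE_MANIFEST='apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: weave-net
  namespace: kube-system
spec:
  template:
    spec:
      hostNetwork: true
      containers:
        - name: weave
          image: registry.example.invalid/weave-kube:latest
          securityContext:
            privileged: true
        - name: weave-npc
          image: "registry.example.invalid/weave-npc@sha256:<digest-placeholder>"'

# Prints one finding per line; an empty result means nothing was flagged.
review_manifest() {
    printf '%s\n' "$1" | awk '
        $1 == "image:" || ($1 == "-" && $2 == "image:") {
            img = $NF
            gsub(/"/, "", img)
            if (img ~ /@sha256:/) next            # pinned by digest
            n = split(img, part, "/")
            if (part[n] !~ /:/ || part[n] ~ /:latest$/)
                print "mutable-tag " img          # tag can be re-pointed
            else
                print "tag-not-digest " img
        }
        # Expected for a CNI agent, but they grant node-level access.
        $1 == "hostNetwork:" && $2 == "true" { print "host-network" }
        $1 == "privileged:"  && $2 == "true" { print "privileged" }
    '
}

review_manifest "$SAMPLE_MANIFEST"
```
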


Verify Weave Pods

Check Weave Pods:

kubectl get pods -n kube-system -o wide

Example:

NAME              READY   STATUS    NODE
weave-net-5gcmb   2/2     Running   node02
weave-net-fr9n9   2/2     Running   master
weave-net-mc6s2   2/2     Running   node01
weave-net-tbzvz   2/2     Running   node03

Success

Weave is healthy when one weave-net Pod is running on each node.
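
The one-Pod-per-node check can be scripted instead of read by eye. This is an added example, not part of the Weave project or the original page: the sample listings are constructed, weave_unhealthy_nodes is a hypothetical helper name, and it assumes the -o wide layout in which NODE is the third field from the end.

```shell
#!/bin/sh
# Added example: list nodes that have no fully ready weave-net Pod.
# Live use:
#   weave_unhealthy_nodes "$(kubectl get nodes --no-headers)" \
#     "$(kubectl get pods -n kube-system -o wide --no-headers)"

# Constructed sample listings (not captured from a real cluster).
SAMPLE_NODES='master   Ready   control-plane   10d   v1.29.0
node01   Ready   <none>   10d   v1.29.0
node02   Ready   <none>   10d   v1.29.0
node03   Ready   <none>   10d   v1.29.0'

SAMPLE_PODS='coredns-5d78c9869d-abcde   1/1   Running   0   10d   10.244.1.2   node01   <none>   <none>
weave-net-fr9n9   2/2   Running   0   10d   192.168.1.10   master   <none>   <none>
weave-net-mc6s2   2/2   Running   1 (3m ago)   10d   192.168.1.11   node01   <none>   <none>
weave-net-5gcmb   1/2   Running   0   10d   192.168.1.12   node02   <none>   <none>'

# $1 = node listing, $2 = kube-system Pod listing in -o wide format.
weave_unhealthy_nodes() {
    { printf '%s\n' "$2"; echo '--NODES--'; printf '%s\n' "$1"; } | awk '
        $0 == "--NODES--" { in_nodes = 1; next }
        !in_nodes {
            # NODE is the third field from the end; counting from the right
            # survives RESTARTS values such as "1 (3m ago)".
            if (NF >= 9 && $1 ~ /^weave-net-/) {
                split($2, ready, "/")
                if ($3 == "Running" && ready[1] == ready[2])
                    healthy[$(NF - 2)] = 1
            }
            next
        }
        # Node section: report every node without a healthy weave-net Pod.
        NF && !($1 in healthy) { print $1 }
    '
}

weave_unhealthy_nodes "$SAMPLE_NODES" "$SAMPLE_PODS"   # prints node02 and node03
```

In the sample, node02 is reported because its Pod is 1/2 ready and node03 because it has no weave-net Pod at all.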


View Weave Logs

Use logs for troubleshooting:

kubectl logs <weave-pod-name> -n kube-system

Example:

kubectl logs weave-net-5gcmb -n kube-system

The weave-net Pod runs more than one container (READY 2/2 in the listing above), so name the container with -c:

kubectl logs weave-net-5gcmb -n kube-system -c weave

Tip

Weave logs show peer discovery, IP allocation, connection issues, and network errors.


Troubleshooting Weave

If Pod networking fails, check:

  • Is the Weave DaemonSet created?
  • Is one Weave Pod running on every node?
  • Are Weave Pods READY 2/2?
  • Are nodes in Ready state?
  • Do Pods receive IP addresses?
  • Can Pods ping same-node Pods?
  • Can Pods ping cross-node Pods?
  • Are Weave logs showing peer connection errors?
  • Are firewall rules blocking node-to-node traffic?

Useful Commands

Check Weave DaemonSet:

kubectl get daemonset -n kube-system

Check Weave Pods:

kubectl get pods -n kube-system -o wide

Check logs:

kubectl logs <weave-pod-name> -n kube-system -c weave

Check all Pods with IPs:

kubectl get pods -A -o wide

Check node status:

kubectl get nodes

Check Pod route:

kubectl exec <pod-name> -- ip route

Check Pod connectivity:

kubectl exec <pod-name> -- ping <destination-pod-ip>

Production Best Practices

Recommended

  • Use a maintained and supported CNI plugin
  • Verify Weave version compatibility with Kubernetes
  • Deploy Weave as a DaemonSet
  • Monitor Weave Pods in kube-system
  • Validate cross-node Pod connectivity
  • Avoid overlapping Pod CIDR, Service CIDR, and node CIDR
  • Use NetworkPolicy if workload segmentation is required
  • Document CNI version and network design

Do's

  • Verify one Weave Pod runs on every node
  • Check kubectl get pods -n kube-system -o wide
  • Check Weave logs during troubleshooting
  • Validate Pod-to-Pod communication across nodes
  • Confirm Pod route points to the correct gateway
  • Keep manifests and versions documented

Don'ts

  • Don't use outdated installation links
  • Don't assume CNI is working just because the control plane is running
  • Don't ignore Weave peer errors
  • Don't use overlapping CIDRs
  • Don't expose unnecessary node ports
  • Don't deploy multiple conflicting CNI plugins

Danger

A broken or misconfigured CNI plugin can break CoreDNS, Services, cross-node Pod communication, and application availability.


CKA Exam Note

CKA Tip

If the exam asks you to deploy a network addon and does not specify the plugin, you may use any valid CNI solution allowed by the provided exam documentation.

Warning

The Kubernetes documentation is vendor-neutral and may not provide exact third-party installation commands. In the official exam, essential CNI deployment details will be provided when required.


Summary

Quote

  • Weave Net is a CNI plugin for Kubernetes Pod networking
  • It runs Weave peers/agents on every node
  • Weave peers exchange topology and routing information
  • Weave uses a DaemonSet to run on all nodes
  • The old Weave Cloud install link is deprecated
  • Use the current release manifest when installing Weave
  • Always verify Weave Pods, logs, and cross-node Pod communication