by remram 1545 days ago
Using container technology doesn't necessarily mean adding virtual network devices/proxying/forwarding. In practical terms, you can run in "host" networking mode (no separate network namespace) on Docker or Kubernetes, and most people would still consider those "containers".

In this case they seem to be NAT'ing packets from a host port on the correct Kubernetes node (the one running the container) to a port in the container, which can be done fast enough with iptables (or similar mechanism used by Kubernetes).


I think keeping that kind of stuff to the minimum would be important.

iptables is a good example -- it can scale rather poorly! Packets are run across the chains at length until a matching rule is found.

For most configurations this isn't a problem - the rules are filtered against quickly.

If density reaches the point to where you have thousands of forwards, it'll slow down a lot!

You'll want to look into optimizations (e.g. ipsets), offloading to hardware, or simply going to host networking.
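The linear-scan cost described above is easy to see in the NAT table itself: every published port adds one DNAT rule to a chain, and a packet walks that chain until a rule matches. The following is an added example, not code from anyone in this thread; it parses `iptables-save -t nat` style output (the sample here is constructed, with Docker-like chain names) and reports how many rules a packet has to traverse per chain, which is the check an operator would run before deciding whether ipsets or host networking are worth the effort.

```python
"""Audit per-chain DNAT rule counts from `iptables-save -t nat` output.

Added example for the thread above, not from the original posters.
Chain names, addresses and ports in SAMPLE_NAT_SAVE are constructed
to resemble a Docker host publishing one UDP port per game server.
"""
import re
from collections import Counter

# Constructed sample in iptables-save format. PREROUTING jumps into a
# DOCKER-style chain that holds one DNAT rule per published port.
SAMPLE_NAT_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p udp -m udp --dport 27015 -j DNAT --to-destination 172.17.0.2:27015
-A DOCKER ! -i docker0 -p udp -m udp --dport 27016 -j DNAT --to-destination 172.17.0.3:27015
-A DOCKER ! -i docker0 -p udp -m udp --dport 27017 -j DNAT --to-destination 172.17.0.4:27015
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
"""

# "-A <chain> <rule body>" lines are the only ones that add rules.
RULE_RE = re.compile(r"^-A (\S+) (.*)$")


def parse_rules(save_text):
    """Return {chain: [rule_body, ...]} with rules in their on-wire order."""
    chains = {}
    for line in save_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains


def dnat_rule_count(chains):
    """Per-chain count of DNAT rules, the part that grows with container density."""
    return Counter({chain: sum("-j DNAT" in r for r in rules)
                    for chain, rules in chains.items()})


def rules_scanned_for_dport(chains, chain, proto, dport):
    """How many rules of `chain` are evaluated before the first matching DNAT.

    A non-matching packet falls through every rule, so the result for an
    unknown port equals the chain length: that is the worst case the
    comment above is warning about.
    """
    rules = chains.get(chain, [])
    needle = f"-p {proto} -m {proto} --dport {dport} "
    for position, rule in enumerate(rules, start=1):
        if needle in rule and "-j DNAT" in rule:
            return position
    return len(rules)


def chains_over_limit(chains, limit):
    """Chains whose DNAT rule count exceeds `limit`; candidates for ipset/host networking."""
    return sorted(c for c, n in dnat_rule_count(chains).items() if n > limit)


if __name__ == "__main__":
    table = parse_rules(SAMPLE_NAT_SAVE)
    for chain, count in sorted(dnat_rule_count(table).items()):
        print(f"{chain:12s} DNAT rules: {count}")
    print("worst case for unknown port:",
          rules_scanned_for_dport(table, "DOCKER", "udp", 9999))
```

Run it against real output with `iptables-save -t nat | python3 audit.py` after swapping `SAMPLE_NAT_SAVE` for `sys.stdin.read()`; the chain names to watch on a Kubernetes node are the kube-proxy ones rather than `DOCKER`, but the counting is the same.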

If you're running a handful of game servers on each machine, each with a single NATed port, you're fine. At bigger scales it's a problem, but as you mention there are better solutions now.