Using Dataplane V2

Standard

This page explains Dataplane V2 for Google Kubernetes Engine (GKE).

About Dataplane V2

Dataplane V2 is based on eBPF and allows Linux nodes to flexibly and performantly process network packets in-kernel. Dataplane V2 includes built-in network policy enforcement and network policy logging without any third-party add-ons.

To use network policy logging, you must enable Dataplane V2 on your GKE cluster. For instructions, see the Creating a cluster with Dataplane V2 section.

Limitations

Dataplane V2 can only be enabled in new clusters. Existing clusters cannot be upgraded to use Dataplane V2.
Windows nodes do not support Dataplane V2.

Beta limitations

While Dataplane V2 is in beta, backwards compatibility is not guaranteed. You might have to recreate a cluster using Dataplane V2 when a new version of Dataplane V2 becomes available.
Some Kubernetes and GKE features are known not to work in Beta:
- Kubernetes services that set ExternalTrafficPolicy:local and are backed by Pods running with hostNetwork:true cannot receive traffic from clients outside the cluster.
- Kubernetes network policies that use FromCIDR with CIDR ranges that select some but not all node IPs don't work.
- Some features including NodeLocal DNSCache are not supported.
There is not a Google Cloud Console interface for Dataplane V2.

Creating a GKE cluster with Dataplane V2

You can enable Dataplane V2 when creating new clusters with GKE 1.17.9 and later.

gcloud

To create a new cluster with Dataplane V2, use the following command:

gcloud beta container clusters create cluster-name \
    --enable-dataplane-v2 \
    --enable-ip-alias \
    --cluster-version version \
    --release-channel channel-name \
    {--region region-name | --zone zone-name}

Replace the following:

cluster-name: the name of your new cluster.
version: your cluster version, which must be GKE 1.17.9 or later.
channel-name: a release channel that includes GKE version 1.17.9 or later.
region-name or zone-name: the location of the cluster. These arguments are mutually exclusive. See Types of clusters for more information.

API

To create a new cluster with Dataplane V2, specify the datapathProvider field in the networkConfig object in your cluster create request.

The following JSON snippet shows the configuration needed to enable Dataplane V2:

"cluster":{
  "initialClusterVersion":"version",
  "ipAllocationPolicy":{
     "useIpAliases":true
  },
  "networkConfig":{
     "datapathProvider":"ADVANCED_DATAPATH"
  },
  "releaseChannel":{
     "channel":"channel-name"
  }
}

Replace the following:

version: your cluster version, which must be GKE 1.17.9 or later.
channel-name: a release channel that includes GKE version 1.17.9 or later.

Troubleshooting

Check the state of the system Pods:
```
kubectl -n kube-system get pods
```
If Dataplane V2 is running, you will see Pods with the prefix anetd- running in the HEALTHY state. anetd is the networking controller for Dataplane V2.
If the issue is with services or network policy enforcement, check the anetd Pod logs:
```
kubectl -n kube-system describe pod anetd-pod
kubectl -n kube-system logs anetd-pod
```
Replace anetd-pod with the name of an anetd Pod identified previously.
If Pod creation is failing, check the kubelet logs for clues:
```
gcloud compute ssh node -- sudo journalctl -u kubelet
```
Replace node with the name of the VM instance.

What's next

Use network policy logging to record when connections to Pods are allowed or denied by your cluster's network policies.