Glossary of GKE networking key terms

This glossary provides definitions for key terms related to Google Kubernetes Engine (GKE) networking.

Additive VPC scope (DNS)
An optional Cloud DNS setting that lets headless services in your cluster be resolved by other resources in the same VPC network.
Application layer
The highest layer in the OSI model, where applications interact with the network. Protocols like HTTP and DNS operate at this layer.
Application Load Balancer
A Google Cloud load balancer for HTTP(S) traffic. You configure it using Kubernetes resources like Ingress or the more modern, and recommended, Gateway API.
cbr0
A Linux bridge on nodes in non-VPC-native clusters (using the kubenet CNI) that connects Pods on the same node. This bridge isn't used in VPC-native clusters, which are the GKE default.
CIDR (Classless Inter-Domain Routing)
A method for specifying IP address ranges. It's crucial for planning how you allocate IP addresses in GKE for Pods, Services, and Nodes.
Cloud DNS
Google Cloud's managed DNS service. When used for GKE, it provides a highly available, scalable, and VPC-scoped DNS resolution as an alternative to the in-cluster kube-dns. It simplifies service discovery across GKE clusters and other Compute Engine resources.
Cloud Interconnect
A Google Cloud service for dedicated, high-bandwidth connections between your on-premises network and Google Cloud.
Cloud Load Balancing
A Google Cloud service that distributes user traffic across multiple instances of your applications.
Cloud NAT (Network Address Translation)
A managed service that enables private GKE clusters to securely access the internet for outbound connections.
Cloud Next Generation Firewall
Google Cloud's firewall service that protects your GKE cluster at the VPC network level. It works alongside Kubernetes Network Policies to provide defense-in-depth by controlling traffic to and from the cluster nodes.
Cloud VPN
A Google Cloud service that lets you securely connect your on-premises network to your Google Cloud VPC network through encrypted tunnels.
ClusterIP
A stable, virtual IP address assigned to a Kubernetes Service, used for communication within the cluster.
cluster networking
The outermost layer of GKE networking, focusing on how the entire Kubernetes cluster interacts with external resources and networks.
Cluster scope (DNS)
A Cloud DNS setting that makes DNS records resolvable only within a single GKE cluster.
ConfigMap
A Kubernetes resource for storing non-confidential data in key-value pairs. Applications often use ConfigMaps for their configuration.
Container network interface (CNI)
A standard for configuring network interfaces for Linux containers. GKE uses a CNI plugin to implement and manage Pod networking.
control plane
The central management component of your Kubernetes cluster, which includes the Kubernetes API server and other control processes.
Deployment
A Kubernetes object that manages a set of replicated Pods by controlling ReplicaSets.
DNS (Domain Name System)
A hierarchical distributed naming system for computers, services, or other resources connected to the Internet or a private network. In Kubernetes, it's vital for service discovery.
eBPF (extended Berkeley Packet Filter)
A Linux kernel technology that lets you run sandboxed programs in the kernel space. In GKE, it's the foundation of GKE Dataplane V2, which implements high-performance networking for Services, load balancing, and network policies, bypassing conventional mechanisms like iptables.
External Load Balancers
Google Cloud load balancers that handle internet-facing traffic to expose applications outside the cluster.
Gateway API
An evolution of the Kubernetes Ingress API for managing inbound traffic. We recommend using Gateway API to configure Application Load Balancers and manage traffic routing in GKE.
GKE GKE Dataplane V2
A high-performance, eBPF-based networking data plane for GKE. It replaces kube-proxy and iptables and implements Kubernetes Services, load balancing, and Network Policies with improved scalability, observability, and security.
Headless Service
A Kubernetes Service that doesn't have a virtual cluster IP address. Stateful applications often use a HeadlessService when they require individual Pod addressing.
Ingress
A Kubernetes API object that manages external access to services in a cluster, typically for HTTP(S) traffic. Gateway API is its successor.
Internal Load Balancers
Google Cloud load balancers that handle traffic originating from within your VPC network, but outside the cluster.
IP address
A numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication.
iptables rules
A conventional mechanism in the Linux kernel for packet filtering and NAT. In Kubernetes, kube-proxy uses iptables to implement Service routing. eBPF replaces this mechanism in clusters that use GKE Dataplane V2.
kube-dns
The default DNS service used in Standard clusters for service discovery. Autopilot clusters use Cloud DNS.
kube-proxy
A Kubernetes component that runs on each node and maintains network rules to implement Service objects. It typically uses iptables or IPVS. This component isn't used in GKE clusters with GKE Dataplane V2 enabled.
kubelet
An agent that runs on each node in a Kubernetes cluster. It communicates with the control plane, manages Pods running on the node, and works with the container runtime to help ensure that containers are running and healthy.
Kubernetes network model
The set of rules defining how containerized applications communicate within a cluster. A key principle is that every Pod gets its own IP address and can communicate directly with other Pod objects.
LoadBalancer Service
A Kubernetes Service type that provisions a built-in Google Cloud Load Balancer to expose applications externally.
Multi-cluster Ingress
A GKE feature that lets you deploy a single, global Application Load Balancer that routes traffic to Service objects running in multiple GKE clusters across different regions.
Multi-cluster Services
A GKE feature that lets you create Service objects that span multiple clusters, enabling service discovery and connectivity for applications distributed across different GKE clusters.
maximum transmission unit (MTU)
The largest packet size that a network can transmit without fragmentation.
NetworkPolicy
A Kubernetes resource that acts like a firewall for your Pod objects, controlling network traffic between them based on defined rules.
NodeLocal DNSCache
An optional feature in GKE to improve DNS performance by running a caching DNS agent on each node.
Nodes
The worker VMs in a GKE cluster that host your Pod objects.
Pod
The smallest and most basic deployable unit in Kubernetes. A Pod runs one or more containers that share the same network resources and get a unique IP address.
Pod networking
The foundational layer of GKE networking that governs how individual Pod objects communicate with each other and external resources.
Private clusters
GKE clusters where the control plane has only an internal IP address, keeping communication within your VPC.
Private Google Access
A feature that lets resources in your VPC network, including GKE clusters, communicate securely with other Google Cloud services without exposing traffic to the public internet.
Private Service Connect
A Google Cloud feature that lets you privately consume services across different VPC networks. In GKE, you can use it to securely expose a Service in your cluster to consumers in other VPC networks without using external IP addresses or VPC peering.
Service
A Kubernetes abstraction that defines a logical set of Pods and a policy for accessing them, providing a stable, virtual IP address (ClusterIP) and DNS name.
Service discovery
The process by which applications find and communicate with each other. In Kubernetes, this process is often facilitated by DNS.
Service mesh
An optional infrastructure layer that provides advanced features for traffic management, observability, and security between services. Cloud Service Mesh is Google's managed Istio offering for GKE.
Service networking
The layer in GKE networking that focuses on how you expose and access services, including load balancing and Ingress.
Subnets
Regional IP address ranges defined within your VPC network, from which GKE components get their IP addresses.
Veth pair (virtual Ethernet pair)
A virtual network device that acts like a virtual network cable, connecting a Pod's isolated network namespace to the node's primary network.
Virtual Private Cloud (VPC)
An isolated, global network in Google Cloud that forms the foundation of a GKE cluster's network.
VPC-native cluster
The default cluster type in GKE, where Pod IP addresses are allocated as alias IP ranges from the cluster's VPC subnet. This configuration makes Pod IP addresses natively routable within the VPC network, which simplifies connectivity and eliminates the need for NAT for on-premises or other VPC connections.

What's next