Dataplane V2 is a data plane for GKE and GKE clusters that is optimized for Kubernetes networking. This page gives an overview of what Dataplane V2 does and how it works.
Introduction
Dataplane V2 provides:
- A consistent user experience for networking in GKE and all GKE cluster environments. See Availability of Dataplane V2 for information about the environments that support Dataplane V2.
- Real-time visibility of network activity.
- Simpler architecture that makes it easier to manage and troubleshoot clusters.
Dataplane V2 is based on eBPF and Linux nodes to flexibly and efficiently process network packets in-kernel using Kubernetes-specific metadata.
Advantages of Dataplane V2
Security
Kubernetes Network policy is always on in clusters with Dataplane V2. You don't have to install and manage third-party software add-ons such as Calico to enforce network policy.
Scalability
Dataplane V2 is designed to improve routing in large clusters. It doesn't use kube-proxy or iptables.
Operations
When you create a cluster with Dataplane V2, network policy logging is built in. To see when your Pod objects allow and deny connections, configure the logging CRD on your cluster.
Consistency
Dataplane V2 is available and provides the same features on GKE and on other GKE clusters environments. See Availability of Dataplane V2 for more details.
How Dataplane V2 works
As packets arrive at a node, eBPF programs installed in the kernel decide how to route and process the packets. Unlike packet processing with iptables, eBPF programs can use Kubernetes-specific metadata in the packet. This lets Dataplane V2 efficiently process network packets in the kernel and report annotated actions back to user space for logging. The following diagram shows the path of a packet through a node using Dataplane V2:
The Dataplane V2 controller on the node is called anetd
. anetd
is deployed
as a DaemonSet
to each node and is responsible for interpreting Kubernetes objects and
programming network topologies in eBPF. The anetd
controller replaces the
service routing kube-proxy and the routing it would perform in the kube-system
namespace.
Dataplane V2 on GKE clusters runs in Overlay Network mode. In this mode, all cluster nodes form a mesh of tunnels using the Geneve encapsulation protocol. All container-to-container network traffic is routed through these tunnels. The main advantage of this model is that the cluster's nodes don't need to be aware of the underlying AWS network configuration.
What's next
- Configuring Network Policies on GKE Multi-Cloud
- Use network policy logging to record when your cluster's network policies allow or deny connections to a Pod.