Dataplane V2

Dataplane V2 is a data plane for GKE clusters and the other GKE cluster environments that is optimized for Kubernetes networking. This page gives an overview of what Dataplane V2 does and how it works.

Introduction

Dataplane V2 provides:

  • A consistent user experience for networking in GKE and all GKE cluster environments. See Availability of Dataplane V2 for information about the environments that support Dataplane V2.
  • Real-time visibility of network activity.
  • Simpler architecture that makes it easier to manage and troubleshoot clusters.

Dataplane V2 is based on eBPF and runs on Linux nodes, so it can flexibly and efficiently process network packets in-kernel using Kubernetes-specific metadata.

Advantages of Dataplane V2

Security

Kubernetes NetworkPolicy enforcement is always on in clusters with Dataplane V2. You don't have to install and manage third-party software add-ons such as Calico to enforce network policy.

Scalability

Dataplane V2 is designed to improve routing in large clusters. It doesn't use kube-proxy or iptables.

Operations

When you create a cluster with Dataplane V2, network policy logging is built in. To see when connections to and from your Pod objects are allowed or denied, configure the logging CRD on your cluster.
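As an added example (not from the original page), the following is the shape of the cluster-wide logging object that turns on allow and deny records for every Pod. The API group `networking.gke.io/v1alpha1`, the kind `NetworkLogging`, and the field names are assumed here from GKE's NetworkLogging CRD; check the CRD installed on your cluster with `kubectl get crd` before relying on them.

```yaml
# Added example (not from the page). Kind, API version and field names are
# assumed from GKE's NetworkLogging CRD; the object is cluster-scoped and
# is assumed to be named "default".
kind: NetworkLogging
apiVersion: networking.gke.io/v1alpha1
metadata:
  name: default
spec:
  cluster:
    allow:
      log: true         # record connections that a NetworkPolicy allowed
      delegate: false   # assumed semantics: log every allowed flow, not only
                        # flows from policies that opt in per policy
    deny:
      log: true         # record denied connections: the signal a defender
                        # wants for spotting lateral movement or misconfigured policy
      delegate: false
```

Denied connections are the first thing to look at when a workload stops talking to a peer after a policy change, and they are also the records worth forwarding to your log pipeline for alerting. Allow logging is useful while validating a new policy set but is noisier, so many teams leave `allow.log` off once the policies have settled.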

Consistency

Dataplane V2 is available and provides the same features on GKE and on the other GKE cluster environments. See Availability of Dataplane V2 for more details.

How Dataplane V2 works

As packets arrive at a node, eBPF programs installed in the kernel decide how to route and process the packets. Unlike packet processing with iptables, eBPF programs can use Kubernetes-specific metadata in the packet. This lets Dataplane V2 efficiently process network packets in the kernel and report annotated actions back to user space for logging. The following diagram shows the path of a packet through a node using Dataplane V2:

Diagram: A packet arriving at a node is processed in-kernel by eBPF. eBPF programs perform policy enforcement, service resolution, and connection tracking. This activity is reported to user space for logging. The packet payload is then delivered to a Pod.

The Dataplane V2 controller on the node is called anetd. anetd is deployed as a DaemonSet to each node and is responsible for interpreting Kubernetes objects and programming network topologies in eBPF. The anetd controller replaces kube-proxy and the service routing that kube-proxy would otherwise perform from the kube-system namespace.

Dataplane V2 on GKE clusters runs in Overlay Network mode. In this mode, all cluster nodes form a mesh of tunnels using the Geneve encapsulation protocol. All container-to-container network traffic is routed through these tunnels. The main advantage of this model is that the cluster's nodes don't need to be aware of the underlying AWS network configuration.
