Goodbye to iptables: A Quick Dive into GKE's Dataplane V2

Have you heard of Cilium and its eBPF-based networking magic for Kubernetes? If you're already a fan, then you're going to like what Google has been up to with GKE Dataplane V2.

GKE Dataplane V2 is built directly on top of Cilium, bringing the power of eBPF to Google's managed Kubernetes service.

Sounds cool, right? Let's dive into a few exciting things that Dataplane V2 brings to the table.

What's the Big Deal? If you've been using GKE for a while, you're probably familiar with the standard networking stack that used Calico for Network Policy and kube-proxy (with iptables) for service routing. Dataplane V2 changes the game completely.

Here are the highlights:

• Default on Autopilot: To make things easy, Dataplane V2 is enabled by default for all new GKE Autopilot clusters. You might already be using it without knowing!

• No More kube-proxy! That's right. GKE Dataplane V2 completely removes kube-proxy and its complex web of iptables rules. This means service routing is handled far more efficiently by eBPF, leading to better performance and scalability.

• Built-in Security: Security is now a first-class citizen. You don't need a third-party tool like Calico just to enforce Network Policies. You can enable policy enforcement with a single click in the GKE console or a simple flag in your cluster config.

• Network Policy Logging: Ever wondered if a connection was allowed or denied by a Network Policy? Dataplane V2 has built-in logging for this. You can configure a simple CRD on your cluster to get detailed logs, which is a massive help for debugging and security audits.

• Real-time Network Visibility: Thanks to its eBPF foundation, you get much deeper, real-time visibility into the network traffic flowing between your pods.

The Specs: By the Numbers Dataplane V2 isn't just about features; it's built for scale.

• Specification Limit on Dataplane V2 Number of nodes per cluster 7,500 Number of Pods per cluster 200,000 Number of Pods behind one Service 10,000 Number of Cluster IP Services 10,000 Number of LoadBalancer Services per cluster 750.

  Things to Keep in Mind (The Limitations)

  As with any powerful technology, there are a few things you should be aware of before jumping in:

• Creation Time Only: Dataplane V2 can only be enabled when you create a new GKE cluster. You can't migrate an existing cluster to it on the fly, so plan accordingly.

• eBPF Map Limits: GKE Dataplane V2 relies on eBPF maps, which are limited to 260,000 endpoints across all services. An "endpoint" here is a single Pod backing a Service.

• Missing kube-proxy Features: Since kube-proxy is gone, you might miss some specific metrics or behaviors you were used to. It's a new paradigm, so some old debugging habits might need to change.

• Update Your GKE Version: To get the most out of Dataplane V2 and all its features without limitations, you'll want to be on a recent GKE version (the docs often recommend 1.31+ for the latest enhancements).

Key Takeaways GKE Dataplane V2 is more than just an update; it's a fundamental shift in how Kubernetes networking is handled in GKE. By leveraging Cilium and eBPF, it offers:

• Increased performance and scalability by removing kube-proxy.

• Simplified and integrated security with built-in Network Policies.

• Better observability with features like policy logging.

It's a powerful and efficient foundation for your modern applications running on GKE.