As of May 10th, 2021, GKE Dataplane V2 and Kubernetes Network Policy logging are generally available starting with GKE version 1.20.6-gke.700 and gcloud 340.0.0.

Google, GKE, eBPF and Cilium logos.

Extended Berkeley Packet Filter (eBPF) is a new Linux networking paradigm that exposes programmable hooks to the network stack inside the Linux kernel. The ability to enrich the kernel with user-space information—without jumping back and forth between user and kernel spaces—enables context-aware operations on network packets at high speeds.

Cilium is an open source project that has been designed on top of eBPF to address the new scalability, security and visibility requirements of container workloads. Cilium goes beyond a traditional Container Networking Interface (CNI) to provide service resolution, policy enforcement and much more as seen in the picture below.

Cilium, beyond the traditional Kubernetes CNI.

In August 2020, I wrote a blog article about the 4 main networking features GCP provides for your GKE clusters; GKE Dataplane V2 was one of them. I hadn't tested this feature until today, but today is the day! ;)

GKE Dataplane V2 is an opinionated dataplane that harnesses the power of eBPF and Cilium.

In Cilium's blog article for the announcement, you can also read the story behind the partnership between Cilium, Google and, actually, the broader open source community. I love that!

Google clearly has incredible technical chops and could have just built their dataplane directly on eBPF, instead, the GKE team has decided to leverage Cilium and contribute back. This is of course a huge honor for everybody who has contributed to Cilium over the years and shows Google’s commitment to open collaboration.

First, let’s create a new cluster using Dataplane V2:

# CLUSTER_NAME is a placeholder for the name of the cluster you want to create.
gcloud container clusters create CLUSTER_NAME \
    --enable-dataplane-v2

Note: Dataplane V2 comes with network policy enforcement built-in. This means that you don’t need to enable network policy in clusters that use Dataplane V2. As of today, if you try to explicitly enable or disable network policy enforcement in a cluster that uses Dataplane V2, the request will fail.

From here, you can apply your NetworkPolicies as you would on any Kubernetes cluster. But there is more: you can also turn on the associated network policy logging (for both allow and deny decisions). To do so, create a NetworkLogging resource like the one below:

kind: NetworkLogging
apiVersion: networking.gke.io/v1alpha1
metadata:
  name: default
spec:
  cluster:
    allow:
      log: true
      delegate: false
    deny:
      log: true
      delegate: false

From there, the deny logs, for example, can be queried in Cloud Logging:

# Use the project ID (not the display name): it is also part of the logName path below.
projectId=FIXME
clusterLocation=FIXME
clusterName=FIXME

filter="resource.type=\"k8s_node\" "\
"jsonPayload.disposition=\"deny\" "\
"resource.labels.location=\"${clusterLocation}\" "\
"resource.labels.cluster_name=\"${clusterName}\" "\
"logName=\"projects/${projectId}/logs/policy-action\""

gcloud logging read --project "$projectId" "$filter"
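As an added example (not from the original post): a small Python script that takes the JSON you get from `gcloud logging read --format=json "$filter"` and aggregates the deny entries per source workload, destination workload and port, so repeated blocked attempts show up as one line with a total. The sample entries are constructed, and the jsonPayload field names (disposition, count, connection, src, dest) are an assumption about GKE's policy-action log schema; check them against a real entry from your cluster.

```python
import json
from collections import Counter

# Constructed sample of `gcloud logging read --format=json` output for policy-action
# entries. Field names inside jsonPayload are an assumption about the GKE log schema;
# confirm them against one real entry before relying on these keys.
SAMPLE_ENTRIES = json.loads("""[
 {"jsonPayload": {"disposition": "deny", "count": 3,
   "connection": {"src_ip": "10.84.1.7", "dest_ip": "10.84.2.4", "src_port": 41234,
                  "dest_port": 8080, "protocol": "tcp", "direction": "ingress"},
   "src": {"pod_name": "curl-abc", "pod_namespace": "default", "workload_name": "curl"},
   "dest": {"pod_name": "web-xyz", "pod_namespace": "prod", "workload_name": "web"}}},
 {"jsonPayload": {"disposition": "allow", "count": 1,
   "policies": [{"name": "allow-web", "namespace": "prod"}],
   "connection": {"src_ip": "10.84.3.2", "dest_ip": "10.84.2.4", "src_port": 50001,
                  "dest_port": 8080, "protocol": "tcp", "direction": "ingress"},
   "src": {"pod_name": "fe-123", "pod_namespace": "prod", "workload_name": "frontend"},
   "dest": {"pod_name": "web-xyz", "pod_namespace": "prod", "workload_name": "web"}}},
 {"jsonPayload": {"disposition": "deny", "count": 2,
   "connection": {"src_ip": "10.84.1.7", "dest_ip": "10.84.2.4", "src_port": 41300,
                  "dest_port": 8080, "protocol": "tcp", "direction": "ingress"},
   "src": {"pod_name": "curl-abc", "pod_namespace": "default", "workload_name": "curl"},
   "dest": {"pod_name": "web-xyz", "pod_namespace": "prod", "workload_name": "web"}}},
 {"jsonPayload": {"disposition": "deny", "count": 1,
   "connection": {"src_ip": "10.84.1.7", "dest_ip": "10.84.4.9", "src_port": 41400,
                  "dest_port": 5432, "protocol": "tcp", "direction": "ingress"},
   "src": {"pod_name": "curl-abc", "pod_namespace": "default", "workload_name": "curl"},
   "dest": {"pod_name": "db-0", "pod_namespace": "prod", "workload_name": "db"}}}
]""")

def _who(endpoint):
    """namespace/workload, falling back to the pod name when no workload is recorded."""
    ns = endpoint.get("pod_namespace", "?")
    return f"{ns}/{endpoint.get('workload_name') or endpoint.get('pod_name', '?')}"

def deny_summary(entries):
    """Sum the per-entry `count` of deny logs per (src, dest, proto, port, direction)."""
    totals = Counter()
    for payload in (e.get("jsonPayload", {}) for e in entries):
        if payload.get("disposition") != "deny":
            continue  # allow entries name the matching policy; not needed for this view
        conn = payload.get("connection", {})
        key = (_who(payload.get("src", {})), _who(payload.get("dest", {})),
               conn.get("protocol", "?"), conn.get("dest_port"), conn.get("direction", "?"))
        totals[key] += int(payload.get("count", 1))
    return totals

def render(totals):
    """One line per blocked flow, busiest first, for a quick triage of what is denied."""
    return "\n".join(f"{n:>5}  {direction:<7} {src} -> {dst} {proto}/{port}"
                     for (src, dst, proto, port, direction), n in totals.most_common())
```

Pipe the real output in with `gcloud logging read --format=json "$filter" | python3 -c 'import json,sys; from summarize import *; print(render(deny_summary(json.load(sys.stdin))))'` (assuming the block is saved as summarize.py).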

Tip: if your cluster is enrolled in Anthos, you will also see the count of those deny logs on the Anthos > Security > Policy Summary > Kubernetes network policy page.

And that's it; that's how easily Cilium (eBPF) on GKE brings more security and more visibility to containers. I don't know about you, but NetworkLogging is a game changer for me: I finally and easily have visibility into the deny decisions of my NetworkPolicies!

Further and complementary resources:

Hope you enjoyed that one, stay safe out there, cheers!