Updated on 2026-05-26 GMT+08:00

DataPlane V2

DataPlane V2 can be enabled in clusters that use VPC networks or Cloud Native Network 2.0. This feature uses eBPF redirection to enable features like Services, bandwidth, and NetworkPolicy.

DataPlane V2

Description

Technical implementation

DataPlane V2 integrates open-source Cilium to enable features like Services, bandwidth, and NetworkPolicy.

Supported cluster versions

CCE standard clusters using VPC networks (commercial use): v1.27.16-r30, v1.28.15-r20, v1.29.13-r0, v1.30.10-r0, v1.31.6-r0, or later

CCE Turbo clusters (commercial use): v1.34.3-r10 or later

Usage

  • When creating a CCE standard cluster, select the VPC network in the container network configuration and enable DataPlane V2.
  • When creating a CCE Turbo cluster, select Cloud Native Network 2.0 and enable DataPlane V2.
NOTICE:
  • After DataPlane V2 is enabled, secure containers are not supported.
  • Once enabled, DataPlane V2 cannot be disabled.
  • After DataPlane V2 is enabled, CCE standard clusters support Layer 7 network policies on VPC networks. CCE Turbo clusters do not support this feature.
  • With DataPlane V2 enabled, CCE standard clusters on the VPC network model use eBPF-based bandwidth limiting by default. CCE Turbo clusters default to TBF Qdisc for bandwidth limiting, with eBPF disabled.
  • After DataPlane V2 is enabled, Host-Routing is enabled by default.
  • With DataPlane V2 enabled, when a CCE Turbo cluster node accesses a workload on the same node, traffic is forwarded directly within the node rather than through the VPC. As a result, the security group associated with the workload does not take effect for this traffic. Use CiliumNetworkPolicy to enforce access restrictions if required.
  • For CCE standard cluster workloads with Layer 7 network policies, NodePort access from source addresses outside non-masqueraded CIDR blocks is not supported.
  • DataPlane V2 can only be enabled for new clusters.
  • If the initial version of a new cluster is v1.34 or later and DataPlane V2 is enabled, kube-proxy will not run on the node.
  • If Layer 7 or DNS-based network policies are enabled in your cluster, matching traffic will be disrupted during Cilium upgrades. For details, see community constraints.

Supported OS

Huawei Cloud EulerOS 2.0 is supported.

Clusters v1.28.15-r70, v1.29.15-r30, v1.30.14-r30, v1.31.10-r30, v1.32.6-r30, v1.33.5-r20, v1.34.1-r0, and later versions support Ubuntu 22.04.

Performance optimization

  • Service networks use eBPF to replace kube-proxy, reducing latency for large-scale Service clusters.
  • eBPF is used for bandwidth limiting, which makes the limit more accurate and lowers resource consumption.

Bandwidth

With DataPlane V2 enabled, CCE standard clusters on the VPC network model use eBPF for bandwidth limiting, and CCE Turbo clusters use TBF Qdisc. For details, see Configuring QoS for Pods.

NetworkPolicy

  • The implementation of network policies is different from that of container tunnel networks. For details, see Configuring Network Policies to Restrict Pod Access.
    • The ipBlock selector can only select CIDR blocks outside a cluster.
    • The ipBlock selector does not have good support for the except keyword, so this keyword is not recommended.
    • If an egress network policy is used, the selected pods cannot access the IP addresses of hostNetwork pods and nodes in the cluster.
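
The three constraints above can be checked before a policy is applied. The following Python linter is an added example, not part of the CCE documentation or tooling. The function name, finding codes, and sample CIDRs are constructed, and the caller is assumed to supply the cluster's pod, Service, and node ranges.

```python
import ipaddress

def lint_network_policy(policy, cluster_cidrs):
    """Return (code, message) findings for one NetworkPolicy dict."""
    cluster = [ipaddress.ip_network(c) for c in cluster_cidrs]
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    spec = policy.get("spec", {})
    findings = []
    for direction, peers_key in (("ingress", "from"), ("egress", "to")):
        for i, rule in enumerate(spec.get(direction) or []):
            for peer in rule.get(peers_key) or []:
                block = peer.get("ipBlock")
                if not block:
                    continue
                net = ipaddress.ip_network(block["cidr"], strict=False)
                where = f"{name} {direction}[{i}] ipBlock {net}"
                hits = [str(c) for c in cluster
                        if c.version == net.version and c.overlaps(net)]
                if hits:  # ipBlock only selects CIDR blocks outside the cluster
                    findings.append(("ipblock-in-cluster",
                                     f"{where} overlaps cluster range(s) {', '.join(hits)}"))
                if block.get("except"):  # except is poorly supported
                    findings.append(("ipblock-except", f"{where} relies on except"))
    # Kubernetes treats a policy as egress-type if policyTypes lists Egress
    # or, when policyTypes is omitted, if it carries egress rules.
    if "Egress" in (spec.get("policyTypes") or []) or spec.get("egress"):
        findings.append(("egress-blocks-host",
                         f"{name} is egress-type: selected pods cannot reach "
                         "node or hostNetwork pod IPs"))
    return findings

# Constructed sample values (not from the page): pod, Service and node ranges.
CLUSTER_CIDRS = ["10.0.0.0/16", "10.247.0.0/16", "192.168.0.0/24"]
RISKY = {"metadata": {"name": "db-policy"}, "spec": {
    "podSelector": {"matchLabels": {"app": "db"}},
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"ipBlock": {"cidr": "192.168.0.0/24"}}]}],
    "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                     "except": ["169.254.169.254/32"]}}]}]}}
CLEAN = {"metadata": {"name": "partner-ingress"}, "spec": {
    "podSelector": {"matchLabels": {"app": "api"}},
    "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"ipBlock": {"cidr": "203.0.113.0/24"}}]}]}}

if __name__ == "__main__":
    for code, msg in lint_network_policy(RISKY, CLUSTER_CIDRS):
        print(f"{code}: {msg}")
```

A policy that allows 0.0.0.0/0 and carves out ranges with except is the common pattern this flags: under DataPlane V2 the in-cluster part of that block is not selected, so the rule does not mean what it would on a container tunnel network.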

Resource consumption

The resident cilium-agent process on each node is responsible for eBPF network acceleration. Each cilium-agent process may occupy 80 MiB of memory. Each time a pod is added, the cilium-agent memory consumption may increase by 10 KiB.

Components

After DataPlane V2 is enabled, components listed in the following table are installed.

Component: cilium-operator
Resource Type: Deployment
Description:
  • Synchronizes CRDs.
  • Removes the node.cilium.io/agent-not-ready taint of a node.
  • Tunes and recycles internal resources.

Component: yangtse-cilium
Resource Type: DaemonSet
Description:
  • Installs the auxiliary CNI (cilium-cni) for CCE to adapt to Cilium.
  • Deploys cilium-agent.

Configuration Management

You can use ConfigMaps to customize the network components of DataPlane V2.

ConfigMap Configuration: yangtse-cilium-config
Configurable Component: cilium-agent
Priority: 1
Description: Default DataPlane V2 configuration. Do not modify this configuration. If it is modified, it will be restored to its original settings during a cluster upgrade.

ConfigMap Configuration: cilium-config
Configurable Component: cilium-agent, cilium-operator
Priority: 2
Description: Native configuration of the Cilium community. The priority of this configuration is lower than that of yangtse-cilium-config. If you need to customize DataPlane V2 components, modify this configuration first.

Currently, only the Cilium add-on of 2.1.1 or later supports custom configuration.

Example custom network components:

  • Example 1: To change the default NodePort range of a cluster, modify the Service Port Range in Settings > Network > Service Settings, and then update the Cilium settings by creating a native Cilium community ConfigMap:
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cilium-config
      namespace: kube-system
    data:
      node-port-range: "30000,32767"

    After configuring cilium-config, run the following command to rebuild yangtse-cilium in rolling mode to apply the modification:

    uuid=$(uuidgen)
    kubectl patch daemonset -nkube-system yangtse-cilium --type='json' -p="[{\"op\": \"add\", \"path\": \"/spec/template/metadata/annotations/change-id\", \"value\": \"$uuid\"}]"
  • Example 2: To have affected nodes tainted automatically when cilium-agent malfunctions, so that pods are not scheduled to them, configure --set-cilium-node-taints=true for cilium-operator.

    You can create the following native ConfigMap configuration of the Cilium community:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cilium-config
      namespace: kube-system
    data:
      set-cilium-node-taints: "true"

    After configuring cilium-config, run the following command to rebuild cilium-operator in rolling mode to apply the configuration:

    uuid=$(uuidgen)
    kubectl patch deployment -n kube-system cilium-operator --type='json' -p="[{\"op\": \"add\", \"path\": \"/spec/template/metadata/annotations/change-id\", \"value\": \"$uuid\"}]"
  • Example 3: To enable Hubble for cilium-agent, create the following native Cilium community ConfigMap. For details about the parameter settings, see Deploying Hubble for DataPlane V2 Network Observability.
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cilium-config
      namespace: kube-system
    data:
      enable-hubble: "true"
      # The Hubble server on :4244 serves flow data without TLS.
      hubble-disable-tls: "true"
      hubble-listen-address: ":4244"
      hubble-metrics: "dns drop tcp flow port-distribution icmp http"
      # Address on which Hubble metrics are exposed.
      hubble-metrics-server: ":9965"

    After configuring cilium-config, run the following command to rebuild yangtse-cilium in rolling mode to apply the modification:

    uuid=$(uuidgen)
    kubectl patch daemonset -nkube-system yangtse-cilium --type='json' -p="[{\"op\": \"add\", \"path\": \"/spec/template/metadata/annotations/change-id\", \"value\": \"$uuid\"}]"

Change History

You can run the following command to check the cilium-operator image tag for the DataPlane V2 version:

kubectl get deploy -nkube-system cilium-operator -oyaml | grep "image:" | cut -d ':' -f 3

Information similar to the following is displayed:

3.1.5

Add-on Version: 3.1.5
Status: Commercial use
Supported Cluster Version: v1.29, v1.30, v1.31, v1.32, v1.33, v1.34, v1.35
What's New:
  • CCE standard clusters' VPC networks are supported.
  • CCE Turbo clusters v1.34 and later are supported. CCE Turbo clusters do not support Layer 7 network policies.
  • Cilium is upgraded to v1.19.1.
Community Version: v1.19

Add-on Version: 3.0.1
Status: Commercial use
Supported Cluster Version: v1.28, v1.29, v1.30, v1.31, v1.32, v1.33, v1.34
What's New:
  • CCE standard clusters' VPC networks are supported.
  • If the initial version of a new cluster is v1.34 or later and DataPlane V2 is enabled, kube-proxy will not run on the node.
  • Upgraded Cilium to v1.18.3.
  • Support for Ubuntu 22.04
Community Version: v1.18

Add-on Version: 2.1.1
Status: Commercial use
Supported Cluster Version: v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, v1.33
What's New:
  • Support for CCE standard clusters that use VPC networks
  • Upgraded Cilium to v1.17.6.
  • Support for CCE standard clusters of v1.33
  • Custom Cilium parameters
  • Configurable Hubble observability
Community Version: v1.17

Add-on Version: 2.0.2
Status: OBT
Supported Cluster Version: v1.27, v1.28, v1.29, v1.30, v1.31, v1.32
What's New:
  • Support for CCE standard clusters that use VPC networks
  • Upgraded Cilium to v1.17.3.
  • Disabled bpf-lb-sock (by setting bpf-lb-sock=false).
  • Disabled host-based firewalls (by setting enable-host-firewall=false).
  • Enabled Layer 7 network policies (by setting enable-l7-proxy=true).
  • Enabled host-routing (by setting enable-host-legacy-routing=false).
Community Version: v1.17

Add-on Version: 1.0.17
Status: Limited OBT
Supported Cluster Version: v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, v1.33
What's New:
  • Support for only CCE Turbo clusters
  • Support for Ubuntu 22.04
Community Version: v1.14

Add-on Version: 1.0.16
Status: Limited OBT
Supported Cluster Version: v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, v1.33
What's New:
  • Support for only CCE Turbo clusters
  • Support for CCE Turbo clusters of v1.33
Community Version: v1.14

Add-on Version: 1.0.15
Status: Limited OBT
Supported Cluster Version: v1.27, v1.28, v1.29, v1.30, v1.31, v1.32
What's New:
  • Support for only CCE Turbo clusters
  • Disabled bpf-lb-sock (by setting bpf-lb-sock=false).
Community Version: v1.14

Add-on Version: 1.0.8
Status: Limited OBT
Supported Cluster Version: v1.27, v1.28, v1.29, v1.30, v1.31
What's New:
  • Support for only CCE Turbo clusters
  • Disabled host-based firewalls (by setting enable-host-firewall=false).
  • Disabled L7 network policies (by setting enable-l7-proxy=false).
Community Version: v1.14

Add-on Version Differences

Add-on Version: 3.1.x
Status: Commercial use
Cilium Version: v1.19
Difference:
  • CCE standard clusters' VPC networks are supported.
  • CCE Turbo clusters v1.34 and later are supported.
  • veth networking is fully compatible with Cilium.
  • L7 network policies are supported. (CCE Turbo clusters do not support this feature.)
  • Hubble network observability is supported.
Cluster Upgrade: When the cluster is upgraded, Cilium is automatically upgraded to the latest version.

Add-on Version: 3.0.x
Status: Commercial use
Cilium Version: v1.18
Difference:
  • CCE standard clusters' VPC networks are supported.
  • veth networking, fully compatible with Cilium
  • L7 network policies
  • Hubble network observability
Cluster Upgrade: When the cluster is upgraded, Cilium is automatically upgraded to the latest version.

Add-on Version: 2.x.x
Status: Commercial use
Cilium Version: v1.17
Difference:
  • Only CCE standard clusters' VPC networks are supported.
  • veth networking, fully compatible with Cilium
  • L7 network policies
  • Hubble network observability
Cluster Upgrade: When the cluster is upgraded, Cilium is automatically upgraded to the latest version.

Add-on Version: 1.x.x
Status: Limited OBT
Cilium Version: v1.14
Difference:
  • Only CCE Turbo clusters are supported.
  • Network interface passthrough networking
  • No L7 network policies
Cluster Upgrade: When the cluster is upgraded, Cilium is not automatically upgraded. This version does not support in-place upgrade to the commercial version. Create a new cluster using the latest version instead.