Updated on 2025-08-19 GMT+08:00

DataPlane V2 Network Acceleration

DataPlane V2 can be enabled for clusters that use a VPC network or Cloud Native Network 2.0. Once enabled, eBPF redirection is supported, which allows the use of network policies.

CCE DataPlane V2 is released with restrictions. To use this feature, submit a service ticket to CCE.

DataPlane V2

Description

Technical implementation

DataPlane V2 integrates open-source Cilium to provide capabilities such as network policies.

Supported cluster versions

CCE standard clusters (using VPC networks) of v1.27.16-r30, v1.28.15-r20, v1.29.13-r0, v1.30.10-r0, v1.31.6-r0, or later

CCE Turbo clusters of v1.27.16-r10, v1.28.15-r0, v1.29.10-r0, v1.30.6-r0, or later

Usage

  • When creating a CCE standard cluster, select the VPC network in the container network configuration and enable DataPlane V2.
  • When creating a CCE Turbo cluster, select Cloud Native Network 2.0 and enable DataPlane V2.
NOTICE:
  • After DataPlane V2 is enabled, secure containers (Kata Containers as the container runtime) are not supported.
  • Once enabled, DataPlane V2 cannot be disabled.
  • DataPlane V2 can only be enabled for new clusters.
  • DataPlane V2 is in limited OBT. Upgrading it to a commercial version requires the node to be reset. Exercise caution when enabling this function.
  • After DataPlane V2 is enabled, the Guaranteed Egress Network Bandwidth capability of cloud native hybrid deployment cannot be enabled.
  • If Layer 7 network policies or DNS-based policies are enabled for services in your cluster, traffic that matches these policies will be disrupted during a Cilium upgrade. For details, see the constraints documented by the Cilium community.

Supported OS

Only Huawei Cloud EulerOS 2.0 is supported.

Performance optimization

  • EDT (Earliest Departure Time) is used to limit egress bandwidth, which makes bandwidth limiting more accurate and lowers resource consumption.

Bandwidth

After DataPlane V2 network acceleration is enabled, pods on nodes running Huawei Cloud EulerOS 2.0 use EDT to limit egress bandwidth. Ingress bandwidth limiting is not supported. In other network modes, a TBF qdisc is used to limit bandwidth. For details, see Configuring QoS for a Pod.

NetworkPolicy

  • Network policies are implemented differently than in container tunnel networks. For details, see Configuring Network Policies to Restrict Pod Access.
    • The IPBlock selector can only select CIDR blocks outside the cluster.
    • The IPBlock selector does not support the except keyword well, so using this keyword is not recommended.
    • If an egress network policy is used, the pod cannot access the IP addresses of hostNetwork pods and nodes in the cluster.
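
A check for the three NetworkPolicy constraints listed above, as an added example that is not Huawei Cloud's or Cilium's own code: it reads policies exported as JSON and flags ipBlock ranges that overlap in-cluster CIDRs, any use of except, and policies that apply to egress. The sample policies and the CLUSTER_CIDRS values are constructed, and treating any overlap with a cluster range as "inside the cluster" is an assumption.

```python
import ipaddress
import json

# Constructed sample in the shape of `kubectl get networkpolicy -A -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "shop", "name": "db-egress"},
   "spec": {"podSelector": {}, "policyTypes": ["Egress"],
            "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/8",
                                            "except": ["10.0.5.0/24"]}}]}]}},
  {"metadata": {"namespace": "shop", "name": "web-ingress"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"ipBlock": {"cidr": "203.0.113.0/24"}}]}]}}
]}
""")

# Assumed in-cluster ranges (node, container, Service CIDRs); use your own.
CLUSTER_CIDRS = ["10.0.0.0/16", "172.16.0.0/16", "10.247.0.0/16"]


def lint_policy(policy, cluster_cidrs=CLUSTER_CIDRS):
    """Return findings for one NetworkPolicy object (parsed JSON)."""
    internal = [ipaddress.ip_network(c) for c in cluster_cidrs]
    spec, findings = policy.get("spec", {}), []
    for direction, key in (("ingress", "from"), ("egress", "to")):
        for rule in spec.get(direction) or []:
            for peer in rule.get(key) or []:
                block = peer.get("ipBlock")
                if not block:
                    continue
                net = ipaddress.ip_network(block["cidr"], strict=False)
                hits = [str(c) for c in internal if c.overlaps(net)]
                if hits:
                    findings.append(f"{direction}: ipBlock {net} overlaps in-cluster {hits}")
                if block.get("except"):
                    findings.append(f"{direction}: ipBlock {net} uses 'except'")
    # Kubernetes default: Egress applies implicitly when spec.egress is present.
    types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
    if "Egress" in types:
        findings.append("egress: selected pods cannot reach hostNetwork pod or node IPs")
    return findings


def lint_all(doc, cluster_cidrs=CLUSTER_CIDRS):
    """Map 'namespace/name' to findings, omitting policies with none."""
    found = {"{namespace}/{name}".format(**p["metadata"]): lint_policy(p, cluster_cidrs)
             for p in doc.get("items", [])}
    return {name: f for name, f in found.items() if f}
```

Running lint_all over the policies of a cluster that is about to be recreated with DataPlane V2 gives a list of policies to review before migration.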

Resource consumption

The resident cilium-agent process on each node is responsible for eBPF network acceleration. Each cilium-agent process may occupy 80 MiB of memory. Each time a pod is added, the cilium-agent memory consumption may increase by 10 KiB.

Components

After DataPlane V2 is enabled, components listed in the following table are installed.

Component: cilium-operator
Resource Type: Deployment
Description:
  • Synchronizes CRDs.
  • Removes the node.cilium.io/agent-not-ready taint of a node.
  • Tunes and recycles internal resources.

Component: yangtse-cilium
Resource Type: DaemonSet
Description:
  • Installs the auxiliary CNI (cilium-cni) for CCE to adapt to Cilium.
  • Deploys cilium-agent.

Change History

Add-on Version: 2.0.2
Cluster Version: v1.27, v1.28, v1.29, v1.30, v1.31, v1.32
New Feature:
  • Supported only the CCE clusters that use VPC route networks.
  • Disabled bpf-lb-sock (by setting bpf-lb-sock=false).
  • Disabled host-based firewalls (by setting enable-host-firewall=false).
  • Enabled Layer 7 network policies (by setting enable-l7-proxy=true).
  • Enabled host-routing (by setting enable-host-legacy-routing=false).
Community Version: v1.17

Add-on Version: 1.0.15
Cluster Version: v1.27, v1.28, v1.29, v1.30, v1.31, v1.32
New Feature:
  • Disabled bpf-lb-sock (by setting bpf-lb-sock=false).
Community Version: v1.14

Add-on Version: 1.08
Cluster Version: v1.27, v1.28, v1.29, v1.30, v1.31
New Feature:
  • Supported CCE Turbo clusters that use Cloud Native 2.0 networks.
  • Disabled host-based firewalls (by setting enable-host-firewall=false).
  • Disabled L7 network policies (by setting enable-l7-proxy=false).
Community Version: v1.14