Deploy workloads with SCTP

Standard

This page explains how to deploy workloads that use the Stream Control Transmission Protocol (SCTP) on Google Kubernetes Engine (GKE) Standard clusters.

SCTP is supported on Cilium technology. Because GKE Dataplane V2 is implemented using Cilium, you can use SCTP only on clusters that have been enabled with GKE Dataplane V2. With SCTP support, you can enable direct SCTP communication for Pod-to-Pod and Pod-to-Service traffic. To learn more, see SCTP support on Cilium.

This page is for Operators and Developers who provision and configure cloud resources and deploy apps and services. To learn more about common roles and example tasks referenced in Google Cloud content, see Common GKE Enterprise user roles and tasks.

Before you begin

Before you start, make sure that you have performed the following tasks:

Enable the Google Kubernetes Engine API.

Enable Google Kubernetes Engine API

If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running gcloud components update.
Note: For existing gcloud CLI installations, make sure to set the compute/region property. If you use primarily zonal clusters, set the compute/zone instead. By setting a default location, you can avoid errors in the gcloud CLI like the following: One of [--zone, --region] must be supplied: Please specify location. You might need to specify the location in certain commands if the location of your cluster differs from the default that you set.

Requirements and limitations

SCTP support on GKE Standard clusters has the following requirements and limitations:

Your cluster must run GKE version 1.32.2-gke.1297000 or later.
Cluster nodes must use Ubuntu node images. SCTP is not supported for Container-Optimized OS images.
To enable SCTP support, ensure that your Ubuntu-based container images and the underlying GKE node OS is loaded with the sctp kernel module.
You can't use SCTP on clusters that are enabled with multi-network support for Pods.
The setup time for an SCTP association can take longer than the setup time for a TCP connection. Design your applications to handle potential delays while associations are established.
To learn more about what Cilium supports and doesn't support with SCTP, see the Cilium documentation.

Deploy workloads with SCTP

Best practice:

Test your deployment thoroughly in a non-production environment before you deploy workloads to production.

From GKE version 1.32.2-gke.1297000, SCTP is enabled by default in clusters that use GKE Dataplane V2 and Ubuntu node images. To deploy workloads with SCTP, complete the following steps:

To create a cluster with GKE Dataplane V2 and Ubuntu images, run the following command:
```
gcloud container clusters create CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --cluster-version=CLUSTER_VERSION \
    --enable-dataplane-v2 \
    --image-type=ubuntu_containerd
```
Replace the following values:
- CLUSTER_NAME: the name of your cluster.
- CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
- CLUSTER_VERSION: the GKE version, which must be 1.32.2-gke.1297000 or later.
To containerize the application, ensure that your container image includes an application that is configured to use SCTP. You can use any application that supports SCTP, such as a custom application.

The following is an example of a Dockerfile to containerize the application, assuming you use Docker:
```
FROM ubuntu:latest
RUN apt-get update && apt-get install -y socat

# Run a simple SCTP echo server.  This command uses socat to listen for
# incoming SCTP connections on a specified port and echo back any received data.
# The 'fork' option ensures that a new process is created for each connection.
# Replace "PORT" below with the desired port number.
CMD ["socat", "PIPE", "SCTP-LISTEN:PORT,fork"]
```
Build and push the image to a container registry like Artifact Registry. For more information about how this file works, see Dockerfile reference in the Docker documentation.

To create a Deployment and a Service, save the following manifest as sctp-deployment.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
 name: sctp-app
spec:
 replicas: 1
 selector:
   matchLabels:
     app: sctp-app
 template:
   metadata:
     labels:
       app: sctp-app
   spec:
     containers:
     - name: sctp-container
       image: CONTAINER_IMAGE
       ports:
       - containerPort: PORT
         protocol: SCTP
---
apiVersion: v1
kind: Service
metadata:
  name: sctp-service
spec:
  selector:
    app: sctp-app
  ports:
  - protocol: SCTP
    port: PORT
    targetPort: PORT
  type: ClusterIP

Replace the following:

CONTAINER_IMAGE: the container image you built in the preceding step.
PORT: the SCTP port and target port numbers of the application. The value for port and targetPort must be the same.

To apply the Deployment and Service, run the following command:
```
kubectl apply -f sctp-deployment.yaml
```

To verify SCTP connectivity for the Service, create a Pod within the same cluster and run the following command:

kubectl run sctp-client \
 --image=ubuntu:latest \
 --namespace=default \
 -it --rm \
 --command -- bash -c 'apt-get update && apt-get install -y socat && (echo "Hello, SCTP!"; sleep 1) | socat - SCTP:sctp-service:PORT'

The output is similar to the following:

Preparing to unpack .../socat_1.8.0.0-4build3_amd64.deb ...
Setting up socat (1.8.0.0-4build3) ...
Hello, SCTP!

Troubleshooting

If you experience issues with SCTP connectivity, follow this guidance to help determine the source of the issue:

Check Pod logs. To check the logs of your application for any errors, run the following command:
```
kubectl logs POD_NAME
```
These logs can help you identify what caused the Pod to crash.

Check the status of the SCTP Service object:

kubectl describe service SCTP_SERVICE_NAME

Check your network policies. Network policies can restrict SCTP traffic. Ensure that your network policies allow the necessary SCTP traffic for your applications.
Check the status of GKE Dataplane V2. To verify that GKE Dataplane V2 is enabled on your cluster, run the following command:
```
kubectl -n kube-system get pods -l k8s-app=cilium -o wide
```
Verify that the output includes Pods with the prefix anetd-. anetd is the networking controller for GKE Dataplane V2.
To improve throughput, increase the sysctl parameters net.core.wmem_default and net.core.rmem_default to a larger value, for example, 4194304 (4 MB). For more information, see Sysctl configuration options.
You might face issues if you use Network Address Translation (NAT) with SCTP in GKE. For more information about what Cilium supports with SCTP, see the Cilium documentation.
SCTP packets are subject to the Maximum Transmission Unit (MTU) of the network. Ensure that your network's MTU is sufficient for your SCTP traffic.
The performance of SCTP can be affected by factors such as network latency, packet loss, and kernel tuning. Monitor the performance of your application's SCTP and adjust the settings as needed.

What's next

Learn about SCTP support in the Cilium documentation.
Learn how to enable GKE Dataplane V2 on your cluster.

Deploy workloads with SCTP Stay organized with collections Save and categorize content based on your preferences.

Before you begin

Requirements and limitations

Deploy workloads with SCTP

Troubleshooting

What's next

Deploy workloads with SCTP