
Administration Guide

What Is the Control Plane?

The control plane is a logical perimeter that does not have direct access to data but may host components that drive operations in the data plane.

The following diagram shows, for the sake of simplicity, how the control plane interacts with a single data plane.


For the secure communication of services across the control plane and a data plane, refer to cross-plane authentication.

The control plane is set, by default, to run in a Kubernetes cluster, and is created with sensible default configuration values. It contains a variety of services that are beyond the scope of this document, but the following are worthy of further explanation:

  • Data bridge—This is the component in the control plane that handles communication with the data plane. It acts as a Google Remote Procedure Call (gRPC) server. It is replicated, and it sits behind an ingress with a load-balancer.

  • Data bridge load-balancer—Because the data bridge is a server with multiple replicas (for redundancy and scalability), it lives behind a load-balancer to which clients connect. The platform does not interact with it directly.

Configuration Values

The control plane has the following configuration values:

  • The data bridge requires the maximum JSON Web Token (JWT) expiration period for the client. The expiration period is typically only one minute, as it only needs to be long enough to allow token generation and token verification.

  • The data bridge also requires the maximum amount of clock skew to tolerate.