logo
allArticlesConferencesPresentations

Beyond the Hype: Cloud Native eBPF

Conference:  KubeCon + CloudNativeCon North America 2021

2021-10-15

Authors:   Frederic Branczyk

Summary

The talk discusses the use of eBPF in the cloud native ecosystem, its portability through the CO:RE initiative, and its combination with Go and Kubernetes for observability, security, and performance tuning.
  • eBPF allows running programs in kernel space and attaching them to events or hooks for observability, security, and networking
  • The CO:RE initiative aims to achieve portability through libbpf, a just-in-time compiler that transforms eBPF bytecode into executable code on the host
  • eBPF can be combined with Go and Kubernetes to bridge low-level kernel features to higher-level Kubernetes concepts like Pods
  • Real-life examples are shown to help measure and improve performance systematically
The speaker mentions that ebpf was necessary for observability, security, and networking in the kernel, but it used to be difficult to develop for because it required compiling kernel modules for a wide array of architectures and kernels. With ebpf, companies like Cystic were able to adopt it as a technology and supercharge the possibility of hot loading code into the kernel without having to load a kernel module. This is made possible through the CO:RE initiative and libbpf, which transforms ebpf bytecode into executable code on the host.

Abstract

eBPF being a promising technology is no news, but for a long time eBPF has struggled with portability, it needed to be compiled for each kernel, or a compiler and kernel headers needed to be shipped executing effectively arbitrary code. The eBPF community acknowledged this and started the CO:RE (compile once-run everywhere) initiative, which is young but quickly maturing in the form of libbpf. Parallel to it, we are discovering more and more use cases where eBPF can be useful, especially when combined with Go and Kubernetes, from security, over observability to performance tuning. In this talk, Frederic will explain what libbpf does in order to achieve compile once-run everywhere, how it can be used in Go, and lastly how to bridge the low-level Kernel features to higher-level Kubernetes concepts like Pods, and demonstrate all of it with real-life examples to help measure and improve performance systematically.
Materials:
Slides
Tags:
eBPF
CO:RE
libbpf
Go
Kubernetes

Post a comment

Related work

Alice in Kernel Land: Lessons Learned From the eBPF Rabbit Hole

Conference:  Black Hat Asia 2023
Authors: Simon Scannell, Valentina Palmiotti, Juan José López Jaimez
2023-05-11

eBPF on the Rise - Getting Started

Conference:  KubeCon + CloudNativeCon Europe 2021
Authors: Quentin Monnet

HotBPF - An On-demand and On-the-fly Memory Protection for the Linux Kernel

Conference:  Linux Security Summit Europe 2022
Authors: Yueqi Chen, Zhenpeng Li
2022-09-15

Securing the Superpowers: Who Loaded That EBPF Program?

Conference:  Cloud Native SecurityCon North America 2023
Authors: John Fastabend, Natalia Reka Ivanko

Past, Present, and Future of eBPF in Cloud Native Observability

Conference:  KubeCon + CloudNativeCon Europe 2023
Authors: Natalie Serrino, Frederic Branczyk
2023-04-19

Return to Sender - Detecting Kernel Exploits with eBPF

Conference:  Black Hat USA 2022
Authors:
2022-08-10