Beyond the Hype: Cloud Native eBPF


Authors: Frederic Branczyk


The talk discusses the use of eBPF in the cloud native ecosystem, its portability through the CO:RE initiative, and its combination with Go and Kubernetes for observability, security, and performance tuning.
  • eBPF allows running programs in kernel space and attaching them to events or hooks for observability, security, and networking
  • The CO:RE initiative aims to achieve portability through libbpf, a just-in-time compiler that transforms eBPF bytecode into executable code on the host
  • eBPF can be combined with Go and Kubernetes to bridge low-level kernel features to higher-level Kubernetes concepts like Pods
  • Real-life examples are shown to help measure and improve performance systematically

The speaker mentions that eBPF was necessary for observability, security, and networking in the kernel, but it used to be difficult to develop for because it required compiling kernel modules for a wide array of architectures and kernels. With eBPF, companies like Cystic were able to adopt it as a technology and supercharge the possibility of hot loading code into the kernel without having to load a kernel module. This is made possible through the CO:RE initiative and libbpf, which transforms eBPF bytecode into executable code on the host.


eBPF being a promising technology is no news, but for a long time eBPF has struggled with portability: it needed to be compiled for each kernel, or a compiler and kernel headers needed to be shipped, effectively executing arbitrary code. The eBPF community acknowledged this and started the CO:RE (compile once-run everywhere) initiative, which is young but quickly maturing in the form of libbpf. Parallel to it, we are discovering more and more use cases where eBPF can be useful, especially when combined with Go and Kubernetes, from security and observability to performance tuning. In this talk, Frederic will explain what libbpf does in order to achieve compile once-run everywhere, how it can be used in Go, and lastly how to bridge the low-level kernel features to higher-level Kubernetes concepts like Pods, and demonstrate all of it with real-life examples to help measure and improve performance systematically.

