
Past, Present, and Future of eBPF in Cloud Native Observability

2023-04-19

Authors: Natalie Serrino, Frederic Branczyk


Summary

The presentation discusses the use of BPF (Berkeley Packet Filter) in cybersecurity and DevOps, highlighting its benefits and future potential.
  • BPF is a powerful tool for network analysis, security, and observability in production environments.
  • BPF allows for zero-instrumentation profiling of entire production clusters.
  • BPF has some limitations, including performance issues and difficulty in interpreting raw data.
  • Future developments in BPF may address these limitations, including increased support for programming languages and improved interpretability through machine learning.
The speaker gives a demo of the Parca open source project, which uses BPF to profile CPU time across a cluster without any instrumentation. They also discuss the potential for machine learning to generate bpftrace programs and interpret their output.

Abstract

eBPF has long been promising in the cloud native ecosystem but has evolved significantly over the years. Frederic will start by first giving a brief history of the past and how eBPF has developed to be what it is today. This leads us to the current state of things in the present space of observability. Here Frederic will outline how eBPF is safely used in a variety of open source, Apache 2.0 licensed projects, from Cilium Hubble and Pixie to Parca and others. Here we will also take a look at a simple demo on eBPF and how this can be run on a Kubernetes cluster and what we can find about that cluster just by using eBPF data. The last portion of the talk will discuss the future of observability using eBPF and where Frederic thinks it will develop, which among other things will include how eBPF will enable correlation between different signals such as connecting distributed tracing with profiling data.
